From ec94e14b681a671776c8d7ca962d3d7ed5aca5b7 Mon Sep 17 00:00:00 2001 From: Jim Fehlig Date: Thu, 2 Feb 2017 19:26:13 -0700 Subject: [PATCH] apparmor: don't fail on non-apparmor If the apparmor security driver is loaded/enabled and domain config contains a element whose type attribute is not 'apparmor', starting the domain fails when attempting to label resources such as tap FDs. Many of the apparmor driver entry points attempt to retrieve the apparmor security label from the domain def, returning failure if not found. Functions such as AppArmorSetFDLabel fail even though domain config contains an explicit 'none' secuirty driver, e.g. Change the entry points to succeed if the domain config is not apparmor. This matches the behavior of the selinux driver. --- src/security/security_apparmor.c | 58 ++++++++++---------------------- 1 file changed, 17 insertions(+), 41 deletions(-) diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index ad50b08082..0d3e891a71 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -289,10 +289,7 @@ reload_profile(virSecurityManagerPtr mgr, virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef( def, SECURITY_APPARMOR_NAME); - if (!secdef) - return rc; - - if (!secdef->relabel) + if (!secdef || !secdef->relabel) return 0; if ((profile_name = get_profile_name(def)) == NULL) @@ -435,7 +432,7 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, SECURITY_APPARMOR_NAME); if (!secdef) - return -1; + return 0; if ((secdef->type == VIR_DOMAIN_SECLABEL_STATIC) || (secdef->type == VIR_DOMAIN_SECLABEL_NONE)) @@ -495,10 +492,7 @@ AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr, { virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); - if (!secdef) - return -1; - - if (!secdef->relabel) + if (!secdef || !secdef->relabel) return 0; /* Reload the profile if stdin_path is specified. Note that @@ -559,12 +553,11 @@ AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, { virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); - if (!secdef) - return -1; - - VIR_FREE(secdef->model); - VIR_FREE(secdef->label); - VIR_FREE(secdef->imagelabel); + if (secdef) { + VIR_FREE(secdef->model); + VIR_FREE(secdef->label); + VIR_FREE(secdef->imagelabel); + } return 0; } @@ -580,7 +573,7 @@ AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); if (!secdef) - return -1; + return 0; if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) { if ((rc = remove_profile(secdef->label)) != 0) { @@ -604,10 +597,7 @@ AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); - if (!secdef) - return -1; - - if (secdef->label == NULL) + if (!secdef || !secdef->label) return 0; if ((profile_name = get_profile_name(def)) == NULL) @@ -653,10 +643,7 @@ AppArmorSetSecurityChildProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); - if (!secdef) - goto cleanup; - - if (secdef->label == NULL) + if (!secdef || !secdef->label) return 0; if (STRNEQ(SECURITY_APPARMOR_NAME, secdef->model)) { @@ -738,10 +725,8 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, if (!src->path || !virStorageSourceIsLocalStorage(src)) return 0; - if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME))) - return -1; - - if (!secdef->relabel) + secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); + if (!secdef || !secdef->relabel) return 0; if (secdef->imagelabel) { @@ -792,7 +777,7 @@ AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); if (!secdef) - return -1; + return 0; if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) { if (use_apparmor() < 0 || profile_status(secdef->label, 0) < 0) { @@ -829,10 +814,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr, virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi; virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host; - if (!secdef) - return -1; - - if (!secdef->relabel) + if (!secdef || !secdef->relabel) return 0; if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) @@ -940,10 +922,7 @@ AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); - if (!secdef) - return -1; - - if (!secdef->relabel) + if (!secdef || !secdef->relabel) return 0; return reload_profile(mgr, def, NULL, false); @@ -978,10 +957,7 @@ AppArmorSetFDLabel(virSecurityManagerPtr mgr, virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); - if (!secdef) - return -1; - - if (secdef->imagelabel == NULL) + if (!secdef || !secdef->imagelabel) return 0; if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1)