shaba/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-12 04:58:32 +03:00
Code Releases Activity

security, apparmor: add (Set|Restore)MemoryLabel

Browse Source 
Recent changes have made implementing this mandatory to hot add any
memory.
Implementing this in apparmor fixes this as well as allows hot-add of nvdimm
tpye memory with an nvdimmPath set generating a AppArmor rule for that
path.

Example hot adding:
  <memory model='nvdimm'>
    <source>
      <path>/tmp/nvdimm-test</path>
    </source>
    <target>
      <size unit='KiB'>524288</size>
      <node>0</node>
    </target>
  </memory>
Creates now:
  "/tmp/nvdimm-test" rwk,

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1755153

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
This commit is contained in:
Christian Ehrhardt 2018-03-19 13:12:14 +01:00
parent 85666f1314
commit 999998a792
No known key found for this signature in database
GPG Key ID: BA3E29338280B242
1 changed files with 46 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
src/security/security_apparmor.c
View File

@ -716,6 +716,49 @@ AppArmorRestoreSecurityDiskLabel(virSecurityManagerPtr mgr,
return AppArmorRestoreSecurityImageLabel(mgr, def, disk->src); return AppArmorRestoreSecurityImageLabel(mgr, def, disk->src);
} }
/* Called when hotplugging */
static int
AppArmorSetMemoryLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainMemoryDefPtr mem)
{
if (mem == NULL)
return 0;
switch ((virDomainMemoryModel) mem->model) {
case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
if (mem->nvdimmPath == NULL) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("%s: nvdimm without a path"),
__func__);
return -1;
}
if (!virFileExists(mem->nvdimmPath)) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("%s: \'%s\' does not exist"),
__func__, mem->nvdimmPath);
return -1;
}
return reload_profile(mgr, def, mem->nvdimmPath, true);
break;
case VIR_DOMAIN_MEMORY_MODEL_NONE:
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
case VIR_DOMAIN_MEMORY_MODEL_LAST:
break;
}
return 0;
}
static int
AppArmorRestoreMemoryLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainMemoryDefPtr mem ATTRIBUTE_UNUSED)
{
return reload_profile(mgr, def, NULL, false);
}
/* Called when hotplugging */ /* Called when hotplugging */
static int static int
AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
@ -1115,6 +1158,9 @@ virSecurityDriver virAppArmorSecurityDriver = {
.domainSetSecurityImageLabel = AppArmorSetSecurityImageLabel, .domainSetSecurityImageLabel = AppArmorSetSecurityImageLabel,
.domainRestoreSecurityImageLabel = AppArmorRestoreSecurityImageLabel, .domainRestoreSecurityImageLabel = AppArmorRestoreSecurityImageLabel,
.domainSetSecurityMemoryLabel = AppArmorSetMemoryLabel,
.domainRestoreSecurityMemoryLabel = AppArmorRestoreMemoryLabel,
.domainSetSecurityDaemonSocketLabel = AppArmorSetSecurityDaemonSocketLabel, .domainSetSecurityDaemonSocketLabel = AppArmorSetSecurityDaemonSocketLabel,
.domainSetSecuritySocketLabel = AppArmorSetSecuritySocketLabel, .domainSetSecuritySocketLabel = AppArmorSetSecuritySocketLabel,
.domainClearSecuritySocketLabel = AppArmorClearSecuritySocketLabel, .domainClearSecuritySocketLabel = AppArmorClearSecuritySocketLabel,