[libvirt] Resubmission: [PATCH 6/6] sVirt AppArmor security driver

Daniel P. Berrange berrange at redhat.com
Thu Sep 10 11:50:23 UTC 2009 

On Tue, Sep 08, 2009 at 04:23:34PM -0500, Jamie Strandboge wrote:
> On Tue, 08 Sep 2009, Jamie Strandboge wrote:
> 
> > > [PATCH 6]
> > > patch_6_autoconf.patch:
> > > Updates Makefile.am and configure.in for AppArmor. It is based on and
> > > should operate the same as the SELinux configuration.
> > > 
> 
> -- 
> Jamie Strandboge             | http://www.canonical.com

> diff -Nurp ./libvirt.orig/configure.in ./libvirt/configure.in
> --- ./libvirt.orig/configure.in	2009-09-08 12:59:59.000000000 -0500
> +++ ./libvirt/configure.in	2009-09-08 15:32:22.000000000 -0500
> @@ -799,6 +799,84 @@ fi
>  AM_CONDITIONAL([WITH_SECDRIVER_SELINUX], [test "$with_secdriver_selinux" != "no"])
>  
>  
> +dnl AppArmor
> +AC_ARG_WITH([apparmor],
> +  [  --with-apparmor        use AppArmor to manage security],
> +  [],
> +  [with_apparmor=check])
> +
> +APPARMOR_CFLAGS=
> +APPARMOR_LIBS=
> +if test "$with_apparmor" != "no"; then
> +  old_cflags="$CFLAGS"
> +  old_libs="$LIBS"
> +  if test "$with_apparmor" = "check"; then
> +    AC_CHECK_HEADER([sys/apparmor.h],[],[with_apparmor=no])
> +    AC_CHECK_LIB([apparmor], [aa_change_profile],[],[with_apparmor=no])
> +    AC_CHECK_LIB([apparmor], [aa_change_hat],[],[with_apparmor=no])
> +    if test "$with_apparmor" != "no"; then
> +      with_apparmor="yes"
> +    fi
> +  else
> +    fail=0
> +    AC_CHECK_HEADER([sys/apparmor.h],[],[fail=1])
> +    AC_CHECK_LIB([apparmor], [aa_change_profile],[],[fail=1])
> +    AC_CHECK_LIB([apparmor], [aa_change_hat],[],[fail=1])
> +    test $fail = 1 &&
> +      AC_MSG_ERROR([You must install the AppArmor development package in order to compile libvirt])
> +  fi
> +  CFLAGS="$old_cflags"
> +  LIBS="$old_libs"
> +fi
> +if test "$with_apparmor" = "yes"; then
> +  APPARMOR_LIBS="-lapparmor"
> +  AC_DEFINE_UNQUOTED([HAVE_APPARMOR], 1, [whether AppArmor is available for security])
> +  AC_DEFINE_UNQUOTED([APPARMOR_DIR], "/etc/apparmor.d", [path to apparmor directory])
> +  AC_DEFINE_UNQUOTED([APPARMOR_PROFILES_PATH], "/sys/kernel/security/apparmor/profiles", [path to kernel profiles])
> +  AC_DEFINE_UNQUOTED([VIRT_AA_HELPER_PATH], "$prefix/bin/virt-aa-helper", [path to virt-aa-helper])
> +fi
> +AM_CONDITIONAL([HAVE_APPARMOR], [test "$with_apparmor" != "no"])
> +AC_SUBST([APPARMOR_CFLAGS])
> +AC_SUBST([APPARMOR_LIBS])
> +
> +
> +AC_ARG_WITH([secdriver-apparmor],
> +  [  --with-secdriver-apparmor         use AppArmor security driver],
> +  [],
> +  [with_secdriver_apparmor=check])
> +
> +if test "$with_apparmor" != "yes" ; then
> +  if test "$with_secdriver_apparmor" = "check" ; then
> +    with_secdriver_apparmor=no
> +  else
> +    AC_MSG_ERROR([You must install the AppArmor development package in order to compile libvirt])
> +  fi
> +else
> +  old_cflags="$CFLAGS"
> +  old_libs="$LIBS"
> +  CFLAGS="$CFLAGS $APPARMOR_CFLAGS"
> +  LIBS="$CFLAGS $APPARMOR_LIBS"
> +
> +  fail=0
> +  AC_CHECK_FUNC([change_hat], [], [fail=1])
> +  AC_CHECK_FUNC([aa_change_profile], [], [fail=1])
> +  CFLAGS="$old_cflags"
> +  LIBS="$old_libs"
> +
> +  if test "$fail" = "1" ; then
> +    if test "$with_secdriver_apparmor" = "check" ; then
> +      with_secdriver_apparmor=no
> +    else
> +      AC_MSG_ERROR([You must install the AppArmor development package in order to compile libvirt])
> +    fi
> +  else
> +    with_secdriver_apparmor=yes
> +    AC_DEFINE_UNQUOTED([WITH_SECDRIVER_APPARMOR], 1, [whether AppArmor security driver is available])
> +  fi
> +fi
> +AM_CONDITIONAL([WITH_SECDRIVER_APPARMOR], [test "$with_secdriver_apparmor" != "no"])
> +
> +
>  
>  dnl NUMA lib
>  AC_ARG_WITH([numactl],
> @@ -1706,6 +1784,7 @@ AC_MSG_NOTICE([])
>  AC_MSG_NOTICE([Security Drivers])
>  AC_MSG_NOTICE([])
>  AC_MSG_NOTICE([ SELinux: $with_secdriver_selinux])
> +AC_MSG_NOTICE([ AppArmor: $with_secdriver_apparmor])
>  AC_MSG_NOTICE([])
>  AC_MSG_NOTICE([Driver Loadable Modules])
>  AC_MSG_NOTICE([])
> @@ -1753,6 +1832,11 @@ AC_MSG_NOTICE([ selinux: $SELINUX_CFLAGS
>  else
>  AC_MSG_NOTICE([ selinux: no])
>  fi
> +if test "$with_apparmor" = "yes" ; then
> +AC_MSG_NOTICE([ apparmor: $APPARMOR_CFLAGS $APPARMOR_LIBS])
> +else
> +AC_MSG_NOTICE([ apparmor: no])
> +fi
>  if test "$with_numactl" = "yes" ; then
>  AC_MSG_NOTICE([ numactl: $NUMACTL_CFLAGS $NUMACTL_LIBS])
>  else
> diff -Nurp ./libvirt.orig/src/Makefile.am ./libvirt/src/Makefile.am
> --- ./libvirt.orig/src/Makefile.am	2009-09-08 13:00:00.000000000 -0500
> +++ ./libvirt/src/Makefile.am	2009-09-08 15:32:22.000000000 -0500
> @@ -9,6 +9,7 @@ INCLUDES = \
>  	   $(LIBSSH2_CFLAGS) \
>  	   $(XEN_CFLAGS) \
>  	   $(SELINUX_CFLAGS) \
> +	   $(APPARMOR_CFLAGS) \
>  	   $(DRIVER_MODULE_CFLAGS) \
>  	   -DLIBDIR=\""$(libdir)"\" \
>  	   -DBINDIR=\""$(libexecdir)"\" \
> @@ -216,6 +217,8 @@ SECURITY_DRIVER_SOURCES =					\
>  SECURITY_DRIVER_SELINUX_SOURCES =				\
>  		security_selinux.h security_selinux.c
>  
> +SECURITY_DRIVER_APPARMOR_SOURCES =				\
> +		security_apparmor.h security_apparmor.c
>  
>  NODE_DEVICE_DRIVER_SOURCES =					\
>  		node_device.c node_device.h
> @@ -527,6 +530,9 @@ libvirt_la_LIBADD += libvirt_driver_secu
>  if WITH_SECDRIVER_SELINUX
>  libvirt_driver_security_la_SOURCES += $(SECURITY_DRIVER_SELINUX_SOURCES)
>  endif
> +if WITH_SECDRIVER_APPARMOR
> +libvirt_driver_security_la_SOURCES += $(SECURITY_DRIVER_APPARMOR_SOURCES)
> +endif
>  
>  # Add all conditional sources just in case...
>  EXTRA_DIST +=							\
> @@ -615,7 +621,7 @@ libvirt_la_LIBADD += \
>  libvirt_la_LDFLAGS = $(VERSION_SCRIPT_FLAGS)libvirt.syms \
>                       -version-info @LIBVIRT_VERSION_INFO@ \
>                      $(COVERAGE_CFLAGS:-f%=-Wc,-f%) \
> -                    $(LIBXML_LIBS) $(SELINUX_LIBS) \
> +                    $(LIBXML_LIBS) $(SELINUX_LIBS) $(APPARMOR_LIBS) \
>  		    $(XEN_LIBS) $(DRIVER_MODULE_LIBS) \
>  		    $(DEVMAPPER_LIBS) \
>  		    @CYGWIN_EXTRA_LDFLAGS@ @MINGW_EXTRA_LDFLAGS@
> @@ -654,6 +660,23 @@ virsh_LDADD =							\
>  		../gnulib/lib/libgnu.la				\
>  		$(VIRSH_LIBS)
>  virsh_CFLAGS = $(COVERAGE_CFLAGS) $(READLINE_CFLAGS) $(NUMACTL_CFLAGS)
> +
> +if WITH_SECDRIVER_APPARMOR
> +bin_PROGRAMS += virt-aa-helper
> +
> +virt_aa_helper_SOURCES =					\
> +	virt-aa-helper.c
> +
> +virt_aa_helper_LDFLAGS = $(WARN_CFLAGS) $(COVERAGE_LDFLAGS)
> +virt_aa_helper_LDADD =						\
> +		$(STATIC_BINARIES)				\
> +		$(WARN_CFLAGS)					\
> +		libvirt.la					\
> +		../gnulib/lib/libgnu.la				\
> +		$(VIRSH_LIBS)
> +virt_aa_helper_CFLAGS = $(COVERAGE_CFLAGS)
> +endif
> +
>  BUILT_SOURCES = virsh-net-edit.c virsh-pool-edit.c libvirt.syms
>  
>  virsh-net-edit.c: virsh.c Makefile.am

ACK, though again this patch needs to be adjusted wrt the others, since
earlier patches look like they have build time depends on this one.

It is probably counter-productive to try & split up this series since
it is all one big feature. Probably  just have the first generic cleanup,
then the apparmour implementation, and then the documentation patch

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

More information about the libvir-list mailing list