[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH] 0/10AppArmor driver updates



This patch series addresses bug fixes in the AppArmor driver as well as
updating it to changes made in 0.7.6 and 0.7.7. All of these are
self-contained within the driver except 4_qemu_driver_stdin_path.patch.
This is required by 5_apparmor-fix-save-restore.patch (see below). These
all pass 'make syntax-check' and 'make check' (except 'daemon-conf',
which has never passed here and I didn't patch it).

1_apparmor-dont-clear-caps.patch: originally submitted on 2010/02/08
with no feedback. The calls to virExec() in security_apparmor.c when
invoking virt-aa-helper use VIR_EXEC_CLEAR_CAPS. When compiled without
libcap-ng, this is not a problem (it's effectively a no-op) but with
libcap-ng this causes MAC_ADMIN to be cleared. MAC_ADMIN is needed by
virt-aa-helper to manipulate apparmor profiles and without it VMs will
not start[1]. This patch calls virExec with the default VIR_EXEC_NONE
instead.

2_apparmor-remove-unloaded-profile-is-not-fatal.patch: Don't exit with
error if the user unloaded the profile outside of libvirt[2]

3_apparmor-fix-vah-xml-parse.patch: add VIR_DOMAIN_XML_INACTIVE flag to
virDomainDefParseString() so virDomainDefParseString() doesn't error out
when seeing <seclabel...>. This was needed due to changes since 0.7.5.

4_qemu_driver_stdin_path.patch: adjust args to qemudStartVMDaemon() to
also specify path to stdin_fd, so this can be passed to the AppArmor
driver via *SetSecurityAllLabel(). This updates all calls to
qemudStartVMDaemon() as well as setting up the non-AppArmor security
driver *SetSecurityAllLabel() declarations for the above. This is
required for 5_apparmor-fix-save-restore.patch since AppArmor resolves
the passed file descriptor to the pathname given to open().

5_apparmor-fix-save-restore.patch: refactoring to update AppArmor
security driver to adjust profile for save/restore[3]

6_apparmor-fix-backingstore.patch: adjust virt-aa-helper to handle
backing store[4]

7_apparmor-fix-hostdev.patch: adjust virt-aa-helper to handle pci
devices. Update valid_path() to have an override array to check against,
and add "/sys/devices/pci" to it. Then rename file_iterate_cb() to
file_iterate_hostdev_cb() and create file_iterate_pci_cb() based on it.

8_apparmor-fix-xauth.patch: adjust virt-aa-helper to handle SDL
graphics, specifically Xauthority[6]. Also remove a couple redundant
checks

9_apparmor-examples.patch: adjustments to the example profiles

10_apparmor-vah-test.patch: update pcidev test and add SDL xauth


[1] https://launchpad.net/bugs/517714
[2] https://launchpad.net/bugs/530400
[3] https://launchpad.net/bugs/457716
[4] https://launchpad.net/bugs/470636
[5] https://launchpad.net/bugs/545795
[6] https://launchpad.net/bugs/545426


-- 
Jamie Strandboge             | http://www.canonical.com

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]