security, apparmor: implement domainSetPathLabel

This came up in discussions around huge pages, but it will cover more per guest paths that should be added to the guests apparmor profile: - keys via qemuDomainWriteMasterKeyFile - per domain dirs via qemuProcessMakeDir - memory backing paths via qemuProcessBuildDestroyMemoryPathsImpl Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2018-01-09 16:04:02 +01:00 · 2018-01-09 16:04:02 +01:00 · f436a78239
parent 5924977870
commit f436a78239
1 changed files with 9 additions and 0 deletions
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@ -953,6 +953,13 @@ AppArmorSetSavedStateLabel(virSecurityManagerPtr mgr,
    return reload_profile(mgr, def, savefile, true);
 }

+static int
+AppArmorSetPathLabel(virSecurityManagerPtr mgr,
+                           virDomainDefPtr def,
+                           const char *path)
+{
+    return reload_profile(mgr, def, path, true);
+}

 static int
 AppArmorRestoreSavedStateLabel(virSecurityManagerPtr mgr,
@ -1045,6 +1052,8 @@ virSecurityDriver virAppArmorSecurityDriver = {
    .domainSetSavedStateLabel           = AppArmorSetSavedStateLabel,
    .domainRestoreSavedStateLabel       = AppArmorRestoreSavedStateLabel,

+    .domainSetPathLabel                 = AppArmorSetPathLabel,
+
    .domainSetSecurityImageFDLabel      = AppArmorSetFDLabel,
    .domainSetSecurityTapFDLabel        = AppArmorSetFDLabel,