diff options
| author | Serge Hallyn <serge.hallyn@canonical.com> | 2011-12-02 13:10:58 -0600 |
|---|---|---|
| committer | Eric Blake <eblake@redhat.com> | 2011-12-02 12:31:51 -0700 |
| commit | 4cfdbfc46f0a7b777035a5b2af5ecbe7373a7e12 (patch) | |
| tree | ff63a7de377f5acf7b78cd332ea61167f08b4def | |
| parent | fd066925440ba48acc95d8f31b2c98b1cc9d582d (diff) | |
| download | libvirt-4cfdbfc46f0a7b777035a5b2af5ecbe7373a7e12.tar.gz | |
apparmor: allow tunnelled migrations.
The pathname for the pipe for tunnelled migration is unresolvable. The
libvirt apparmor driver therefore refuses access, causing migration to
fail. If we can't resolve the path, the worst that can happen is that
we should have given permission to the file but didn't. Otherwise
(especially since this is a /proc/$$/fd/N file) the file is already open
and libvirt won't be refused access by apparmor anyway.
Also adjust virt-aa-helper to allow access to the
*.tunnelmigrate.dest.name files.
For more information, see https://launchpad.net/bugs/869553.
Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
| -rw-r--r-- | src/security/security_apparmor.c | 7 | ||||
| -rw-r--r-- | src/security/virt-aa-helper.c | 4 |
2 files changed, 8 insertions, 3 deletions
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 299dcc644b..db7e7dc871 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -38,6 +38,7 @@ #include "virfile.h" #include "configmake.h" #include "command.h" +#include "logging.h" #define VIR_FROM_THIS VIR_FROM_SECURITY #define SECURITY_APPARMOR_VOID_DOI "0" @@ -791,9 +792,9 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr, } if (virFileResolveLink(proc, &fd_path) < 0) { - virSecurityReportError(VIR_ERR_INTERNAL_ERROR, - "%s", _("could not find path for descriptor")); - return rc; + /* it's a deleted file, presumably. Ignore? */ + VIR_WARN("could not find path for descriptor %s, skipping", proc); + return 0; } return reload_profile(mgr, vm, fd_path, true); diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 14399cce63..4561bb9db4 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1220,6 +1220,10 @@ main(int argc, char **argv) LOCALSTATEDIR, ctl->def->name); virBufferAsprintf(&buf, " \"/run/libvirt/**/%s.pid\" rwk,\n", ctl->def->name); + virBufferAsprintf(&buf, " \"%s/run/libvirt/**/*.tunnelmigrate.dest.%s\" rw,\n", + LOCALSTATEDIR, ctl->def->name); + virBufferAsprintf(&buf, " \"/run/libvirt/**/*.tunnelmigrate.dest.%s\" rw,\n", + ctl->def->name); if (ctl->files) virBufferAdd(&buf, ctl->files, -1); } |