On Wed, Nov 13, 2024 at 11:35:19AM +0100, Michal Privoznik wrote:
The problem with qemu_domain.c is that it's constantly growing. But
there are a few options for improvement. For instance, validation
functions were moved out and now live in qemu_validate.c. We can
do the same for PostParse functions, t
Some rules are generated dynamically during boot and added to the
AppArmor policy. An example of that is macvtap devices that call the
AppArmorSetFDLabel hook to add a rule for the tap device path.
Since this information is dynamic, it is not available in the xml
config, therefore whenever a "Rest
Moving towards full adoption of GLib APIs in the AppArmor code.
Signed-off-by: Georgia Garcia
---
src/security/security_apparmor.c | 41 -
src/security/virt-aa-helper.c| 100 ++-
2 files changed, 45 insertions(+), 96 deletions(-)
diff --git a/src/sec
proc and fd_path are allocated but never freed. Fix by using
g_autofree instead.
Fixes: b9757fea30785a92aa95ea675b9bc371e4fb2e8c
Signed-off-by: Georgia Garcia
---
src/security/security_apparmor.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/security/security_apparm
Reviewed-by: Marc-André Lureau
Signed-off-by: Stefan Berger
---
v3:
- Adjustments due to rebase
- Applied Marc-André's R-b
---
src/qemu/qemu_tpm.c | 52 +
1 file changed, 20 insertions(+), 32 deletions(-)
diff --git a/src/qemu/qemu_tpm.c b/src/q
Upcoming libtpms v0.10 and swtpm v0.10 will have TPM profile support that
allows restricting a TPM's provided set of crypto algorithms and commands
and through which backwards compatibility and migration from newer versions
of libtpms to older ones (up to libtpms v0.9) is supported. For the latter
To avoid passing TPM emulator parameters around individually, move them
into a structure and pass around the structure.
Reviewed-by: Marc-André Lureau
Signed-off-by: Stefan Berger
---
v3:
- Made virDomainTPMEmulatorDef first parameter to functions
- Applied Marc-André's R-b
---
src/conf/d
Add support for parsing swtpm_setup 'cmdarg-profile' capability
(since v0.10).
Reviewed-by: Marc-André Lureau
Signed-off-by: Stefan Berger
---
src/util/virtpm.c | 1 +
src/util/virtpm.h | 1 +
tests/testutilsqemu.c | 1 +
3 files changed, 3 insertions(+)
diff --git a/src/util/virtpm.c
Reviewed-by: Marc-André Lureau
Signed-off-by: Stefan Berger
---
src/conf/domain_conf.c | 7 +++
src/conf/domain_conf.h | 9 +
2 files changed, 16 insertions(+)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 3a32e50890..a5627ada88 100644
--- a/src/conf/domain_conf
Add documentation for the TPM backend profile node and point the reader to
further documentation about TPM profiles available in the swtpm man page.
Signed-off-by: Stefan Berger
---
docs/formatdomain.rst | 30 ++
1 file changed, 30 insertions(+)
diff --git a/docs/for
Extend the schema for the TPM emulator profile node. Require that the
profile the user provides is described in a 'source' attribute. An optional
remove_disabled attribute is also supported for swtpm to automatically
remove algorithms from the 'custom' profile if they are disabled by FIPS
mode on t
Extend the parser and XML builder with support for the profile parameter
and its remove_disabled attribute.
Signed-off-by: Stefan Berger
---
src/conf/domain_conf.c | 36
src/conf/domain_conf.h | 2 ++
src/conf/domain_validate.c | 7 +++
3 files
Run swtpm_setup with the --profile-name option if the user provided the
name of a profile. swtpm_setup will try to load the profile from
directories with local profiles and distro profiles and if no profile
by this name with appended '.json' suffix could be found there, it will
fall back to try to
Get the JSON profile that the swtpm instance was created with from the
output of 'swtpm socket --tpm2 --print-info 0x20 --tpmstate ...'. Get the
name of the profile from the JSON and set it in the current and persistent
emulator descriptions as 'name' attribute and have the persistent
description s
Factor-out code related to adding key to the swtpm command line into its
own function.
Reviewed-by: Marc-André Lureau
Signed-off-by: Stefan Berger
---
src/qemu/qemu_tpm.c | 60 +++--
1 file changed, 36 insertions(+), 24 deletions(-)
diff --git a/src/qemu
Factor-out code related to adding the --tpmstate option to the swtpm
command line into its own function.
Signed-off-by: Stefan Berger
---
src/qemu/qemu_tpm.c | 33 -
1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qem
My initial goal was to write the second patch, but as usual I just
couldn't stop myself...
Andrea Bolognani (2):
docs: Rework documentation for the NSS module
docs: Document authselect to enable the NSS module
docs/nss.rst | 194 ---
1 file cha
The page contains some confusing information, especially around
limitations that supposedly only affect one of the two variants,
and goes into what is arguably an unnecessary amount of detail
when it comes to its inner workings.
We can make the page a lot shorter and snappier without
affecting its
When using recent Fedora and RHEL versions, the manual setup that
is otherwise necessary to enable the module can be replaced with
executing a single command.
Signed-off-by: Andrea Bolognani
---
docs/nss.rst | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/docs/nss
On 11/13/24 11:35, Andrea Bolognani wrote:
> My initial goal was to write the second patch, but as usual I just
> couldn't stop myself...
>
> Andrea Bolognani (2):
> docs: Rework documentation for the NSS module
> docs: Document authselect to enable the NSS module
>
> docs/nss.rst | 194
On 11/13/24 11:35, Andrea Bolognani wrote:
> The page contains some confusing information, especially around
> limitations that supposedly only affect one of the two variants,
> and goes into what is arguably an unnecessary amount of detail
> when it comes to its inner workings.
>
> We can make th
There is a common misconception when writing AppArmor policy that
[0-9]* applies * to the [0-9] class, but that's not the case. For this
example, [0-9]* matches a single digit followed by any number of
characters except for /
Create a UUID variable that uses the following format 8-4-4-4-12.
Signe
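The globbing point above is easy to get wrong, so here is an added example (not part of the patch or of libvirt) that implements the documented AppArmor glob rules from apparmor.d(5) as a small translator to Python regexes and checks them against sample paths. The `[0-9]*` case shows that the `*` is an independent "any run of non-slash characters" wildcard, not a repetition of the preceding class, and the `UUID_GLOB` constant shows one way to spell an 8-4-4-4-12 pattern with explicit classes; the exact variable definition used by the patch is not shown on this page, so that spelling is an assumption.

```python
import re

# AppArmor path globbing, as documented in apparmor.d(5):
#   *      any number of characters, excluding '/'
#   **     any number of characters, including '/'
#   ?      exactly one character, excluding '/'
#   [abc]  one character from the set; [a-c] is a range, [^a] a negation
#   {a,b}  alternation
#   \x     literal x
# This is a stand-alone illustration, not libvirt's or AppArmor's matcher.


def _split_top_level(s: str) -> list:
    """Split a {...} body on commas that are not inside nested braces."""
    parts, cur, depth = [], [], 0
    for ch in s:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def aa_glob_to_regex(glob: str) -> str:
    """Translate an AppArmor glob into an (unanchored) Python regex."""
    out, i, n = [], 0, len(glob)
    while i < n:
        c = glob[i]
        if c == "\\" and i + 1 < n:            # escaped literal
            out.append(re.escape(glob[i + 1]))
            i += 2
        elif c == "*":
            if i + 1 < n and glob[i + 1] == "*":
                out.append(".*")                # ** crosses directory boundaries
                i += 2
            else:
                out.append("[^/]*")             # * stops at '/'
                i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            j = glob.find("]", i + 1)
            if j < 0:
                raise ValueError("unterminated character class in %r" % glob)
            body = glob[i + 1:j]
            neg = body.startswith("^")
            if neg:
                body = body[1:]
            # keep '-' so ranges survive; escape chars that are special in a class
            body = "".join("\\" + ch if ch in "\\[]" else ch for ch in body)
            out.append("[" + ("^" if neg else "") + body + "]")
            i = j + 1
        elif c == "{":
            depth, j = 0, i
            while j < n:
                if glob[j] == "{":
                    depth += 1
                elif glob[j] == "}":
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            if j >= n:
                raise ValueError("unterminated alternation in %r" % glob)
            alts = _split_top_level(glob[i + 1:j])
            out.append("(?:" + "|".join(aa_glob_to_regex(a) for a in alts) + ")")
            i = j + 1
        else:
            out.append(re.escape(c))
            i += 1
    return "".join(out)


def aa_match(glob: str, path: str) -> bool:
    """True if the whole path is matched by the AppArmor glob."""
    return re.fullmatch(aa_glob_to_regex(glob), path) is not None


# Assumed spelling of an 8-4-4-4-12 UUID variable: every hex digit gets its own
# class, because "[0-9a-f]*" would NOT mean "a run of hex digits".
_HEX = "[0-9a-f]"
UUID_GLOB = "-".join(_HEX * width for width in (8, 4, 4, 4, 12))


if __name__ == "__main__":
    # Constructed sample paths, not taken from a real policy or host.
    print(aa_match("[0-9]*", "1abc"))    # True: one digit, then anything but '/'
    print(aa_match("[0-9]*", "abc"))     # False: must start with a digit
    print(aa_match("[0-9]*", "1/x"))     # False: '*' never crosses '/'
    print(aa_match(UUID_GLOB, "0123abcd-4567-89ef-0123-456789abcdef"))  # True
    print(aa_match("/dev/*", "/dev/net/tun"))   # False
    print(aa_match("/dev/**", "/dev/net/tun"))  # True
```

The translator is deliberately strict about `/`: a rule written with `*` where `**` was meant will silently fail to match paths one level deeper, which is exactly the kind of mistake that shows up as an unexplained AppArmor denial at runtime.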
The rule catches incorrect attempts to use internal references,
but doesn't guide the developer hitting a failure towards the
not exactly obvious acceptable alternatives.
Signed-off-by: Andrea Bolognani
---
build-aux/syntax-check.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --g
On Wed, Nov 13, 2024 at 11:57:10AM +0100, Michal Prívozník wrote:
> On 11/13/24 11:35, Andrea Bolognani wrote:
> > +Note that this feature only works in certain scenarios. See the
> > +`limitations <#limitations>`__ section for more information.
>
> syntax check is not happy with this style of link
On Wed, Nov 13, 2024 at 22:54:39 +0100, Andrea Bolognani wrote:
> The rule catches incorrect attempts to use internal references,
> but doesn't guide the developer hitting a failure towards the
> not exactly obvious acceptable alternatives.
>
> Signed-off-by: Andrea Bolognani
> ---
> build-aux/s