[Bug 1845506] Re: Libvirt snapshot doesn't update apparmor profile

Christian Ehrhardt  Tue, 15 Oct 2019 07:41:50 -0700

All false are reloads to restore former content (that is ok):
src/security/security_apparmor.c:706:    return reload_profile(mgr, def, NULL, 
false);
src/security/security_apparmor.c:750:    return reload_profile(mgr, def, NULL, 
false);
src/security/security_apparmor.c:795:    return reload_profile(mgr, def, NULL, 
false);
src/security/security_apparmor.c:1017:    return reload_profile(mgr, def, NULL, 
false);
src/security/security_apparmor.c:1088:    return reload_profile(mgr, def, NULL, 
false);
src/security/security_apparmor.c:1125:    return reload_profile(mgr, def, NULL, 
false);


All additions of paths are append=true which will cause it to use -F:
src/security/security_apparmor.c:320:    return reload_profile(ptr->mgr, def, 
file, true);
src/security/security_apparmor.c:501:        return reload_profile(mgr, def, 
stdin_path, true);
src/security/security_apparmor.c:733:        return reload_profile(mgr, def, 
mem->nvdimmPath, true);
src/security/security_apparmor.c:776:        return reload_profile(mgr, def, 
input->source.evdev, true);
src/security/security_apparmor.c:1039:        ret = reload_profile(mgr, def, 
dev_source->data.file.path, true);
src/security/security_apparmor.c:1047:            if (reload_profile(mgr, def, 
in, true) < 0)
src/security/security_apparmor.c:1051:            if (reload_profile(mgr, def, 
out, true) < 0)
src/security/security_apparmor.c:1054:        ret = reload_profile(mgr, def, 
dev_source->data.file.path, true);
src/security/security_apparmor.c:1096:    return reload_profile(mgr, def, 
savefile, true);
src/security/security_apparmor.c:1111:        rc = reload_profile(mgr, def, 
full_path, true);
src/security/security_apparmor.c:1114:        rc = reload_profile(mgr, def, 
path, true);
src/security/security_apparmor.c:1152:    return reload_profile(mgr, def, 
fd_path, true);

The only outlier to this rule is:
src/security/security_apparmor.c:466:    if (load_profile(mgr, secdef->label, 
def, NULL, false) < 0) {

Which is what we hit in the call chain of this use-case that fails here.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1845506

Title:
  Libvirt snapshot doesn't update apparmor profile

To manage notifications about this bug go to:
https://bugs.launchpad.net/libvirt/+bug/1845506/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1845506] Re: Libvirt snapshot doesn't update apparmor profile

Reply via email to