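/* Returns -1 on error or if the profile for libvirtd is unconfined, 0 if it
 * is in complain mode and 1 if it is enforcing. This is required because at
 * present you cannot aa_change_profile() from a process that is unconfined. */
static int
use_apparmor(void)
{
    int rc = -1;
    char *libvirt_daemon = NULL;

    /* The decision is keyed on our own resolved executable path, so the
     * profile lookup sees the real binary rather than a symlink. */
    if (virFileResolveLink("/proc/self/exe", &libvirt_daemon) < 0) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       "%s", _("could not find libvirtd"));
        return rc;
    }

    /* If libvirt_lxc is calling us, then consider apparmor is used
     * and enforced. Leave through cleanup so the resolved path is freed:
     * returning directly here leaked libvirt_daemon. */
    if (strstr(libvirt_daemon, "libvirt_lxc")) {
        rc = 1;
        goto cleanup;
    }

    /* No readable profiles directory: AppArmor is not usable, rc stays -1. */
    if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
        goto cleanup;

    rc = profile_status(libvirt_daemon, 1);

 cleanup:
    VIR_FREE(libvirt_daemon);
    return rc;
}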
/* NB: It was previously believed that changes in driver name were
 * relayed to libvirt as "change" events by udev, and the udev event
 * notification is setup to recognize such events and effectively
 * recreate the device entry in the cache. However, neither the kernel
 * nor udev sends such an event, so it is necessary to manually update
 * the driver name for a device each time its entry is used, both for
 * udev *and* HAL backends.
 *
 * Refreshes dev->def->driver from <sysfs_path>/driver. Returns 0 when
 * the name was updated or the device has no driver link, -1 on failure. */
static int
update_driver_name(virNodeDeviceObjPtr dev)
{
    int ret = -1;
    char *link_path = NULL;
    char *target = NULL;
    char *last_slash;

    /* Whatever name was cached is discarded and recomputed below. */
    VIR_FREE(dev->def->driver);

    if (virAsprintf(&link_path, "%s/driver", dev->def->sysfs_path) < 0)
        goto cleanup;

    /* Some devices don't have an explicit driver, so just return without a name */
    if (access(link_path, R_OK) < 0) {
        ret = 0;
        goto cleanup;
    }

    if (virFileResolveLink(link_path, &target) < 0) {
        virReportSystemError(errno, _("cannot resolve driver link %s"), link_path);
        goto cleanup;
    }

    /* The driver name is the last path component of the link target; a
     * target with no '/' leaves the driver unset. */
    last_slash = strrchr(target, '/');
    if (last_slash != NULL) {
        if (VIR_STRDUP(dev->def->driver, last_slash + 1) < 0)
            goto cleanup;
    }

    ret = 0;

 cleanup:
    VIR_FREE(link_path);
    VIR_FREE(target);
    return ret;
}
/* This method shouldn't raise errors, since they'll overwrite
 * errors that the caller(s) are already dealing with.
 *
 * Re-applies the policy default SELinux label to the file that `path`
 * ultimately points to. Returns the SELinuxSetFilecon() result, or -1
 * when the path cannot be resolved, stat'ed or its default label found;
 * problems are only logged as warnings. */
static int
SELinuxRestoreSecurityFileLabel(const char *path)
{
    int rc = -1;
    char *target = NULL;
    security_context_t ctx = NULL;
    struct stat st;
    char errbuf[1024];

    VIR_INFO("Restoring SELinux context on '%s'", path);

    /* Follow symlinks: the label belongs on the final target, not the link. */
    if (virFileResolveLink(path, &target) < 0) {
        VIR_WARN("cannot resolve symlink %s: %s", path,
                 virStrerror(errno, errbuf, sizeof(errbuf)));
        goto err;
    }

    if (stat(target, &st) != 0) {
        VIR_WARN("cannot stat %s: %s", target,
                 virStrerror(errno, errbuf, sizeof(errbuf)));
        goto err;
    }

    /* The default label depends on both the path and the file type. */
    if (getContext(target, st.st_mode, &ctx) >= 0)
        rc = SELinuxSetFilecon(target, ctx);
    else
        VIR_WARN("cannot lookup default selinux label for %s", target);

 err:
    freecon(ctx);
    VIR_FREE(target);
    return rc;
}
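/* Fill in def->bridge and def->mac for a bridged Parallels network from the
 * sysfs entries of the interface named by jobj's "Bound To" key.
 * Returns 0 on success, -1 on error (with a libvirt error reported). */
static int
parallelsGetBridgedNetInfo(virNetworkDefPtr def, virJSONValuePtr jobj)
{
    const char *ifname;
    char *bridgeLink = NULL;
    char *bridgePath = NULL;
    char *bridgeAddressPath = NULL;
    char *bridgeAddress = NULL;
    int len = 0;
    int ret = -1;

    if (!(ifname = virJSONValueObjectGetString(jobj, "Bound To"))) {
        parallelsParseError();
        goto cleanup;
    }

    /* <iface>/brport/bridge is a symlink to the bridge device; its last
     * path component is the bridge name. */
    if (virAsprintf(&bridgeLink, SYSFS_NET_DIR "%s/brport/bridge", ifname) < 0)
        goto cleanup;

    if (virFileResolveLink(bridgeLink, &bridgePath) < 0) {
        virReportSystemError(errno, _("cannot read link '%s'"), bridgeLink);
        goto cleanup;
    }

    if (VIR_STRDUP(def->bridge, last_component(bridgePath)) < 0)
        goto cleanup;

    if (virAsprintf(&bridgeAddressPath,
                    SYSFS_NET_DIR "%s/brport/bridge/address", ifname) < 0)
        goto cleanup;

    /* The 18-byte read limit should stay in step with VIR_MAC_STRING_BUFLEN,
     * which is the index used on the buffer below. */
    if ((len = virFileReadAll(bridgeAddressPath, 18, &bridgeAddress)) < 0) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Error reading file '%s'"), bridgeAddressPath);
        goto cleanup;
    }

    /* A short read is a hard error. Previously the error was reported but
     * execution fell through to write bridgeAddress[VIR_MAC_STRING_BUFLEN - 1],
     * an index that may lie beyond the data actually read. */
    if (len < VIR_MAC_STRING_BUFLEN) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Error reading MAC from '%s'"), bridgeAddressPath);
        goto cleanup;
    }

    /* Terminate after the MAC text so the parser does not see the trailing
     * byte (sysfs ends the value with a newline). */
    bridgeAddress[VIR_MAC_STRING_BUFLEN - 1] = '\0';

    if (virMacAddrParse(bridgeAddress, &def->mac) < 0) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Can't parse MAC '%s'"), bridgeAddress);
        goto cleanup;
    }

    def->mac_specified = 1;
    ret = 0;

 cleanup:
    VIR_FREE(bridgeLink);
    VIR_FREE(bridgePath);
    VIR_FREE(bridgeAddress);
    VIR_FREE(bridgeAddressPath);
    return ret;
}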
/* Returns -1 on error or when the libvirtd profile is unconfined, 0 when it
 * is in complain mode and 1 when it is enforcing. This is required because
 * at present you cannot aa_change_profile() from a process that is
 * unconfined. */
static int
use_apparmor(void)
{
    char *self_path = NULL;
    int status = -1;

    /* The profile lookup is keyed on our own resolved executable path. */
    if (virFileResolveLink("/proc/self/exe", &self_path) < 0) {
        virReportError(VIR_ERR_INTERNAL_ERROR,
                       "%s", _("could not find libvirtd"));
        return status;
    }

    /* Only query the profile when the profiles directory is readable;
     * otherwise status stays at -1 (treated as unconfined by callers). */
    if (access(APPARMOR_PROFILES_PATH, R_OK) == 0)
        status = profile_status(self_path, 1);

    VIR_FREE(self_path);
    return status;
}