/* returns -1 on error or profile for libvirtd is unconfined, 0 if complain
* mode and 1 if enforcing. This is required because at present you cannot
* aa_change_profile() from a process that is unconfined.
*/
static int
use_apparmor(void)
{
int rc = -1;
char *libvirt_daemon = NULL;
if (virFileResolveLink("/proc/self/exe", &libvirt_daemon) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("could not find libvirtd"));
return rc;
}
/* If libvirt_lxc is calling us, then consider apparmor is used
* and enforced. */
if (strstr(libvirt_daemon, "libvirt_lxc"))
return 1;
if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
goto cleanup;
rc = profile_status(libvirt_daemon, 1);
cleanup:
VIR_FREE(libvirt_daemon);
return rc;
}
/* NB: It was previously believed that changes in driver name were
* relayed to libvirt as "change" events by udev, and the udev event
* notification is setup to recognize such events and effectively
* recreate the device entry in the cache. However, neither the kernel
* nor udev sends such an event, so it is necessary to manually update
* the driver name for a device each time its entry is used, both for
* udev *and* HAL backends.
*/
static int update_driver_name(virNodeDeviceObjPtr dev)
{
char *driver_link = NULL;
char *devpath = NULL;
char *p;
int ret = -1;
VIR_FREE(dev->def->driver);
if (virAsprintf(&driver_link, "%s/driver", dev->def->sysfs_path) < 0)
goto cleanup;
/* Some devices don't have an explicit driver, so just return
without a name */
if (access(driver_link, R_OK) < 0) {
ret = 0;
goto cleanup;
}
if (virFileResolveLink(driver_link, &devpath) < 0) {
virReportSystemError(errno,
_("cannot resolve driver link %s"), driver_link);
goto cleanup;
}
p = strrchr(devpath, '/');
if (p && VIR_STRDUP(dev->def->driver, p + 1) < 0)
goto cleanup;
ret = 0;
cleanup:
VIR_FREE(driver_link);
VIR_FREE(devpath);
return ret;
}
/* This method shouldn't raise errors, since they'll overwrite
* errors that the caller(s) are already dealing with */
static int
SELinuxRestoreSecurityFileLabel(const char *path)
{
struct stat buf;
security_context_t fcon = NULL;
int rc = -1;
char *newpath = NULL;
char ebuf[1024];
VIR_INFO("Restoring SELinux context on '%s'", path);
if (virFileResolveLink(path, &newpath) < 0) {
VIR_WARN("cannot resolve symlink %s: %s", path,
virStrerror(errno, ebuf, sizeof(ebuf)));
goto err;
}
if (stat(newpath, &buf) != 0) {
VIR_WARN("cannot stat %s: %s", newpath,
virStrerror(errno, ebuf, sizeof(ebuf)));
goto err;
}
if (getContext(newpath, buf.st_mode, &fcon) < 0) {
VIR_WARN("cannot lookup default selinux label for %s", newpath);
} else {
rc = SELinuxSetFilecon(newpath, fcon);
}
err:
freecon(fcon);
VIR_FREE(newpath);
return rc;
}
static int parallelsGetBridgedNetInfo(virNetworkDefPtr def, virJSONValuePtr jobj)
{
const char *ifname;
char *bridgeLink = NULL;
char *bridgePath = NULL;
char *bridgeAddressPath = NULL;
char *bridgeAddress = NULL;
int len = 0;
int ret = -1;
if (!(ifname = virJSONValueObjectGetString(jobj, "Bound To"))) {
parallelsParseError();
goto cleanup;
}
if (virAsprintf(&bridgeLink, SYSFS_NET_DIR "%s/brport/bridge", ifname) < 0)
goto cleanup;
if (virFileResolveLink(bridgeLink, &bridgePath) < 0) {
virReportSystemError(errno, _("cannot read link '%s'"), bridgeLink);
goto cleanup;
}
if (VIR_STRDUP(def->bridge, last_component(bridgePath)) < 0)
goto cleanup;
if (virAsprintf(&bridgeAddressPath, SYSFS_NET_DIR "%s/brport/bridge/address",
ifname) < 0)
goto cleanup;
if ((len = virFileReadAll(bridgeAddressPath, 18, &bridgeAddress)) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Error reading file '%s'"), bridgeAddressPath);
goto cleanup;
}
if (len < VIR_MAC_STRING_BUFLEN) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Error reading MAC from '%s'"), bridgeAddressPath);
}
bridgeAddress[VIR_MAC_STRING_BUFLEN - 1] = '\0';
if (virMacAddrParse(bridgeAddress, &def->mac) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("Can't parse MAC '%s'"), bridgeAddress);
goto cleanup;
}
def->mac_specified = 1;
ret = 0;
cleanup:
VIR_FREE(bridgeLink);
VIR_FREE(bridgePath);
VIR_FREE(bridgeAddress);
VIR_FREE(bridgeAddressPath);
return ret;
}
/* returns -1 on error or profile for libvirtd is unconfined, 0 if complain
* mode and 1 if enforcing. This is required because at present you cannot
* aa_change_profile() from a process that is unconfined.
*/
static int
use_apparmor(void)
{
int rc = -1;
char *libvirt_daemon = NULL;
if (virFileResolveLink("/proc/self/exe", &libvirt_daemon) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("could not find libvirtd"));
return rc;
}
if (access(APPARMOR_PROFILES_PATH, R_OK) != 0)
goto cleanup;
rc = profile_status(libvirt_daemon, 1);
cleanup:
VIR_FREE(libvirt_daemon);
return rc;
}
