What, if anything, can I do to move this topic forward?

Bye,

Erik.

http://efficito.com -- Hosted accounting and ERP.
Robust and Flexible. No vendor lock-in.

On Wed, Jan 14, 2026, 16:37 Michal Privoznik via Devel <
[email protected]> wrote:

> From: Michal Privoznik <[email protected]>
>
> Specifically tailored for AppArmor, so that generating a seclabel
> and producing a profile can be separated.
>
> Signed-off-by: Michal Privoznik <[email protected]>
> ---
>  src/libvirt_private.syms        |  1 +
>  src/security/security_driver.h  |  4 ++++
>  src/security/security_manager.c | 13 +++++++++++++
>  src/security/security_manager.h |  2 ++
>  src/security/security_stack.c   | 15 +++++++++++++++
>  5 files changed, 35 insertions(+)
>
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index 4e57e4a8f6..64152c3bbb 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -1822,6 +1822,7 @@ virSecurityManagerGetModel;
>  virSecurityManagerGetMountOptions;
>  virSecurityManagerGetNested;
>  virSecurityManagerGetProcessLabel;
> +virSecurityManagerLoadProfile;
>  virSecurityManagerMoveImageMetadata;
>  virSecurityManagerNew;
>  virSecurityManagerNewDAC;
> diff --git a/src/security/security_driver.h
> b/src/security/security_driver.h
> index b8c5b416e3..d81662dab4 100644
> --- a/src/security/security_driver.h
> +++ b/src/security/security_driver.h
> @@ -81,6 +81,8 @@ typedef int (*virSecurityDomainReserveLabel)
> (virSecurityManager *mgr,
>                                                pid_t pid);
>  typedef int (*virSecurityDomainReleaseLabel) (virSecurityManager *mgr,
>                                                virDomainDef *sec);
> +typedef int (*virSecurityDomainLoadProfile) (virSecurityManager *mgr,
> +                                             virDomainDef *def);
>  typedef int (*virSecurityDomainSetAllLabel) (virSecurityManager *mgr,
>                                               char *const
> *sharedFilesystems,
>                                               virDomainDef *sec,
> @@ -211,6 +213,8 @@ struct _virSecurityDriver {
>      virSecurityDomainReserveLabel domainReserveSecurityLabel;
>      virSecurityDomainReleaseLabel domainReleaseSecurityLabel;
>
> +    virSecurityDomainLoadProfile domainLoadProfile;
> +
>      virSecurityDomainGetProcessLabel domainGetSecurityProcessLabel;
>      virSecurityDomainSetProcessLabel domainSetSecurityProcessLabel;
>      virSecurityDomainSetChildProcessLabel
> domainSetSecurityChildProcessLabel;
> diff --git a/src/security/security_manager.c
> b/src/security/security_manager.c
> index 5fc4eb4872..87c8b9f3c1 100644
> --- a/src/security/security_manager.c
> +++ b/src/security/security_manager.c
> @@ -726,6 +726,19 @@ virSecurityManagerReleaseLabel(virSecurityManager
> *mgr,
>  }
>
>
> +int
> +virSecurityManagerLoadProfile(virSecurityManager *mgr,
> +                              virDomainDef *def)
> +{
> +    VIR_LOCK_GUARD lock = virObjectLockGuard(mgr);
> +
> +    if (!mgr->drv->domainLoadProfile)
> +        return 0;
> +
> +    return mgr->drv->domainLoadProfile(mgr, def);
> +}
> +
> +
>  static int virSecurityManagerCheckModel(virSecurityManager *mgr,
>                                          char *secmodel)
>  {
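Review bot: virSecurityManagerLoadProfile returns 0 both when the driver's callback succeeded and when `mgr->drv->domainLoadProfile` is NULL, and the new function has no comment saying so, so a caller cannot tell "profile loaded" from "this driver did nothing". That is presumably intended for drivers with no profile concept, but for a confinement step the contract should be written down at the definition, for example `/* Returns 0 on success or when the driver has no domainLoadProfile callback (nothing to load), -1 on error. */`. The same sentence would fit the `virSecurityDomainLoadProfile` typedef in security_driver.h, which is also added without a description of what an implementation must guarantee on return. The lock guard is taken before the NULL check, which is harmless but means the no-op path also locks the manager.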
> diff --git a/src/security/security_manager.h
> b/src/security/security_manager.h
> index 068ca4e290..381b614ec1 100644
> --- a/src/security/security_manager.h
> +++ b/src/security/security_manager.h
> @@ -128,6 +128,8 @@ int virSecurityManagerReserveLabel(virSecurityManager
> *mgr,
>                                     pid_t pid);
>  int virSecurityManagerReleaseLabel(virSecurityManager *mgr,
>                                     virDomainDef *sec);
> +int virSecurityManagerLoadProfile(virSecurityManager *mgr,
> +                                  virDomainDef *def);
>  int virSecurityManagerCheckAllLabel(virSecurityManager *mgr,
>                                      virDomainDef *sec);
>  int virSecurityManagerSetAllLabel(virSecurityManager *mgr,
> diff --git a/src/security/security_stack.c b/src/security/security_stack.c
> index 99a68a6053..96b59d159b 100644
> --- a/src/security/security_stack.c
> +++ b/src/security/security_stack.c
> @@ -280,6 +280,19 @@ virSecurityStackReserveLabel(virSecurityManager *mgr,
>  }
>
>
> +static int
> +virSecurityStackLoadProfile(virSecurityManager *mgr,
> +                            virDomainDef *vm)
> +{
> +    int rc = 0;
> +
> +    if (virSecurityManagerLoadProfile(virSecurityStackGetPrimary(mgr),
> vm) < 0)
> +        rc = -1;
> +
> +    return rc;
> +}
> +
> +
>  static int
>  virSecurityStackSetHostdevLabel(virSecurityManager *mgr,
>                                  virDomainDef *vm,
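Review bot: virSecurityStackLoadProfile forwards only to `virSecurityStackGetPrimary(mgr)`, so any other driver in the stack never has its `domainLoadProfile` called while the function still reports success. If the profile-producing driver can be configured in a non-primary position (not visible in this hunk), its profile would silently not be loaded through this path. Please state the restriction in the code, e.g. `/* Profile loading is delegated to the primary driver only; nested drivers are not consulted. */`. As a style point, the `rc` local adds nothing and the body can be `return virSecurityManagerLoadProfile(virSecurityStackGetPrimary(mgr), vm) < 0 ? -1 : 0;`.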
> @@ -1070,6 +1083,8 @@ virSecurityDriver virSecurityDriverStack = {
>      .domainReserveSecurityLabel         = virSecurityStackReserveLabel,
>      .domainReleaseSecurityLabel         = virSecurityStackReleaseLabel,
>
> +    .domainLoadProfile                  = virSecurityStackLoadProfile,
> +
>      .domainGetSecurityProcessLabel      = virSecurityStackGetProcessLabel,
>      .domainSetSecurityProcessLabel      = virSecurityStackSetProcessLabel,
>      .domainSetSecurityChildProcessLabel =
> virSecurityStackSetChildProcessLabel,
> --
> 2.52.0
>
>
