November 2011 - Devel - libvirt List Archives

[libvirt] [PATCH libvirt-glib 0/5] Updates to streams APIs
by Daniel P. Berrange 28 Nov '11

28 Nov '11

This patch series expands the streams APIs to allow practical use of non-blocking bi-directional streams. It also formally documents the required coding style conventions for libvirt-glib before we get too much more code that is out of the ordinary.

2 12

[libvirt] [ PATCH v4 0/4] API to invoke S3/S4 on a host and also resume from within libvirt
by Srivatsa S. Bhat 28 Nov '11

28 Nov '11

This patchset adds a new API to put a host to a suspended state (Suspend-to-RAM, Suspend-to-Disk or Hybrid-Suspend) and setup a timed resume to get the host back online, from within libvirt. This uses the RTC wakeup mechanism to set up a timer alarm before suspending the host, so that in-band resume is facilitated by the firing of the RTC alarm, which wakes up the host. The decision to use the RTC Wakeup mechanism to resume the host from sleep was taken in [1]. An initial API was discussed in [2]. Some design ideas for the asynchronous mechanism implementation was discussed in [3]. v4: * Applies on top of the Hybrid-Suspend patch posted in [4]. * Incorporated the review comments in [5]. v3: * Rebased to libvirt 0.9.7 * Added a check to see if alarmTime (suspend duration) is within an acceptable range. v2: * Added an init function which finds out if S3/S4 is supported by the host, upon the first request to suspend/hibernate. * Added synchronization/locking to ensure that only one suspend operation is active at a time. v1: http://www.redhat.com/archives/libvir-list/2011-September/msg00830.html v2: http://comments.gmane.org/gmane.comp.emulators.libvirt/46729 References: [1]. http://www.redhat.com/archives/libvir-list/2011-August/msg00327.html [2]. http://www.redhat.com/archives/libvir-list/2011-August/msg00248.html [3]. http://www.redhat.com/archives/libvir-list/2011-September/msg00438.html [4]. http://www.redhat.com/archives/libvir-list/2011-November/msg01407.html [5]. http://thread.gmane.org/gmane.comp.emulators.libvirt/47950 Srivatsa S. Bhat (4): Add a public API to invoke suspend/resume on the host Add the remote protocol implementation for virNodeSuspendForDuration Implement the core API to suspend/resume the host Add virsh command to initiate suspend on the host include/libvirt/libvirt.h.in | 17 +++ src/driver.h | 6 + src/libvirt.c | 61 ++++++++++ src/libvirt_private.syms | 7 + src/libvirt_public.syms | 5 + src/nodeinfo.c | 245 ++++++++++++++++++++++++++++++++++++++++++ src/nodeinfo.h | 9 ++ src/qemu/qemu_driver.c | 4 + src/remote/remote_driver.c | 1 src/remote/remote_protocol.x | 10 ++ tools/virsh.c | 64 +++++++++++ tools/virsh.pod | 7 + 12 files changed, 434 insertions(+), 2 deletions(-)

3 12

[libvirt] [PATCH] Make virt-xml-validate work with xbox domains
by Lorin Hochstein 28 Nov '11

28 Nov '11

virt-xml-validate fails when run on a domain XML file of type 'vbox'. For failing test case, see https://bugzilla.redhat.com/show_bug.cgi?id=757097 This patch updates the XML schema so it accepts type 'vbox'. --- diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 8968ee6..444592c 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -85,6 +85,7 @@ <value>qemu</value> <value>lxc</value> <value>openvz</value> + <value>vbox</value> <value>test</value> </choice> </attribute>

2 2

[libvirt] [PATCH] virsh: Don't traverse childless nodes in vshNodeIsSuperset
by Michal Privoznik 28 Nov '11

28 Nov '11

If both nodes do not have any children, we pass zero to virBitmapAlloc which returns NULL. In turn we report OOM error and return false (meaning nodes are different). This is not true. --- tools/virsh.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/tools/virsh.c b/tools/virsh.c index 16d815c..6ed249b 100644 --- a/tools/virsh.c +++ b/tools/virsh.c @@ -11556,6 +11556,9 @@ vshNodeIsSuperset(xmlNodePtr n1, xmlNodePtr n2) if (n1_child_size < n2_child_size) return false; + if (n1_child_size == 0 && n2_child_size == 0) + return true; + if (!(bitmap = virBitmapAlloc(n1_child_size))) { virReportOOMError(); return false; -- 1.7.3.4

2 2

[libvirt] [PATCH] virnetsocket: pass XAUTORITY for ssh connection
by Christian Franke 28 Nov '11

28 Nov '11

When spawning an ssh connection, the environment variables DISPLAY, SSH_ASKPASS, ... are passed. However XAUTHORITY, which is neccessary if the .Xauthority is in a non default place, was not passed. Signed-off-by: Christian Franke <nobody(a)nowhere.ws> --- src/rpc/virnetsocket.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c index b733095..2747f66 100644 --- a/src/rpc/virnetsocket.c +++ b/src/rpc/virnetsocket.c @@ -628,6 +628,7 @@ int virNetSocketNewConnectSSH(const char *nodename, virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK"); virCommandAddEnvPass(cmd, "SSH_ASKPASS"); virCommandAddEnvPass(cmd, "DISPLAY"); + virCommandAddEnvPass(cmd, "XAUTHORITY"); virCommandClearCaps(cmd); if (service) -- 1.7.6.1

3 2

[libvirt] [PATCH] Change security driver APIs to use virDomainDefPtr instead of virDomainObjPtr
by Daniel P. Berrange 28 Nov '11

28 Nov '11

From: "Daniel P. Berrange" <berrange(a)redhat.com> When sVirt is integrated with the LXC driver, it will be neccessary to invoke the security driver APIs using only a virDomainDefPtr since the lxc_container.c code has no virDomainObjPtr available. Aside from two functions which want obj->pid, every bit of the security driver code only touches obj->def. So we don't need to pass a virDomainObjPtr into the security drivers, a virDomainDefPtr is sufficient. Two functions also gain a 'pid_t pid' argument. * src/qemu/qemu_driver.c, src/qemu/qemu_hotplug.c, src/qemu/qemu_migration.c, src/qemu/qemu_process.c, src/security/security_apparmor.c, src/security/security_dac.c, src/security/security_driver.h, src/security/security_manager.c, src/security/security_manager.h, src/security/security_nop.c, src/security/security_selinux.c, src/security/security_stack.c: Change all security APIs to use a virDomainDefPtr instead of virDomainObjPtr --- src/qemu/qemu_driver.c | 10 +- src/qemu/qemu_hotplug.c | 28 ++-- src/qemu/qemu_migration.c | 12 +- src/qemu/qemu_process.c | 24 ++-- src/security/security_apparmor.c | 136 ++++++++++---------- src/security/security_dac.c | 91 +++++++------- src/security/security_driver.h | 36 +++--- src/security/security_manager.c | 40 +++--- src/security/security_manager.h | 36 +++--- src/security/security_nop.c | 36 +++--- src/security/security_selinux.c | 258 +++++++++++++++++++------------------- src/security/security_stack.c | 44 ++++--- 12 files changed, 384 insertions(+), 367 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 6cfdd1d..6e001ce 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -3096,7 +3096,7 @@ qemuDomainScreenshot(virDomainPtr dom, } unlink_tmp = true; - virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp); + virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp); qemuDomainObjEnterMonitor(driver, vm); if (qemuMonitorScreendump(priv->mon, tmp) < 0) { @@ -3868,7 +3868,7 @@ static int qemudDomainGetSecurityLabel(virDomainPtr dom, virSecurityLabelPtr sec */ if (virDomainObjIsActive(vm)) { if (virSecurityManagerGetProcessLabel(driver->securityManager, - vm, seclabel) < 0) { + vm->def, vm->pid, seclabel) < 0) { qemuReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Failed to get security label")); goto cleanup; @@ -4167,7 +4167,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, out: virCommandFree(cmd); if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager, - vm, path) < 0) + vm->def, path) < 0) VIR_WARN("failed to restore save state label on %s", path); return ret; @@ -7584,7 +7584,7 @@ qemudDomainMemoryPeek (virDomainPtr dom, goto endjob; } - virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp); + virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp); priv = vm->privateData; qemuDomainObjEnterMonitor(driver, vm); @@ -9064,7 +9064,7 @@ qemuDomainSnapshotCreateSingleDiskActive(struct qemud_driver *driver, if (virDomainLockDiskAttach(driver->lockManager, vm, disk) < 0) goto cleanup; - if (virSecurityManagerSetImageLabel(driver->securityManager, vm, + if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", source); diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 96c0070..684fede 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -88,7 +88,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver, return -1; if (virSecurityManagerSetImageLabel(driver->securityManager, - vm, disk) < 0) { + vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", disk->src); return -1; @@ -120,7 +120,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver, goto error; if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, origdisk) < 0) + vm->def, origdisk) < 0) VIR_WARN("Unable to restore security label on ejected image %s", origdisk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, origdisk) < 0) @@ -141,7 +141,7 @@ error: VIR_FREE(driveAlias); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, disk) < 0) + vm->def, disk) < 0) VIR_WARN("Unable to restore security label on new media %s", disk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) @@ -209,7 +209,7 @@ int qemuDomainAttachPciDiskDevice(virConnectPtr conn, return -1; if (virSecurityManagerSetImageLabel(driver->securityManager, - vm, disk) < 0) { + vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", disk->src); return -1; @@ -283,7 +283,7 @@ error: VIR_WARN("Unable to release PCI address on %s", disk->src); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, disk) < 0) + vm->def, disk) < 0) VIR_WARN("Unable to restore security label on %s", disk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) @@ -439,7 +439,7 @@ int qemuDomainAttachSCSIDisk(virConnectPtr conn, return -1; if (virSecurityManagerSetImageLabel(driver->securityManager, - vm, disk) < 0) { + vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", disk->src); return -1; @@ -530,7 +530,7 @@ error: VIR_FREE(drivestr); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, disk) < 0) + vm->def, disk) < 0) VIR_WARN("Unable to restore security label on %s", disk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) @@ -562,7 +562,7 @@ int qemuDomainAttachUsbMassstorageDevice(virConnectPtr conn, return -1; if (virSecurityManagerSetImageLabel(driver->securityManager, - vm, disk) < 0) { + vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", disk->src); return -1; @@ -623,7 +623,7 @@ error: VIR_FREE(drivestr); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, disk) < 0) + vm->def, disk) < 0) VIR_WARN("Unable to restore security label on %s", disk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) @@ -1112,7 +1112,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver, if (virSecurityManagerSetHostdevLabel(driver->securityManager, - vm, hostdev) < 0) + vm->def, hostdev) < 0) return -1; switch (hostdev->source.subsys.type) { @@ -1139,7 +1139,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver, error: if (virSecurityManagerRestoreHostdevLabel(driver->securityManager, - vm, hostdev) < 0) + vm->def, hostdev) < 0) VIR_WARN("Unable to restore host device labelling on hotplug fail"); return -1; @@ -1572,7 +1572,7 @@ int qemuDomainDetachPciDiskDevice(struct qemud_driver *driver, virDomainDiskDefFree(detach); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, dev->data.disk) < 0) + vm->def, dev->data.disk) < 0) VIR_WARN("Unable to restore security label on %s", dev->data.disk->src); if (cgroup != NULL) { @@ -1654,7 +1654,7 @@ int qemuDomainDetachDiskDevice(struct qemud_driver *driver, virDomainDiskDefFree(detach); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, dev->data.disk) < 0) + vm->def, dev->data.disk) < 0) VIR_WARN("Unable to restore security label on %s", dev->data.disk->src); if (cgroup != NULL) { @@ -2162,7 +2162,7 @@ int qemuDomainDetachHostDevice(struct qemud_driver *driver, } if (virSecurityManagerRestoreHostdevLabel(driver->securityManager, - vm, dev->data.hostdev) < 0) + vm->def, dev->data.hostdev) < 0) VIR_WARN("Failed to restore host device labelling"); return ret; diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 8ae989a..b3ef894 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -1749,13 +1749,13 @@ static int doNativeMigrate(struct qemud_driver *driver, virReportOOMError(); goto cleanup; } - if (virSecurityManagerSetSocketLabel(driver->securityManager, vm) < 0) + if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0) goto cleanup; if (virNetSocketNewConnectTCP(uribits->server, tmp, &sock) == 0) { spec.dest.fd.qemu = virNetSocketDupFD(sock, true); virNetSocketFree(sock); } - if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0 || + if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0 || spec.dest.fd.qemu == -1) goto cleanup; } else { @@ -1822,7 +1822,7 @@ static int doTunnelMigrate(struct qemud_driver *driver, spec.dest.fd.local = fds[0]; } if (spec.dest.fd.qemu == -1 || - virSecurityManagerSetImageFDLabel(driver->securityManager, vm, + virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, spec.dest.fd.qemu) < 0) { virReportSystemError(errno, "%s", _("cannot create pipe for tunnelled migration")); @@ -2842,7 +2842,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm, * doesn't have to open() the file, so while we still have to * grant SELinux access, we can do it on fd and avoid cleanup * later, as well as skip futzing with cgroup. */ - if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm, + if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, compressor ? pipeFD[1] : fd) < 0) goto cleanup; bypassSecurityDriver = true; @@ -2876,7 +2876,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm, } if ((!bypassSecurityDriver) && virSecurityManagerSetSavedStateLabel(driver->securityManager, - vm, path) < 0) + vm->def, path) < 0) goto cleanup; restoreLabel = true; } @@ -2951,7 +2951,7 @@ cleanup: virCommandFree(cmd); if (restoreLabel && (!bypassSecurityDriver) && virSecurityManagerRestoreSavedStateLabel(driver->securityManager, - vm, path) < 0) + vm->def, path) < 0) VIR_WARN("failed to restore save state label on %s", path); if (cgroup != NULL) { diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 2563f97..58ce333 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -839,7 +839,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm) qemuMonitorPtr mon = NULL; if (virSecurityManagerSetDaemonSocketLabel(driver->securityManager, - vm) < 0) { + vm->def) < 0) { VIR_ERROR(_("Failed to set security context for monitor for %s"), vm->def->name); goto error; @@ -872,7 +872,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm) } priv->mon = mon; - if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0) { + if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) { VIR_ERROR(_("Failed to clear security context for monitor for %s"), vm->def->name); goto error; @@ -2163,7 +2163,7 @@ static int qemuProcessHook(void *data) * sockets the lock driver opens that we don't want * labelled. So far we're ok though. */ - if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm) < 0) + if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm->def) < 0) goto cleanup; if (virDomainLockProcessStart(h->driver->lockManager, h->vm, @@ -2171,7 +2171,7 @@ static int qemuProcessHook(void *data) true, &fd) < 0) goto cleanup; - if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm) < 0) + if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm->def) < 0) goto cleanup; if (qemuProcessLimits(h->driver) < 0) @@ -2194,7 +2194,7 @@ static int qemuProcessHook(void *data) return -1; VIR_DEBUG("Setting up security labelling"); - if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm) < 0) + if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm->def) < 0) goto cleanup; ret = 0; @@ -2656,7 +2656,7 @@ qemuProcessReconnect(void *opaque) goto error; } - if (virSecurityManagerReserveLabel(driver->securityManager, obj) < 0) + if (virSecurityManagerReserveLabel(driver->securityManager, obj->def, obj->pid) < 0) goto error; if (qemuProcessNotifyNets(obj->def) < 0) @@ -2894,7 +2894,7 @@ int qemuProcessStart(virConnectPtr conn, /* If you are using a SecurityDriver with dynamic labelling, then generate a security label for isolation */ VIR_DEBUG("Generating domain security label (if required)"); - if (virSecurityManagerGenLabel(driver->securityManager, vm) < 0) { + if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) { virDomainAuditSecurityLabel(vm, false); goto cleanup; } @@ -3128,7 +3128,7 @@ int qemuProcessStart(virConnectPtr conn, VIR_DEBUG("Setting domain security labels"); if (virSecurityManagerSetAllLabel(driver->securityManager, - vm, stdin_path) < 0) + vm->def, stdin_path) < 0) goto cleanup; if (stdin_fd != -1) { @@ -3145,7 +3145,7 @@ int qemuProcessStart(virConnectPtr conn, goto cleanup; } if (S_ISFIFO(stdin_sb.st_mode) && - virSecurityManagerSetImageFDLabel(driver->securityManager, vm, stdin_fd) < 0) + virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, stdin_fd) < 0) goto cleanup; } @@ -3398,8 +3398,8 @@ void qemuProcessStop(struct qemud_driver *driver, /* Reset Security Labels */ virSecurityManagerRestoreAllLabel(driver->securityManager, - vm, migrated); - virSecurityManagerReleaseLabel(driver->securityManager, vm); + vm->def, migrated); + virSecurityManagerReleaseLabel(driver->securityManager, vm->def); /* Clear out dynamically assigned labels */ if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) { @@ -3548,7 +3548,7 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED, if (VIR_ALLOC(seclabel) < 0) goto no_memory; if (virSecurityManagerGetProcessLabel(driver->securityManager, - vm, seclabel) < 0) + vm->def, vm->pid, seclabel) < 0) goto cleanup; if (!(vm->def->seclabel.model = strdup(driver->caps->host.secModel.model))) goto no_memory; diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 299dcc6..4848d85 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -47,7 +47,7 @@ /* Data structure to pass to *FileIterate so we have everything we need */ struct SDPDOP { virSecurityManagerPtr mgr; - virDomainObjPtr vm; + virDomainDefPtr def; }; /* @@ -159,7 +159,7 @@ profile_status_file(const char *str) static int load_profile(virSecurityManagerPtr mgr, const char *profile, - virDomainObjPtr vm, + virDomainDefPtr def, const char *fn, bool append) { @@ -170,7 +170,7 @@ load_profile(virSecurityManagerPtr mgr, const char *probe = virSecurityManagerGetAllowDiskFormatProbing(mgr) ? "1" : "0"; - xml = virDomainDefFormat(vm->def, VIR_DOMAIN_XML_SECURE); + xml = virDomainDefFormat(def, VIR_DOMAIN_XML_SECURE); if (!xml) goto clean; @@ -212,12 +212,12 @@ remove_profile(const char *profile) } static char * -get_profile_name(virDomainObjPtr vm) +get_profile_name(virDomainDefPtr def) { char uuidstr[VIR_UUID_STRING_BUFLEN]; char *name = NULL; - virUUIDFormat(vm->def->uuid, uuidstr); + virUUIDFormat(def->uuid, uuidstr); if (virAsprintf(&name, "%s%s", AA_PREFIX, uuidstr) < 0) { virReportOOMError(); return NULL; @@ -257,23 +257,23 @@ cleanup: */ static int reload_profile(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *fn, bool append) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int rc = -1; char *profile_name = NULL; if (secdef->norelabel) return 0; - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; /* Update the profile only if it is loaded */ if (profile_loaded(secdef->imagelabel) >= 0) { - if (load_profile(mgr, secdef->imagelabel, vm, fn, append) < 0) { + if (load_profile(mgr, secdef->imagelabel, def, fn, append) < 0) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " "\'%s\'"), @@ -294,10 +294,10 @@ AppArmorSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, const char *file, void *opaque) { struct SDPDOP *ptr = opaque; - virDomainObjPtr vm = ptr->vm; + virDomainDefPtr def = ptr->def; - if (reload_profile(ptr->mgr, vm, file, true) < 0) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + if (reload_profile(ptr->mgr, def, file, true) < 0) { + const virSecurityLabelDefPtr secdef = &def->seclabel; virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " "\'%s\'"), @@ -312,10 +312,10 @@ AppArmorSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED, const char *file, void *opaque) { struct SDPDOP *ptr = opaque; - virDomainObjPtr vm = ptr->vm; + virDomainDefPtr def = ptr->def; - if (reload_profile(ptr->mgr, vm, file, true) < 0) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + if (reload_profile(ptr->mgr, def, file, true) < 0) { + const virSecurityLabelDefPtr secdef = &def->seclabel; virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " "\'%s\'"), @@ -390,56 +390,56 @@ AppArmorSecurityManagerGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED) */ static int AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def) { int rc = -1; char *profile_name = NULL; - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) return 0; - if (vm->def->seclabel.baselabel) { + if (def->seclabel.baselabel) { virSecurityReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("Cannot set a base label with AppArmour")); return rc; } - if ((vm->def->seclabel.label) || - (vm->def->seclabel.model) || (vm->def->seclabel.imagelabel)) { + if ((def->seclabel.label) || + (def->seclabel.model) || (def->seclabel.imagelabel)) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security label already defined for VM")); return rc; } - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; - vm->def->seclabel.label = strndup(profile_name, strlen(profile_name)); - if (!vm->def->seclabel.label) { + def->seclabel.label = strndup(profile_name, strlen(profile_name)); + if (!def->seclabel.label) { virReportOOMError(); goto clean; } /* set imagelabel the same as label (but we won't use it) */ - vm->def->seclabel.imagelabel = strndup(profile_name, + def->seclabel.imagelabel = strndup(profile_name, strlen(profile_name)); - if (!vm->def->seclabel.imagelabel) { + if (!def->seclabel.imagelabel) { virReportOOMError(); goto err; } - vm->def->seclabel.model = strdup(SECURITY_APPARMOR_NAME); - if (!vm->def->seclabel.model) { + def->seclabel.model = strdup(SECURITY_APPARMOR_NAME); + if (!def->seclabel.model) { virReportOOMError(); goto err; } /* Now that we have a label, load the profile into the kernel. */ - if (load_profile(mgr, vm->def->seclabel.label, vm, NULL, false) < 0) { + if (load_profile(mgr, def->seclabel.label, def, NULL, false) < 0) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot load AppArmor profile " - "\'%s\'"), vm->def->seclabel.label); + "\'%s\'"), def->seclabel.label); goto err; } @@ -447,9 +447,9 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, goto clean; err: - VIR_FREE(vm->def->seclabel.label); - VIR_FREE(vm->def->seclabel.imagelabel); - VIR_FREE(vm->def->seclabel.model); + VIR_FREE(def->seclabel.label); + VIR_FREE(def->seclabel.imagelabel); + VIR_FREE(def->seclabel.model); clean: VIR_FREE(profile_name); @@ -459,15 +459,15 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, const char *stdin_path) + virDomainDefPtr def, const char *stdin_path) { - if (vm->def->seclabel.norelabel) + if (def->seclabel.norelabel) return 0; /* Reload the profile if stdin_path is specified. Note that GenSecurityLabel() will have already been run. */ if (stdin_path) - return reload_profile(mgr, vm, stdin_path, true); + return reload_profile(mgr, def, stdin_path, true); return 0; } @@ -477,13 +477,14 @@ AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr, */ static int AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, + pid_t pid, virSecurityLabelPtr sec) { int rc = -1; char *profile_name = NULL; - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; if (virStrcpy(sec->label, profile_name, @@ -511,9 +512,9 @@ AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, */ static int AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; VIR_FREE(secdef->model); VIR_FREE(secdef->label); @@ -525,10 +526,10 @@ AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated ATTRIBUTE_UNUSED) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int rc = 0; if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) { @@ -545,13 +546,13 @@ AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, * LOCALSTATEDIR/log/libvirt/qemu/<vm name>.log */ static int -AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) +AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainDefPtr def) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int rc = -1; char *profile_name = NULL; - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; if (STRNEQ(virSecurityManagerGetModel(mgr), secdef->model)) { @@ -579,21 +580,21 @@ AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) static int AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } static int AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } static int AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } @@ -602,18 +603,18 @@ AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, /* Called when hotplugging */ static int AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) { - return reload_profile(mgr, vm, NULL, false); + return reload_profile(mgr, def, NULL, false); } /* Called when hotplugging */ static int AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, virDomainDiskDefPtr disk) + virDomainDefPtr def, virDomainDiskDefPtr disk) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int rc = -1; char *profile_name; @@ -631,12 +632,12 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, return rc; } - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; /* update the profile only if it is loaded */ if (profile_loaded(secdef->imagelabel) >= 0) { - if (load_profile(mgr, secdef->imagelabel, vm, disk->src, + if (load_profile(mgr, secdef->imagelabel, def, disk->src, false) < 0) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " @@ -673,7 +674,8 @@ AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED) { /* NOOP. Nothing to reserve with AppArmor */ return 0; @@ -681,11 +683,11 @@ AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; struct SDPDOP *ptr; int ret = -1; @@ -701,7 +703,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr, if (VIR_ALLOC(ptr) < 0) return -1; ptr->mgr = mgr; - ptr->vm = vm; + ptr->def = def; switch (dev->source.subsys.type) { case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: { @@ -743,44 +745,44 @@ done: static int AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->norelabel) return 0; - return reload_profile(mgr, vm, NULL, false); + return reload_profile(mgr, def, NULL, false); } static int AppArmorSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile) { - return reload_profile(mgr, vm, savefile, true); + return reload_profile(mgr, def, savefile, true); } static int AppArmorRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile ATTRIBUTE_UNUSED) { - return reload_profile(mgr, vm, NULL, false); + return reload_profile(mgr, def, NULL, false); } static int AppArmorSetImageFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int fd) { int rc = -1; char *proc = NULL; char *fd_path = NULL; - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->imagelabel == NULL) return 0; @@ -796,7 +798,7 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr, return rc; } - return reload_profile(mgr, vm, fd_path, true); + return reload_profile(mgr, def, fd_path, true); } virSecurityDriver virAppArmorSecurityDriver = { diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 0e75319..9c0017b 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -171,7 +171,7 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED, static int virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk) { @@ -190,7 +190,7 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr, static int virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk, int migrated) { @@ -235,10 +235,10 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr, static int virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk) { - return virSecurityDACRestoreSecurityImageLabelInt(mgr, vm, disk, 0); + return virSecurityDACRestoreSecurityImageLabelInt(mgr, def, disk, 0); } @@ -268,7 +268,7 @@ virSecurityDACSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, static int virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, virDomainHostdevDefPtr dev) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -338,7 +338,7 @@ virSecurityDACRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, static int virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, virDomainHostdevDefPtr dev) { @@ -489,7 +489,7 @@ virSecurityDACRestoreChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, static int virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -501,34 +501,34 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr, VIR_DEBUG("Restoring security label on %s migrated=%d", - vm->def->name, migrated); + def->name, migrated); - for (i = 0 ; i < vm->def->nhostdevs ; i++) { + for (i = 0 ; i < def->nhostdevs ; i++) { if (virSecurityDACRestoreSecurityHostdevLabel(mgr, - vm, - vm->def->hostdevs[i]) < 0) + def, + def->hostdevs[i]) < 0) rc = -1; } - for (i = 0 ; i < vm->def->ndisks ; i++) { + for (i = 0 ; i < def->ndisks ; i++) { if (virSecurityDACRestoreSecurityImageLabelInt(mgr, - vm, - vm->def->disks[i], + def, + def->disks[i], migrated) < 0) rc = -1; } - if (virDomainChrDefForeach(vm->def, + if (virDomainChrDefForeach(def, false, virSecurityDACRestoreChardevCallback, mgr) < 0) rc = -1; - if (vm->def->os.kernel && - virSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0) + if (def->os.kernel && + virSecurityDACRestoreSecurityFileLabel(def->os.kernel) < 0) rc = -1; - if (vm->def->os.initrd && - virSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0) + if (def->os.initrd && + virSecurityDACRestoreSecurityFileLabel(def->os.initrd) < 0) rc = -1; return rc; @@ -548,7 +548,7 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, static int virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *stdin_path ATTRIBUTE_UNUSED) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -557,36 +557,36 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr, if (!priv->dynamicOwnership) return 0; - for (i = 0 ; i < vm->def->ndisks ; i++) { + for (i = 0 ; i < def->ndisks ; i++) { /* XXX fixme - we need to recursively label the entire tree :-( */ - if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) + if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) continue; if (virSecurityDACSetSecurityImageLabel(mgr, - vm, - vm->def->disks[i]) < 0) + def, + def->disks[i]) < 0) return -1; } - for (i = 0 ; i < vm->def->nhostdevs ; i++) { + for (i = 0 ; i < def->nhostdevs ; i++) { if (virSecurityDACSetSecurityHostdevLabel(mgr, - vm, - vm->def->hostdevs[i]) < 0) + def, + def->hostdevs[i]) < 0) return -1; } - if (virDomainChrDefForeach(vm->def, + if (virDomainChrDefForeach(def, true, virSecurityDACSetChardevCallback, mgr) < 0) return -1; - if (vm->def->os.kernel && - virSecurityDACSetOwnership(vm->def->os.kernel, + if (def->os.kernel && + virSecurityDACSetOwnership(def->os.kernel, priv->user, priv->group) < 0) return -1; - if (vm->def->os.initrd && - virSecurityDACSetOwnership(vm->def->os.initrd, + if (def->os.initrd && + virSecurityDACSetOwnership(def->os.initrd, priv->user, priv->group) < 0) return -1; @@ -597,7 +597,7 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr, static int virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, const char *savefile) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -608,7 +608,7 @@ virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr, static int virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, const char *savefile) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -622,11 +622,11 @@ virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr, static int virSecurityDACSetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); - VIR_DEBUG("Dropping privileges of VM to %u:%u", + VIR_DEBUG("Dropping privileges of DEF to %u:%u", (unsigned int) priv->user, (unsigned int) priv->group); if (virSetUIDGID(priv->user, priv->group) < 0) @@ -645,28 +645,30 @@ virSecurityDACVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDACGenLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDACReleaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDACReserveLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED, virSecurityLabelPtr seclabel ATTRIBUTE_UNUSED) { return 0; @@ -674,7 +676,7 @@ virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } @@ -682,7 +684,7 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } @@ -690,20 +692,19 @@ virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, int fd ATTRIBUTE_UNUSED) { return 0; } - virSecurityDriver virSecurityDriverDAC = { sizeof(virSecurityDACData), "virDAC", diff --git a/src/security/security_driver.h b/src/security/security_driver.h index aea90b0..f0ace1c 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -39,50 +39,52 @@ typedef const char *(*virSecurityDriverGetModel) (virSecurityManagerPtr mgr); typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr); typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk); typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr vm); typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk); typedef int (*virSecurityDomainRestoreHostdevLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev); typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev); typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile); typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile); typedef int (*virSecurityDomainGenLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec); typedef int (*virSecurityDomainReserveLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec, + pid_t pid); typedef int (*virSecurityDomainReleaseLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec); typedef int (*virSecurityDomainSetAllLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr sec, + virDomainDefPtr sec, const char *stdin_path); typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated); typedef int (*virSecurityDomainGetProcessLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, + pid_t pid, virSecurityLabelPtr sec); typedef int (*virSecurityDomainSetProcessLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr, virDomainDefPtr def); typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int fd); struct _virSecurityDriver { diff --git a/src/security/security_manager.c b/src/security/security_manager.c index cae9b83..2e4956a 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -150,7 +150,7 @@ bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr) } int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainDiskDefPtr disk) { if (mgr->drv->domainRestoreSecurityImageLabel) @@ -161,7 +161,7 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainSetSecurityDaemonSocketLabel) return mgr->drv->domainSetSecurityDaemonSocketLabel(mgr, vm); @@ -171,7 +171,7 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainSetSecuritySocketLabel) return mgr->drv->domainSetSecuritySocketLabel(mgr, vm); @@ -181,7 +181,7 @@ int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, } int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainClearSecuritySocketLabel) return mgr->drv->domainClearSecuritySocketLabel(mgr, vm); @@ -191,7 +191,7 @@ int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainDiskDefPtr disk) { if (mgr->drv->domainSetSecurityImageLabel) @@ -202,7 +202,7 @@ int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, } int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainHostdevDefPtr dev) { if (mgr->drv->domainRestoreSecurityHostdevLabel) @@ -213,7 +213,7 @@ int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainHostdevDefPtr dev) { if (mgr->drv->domainSetSecurityHostdevLabel) @@ -224,7 +224,7 @@ int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *savefile) { if (mgr->drv->domainSetSavedStateLabel) @@ -235,7 +235,7 @@ int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr, } int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *savefile) { if (mgr->drv->domainRestoreSavedStateLabel) @@ -246,7 +246,7 @@ int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, } int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainGenSecurityLabel) return mgr->drv->domainGenSecurityLabel(mgr, vm); @@ -256,17 +256,18 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, } int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm, + pid_t pid) { if (mgr->drv->domainReserveSecurityLabel) - return mgr->drv->domainReserveSecurityLabel(mgr, vm); + return mgr->drv->domainReserveSecurityLabel(mgr, vm, pid); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; } int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainReleaseSecurityLabel) return mgr->drv->domainReleaseSecurityLabel(mgr, vm); @@ -276,7 +277,7 @@ int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *stdin_path) { if (mgr->drv->domainSetSecurityAllLabel) @@ -287,7 +288,7 @@ int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, } int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, int migrated) { if (mgr->drv->domainRestoreSecurityAllLabel) @@ -298,18 +299,19 @@ int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, } int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, + pid_t pid, virSecurityLabelPtr sec) { if (mgr->drv->domainGetSecurityProcessLabel) - return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, sec); + return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, pid, sec); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; } int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainSetSecurityProcessLabel) return mgr->drv->domainSetSecurityProcessLabel(mgr, vm); @@ -337,7 +339,7 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr, } int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, int fd) { if (mgr->drv->domainSetSecurityImageFDLabel) diff --git a/src/security/security_manager.h b/src/security/security_manager.h index 12cd498..6731d59 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -51,50 +51,52 @@ const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr); bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr); int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk); int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr vm); int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk); int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev); int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev); int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile); int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile); int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec); int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec, + pid_t pid); int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec); int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr sec, + virDomainDefPtr sec, const char *stdin_path); int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated); int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, + pid_t pid, virSecurityLabelPtr sec); int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); int virSecurityManagerVerify(virSecurityManagerPtr mgr, virDomainDefPtr def); int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int fd); #endif /* VIR_SECURITY_MANAGER_H__ */ diff --git a/src/security/security_nop.c b/src/security/security_nop.c index a68a6c0..c3bd426 100644 --- a/src/security/security_nop.c +++ b/src/security/security_nop.c @@ -47,104 +47,106 @@ static const char * virSecurityDriverGetDOINop(virSecurityManagerPtr mgr ATTRIBU } static int virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainRestoreHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, const char *savefile ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainRestoreSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, const char *savefile ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainGenLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED) + virDomainDefPtr sec ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainReserveLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED) + virDomainDefPtr sec ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainReleaseLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED) + virDomainDefPtr sec ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED, + virDomainDefPtr sec ATTRIBUTE_UNUSED, const char *stdin_path ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainRestoreAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, int migrated ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainGetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED, virSecurityLabelPtr sec ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } @@ -156,7 +158,7 @@ static int virSecurityDomainVerifyNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED } static int virSecurityDomainSetFDLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED, + virDomainDefPtr sec ATTRIBUTE_UNUSED, int fd ATTRIBUTE_UNUSED) { return 0; diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 78c0d45..c3c06a4 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -162,7 +162,7 @@ SELinuxInitialize(void) static int SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def) { int rc = -1; char *mcs = NULL; @@ -171,40 +171,40 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, int c2 = 0; context_t ctx = NULL; - if ((vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) && - !vm->def->seclabel.baselabel && - vm->def->seclabel.model) { + if ((def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) && + !def->seclabel.baselabel && + def->seclabel.model) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security model already defined for VM")); return rc; } - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && - vm->def->seclabel.label) { + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && + def->seclabel.label) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security label already defined for VM")); return rc; } - if (vm->def->seclabel.imagelabel) { + if (def->seclabel.imagelabel) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security image label already defined for VM")); return rc; } - if (vm->def->seclabel.model && - STRNEQ(vm->def->seclabel.model, SECURITY_SELINUX_NAME)) { + if (def->seclabel.model && + STRNEQ(def->seclabel.model, SECURITY_SELINUX_NAME)) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("security label model %s is not supported with selinux"), - vm->def->seclabel.model); + def->seclabel.model); return rc; } - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) { - if (!(ctx = context_new(vm->def->seclabel.label)) ) { + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) { + if (!(ctx = context_new(def->seclabel.label)) ) { virReportSystemError(errno, _("unable to allocate socket security context '%s'"), - vm->def->seclabel.label); + def->seclabel.label); return rc; } @@ -237,25 +237,25 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, } } while (mcsAdd(mcs) == -1); - vm->def->seclabel.label = - SELinuxGenNewContext(vm->def->seclabel.baselabel ? - vm->def->seclabel.baselabel : + def->seclabel.label = + SELinuxGenNewContext(def->seclabel.baselabel ? + def->seclabel.baselabel : default_domain_context, mcs); - if (! vm->def->seclabel.label) { + if (! def->seclabel.label) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot generate selinux context for %s"), mcs); goto cleanup; } } - vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs); - if (!vm->def->seclabel.imagelabel) { + def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs); + if (!def->seclabel.imagelabel) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot generate selinux context for %s"), mcs); goto cleanup; } - if (!vm->def->seclabel.model && - !(vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) { + if (!def->seclabel.model && + !(def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) { virReportOOMError(); goto cleanup; } @@ -264,12 +264,12 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, cleanup: if (rc != 0) { - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) - VIR_FREE(vm->def->seclabel.label); - VIR_FREE(vm->def->seclabel.imagelabel); - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && - !vm->def->seclabel.baselabel) - VIR_FREE(vm->def->seclabel.model); + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) + VIR_FREE(def->seclabel.label); + VIR_FREE(def->seclabel.imagelabel); + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && + !def->seclabel.baselabel) + VIR_FREE(def->seclabel.model); } if (ctx) @@ -278,28 +278,29 @@ cleanup: VIR_FREE(mcs); VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s", - NULLSTR(vm->def->seclabel.model), - NULLSTR(vm->def->seclabel.label), - NULLSTR(vm->def->seclabel.imagelabel), - NULLSTR(vm->def->seclabel.baselabel)); + NULLSTR(def->seclabel.model), + NULLSTR(def->seclabel.label), + NULLSTR(def->seclabel.imagelabel), + NULLSTR(def->seclabel.baselabel)); return rc; } static int SELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def, + pid_t pid) { security_context_t pctx; context_t ctx = NULL; const char *mcs; - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) return 0; - if (getpidcon(vm->pid, &pctx) == -1) { + if (getpidcon(pid, &pctx) == -1) { virReportSystemError(errno, - _("unable to get PID %d security context"), vm->pid); + _("unable to get PID %d security context"), pid); return -1; } @@ -360,15 +361,16 @@ static const char *SELinuxSecurityGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNU static int SELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def ATTRIBUTE_UNUSED, + pid_t pid, virSecurityLabelPtr sec) { security_context_t ctx; - if (getpidcon(vm->pid, &ctx) == -1) { + if (getpidcon(pid, &ctx) == -1) { virReportSystemError(errno, _("unable to get PID %d security context"), - vm->pid); + pid); return -1; } @@ -543,11 +545,11 @@ err: static int SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk, int migrated) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->norelabel) return 0; @@ -588,10 +590,10 @@ SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk) { - return SELinuxRestoreSecurityImageLabelInt(mgr, vm, disk, 0); + return SELinuxRestoreSecurityImageLabelInt(mgr, def, disk, 0); } @@ -626,11 +628,11 @@ SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk, static int SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr); if (secdef->norelabel) @@ -648,8 +650,8 @@ static int SELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED, const char *file, void *opaque) { - virDomainObjPtr vm = opaque; - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + virDomainDefPtr def = opaque; + const virSecurityLabelDefPtr secdef = &def->seclabel; return SELinuxSetFilecon(file, secdef->imagelabel); } @@ -658,19 +660,19 @@ static int SELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, const char *file, void *opaque) { - virDomainObjPtr vm = opaque; - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + virDomainDefPtr def = opaque; + const virSecurityLabelDefPtr secdef = &def->seclabel; return SELinuxSetFilecon(file, secdef->imagelabel); } static int SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int ret = -1; if (secdef->norelabel) @@ -687,7 +689,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, if (!usb) goto done; - ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, vm); + ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, def); usbFreeDevice(usb); break; } @@ -701,7 +703,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, if (!pci) goto done; - ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, vm); + ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, def); pciFreeDevice(pci); break; @@ -735,11 +737,11 @@ SELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, static int SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int ret = -1; if (secdef->norelabel) @@ -788,11 +790,11 @@ done: static int -SELinuxSetSecurityChardevLabel(virDomainObjPtr vm, +SELinuxSetSecurityChardevLabel(virDomainDefPtr def, virDomainChrSourceDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; char *in = NULL, *out = NULL; int ret = -1; @@ -834,11 +836,11 @@ done: } static int -SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm, +SELinuxRestoreSecurityChardevLabel(virDomainDefPtr def, virDomainChrSourceDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; char *in = NULL, *out = NULL; int ret = -1; @@ -882,9 +884,9 @@ done: static int -SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, +SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def, virDomainChrDefPtr dev, - void *opaque) + void *opaque ATTRIBUTE_UNUSED) { virDomainObjPtr vm = opaque; @@ -893,16 +895,15 @@ SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL) return 0; - return SELinuxRestoreSecurityChardevLabel(vm, &dev->source); + return SELinuxRestoreSecurityChardevLabel(def, &dev->source); } static int -SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, +SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def, virDomainSmartcardDefPtr dev, - void *opaque) + void *opaque ATTRIBUTE_UNUSED) { - virDomainObjPtr vm = opaque; const char *database; switch (dev->type) { @@ -916,7 +917,7 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, return SELinuxRestoreSecurityFileLabel(database); case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: - return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru); + return SELinuxRestoreSecurityChardevLabel(def, &dev->data.passthru); default: virSecurityReportError(VIR_ERR_INTERNAL_ERROR, @@ -931,50 +932,50 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, static int SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated ATTRIBUTE_UNUSED) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int i; int rc = 0; - VIR_DEBUG("Restoring security label on %s", vm->def->name); + VIR_DEBUG("Restoring security label on %s", def->name); if (secdef->norelabel) return 0; - for (i = 0 ; i < vm->def->nhostdevs ; i++) { + for (i = 0 ; i < def->nhostdevs ; i++) { if (SELinuxRestoreSecurityHostdevLabel(mgr, - vm, - vm->def->hostdevs[i]) < 0) + def, + def->hostdevs[i]) < 0) rc = -1; } - for (i = 0 ; i < vm->def->ndisks ; i++) { + for (i = 0 ; i < def->ndisks ; i++) { if (SELinuxRestoreSecurityImageLabelInt(mgr, - vm, - vm->def->disks[i], + def, + def->disks[i], migrated) < 0) rc = -1; } - if (virDomainChrDefForeach(vm->def, + if (virDomainChrDefForeach(def, false, SELinuxRestoreSecurityChardevCallback, - vm) < 0) + NULL) < 0) rc = -1; - if (virDomainSmartcardDefForeach(vm->def, + if (virDomainSmartcardDefForeach(def, false, SELinuxRestoreSecuritySmartcardCallback, - vm) < 0) + NULL) < 0) rc = -1; - if (vm->def->os.kernel && - SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0) + if (def->os.kernel && + SELinuxRestoreSecurityFileLabel(def->os.kernel) < 0) rc = -1; - if (vm->def->os.initrd && - SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0) + if (def->os.initrd && + SELinuxRestoreSecurityFileLabel(def->os.initrd) < 0) rc = -1; return rc; @@ -982,9 +983,9 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) { if (secdef->label != NULL) { @@ -1006,10 +1007,10 @@ SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->norelabel) return 0; @@ -1020,10 +1021,10 @@ SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->norelabel) return 0; @@ -1058,12 +1059,12 @@ SELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr def) { /* TODO: verify DOI */ - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; - if (vm->def->seclabel.label == NULL) + if (def->seclabel.label == NULL) return 0; if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { @@ -1089,16 +1090,16 @@ SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr, static int SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr def) { /* TODO: verify DOI */ - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; context_t execcon = NULL; context_t proccon = NULL; security_context_t scon = NULL; int rc = -1; - if (vm->def->seclabel.label == NULL) + if (def->seclabel.label == NULL) return 0; if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { @@ -1139,7 +1140,7 @@ SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr, } VIR_DEBUG("Setting VM %s socket context %s", - vm->def->name, context_str(proccon)); + def->name, context_str(proccon)); if (setsockcreatecon(context_str(proccon)) == -1) { virReportSystemError(errno, _("unable to set socket security context '%s'"), @@ -1160,9 +1161,9 @@ done: static int SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &vm->seclabel; int rc = -1; if (secdef->label == NULL) @@ -1178,7 +1179,7 @@ SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr, } VIR_DEBUG("Setting VM %s socket context %s", - vm->def->name, secdef->label); + vm->name, secdef->label); if (setsockcreatecon(secdef->label) == -1) { virReportSystemError(errno, _("unable to set socket security context '%s'"), @@ -1197,12 +1198,12 @@ done: static int SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr def) { /* TODO: verify DOI */ - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; - if (vm->def->seclabel.label == NULL) + if (def->seclabel.label == NULL) return 0; if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { @@ -1227,10 +1228,11 @@ SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr, static int -SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, +SELinuxSetSecurityChardevCallback(virDomainDefPtr def, virDomainChrDefPtr dev, - void *opaque) + void *opaque ATTRIBUTE_UNUSED) { +<<<<<<< HEAD virDomainObjPtr vm = opaque; /* This is taken care of by processing of def->serials */ @@ -1239,15 +1241,17 @@ SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, return 0; return SELinuxSetSecurityChardevLabel(vm, &dev->source); +======= + return SELinuxSetSecurityChardevLabel(def, &dev->source); +>>>>>>> Change security driver APIs to use virDomainDefPtr instead of virDomainObjPtr } static int -SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, +SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def, virDomainSmartcardDefPtr dev, - void *opaque) + void *opaque ATTRIBUTE_UNUSED) { - virDomainObjPtr vm = opaque; const char *database; switch (dev->type) { @@ -1261,7 +1265,7 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, return SELinuxSetFilecon(database, default_content_context); case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: - return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru); + return SELinuxSetSecurityChardevLabel(def, &dev->data.passthru); default: virSecurityReportError(VIR_ERR_INTERNAL_ERROR, @@ -1276,53 +1280,53 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, static int SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *stdin_path) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int i; if (secdef->norelabel) return 0; - for (i = 0 ; i < vm->def->ndisks ; i++) { + for (i = 0 ; i < def->ndisks ; i++) { /* XXX fixme - we need to recursively label the entire tree :-( */ - if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) { + if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) { VIR_WARN("Unable to relabel directory tree %s for disk %s", - vm->def->disks[i]->src, vm->def->disks[i]->dst); + def->disks[i]->src, def->disks[i]->dst); continue; } if (SELinuxSetSecurityImageLabel(mgr, - vm, vm->def->disks[i]) < 0) + def, def->disks[i]) < 0) return -1; } - /* XXX fixme process vm->def->fss if relabel == true */ + /* XXX fixme process def->fss if relabel == true */ - for (i = 0 ; i < vm->def->nhostdevs ; i++) { + for (i = 0 ; i < def->nhostdevs ; i++) { if (SELinuxSetSecurityHostdevLabel(mgr, - vm, - vm->def->hostdevs[i]) < 0) + def, + def->hostdevs[i]) < 0) return -1; } - if (virDomainChrDefForeach(vm->def, + if (virDomainChrDefForeach(def, true, SELinuxSetSecurityChardevCallback, - vm) < 0) + NULL) < 0) return -1; - if (virDomainSmartcardDefForeach(vm->def, + if (virDomainSmartcardDefForeach(def, true, SELinuxSetSecuritySmartcardCallback, - vm) < 0) + NULL) < 0) return -1; - if (vm->def->os.kernel && - SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0) + if (def->os.kernel && + SELinuxSetFilecon(def->os.kernel, default_content_context) < 0) return -1; - if (vm->def->os.initrd && - SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0) + if (def->os.initrd && + SELinuxSetFilecon(def->os.initrd, default_content_context) < 0) return -1; if (stdin_path) { @@ -1337,10 +1341,10 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr, static int SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, int fd) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->imagelabel == NULL) return 0; diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 3f601c1..c82865f 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -106,7 +106,7 @@ virSecurityStackVerify(virSecurityManagerPtr mgr, static int virSecurityStackGenLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -131,7 +131,7 @@ virSecurityStackGenLabel(virSecurityManagerPtr mgr, static int virSecurityStackReleaseLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -150,16 +150,17 @@ virSecurityStackReleaseLabel(virSecurityManagerPtr mgr, static int virSecurityStackReserveLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm, + pid_t pid) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; - if (virSecurityManagerReserveLabel(priv->primary, vm) < 0) + if (virSecurityManagerReserveLabel(priv->primary, vm, pid) < 0) rc = -1; #if 0 /* XXX See note in GenLabel */ - if (virSecurityManagerReserveLabel(priv->secondary, vm) < 0) + if (virSecurityManagerReserveLabel(priv->secondary, vm, pid) < 0) rc = -1; #endif @@ -169,7 +170,7 @@ virSecurityStackReserveLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainDiskDefPtr disk) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -186,7 +187,7 @@ virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr, static int virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainDiskDefPtr disk) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -203,7 +204,7 @@ virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainHostdevDefPtr dev) { @@ -221,7 +222,7 @@ virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr, static int virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainHostdevDefPtr dev) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -238,7 +239,7 @@ virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *stdin_path) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -255,7 +256,7 @@ virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr, static int virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, int migrated) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -272,7 +273,7 @@ virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *savefile) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -289,7 +290,7 @@ virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr, static int virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *savefile) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -306,7 +307,7 @@ virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -321,17 +322,18 @@ virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr, static int virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, + pid_t pid, virSecurityLabelPtr seclabel) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; #if 0 - if (virSecurityManagerGetProcessLabel(priv->secondary, vm, seclabel) < 0) + if (virSecurityManagerGetProcessLabel(priv->secondary, vm, pid, seclabel) < 0) rc = -1; #endif - if (virSecurityManagerGetProcessLabel(priv->primary, vm, seclabel) < 0) + if (virSecurityManagerGetProcessLabel(priv->primary, vm, pid, seclabel) < 0) rc = -1; return rc; @@ -340,7 +342,7 @@ virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -356,7 +358,7 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -372,7 +374,7 @@ virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr, static int virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -387,7 +389,7 @@ virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, int fd) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); -- 1.7.6.4

2 1

[libvirt] [PATCH] storage: Refetch file status after open
by Michal Privoznik 28 Nov '11

28 Nov '11

This partly reverts my previous patch f88de3eb. We need to get file status after open, as given path could have been symlink, so fstat() will operate on different file than lstat(). --- src/storage/storage_backend.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/src/storage/storage_backend.c b/src/storage/storage_backend.c index d30829d..d7394e0 100644 --- a/src/storage/storage_backend.c +++ b/src/storage/storage_backend.c @@ -1041,6 +1041,14 @@ virStorageBackendVolOpenCheckMode(const char *path, unsigned int flags) return -1; } + if (fstat(fd, &sb) < 0) { + virReportSystemError(errno, + _("cannot stat file '%s'"), + path); + VIR_FORCE_CLOSE(fd); + return -1; + } + if (S_ISREG(sb.st_mode)) mode = VIR_STORAGE_VOL_OPEN_REG; else if (S_ISCHR(sb.st_mode)) -- 1.7.3.4

3 3

[libvirt] [PATCH 0/5 (repost)] Support Blkio tune, CPU tune, NUMA, CPU affinity in LXC
by Daniel P. Berrange 28 Nov '11

28 Nov '11

Re-post of https://www.redhat.com/archives/libvir-list/2011-November/msg00464.html rebased to latest GIT

2 12

[libvirt] VBOX driver : "An error occurred, but the cause is unknown" when trying to start a Virtualbox domain
by Jean-Christophe Guillain 28 Nov '11

28 Nov '11

Hello, I opened a bug (http://bugzilla.redhat.com/show_bug.cgi?id=757138) about this issue, but I was told to mention it to this list too. Here is my problem : when I try to start a virtualbox domain with virsh, an error occurs. (But when the domain is started using Virtualbox GUI it works, and I have no problem to stop it with virsh...) Example : virsh # start freenas1 error: Failed to start domain freenas1 error: An error occurred, but the cause is unknown I use libvirt 0.9.2-7 and virtualbox 4.0.10 on a Debian with 2.6.32-5-amd64 kernel. The XML config file of the domain : <domain type='vbox' id='1'> <name>freenas1</name> <uuid>07aadf11-2090-4690-9518-52766722c544</uuid> <memory>524288</memory> <currentMemory>524288</currentMemory> <vcpu>1</vcpu> <os> <type arch='x86_64'>hvm</type> <boot dev='hd'/> </os> <features> <acpi/> <apic/> </features> <clock offset='localtime'/> <on_poweroff>destroy</on_poweroff> <on_reboot>destroy</on_reboot> <on_crash>destroy</on_crash> <devices> <disk type='file' device='disk'> <source file='/data/Freenas1Disk1.vdi'/> <target dev='hda' bus='ide'/> </disk> <input type='mouse' bus='ps2'/> <graphics type='desktop' display='localhost:10.0'/> <video> <model type='vbox' vram='8192' heads='1'> <acceleration accel3d='no' accel2d='no'/> </model> </video> </devices> </domain> virsh debug output : virsh # start freenas1 15:51:31.043: 5796: debug : virConnectOpenAuth:1328 : name=(null), auth=0x7f19ee32d320, flags=0 15:51:31.043: 5796: debug : do_open:1065 : no name, allowing driver auto-select 15:51:31.043: 5796: debug : do_open:1102 : trying driver 0 (Test) ... 15:51:31.043: 5796: debug : do_open:1108 : driver 0 Test returned DECLINED 15:51:31.043: 5796: debug : do_open:1102 : trying driver 1 (Xen) ... 15:51:31.043: 5796: debug : do_open:1108 : driver 1 Xen returned DECLINED 15:51:31.043: 5796: debug : do_open:1102 : trying driver 2 (OPENVZ) ... 15:51:31.043: 5796: debug : do_open:1108 : driver 2 OPENVZ returned DECLINED 15:51:31.043: 5796: debug : do_open:1102 : trying driver 3 (VMWARE) ... 15:51:31.043: 5796: debug : do_open:1108 : driver 3 VMWARE returned DECLINED 15:51:31.043: 5796: debug : do_open:1102 : trying driver 4 (VBOX) ... 15:51:31.050: 5796: debug : vboxOpen:1035 : in vboxOpen 15:51:31.050: 5796: debug : do_open:1108 : driver 4 VBOX returned SUCCESS 15:51:31.050: 5796: debug : do_open:1130 : network driver 0 Test returned DECLINED 15:51:31.050: 5796: debug : vboxNetworkOpen:6953 : network initialized 15:51:31.050: 5796: debug : do_open:1130 : network driver 1 VBOX returned SUCCESS 15:51:31.050: 5796: debug : do_open:1145 : interface driver 0 Test returned DECLINED 15:51:31.051: 5796: debug : doRemoteOpen:596 : proceeding with name = vbox:///system 15:51:31.051: 5796: debug : remoteIO:5824 : Do proc=66 serial=0 length=28 wait=(nil) 15:51:31.051: 5796: debug : remoteIO:5896 : We have the buck 66 0x7f19e6c37010 0x7f19e6c37010 15:51:31.051: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now need 64 total (60 more) 15:51:31.051: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 66 0x7f19e6c37010 (nil) 15:51:31.051: 5796: debug : remoteIO:5924 : All done with our call 66 (nil) 0x7f19e6c37010 15:51:31.051: 5796: debug : remoteIO:5824 : Do proc=1 serial=1 length=56 wait=(nil) 15:51:31.051: 5796: debug : remoteIO:5896 : We have the buck 1 0x7f19e003fec0 0x7f19e003fec0 15:51:31.052: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now need 176 total (172 more) 15:51:31.052: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 1 0x7f19e003fec0 (nil) 15:51:31.052: 5796: debug : remoteIO:5924 : All done with our call 1 (nil) 0x7f19e003fec0 15:51:31.052: 5796: debug : do_open:1145 : interface driver 1 remote returned ERROR 15:51:31.052: 5796: debug : do_open:1161 : storage driver 0 Test returned DECLINED 15:51:31.052: 5796: debug : vboxStorageOpen:7764 : vbox storage initialized 15:51:31.052: 5796: debug : do_open:1161 : storage driver 1 VBOX returned SUCCESS 15:51:31.052: 5796: debug : do_open:1177 : node driver 0 Test returned DECLINED 15:51:31.053: 5796: debug : doRemoteOpen:596 : proceeding with name = vbox:///system 15:51:31.053: 5796: debug : remoteIO:5824 : Do proc=66 serial=0 length=28 wait=(nil) 15:51:31.053: 5796: debug : remoteIO:5896 : We have the buck 66 0x7f19e0081f90 0x7f19e0081f90 15:51:31.054: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now need 64 total (60 more) 15:51:31.054: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 66 0x7f19e0081f90 (nil) 15:51:31.054: 5796: debug : remoteIO:5924 : All done with our call 66 (nil) 0x7f19e0081f90 15:51:31.054: 5796: debug : remoteIO:5824 : Do proc=1 serial=1 length=56 wait=(nil) 15:51:31.054: 5796: debug : remoteIO:5896 : We have the buck 1 0x7f19e0081f90 0x7f19e0081f90 15:51:31.055: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now need 176 total (172 more) 15:51:31.055: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 1 0x7f19e0081f90 (nil) 15:51:31.055: 5796: debug : remoteIO:5924 : All done with our call 1 (nil) 0x7f19e0081f90 15:51:31.055: 5796: debug : do_open:1177 : node driver 1 remote returned ERROR 15:51:31.055: 5796: debug : do_open:1193 : secret driver 0 Test returned DECLINED 15:51:31.055: 5796: debug : doRemoteOpen:596 : proceeding with name = vbox:///system 15:51:31.055: 5796: debug : remoteIO:5824 : Do proc=66 serial=0 length=28 wait=(nil) 15:51:31.055: 5796: debug : remoteIO:5896 : We have the buck 66 0x7f19e0081f90 0x7f19e0081f90 15:51:31.056: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now need 64 total (60 more) 15:51:31.056: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 66 0x7f19e0081f90 (nil) 15:51:31.056: 5796: debug : remoteIO:5924 : All done with our call 66 (nil) 0x7f19e0081f90 15:51:31.056: 5796: debug : remoteIO:5824 : Do proc=1 serial=1 length=56 wait=(nil) 15:51:31.056: 5796: debug : remoteIO:5896 : We have the buck 1 0x7f19e0081f90 0x7f19e0081f90 15:51:31.057: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now need 176 total (172 more) 15:51:31.057: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 1 0x7f19e0081f90 (nil) 15:51:31.057: 5796: debug : remoteIO:5924 : All done with our call 1 (nil) 0x7f19e0081f90 15:51:31.057: 5796: debug : do_open:1193 : secret driver 1 remote returned ERROR 15:51:31.057: 5796: debug : do_open:1209 : nwfilter driver 0 Test returned DECLINED 15:51:31.057: 5796: debug : doRemoteOpen:596 : proceeding with name = vbox:///system 15:51:31.057: 5796: debug : remoteIO:5824 : Do proc=66 serial=0 length=28 wait=(nil) 15:51:31.057: 5796: debug : remoteIO:5896 : We have the buck 66 0x7f19e0081f90 0x7f19e0081f90 15:51:31.058: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now need 64 total (60 more) 15:51:31.058: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 66 0x7f19e0081f90 (nil) 15:51:31.058: 5796: debug : remoteIO:5924 : All done with our call 66 (nil) 0x7f19e0081f90 15:51:31.058: 5796: debug : remoteIO:5824 : Do proc=1 serial=1 length=56 wait=(nil) 15:51:31.058: 5796: debug : remoteIO:5896 : We have the buck 1 0x7f19e0081f90 0x7f19e0081f90 15:51:31.059: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now need 176 total (172 more) 15:51:31.059: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 1 0x7f19e0081f90 (nil) 15:51:31.059: 5796: debug : remoteIO:5924 : All done with our call 1 (nil) 0x7f19e0081f90 15:51:31.059: 5796: debug : do_open:1209 : nwfilter driver 1 remote returned ERROR 15:51:31.060: 5796: debug : virDomainLookupByName:2030 : conn=0x6f6350, name=freenas1 15:51:31.061: 5796: debug : virDomainGetID:2718 : dom=0x7f19e002db00, (VM: name=freenas1, uuid=07aadf11-2090-4690-9518-52766722c544), 15:51:31.061: 5796: debug : virDomainCreate:6300 : dom=0x7f19e002db00, (VM: name=freenas1, uuid=07aadf11-2090-4690-9518-52766722c544), 15:51:31.566: 5796: debug : virDomainGetName:2623 : domain=0x7f19e002db00 error: Failed to start domain freenas1 15:51:31.566: 5796: debug : virDomainFree:2118 : dom=0x7f19e002db00, (VM: name=freenas1, uuid=07aadf11-2090-4690-9518-52766722c544), 15:51:31.566: 5796: debug : virUnrefDomain:276 : unref domain 0x7f19e002db00 freenas1 1 15:51:31.566: 5796: debug : virReleaseDomain:238 : release domain 0x7f19e002db00 freenas1 07aadf11-2090-4690-9518-52766722c544 15:51:31.566: 5796: debug : virReleaseDomain:246 : unref connection 0x6f6350 2 error: An error occurred, but the cause is unknown ##### I f you have an idea of what the problem is... Thank you, jC

1 0

[libvirt] RE : Re: [PATCH] util: fix thinko in runIO
by Bastien ROUCARIES 28 Nov '11

28 Nov '11

Malloc page than realloc to smaller does not work ? Bastien Le 25 nov. 2011 14:38, "Eric Blake" <eblake(a)redhat.com> a écrit : [adding bug-gnulib; replies can drop libvirt] On 11/25/2011 05:51 AM, Paolo Bonzini wrote: >> Indeed; Linux has posix_memalign, and mingw never runs the io helper >> (although it does compile it, hence the #if). If gnulib would give >> us posix_memalign on mingw, we could nuke this #if altogether. > > That's pretty difficult (unless you also add a posix_memalign_free) > because at the time posix_memalign returns you have lost the base > pointer for free(). Providing a posix_memalign_free defeats the purpose - POSIX requires that plain free() will cover the memory returned by posix_memalign. The list of platforms missing posix_memalign is a bit daunting: MacOS X 10.5, FreeBSD 6.0, NetBSD 3.0, OpenBSD 3.8, Minix 3.1.8, AIX 5.1, HP-UX 11, IRIX 6.5, OSF/1 5.1, Solaris 10, Cygwin 1.5.x, mingw, MSVC 9, Interix 3.5, BeOS. but what would be interesting to know is how many of those platforms return page-aligned pointers for any malloc() request of a page or more of memory. That is, we may be able to coerce malloc into aligned results by over-allocating and over-aligning the user's request, if the system malloc() has at least one mode of returning page-aligned memory. Another alternative is to override free() at the same time as providing posix_memalign(). The gnulib malloca module provides a freea() function that can distinguish whether it is paired with an alloca() (nop) or mmalloca() (call the real free()), by over-allocating and probing for a magic header. Similar concepts could be used in writing an rpl_free() that determines whether it was allocated by posix_memalign(): if we guarantee that posix_memalign always returns something aligned to at least a page, then rpl_free() can make a quick check for whether the pointer passed in is page-aligned; if so, do a hash lookup to see if it was a page reserved by our posix_memalign (if so, we know the real address to free); if not or the hash lookup fails, it came from malloc (in which case, regular free should work). Of course, unlike freea() that probes for a magic header, we can't safely probe a header by crossing page boundaries, since that would fault if we didn't allocate the previous page at the same time. -- Eric Blake eblake(a)redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

2 1