[libvirt] [ PATCH v4 0/4] API to invoke S3/S4 on a host and also resume from within libvirt
by Srivatsa S. Bhat
This patchset adds a new API to put a host to a suspended state
(Suspend-to-RAM, Suspend-to-Disk or Hybrid-Suspend) and setup a timed resume
to get the host back online, from within libvirt.
This uses the RTC wakeup mechanism to set up a timer alarm before suspending
the host, so that in-band resume is facilitated by the firing of the RTC
alarm, which wakes up the host.
The decision to use the RTC Wakeup mechanism to resume the host from
sleep was taken in [1]. An initial API was discussed in [2].
Some design ideas for the asynchronous mechanism implementation was
discussed in [3].
v4:
* Applies on top of the Hybrid-Suspend patch posted in [4].
* Incorporated the review comments in [5].
v3:
* Rebased to libvirt 0.9.7
* Added a check to see if alarmTime (suspend duration) is within an
acceptable range.
v2:
* Added an init function which finds out if S3/S4 is supported by the host,
upon the first request to suspend/hibernate.
* Added synchronization/locking to ensure that only one suspend operation
is active at a time.
v1: http://www.redhat.com/archives/libvir-list/2011-September/msg00830.html
v2: http://comments.gmane.org/gmane.comp.emulators.libvirt/46729
References:
[1]. http://www.redhat.com/archives/libvir-list/2011-August/msg00327.html
[2]. http://www.redhat.com/archives/libvir-list/2011-August/msg00248.html
[3]. http://www.redhat.com/archives/libvir-list/2011-September/msg00438.html
[4]. http://www.redhat.com/archives/libvir-list/2011-November/msg01407.html
[5]. http://thread.gmane.org/gmane.comp.emulators.libvirt/47950
Srivatsa S. Bhat (4):
Add a public API to invoke suspend/resume on the host
Add the remote protocol implementation for virNodeSuspendForDuration
Implement the core API to suspend/resume the host
Add virsh command to initiate suspend on the host
include/libvirt/libvirt.h.in | 17 +++
src/driver.h | 6 +
src/libvirt.c | 61 ++++++++++
src/libvirt_private.syms | 7 +
src/libvirt_public.syms | 5 +
src/nodeinfo.c | 245 ++++++++++++++++++++++++++++++++++++++++++
src/nodeinfo.h | 9 ++
src/qemu/qemu_driver.c | 4 +
src/remote/remote_driver.c | 1
src/remote/remote_protocol.x | 10 ++
tools/virsh.c | 64 +++++++++++
tools/virsh.pod | 7 +
12 files changed, 434 insertions(+), 2 deletions(-)
13 years, 4 months
- 3
- 12
[libvirt] [PATCH] Make virt-xml-validate work with xbox domains
by Lorin Hochstein
virt-xml-validate fails when run on a domain XML file of type 'vbox'.
For failing test case, see https://bugzilla.redhat.com/show_bug.cgi?id=757097
This patch updates the XML schema so it accepts type 'vbox'.
---
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 8968ee6..444592c 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -85,6 +85,7 @@
<value>qemu</value>
<value>lxc</value>
<value>openvz</value>
+ <value>vbox</value>
<value>test</value>
</choice>
</attribute>
13 years, 4 months
- 2
- 2
[libvirt] [PATCH] virsh: Don't traverse childless nodes in vshNodeIsSuperset
by Michal Privoznik
If both nodes do not have any children, we pass zero to
virBitmapAlloc which returns NULL. In turn we report OOM error
and return false (meaning nodes are different). This is not true.
---
tools/virsh.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/tools/virsh.c b/tools/virsh.c
index 16d815c..6ed249b 100644
--- a/tools/virsh.c
+++ b/tools/virsh.c
@@ -11556,6 +11556,9 @@ vshNodeIsSuperset(xmlNodePtr n1, xmlNodePtr n2)
if (n1_child_size < n2_child_size)
return false;
+ if (n1_child_size == 0 && n2_child_size == 0)
+ return true;
+
if (!(bitmap = virBitmapAlloc(n1_child_size))) {
virReportOOMError();
return false;
--
1.7.3.4
13 years, 4 months
- 2
- 2
[libvirt] [PATCH] virnetsocket: pass XAUTORITY for ssh connection
by Christian Franke
When spawning an ssh connection, the environment variables
DISPLAY, SSH_ASKPASS, ... are passed. However XAUTHORITY,
which is neccessary if the .Xauthority is in a non default
place, was not passed.
Signed-off-by: Christian Franke <nobody(a)nowhere.ws>
---
src/rpc/virnetsocket.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index b733095..2747f66 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -628,6 +628,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
virCommandAddEnvPass(cmd, "SSH_AUTH_SOCK");
virCommandAddEnvPass(cmd, "SSH_ASKPASS");
virCommandAddEnvPass(cmd, "DISPLAY");
+ virCommandAddEnvPass(cmd, "XAUTHORITY");
virCommandClearCaps(cmd);
if (service)
--
1.7.6.1
13 years, 4 months
- 3
- 2
[libvirt] [PATCH] Change security driver APIs to use virDomainDefPtr instead of virDomainObjPtr
by Daniel P. Berrange
From: "Daniel P. Berrange" <berrange(a)redhat.com>
When sVirt is integrated with the LXC driver, it will be neccessary
to invoke the security driver APIs using only a virDomainDefPtr
since the lxc_container.c code has no virDomainObjPtr available.
Aside from two functions which want obj->pid, every bit of the
security driver code only touches obj->def. So we don't need to
pass a virDomainObjPtr into the security drivers, a virDomainDefPtr
is sufficient. Two functions also gain a 'pid_t pid' argument.
* src/qemu/qemu_driver.c, src/qemu/qemu_hotplug.c,
src/qemu/qemu_migration.c, src/qemu/qemu_process.c,
src/security/security_apparmor.c,
src/security/security_dac.c,
src/security/security_driver.h,
src/security/security_manager.c,
src/security/security_manager.h,
src/security/security_nop.c,
src/security/security_selinux.c,
src/security/security_stack.c: Change all security APIs to use a
virDomainDefPtr instead of virDomainObjPtr
---
src/qemu/qemu_driver.c | 10 +-
src/qemu/qemu_hotplug.c | 28 ++--
src/qemu/qemu_migration.c | 12 +-
src/qemu/qemu_process.c | 24 ++--
src/security/security_apparmor.c | 136 ++++++++++----------
src/security/security_dac.c | 91 +++++++-------
src/security/security_driver.h | 36 +++---
src/security/security_manager.c | 40 +++---
src/security/security_manager.h | 36 +++---
src/security/security_nop.c | 36 +++---
src/security/security_selinux.c | 258 +++++++++++++++++++-------------------
src/security/security_stack.c | 44 ++++---
12 files changed, 384 insertions(+), 367 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 6cfdd1d..6e001ce 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -3096,7 +3096,7 @@ qemuDomainScreenshot(virDomainPtr dom,
}
unlink_tmp = true;
- virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp);
+ virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp);
qemuDomainObjEnterMonitor(driver, vm);
if (qemuMonitorScreendump(priv->mon, tmp) < 0) {
@@ -3868,7 +3868,7 @@ static int qemudDomainGetSecurityLabel(virDomainPtr dom, virSecurityLabelPtr sec
*/
if (virDomainObjIsActive(vm)) {
if (virSecurityManagerGetProcessLabel(driver->securityManager,
- vm, seclabel) < 0) {
+ vm->def, vm->pid, seclabel) < 0) {
qemuReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("Failed to get security label"));
goto cleanup;
@@ -4167,7 +4167,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
out:
virCommandFree(cmd);
if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager,
- vm, path) < 0)
+ vm->def, path) < 0)
VIR_WARN("failed to restore save state label on %s", path);
return ret;
@@ -7584,7 +7584,7 @@ qemudDomainMemoryPeek (virDomainPtr dom,
goto endjob;
}
- virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp);
+ virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp);
priv = vm->privateData;
qemuDomainObjEnterMonitor(driver, vm);
@@ -9064,7 +9064,7 @@ qemuDomainSnapshotCreateSingleDiskActive(struct qemud_driver *driver,
if (virDomainLockDiskAttach(driver->lockManager, vm, disk) < 0)
goto cleanup;
- if (virSecurityManagerSetImageLabel(driver->securityManager, vm,
+ if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def,
disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", source);
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index 96c0070..684fede 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -88,7 +88,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver,
return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager,
- vm, disk) < 0) {
+ vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src);
return -1;
@@ -120,7 +120,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver,
goto error;
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, origdisk) < 0)
+ vm->def, origdisk) < 0)
VIR_WARN("Unable to restore security label on ejected image %s", origdisk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, origdisk) < 0)
@@ -141,7 +141,7 @@ error:
VIR_FREE(driveAlias);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, disk) < 0)
+ vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on new media %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@@ -209,7 +209,7 @@ int qemuDomainAttachPciDiskDevice(virConnectPtr conn,
return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager,
- vm, disk) < 0) {
+ vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src);
return -1;
@@ -283,7 +283,7 @@ error:
VIR_WARN("Unable to release PCI address on %s", disk->src);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, disk) < 0)
+ vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@@ -439,7 +439,7 @@ int qemuDomainAttachSCSIDisk(virConnectPtr conn,
return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager,
- vm, disk) < 0) {
+ vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src);
return -1;
@@ -530,7 +530,7 @@ error:
VIR_FREE(drivestr);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, disk) < 0)
+ vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@@ -562,7 +562,7 @@ int qemuDomainAttachUsbMassstorageDevice(virConnectPtr conn,
return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager,
- vm, disk) < 0) {
+ vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src);
return -1;
@@ -623,7 +623,7 @@ error:
VIR_FREE(drivestr);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, disk) < 0)
+ vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@@ -1112,7 +1112,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver,
if (virSecurityManagerSetHostdevLabel(driver->securityManager,
- vm, hostdev) < 0)
+ vm->def, hostdev) < 0)
return -1;
switch (hostdev->source.subsys.type) {
@@ -1139,7 +1139,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver,
error:
if (virSecurityManagerRestoreHostdevLabel(driver->securityManager,
- vm, hostdev) < 0)
+ vm->def, hostdev) < 0)
VIR_WARN("Unable to restore host device labelling on hotplug fail");
return -1;
@@ -1572,7 +1572,7 @@ int qemuDomainDetachPciDiskDevice(struct qemud_driver *driver,
virDomainDiskDefFree(detach);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, dev->data.disk) < 0)
+ vm->def, dev->data.disk) < 0)
VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
if (cgroup != NULL) {
@@ -1654,7 +1654,7 @@ int qemuDomainDetachDiskDevice(struct qemud_driver *driver,
virDomainDiskDefFree(detach);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, dev->data.disk) < 0)
+ vm->def, dev->data.disk) < 0)
VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
if (cgroup != NULL) {
@@ -2162,7 +2162,7 @@ int qemuDomainDetachHostDevice(struct qemud_driver *driver,
}
if (virSecurityManagerRestoreHostdevLabel(driver->securityManager,
- vm, dev->data.hostdev) < 0)
+ vm->def, dev->data.hostdev) < 0)
VIR_WARN("Failed to restore host device labelling");
return ret;
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 8ae989a..b3ef894 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1749,13 +1749,13 @@ static int doNativeMigrate(struct qemud_driver *driver,
virReportOOMError();
goto cleanup;
}
- if (virSecurityManagerSetSocketLabel(driver->securityManager, vm) < 0)
+ if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0)
goto cleanup;
if (virNetSocketNewConnectTCP(uribits->server, tmp, &sock) == 0) {
spec.dest.fd.qemu = virNetSocketDupFD(sock, true);
virNetSocketFree(sock);
}
- if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0 ||
+ if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0 ||
spec.dest.fd.qemu == -1)
goto cleanup;
} else {
@@ -1822,7 +1822,7 @@ static int doTunnelMigrate(struct qemud_driver *driver,
spec.dest.fd.local = fds[0];
}
if (spec.dest.fd.qemu == -1 ||
- virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
+ virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
spec.dest.fd.qemu) < 0) {
virReportSystemError(errno, "%s",
_("cannot create pipe for tunnelled migration"));
@@ -2842,7 +2842,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
* doesn't have to open() the file, so while we still have to
* grant SELinux access, we can do it on fd and avoid cleanup
* later, as well as skip futzing with cgroup. */
- if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
+ if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
compressor ? pipeFD[1] : fd) < 0)
goto cleanup;
bypassSecurityDriver = true;
@@ -2876,7 +2876,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
}
if ((!bypassSecurityDriver) &&
virSecurityManagerSetSavedStateLabel(driver->securityManager,
- vm, path) < 0)
+ vm->def, path) < 0)
goto cleanup;
restoreLabel = true;
}
@@ -2951,7 +2951,7 @@ cleanup:
virCommandFree(cmd);
if (restoreLabel && (!bypassSecurityDriver) &&
virSecurityManagerRestoreSavedStateLabel(driver->securityManager,
- vm, path) < 0)
+ vm->def, path) < 0)
VIR_WARN("failed to restore save state label on %s", path);
if (cgroup != NULL) {
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 2563f97..58ce333 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -839,7 +839,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm)
qemuMonitorPtr mon = NULL;
if (virSecurityManagerSetDaemonSocketLabel(driver->securityManager,
- vm) < 0) {
+ vm->def) < 0) {
VIR_ERROR(_("Failed to set security context for monitor for %s"),
vm->def->name);
goto error;
@@ -872,7 +872,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm)
}
priv->mon = mon;
- if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0) {
+ if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) {
VIR_ERROR(_("Failed to clear security context for monitor for %s"),
vm->def->name);
goto error;
@@ -2163,7 +2163,7 @@ static int qemuProcessHook(void *data)
* sockets the lock driver opens that we don't want
* labelled. So far we're ok though.
*/
- if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm) < 0)
+ if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup;
if (virDomainLockProcessStart(h->driver->lockManager,
h->vm,
@@ -2171,7 +2171,7 @@ static int qemuProcessHook(void *data)
true,
&fd) < 0)
goto cleanup;
- if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm) < 0)
+ if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup;
if (qemuProcessLimits(h->driver) < 0)
@@ -2194,7 +2194,7 @@ static int qemuProcessHook(void *data)
return -1;
VIR_DEBUG("Setting up security labelling");
- if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm) < 0)
+ if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup;
ret = 0;
@@ -2656,7 +2656,7 @@ qemuProcessReconnect(void *opaque)
goto error;
}
- if (virSecurityManagerReserveLabel(driver->securityManager, obj) < 0)
+ if (virSecurityManagerReserveLabel(driver->securityManager, obj->def, obj->pid) < 0)
goto error;
if (qemuProcessNotifyNets(obj->def) < 0)
@@ -2894,7 +2894,7 @@ int qemuProcessStart(virConnectPtr conn,
/* If you are using a SecurityDriver with dynamic labelling,
then generate a security label for isolation */
VIR_DEBUG("Generating domain security label (if required)");
- if (virSecurityManagerGenLabel(driver->securityManager, vm) < 0) {
+ if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) {
virDomainAuditSecurityLabel(vm, false);
goto cleanup;
}
@@ -3128,7 +3128,7 @@ int qemuProcessStart(virConnectPtr conn,
VIR_DEBUG("Setting domain security labels");
if (virSecurityManagerSetAllLabel(driver->securityManager,
- vm, stdin_path) < 0)
+ vm->def, stdin_path) < 0)
goto cleanup;
if (stdin_fd != -1) {
@@ -3145,7 +3145,7 @@ int qemuProcessStart(virConnectPtr conn,
goto cleanup;
}
if (S_ISFIFO(stdin_sb.st_mode) &&
- virSecurityManagerSetImageFDLabel(driver->securityManager, vm, stdin_fd) < 0)
+ virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, stdin_fd) < 0)
goto cleanup;
}
@@ -3398,8 +3398,8 @@ void qemuProcessStop(struct qemud_driver *driver,
/* Reset Security Labels */
virSecurityManagerRestoreAllLabel(driver->securityManager,
- vm, migrated);
- virSecurityManagerReleaseLabel(driver->securityManager, vm);
+ vm->def, migrated);
+ virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
/* Clear out dynamically assigned labels */
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
@@ -3548,7 +3548,7 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED,
if (VIR_ALLOC(seclabel) < 0)
goto no_memory;
if (virSecurityManagerGetProcessLabel(driver->securityManager,
- vm, seclabel) < 0)
+ vm->def, vm->pid, seclabel) < 0)
goto cleanup;
if (!(vm->def->seclabel.model = strdup(driver->caps->host.secModel.model)))
goto no_memory;
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 299dcc6..4848d85 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -47,7 +47,7 @@
/* Data structure to pass to *FileIterate so we have everything we need */
struct SDPDOP {
virSecurityManagerPtr mgr;
- virDomainObjPtr vm;
+ virDomainDefPtr def;
};
/*
@@ -159,7 +159,7 @@ profile_status_file(const char *str)
static int
load_profile(virSecurityManagerPtr mgr,
const char *profile,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *fn,
bool append)
{
@@ -170,7 +170,7 @@ load_profile(virSecurityManagerPtr mgr,
const char *probe = virSecurityManagerGetAllowDiskFormatProbing(mgr)
? "1" : "0";
- xml = virDomainDefFormat(vm->def, VIR_DOMAIN_XML_SECURE);
+ xml = virDomainDefFormat(def, VIR_DOMAIN_XML_SECURE);
if (!xml)
goto clean;
@@ -212,12 +212,12 @@ remove_profile(const char *profile)
}
static char *
-get_profile_name(virDomainObjPtr vm)
+get_profile_name(virDomainDefPtr def)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
char *name = NULL;
- virUUIDFormat(vm->def->uuid, uuidstr);
+ virUUIDFormat(def->uuid, uuidstr);
if (virAsprintf(&name, "%s%s", AA_PREFIX, uuidstr) < 0) {
virReportOOMError();
return NULL;
@@ -257,23 +257,23 @@ cleanup:
*/
static int
reload_profile(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *fn,
bool append)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = -1;
char *profile_name = NULL;
if (secdef->norelabel)
return 0;
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
/* Update the profile only if it is loaded */
if (profile_loaded(secdef->imagelabel) >= 0) {
- if (load_profile(mgr, secdef->imagelabel, vm, fn, append) < 0) {
+ if (load_profile(mgr, secdef->imagelabel, def, fn, append) < 0) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile "
"\'%s\'"),
@@ -294,10 +294,10 @@ AppArmorSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
struct SDPDOP *ptr = opaque;
- virDomainObjPtr vm = ptr->vm;
+ virDomainDefPtr def = ptr->def;
- if (reload_profile(ptr->mgr, vm, file, true) < 0) {
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ if (reload_profile(ptr->mgr, def, file, true) < 0) {
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile "
"\'%s\'"),
@@ -312,10 +312,10 @@ AppArmorSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
struct SDPDOP *ptr = opaque;
- virDomainObjPtr vm = ptr->vm;
+ virDomainDefPtr def = ptr->def;
- if (reload_profile(ptr->mgr, vm, file, true) < 0) {
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ if (reload_profile(ptr->mgr, def, file, true) < 0) {
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile "
"\'%s\'"),
@@ -390,56 +390,56 @@ AppArmorSecurityManagerGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
*/
static int
AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
int rc = -1;
char *profile_name = NULL;
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
- if (vm->def->seclabel.baselabel) {
+ if (def->seclabel.baselabel) {
virSecurityReportError(VIR_ERR_CONFIG_UNSUPPORTED,
"%s", _("Cannot set a base label with AppArmour"));
return rc;
}
- if ((vm->def->seclabel.label) ||
- (vm->def->seclabel.model) || (vm->def->seclabel.imagelabel)) {
+ if ((def->seclabel.label) ||
+ (def->seclabel.model) || (def->seclabel.imagelabel)) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s",
_("security label already defined for VM"));
return rc;
}
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
- vm->def->seclabel.label = strndup(profile_name, strlen(profile_name));
- if (!vm->def->seclabel.label) {
+ def->seclabel.label = strndup(profile_name, strlen(profile_name));
+ if (!def->seclabel.label) {
virReportOOMError();
goto clean;
}
/* set imagelabel the same as label (but we won't use it) */
- vm->def->seclabel.imagelabel = strndup(profile_name,
+ def->seclabel.imagelabel = strndup(profile_name,
strlen(profile_name));
- if (!vm->def->seclabel.imagelabel) {
+ if (!def->seclabel.imagelabel) {
virReportOOMError();
goto err;
}
- vm->def->seclabel.model = strdup(SECURITY_APPARMOR_NAME);
- if (!vm->def->seclabel.model) {
+ def->seclabel.model = strdup(SECURITY_APPARMOR_NAME);
+ if (!def->seclabel.model) {
virReportOOMError();
goto err;
}
/* Now that we have a label, load the profile into the kernel. */
- if (load_profile(mgr, vm->def->seclabel.label, vm, NULL, false) < 0) {
+ if (load_profile(mgr, def->seclabel.label, def, NULL, false) < 0) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot load AppArmor profile "
- "\'%s\'"), vm->def->seclabel.label);
+ "\'%s\'"), def->seclabel.label);
goto err;
}
@@ -447,9 +447,9 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
goto clean;
err:
- VIR_FREE(vm->def->seclabel.label);
- VIR_FREE(vm->def->seclabel.imagelabel);
- VIR_FREE(vm->def->seclabel.model);
+ VIR_FREE(def->seclabel.label);
+ VIR_FREE(def->seclabel.imagelabel);
+ VIR_FREE(def->seclabel.model);
clean:
VIR_FREE(profile_name);
@@ -459,15 +459,15 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm, const char *stdin_path)
+ virDomainDefPtr def, const char *stdin_path)
{
- if (vm->def->seclabel.norelabel)
+ if (def->seclabel.norelabel)
return 0;
/* Reload the profile if stdin_path is specified. Note that
GenSecurityLabel() will have already been run. */
if (stdin_path)
- return reload_profile(mgr, vm, stdin_path, true);
+ return reload_profile(mgr, def, stdin_path, true);
return 0;
}
@@ -477,13 +477,14 @@ AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
*/
static int
AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
+ pid_t pid,
virSecurityLabelPtr sec)
{
int rc = -1;
char *profile_name = NULL;
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
if (virStrcpy(sec->label, profile_name,
@@ -511,9 +512,9 @@ AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
*/
static int
AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
VIR_FREE(secdef->model);
VIR_FREE(secdef->label);
@@ -525,10 +526,10 @@ AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated ATTRIBUTE_UNUSED)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
@@ -545,13 +546,13 @@ AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
* LOCALSTATEDIR/log/libvirt/qemu/<vm name>.log
*/
static int
-AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm)
+AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainDefPtr def)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = -1;
char *profile_name = NULL;
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
if (STRNEQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@@ -579,21 +580,21 @@ AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm)
static int
AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
static int
AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
static int
AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
@@ -602,18 +603,18 @@ AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
/* Called when hotplugging */
static int
AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
{
- return reload_profile(mgr, vm, NULL, false);
+ return reload_profile(mgr, def, NULL, false);
}
/* Called when hotplugging */
static int
AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm, virDomainDiskDefPtr disk)
+ virDomainDefPtr def, virDomainDiskDefPtr disk)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = -1;
char *profile_name;
@@ -631,12 +632,12 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
return rc;
}
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
/* update the profile only if it is loaded */
if (profile_loaded(secdef->imagelabel) >= 0) {
- if (load_profile(mgr, secdef->imagelabel, vm, disk->src,
+ if (load_profile(mgr, secdef->imagelabel, def, disk->src,
false) < 0) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile "
@@ -673,7 +674,8 @@ AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED)
{
/* NOOP. Nothing to reserve with AppArmor */
return 0;
@@ -681,11 +683,11 @@ AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
struct SDPDOP *ptr;
int ret = -1;
@@ -701,7 +703,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (VIR_ALLOC(ptr) < 0)
return -1;
ptr->mgr = mgr;
- ptr->vm = vm;
+ ptr->def = def;
switch (dev->source.subsys.type) {
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
@@ -743,44 +745,44 @@ done:
static int
AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel)
return 0;
- return reload_profile(mgr, vm, NULL, false);
+ return reload_profile(mgr, def, NULL, false);
}
static int
AppArmorSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile)
{
- return reload_profile(mgr, vm, savefile, true);
+ return reload_profile(mgr, def, savefile, true);
}
static int
AppArmorRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile ATTRIBUTE_UNUSED)
{
- return reload_profile(mgr, vm, NULL, false);
+ return reload_profile(mgr, def, NULL, false);
}
static int
AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int fd)
{
int rc = -1;
char *proc = NULL;
char *fd_path = NULL;
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->imagelabel == NULL)
return 0;
@@ -796,7 +798,7 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
return rc;
}
- return reload_profile(mgr, vm, fd_path, true);
+ return reload_profile(mgr, def, fd_path, true);
}
virSecurityDriver virAppArmorSecurityDriver = {
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 0e75319..9c0017b 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -171,7 +171,7 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
static int
virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk)
{
@@ -190,7 +190,7 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
static int
virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk,
int migrated)
{
@@ -235,10 +235,10 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
static int
virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
- return virSecurityDACRestoreSecurityImageLabelInt(mgr, vm, disk, 0);
+ return virSecurityDACRestoreSecurityImageLabelInt(mgr, def, disk, 0);
}
@@ -268,7 +268,7 @@ virSecurityDACSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
static int
virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -338,7 +338,7 @@ virSecurityDACRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
static int
virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev)
{
@@ -489,7 +489,7 @@ virSecurityDACRestoreChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
static int
virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -501,34 +501,34 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
VIR_DEBUG("Restoring security label on %s migrated=%d",
- vm->def->name, migrated);
+ def->name, migrated);
- for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+ for (i = 0 ; i < def->nhostdevs ; i++) {
if (virSecurityDACRestoreSecurityHostdevLabel(mgr,
- vm,
- vm->def->hostdevs[i]) < 0)
+ def,
+ def->hostdevs[i]) < 0)
rc = -1;
}
- for (i = 0 ; i < vm->def->ndisks ; i++) {
+ for (i = 0 ; i < def->ndisks ; i++) {
if (virSecurityDACRestoreSecurityImageLabelInt(mgr,
- vm,
- vm->def->disks[i],
+ def,
+ def->disks[i],
migrated) < 0)
rc = -1;
}
- if (virDomainChrDefForeach(vm->def,
+ if (virDomainChrDefForeach(def,
false,
virSecurityDACRestoreChardevCallback,
mgr) < 0)
rc = -1;
- if (vm->def->os.kernel &&
- virSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
+ if (def->os.kernel &&
+ virSecurityDACRestoreSecurityFileLabel(def->os.kernel) < 0)
rc = -1;
- if (vm->def->os.initrd &&
- virSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
+ if (def->os.initrd &&
+ virSecurityDACRestoreSecurityFileLabel(def->os.initrd) < 0)
rc = -1;
return rc;
@@ -548,7 +548,7 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
static int
virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *stdin_path ATTRIBUTE_UNUSED)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -557,36 +557,36 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
if (!priv->dynamicOwnership)
return 0;
- for (i = 0 ; i < vm->def->ndisks ; i++) {
+ for (i = 0 ; i < def->ndisks ; i++) {
/* XXX fixme - we need to recursively label the entire tree :-( */
- if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR)
+ if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR)
continue;
if (virSecurityDACSetSecurityImageLabel(mgr,
- vm,
- vm->def->disks[i]) < 0)
+ def,
+ def->disks[i]) < 0)
return -1;
}
- for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+ for (i = 0 ; i < def->nhostdevs ; i++) {
if (virSecurityDACSetSecurityHostdevLabel(mgr,
- vm,
- vm->def->hostdevs[i]) < 0)
+ def,
+ def->hostdevs[i]) < 0)
return -1;
}
- if (virDomainChrDefForeach(vm->def,
+ if (virDomainChrDefForeach(def,
true,
virSecurityDACSetChardevCallback,
mgr) < 0)
return -1;
- if (vm->def->os.kernel &&
- virSecurityDACSetOwnership(vm->def->os.kernel,
+ if (def->os.kernel &&
+ virSecurityDACSetOwnership(def->os.kernel,
priv->user,
priv->group) < 0)
return -1;
- if (vm->def->os.initrd &&
- virSecurityDACSetOwnership(vm->def->os.initrd,
+ if (def->os.initrd &&
+ virSecurityDACSetOwnership(def->os.initrd,
priv->user,
priv->group) < 0)
return -1;
@@ -597,7 +597,7 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
static int
virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
const char *savefile)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -608,7 +608,7 @@ virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr,
static int
virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
const char *savefile)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -622,11 +622,11 @@ virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr,
static int
virSecurityDACSetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
- VIR_DEBUG("Dropping privileges of VM to %u:%u",
+ VIR_DEBUG("Dropping privileges of DEF to %u:%u",
(unsigned int) priv->user, (unsigned int) priv->group);
if (virSetUIDGID(priv->user, priv->group) < 0)
@@ -645,28 +645,30 @@ virSecurityDACVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
virSecurityDACGenLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACReleaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACReserveLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED,
virSecurityLabelPtr seclabel ATTRIBUTE_UNUSED)
{
return 0;
@@ -674,7 +676,7 @@ virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
@@ -682,7 +684,7 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
@@ -690,20 +692,19 @@ virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
int fd ATTRIBUTE_UNUSED)
{
return 0;
}
-
virSecurityDriver virSecurityDriverDAC = {
sizeof(virSecurityDACData),
"virDAC",
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index aea90b0..f0ace1c 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -39,50 +39,52 @@ typedef const char *(*virSecurityDriverGetModel) (virSecurityManagerPtr mgr);
typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr);
typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr vm);
typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainRestoreHostdevLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev);
typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev);
typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile);
typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile);
typedef int (*virSecurityDomainGenLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec);
typedef int (*virSecurityDomainReserveLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec,
+ pid_t pid);
typedef int (*virSecurityDomainReleaseLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec);
typedef int (*virSecurityDomainSetAllLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr sec,
+ virDomainDefPtr sec,
const char *stdin_path);
typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated);
typedef int (*virSecurityDomainGetProcessLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
+ pid_t pid,
virSecurityLabelPtr sec);
typedef int (*virSecurityDomainSetProcessLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr,
virDomainDefPtr def);
typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int fd);
struct _virSecurityDriver {
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index cae9b83..2e4956a 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -150,7 +150,7 @@ bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr)
}
int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainDiskDefPtr disk)
{
if (mgr->drv->domainRestoreSecurityImageLabel)
@@ -161,7 +161,7 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainSetSecurityDaemonSocketLabel)
return mgr->drv->domainSetSecurityDaemonSocketLabel(mgr, vm);
@@ -171,7 +171,7 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainSetSecuritySocketLabel)
return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
@@ -181,7 +181,7 @@ int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainClearSecuritySocketLabel)
return mgr->drv->domainClearSecuritySocketLabel(mgr, vm);
@@ -191,7 +191,7 @@ int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainDiskDefPtr disk)
{
if (mgr->drv->domainSetSecurityImageLabel)
@@ -202,7 +202,7 @@ int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainHostdevDefPtr dev)
{
if (mgr->drv->domainRestoreSecurityHostdevLabel)
@@ -213,7 +213,7 @@ int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainHostdevDefPtr dev)
{
if (mgr->drv->domainSetSecurityHostdevLabel)
@@ -224,7 +224,7 @@ int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *savefile)
{
if (mgr->drv->domainSetSavedStateLabel)
@@ -235,7 +235,7 @@ int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *savefile)
{
if (mgr->drv->domainRestoreSavedStateLabel)
@@ -246,7 +246,7 @@ int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainGenSecurityLabel)
return mgr->drv->domainGenSecurityLabel(mgr, vm);
@@ -256,17 +256,18 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm,
+ pid_t pid)
{
if (mgr->drv->domainReserveSecurityLabel)
- return mgr->drv->domainReserveSecurityLabel(mgr, vm);
+ return mgr->drv->domainReserveSecurityLabel(mgr, vm, pid);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
}
int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainReleaseSecurityLabel)
return mgr->drv->domainReleaseSecurityLabel(mgr, vm);
@@ -276,7 +277,7 @@ int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *stdin_path)
{
if (mgr->drv->domainSetSecurityAllLabel)
@@ -287,7 +288,7 @@ int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
int migrated)
{
if (mgr->drv->domainRestoreSecurityAllLabel)
@@ -298,18 +299,19 @@ int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
}
int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
+ pid_t pid,
virSecurityLabelPtr sec)
{
if (mgr->drv->domainGetSecurityProcessLabel)
- return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, sec);
+ return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, pid, sec);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
}
int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainSetSecurityProcessLabel)
return mgr->drv->domainSetSecurityProcessLabel(mgr, vm);
@@ -337,7 +339,7 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr,
}
int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
int fd)
{
if (mgr->drv->domainSetSecurityImageFDLabel)
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 12cd498..6731d59 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -51,50 +51,52 @@ const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk);
int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr vm);
int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk);
int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev);
int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev);
int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile);
int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile);
int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec);
int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec,
+ pid_t pid);
int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec);
int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr sec,
+ virDomainDefPtr sec,
const char *stdin_path);
int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated);
int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
+ pid_t pid,
virSecurityLabelPtr sec);
int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
int virSecurityManagerVerify(virSecurityManagerPtr mgr,
virDomainDefPtr def);
int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int fd);
#endif /* VIR_SECURITY_MANAGER_H__ */
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index a68a6c0..c3bd426 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -47,104 +47,106 @@ static const char * virSecurityDriverGetDOINop(virSecurityManagerPtr mgr ATTRIBU
}
static int virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainRestoreHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
const char *savefile ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainRestoreSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
const char *savefile ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainGenLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED)
+ virDomainDefPtr sec ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainReserveLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED)
+ virDomainDefPtr sec ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainReleaseLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED)
+ virDomainDefPtr sec ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED,
+ virDomainDefPtr sec ATTRIBUTE_UNUSED,
const char *stdin_path ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainRestoreAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
int migrated ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainGetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED,
virSecurityLabelPtr sec ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
@@ -156,7 +158,7 @@ static int virSecurityDomainVerifyNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED
}
static int virSecurityDomainSetFDLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED,
+ virDomainDefPtr sec ATTRIBUTE_UNUSED,
int fd ATTRIBUTE_UNUSED)
{
return 0;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 78c0d45..c3c06a4 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -162,7 +162,7 @@ SELinuxInitialize(void)
static int
SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
int rc = -1;
char *mcs = NULL;
@@ -171,40 +171,40 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
int c2 = 0;
context_t ctx = NULL;
- if ((vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
- !vm->def->seclabel.baselabel &&
- vm->def->seclabel.model) {
+ if ((def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
+ !def->seclabel.baselabel &&
+ def->seclabel.model) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security model already defined for VM"));
return rc;
}
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
- vm->def->seclabel.label) {
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+ def->seclabel.label) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security label already defined for VM"));
return rc;
}
- if (vm->def->seclabel.imagelabel) {
+ if (def->seclabel.imagelabel) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security image label already defined for VM"));
return rc;
}
- if (vm->def->seclabel.model &&
- STRNEQ(vm->def->seclabel.model, SECURITY_SELINUX_NAME)) {
+ if (def->seclabel.model &&
+ STRNEQ(def->seclabel.model, SECURITY_SELINUX_NAME)) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("security label model %s is not supported with selinux"),
- vm->def->seclabel.model);
+ def->seclabel.model);
return rc;
}
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) {
- if (!(ctx = context_new(vm->def->seclabel.label)) ) {
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) {
+ if (!(ctx = context_new(def->seclabel.label)) ) {
virReportSystemError(errno,
_("unable to allocate socket security context '%s'"),
- vm->def->seclabel.label);
+ def->seclabel.label);
return rc;
}
@@ -237,25 +237,25 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
}
} while (mcsAdd(mcs) == -1);
- vm->def->seclabel.label =
- SELinuxGenNewContext(vm->def->seclabel.baselabel ?
- vm->def->seclabel.baselabel :
+ def->seclabel.label =
+ SELinuxGenNewContext(def->seclabel.baselabel ?
+ def->seclabel.baselabel :
default_domain_context, mcs);
- if (! vm->def->seclabel.label) {
+ if (! def->seclabel.label) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate selinux context for %s"), mcs);
goto cleanup;
}
}
- vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
- if (!vm->def->seclabel.imagelabel) {
+ def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
+ if (!def->seclabel.imagelabel) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate selinux context for %s"), mcs);
goto cleanup;
}
- if (!vm->def->seclabel.model &&
- !(vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
+ if (!def->seclabel.model &&
+ !(def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
virReportOOMError();
goto cleanup;
}
@@ -264,12 +264,12 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
cleanup:
if (rc != 0) {
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
- VIR_FREE(vm->def->seclabel.label);
- VIR_FREE(vm->def->seclabel.imagelabel);
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
- !vm->def->seclabel.baselabel)
- VIR_FREE(vm->def->seclabel.model);
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
+ VIR_FREE(def->seclabel.label);
+ VIR_FREE(def->seclabel.imagelabel);
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+ !def->seclabel.baselabel)
+ VIR_FREE(def->seclabel.model);
}
if (ctx)
@@ -278,28 +278,29 @@ cleanup:
VIR_FREE(mcs);
VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
- NULLSTR(vm->def->seclabel.model),
- NULLSTR(vm->def->seclabel.label),
- NULLSTR(vm->def->seclabel.imagelabel),
- NULLSTR(vm->def->seclabel.baselabel));
+ NULLSTR(def->seclabel.model),
+ NULLSTR(def->seclabel.label),
+ NULLSTR(def->seclabel.imagelabel),
+ NULLSTR(def->seclabel.baselabel));
return rc;
}
static int
SELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def,
+ pid_t pid)
{
security_context_t pctx;
context_t ctx = NULL;
const char *mcs;
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
- if (getpidcon(vm->pid, &pctx) == -1) {
+ if (getpidcon(pid, &pctx) == -1) {
virReportSystemError(errno,
- _("unable to get PID %d security context"), vm->pid);
+ _("unable to get PID %d security context"), pid);
return -1;
}
@@ -360,15 +361,16 @@ static const char *SELinuxSecurityGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNU
static int
SELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ pid_t pid,
virSecurityLabelPtr sec)
{
security_context_t ctx;
- if (getpidcon(vm->pid, &ctx) == -1) {
+ if (getpidcon(pid, &ctx) == -1) {
virReportSystemError(errno,
_("unable to get PID %d security context"),
- vm->pid);
+ pid);
return -1;
}
@@ -543,11 +545,11 @@ err:
static int
SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk,
int migrated)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel)
return 0;
@@ -588,10 +590,10 @@ SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
SELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
- return SELinuxRestoreSecurityImageLabelInt(mgr, vm, disk, 0);
+ return SELinuxRestoreSecurityImageLabelInt(mgr, def, disk, 0);
}
@@ -626,11 +628,11 @@ SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
static int
SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr);
if (secdef->norelabel)
@@ -648,8 +650,8 @@ static int
SELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
- virDomainObjPtr vm = opaque;
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ virDomainDefPtr def = opaque;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
return SELinuxSetFilecon(file, secdef->imagelabel);
}
@@ -658,19 +660,19 @@ static int
SELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
- virDomainObjPtr vm = opaque;
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ virDomainDefPtr def = opaque;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
return SELinuxSetFilecon(file, secdef->imagelabel);
}
static int
SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int ret = -1;
if (secdef->norelabel)
@@ -687,7 +689,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
if (!usb)
goto done;
- ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, vm);
+ ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, def);
usbFreeDevice(usb);
break;
}
@@ -701,7 +703,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
if (!pci)
goto done;
- ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, vm);
+ ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, def);
pciFreeDevice(pci);
break;
@@ -735,11 +737,11 @@ SELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
static int
SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int ret = -1;
if (secdef->norelabel)
@@ -788,11 +790,11 @@ done:
static int
-SELinuxSetSecurityChardevLabel(virDomainObjPtr vm,
+SELinuxSetSecurityChardevLabel(virDomainDefPtr def,
virDomainChrSourceDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
char *in = NULL, *out = NULL;
int ret = -1;
@@ -834,11 +836,11 @@ done:
}
static int
-SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm,
+SELinuxRestoreSecurityChardevLabel(virDomainDefPtr def,
virDomainChrSourceDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
char *in = NULL, *out = NULL;
int ret = -1;
@@ -882,9 +884,9 @@ done:
static int
-SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def,
virDomainChrDefPtr dev,
- void *opaque)
+ void *opaque ATTRIBUTE_UNUSED)
{
virDomainObjPtr vm = opaque;
@@ -893,16 +895,15 @@ SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
return 0;
- return SELinuxRestoreSecurityChardevLabel(vm, &dev->source);
+ return SELinuxRestoreSecurityChardevLabel(def, &dev->source);
}
static int
-SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
virDomainSmartcardDefPtr dev,
- void *opaque)
+ void *opaque ATTRIBUTE_UNUSED)
{
- virDomainObjPtr vm = opaque;
const char *database;
switch (dev->type) {
@@ -916,7 +917,7 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
return SELinuxRestoreSecurityFileLabel(database);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
- return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru);
+ return SELinuxRestoreSecurityChardevLabel(def, &dev->data.passthru);
default:
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
@@ -931,50 +932,50 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
static int
SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated ATTRIBUTE_UNUSED)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int i;
int rc = 0;
- VIR_DEBUG("Restoring security label on %s", vm->def->name);
+ VIR_DEBUG("Restoring security label on %s", def->name);
if (secdef->norelabel)
return 0;
- for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+ for (i = 0 ; i < def->nhostdevs ; i++) {
if (SELinuxRestoreSecurityHostdevLabel(mgr,
- vm,
- vm->def->hostdevs[i]) < 0)
+ def,
+ def->hostdevs[i]) < 0)
rc = -1;
}
- for (i = 0 ; i < vm->def->ndisks ; i++) {
+ for (i = 0 ; i < def->ndisks ; i++) {
if (SELinuxRestoreSecurityImageLabelInt(mgr,
- vm,
- vm->def->disks[i],
+ def,
+ def->disks[i],
migrated) < 0)
rc = -1;
}
- if (virDomainChrDefForeach(vm->def,
+ if (virDomainChrDefForeach(def,
false,
SELinuxRestoreSecurityChardevCallback,
- vm) < 0)
+ NULL) < 0)
rc = -1;
- if (virDomainSmartcardDefForeach(vm->def,
+ if (virDomainSmartcardDefForeach(def,
false,
SELinuxRestoreSecuritySmartcardCallback,
- vm) < 0)
+ NULL) < 0)
rc = -1;
- if (vm->def->os.kernel &&
- SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
+ if (def->os.kernel &&
+ SELinuxRestoreSecurityFileLabel(def->os.kernel) < 0)
rc = -1;
- if (vm->def->os.initrd &&
- SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
+ if (def->os.initrd &&
+ SELinuxRestoreSecurityFileLabel(def->os.initrd) < 0)
rc = -1;
return rc;
@@ -982,9 +983,9 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
if (secdef->label != NULL) {
@@ -1006,10 +1007,10 @@ SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel)
return 0;
@@ -1020,10 +1021,10 @@ SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel)
return 0;
@@ -1058,12 +1059,12 @@ SELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int
SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
/* TODO: verify DOI */
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
- if (vm->def->seclabel.label == NULL)
+ if (def->seclabel.label == NULL)
return 0;
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@@ -1089,16 +1090,16 @@ SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
static int
SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
/* TODO: verify DOI */
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
context_t execcon = NULL;
context_t proccon = NULL;
security_context_t scon = NULL;
int rc = -1;
- if (vm->def->seclabel.label == NULL)
+ if (def->seclabel.label == NULL)
return 0;
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@@ -1139,7 +1140,7 @@ SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
}
VIR_DEBUG("Setting VM %s socket context %s",
- vm->def->name, context_str(proccon));
+ def->name, context_str(proccon));
if (setsockcreatecon(context_str(proccon)) == -1) {
virReportSystemError(errno,
_("unable to set socket security context '%s'"),
@@ -1160,9 +1161,9 @@ done:
static int
SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &vm->seclabel;
int rc = -1;
if (secdef->label == NULL)
@@ -1178,7 +1179,7 @@ SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
}
VIR_DEBUG("Setting VM %s socket context %s",
- vm->def->name, secdef->label);
+ vm->name, secdef->label);
if (setsockcreatecon(secdef->label) == -1) {
virReportSystemError(errno,
_("unable to set socket security context '%s'"),
@@ -1197,12 +1198,12 @@ done:
static int
SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
/* TODO: verify DOI */
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
- if (vm->def->seclabel.label == NULL)
+ if (def->seclabel.label == NULL)
return 0;
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@@ -1227,10 +1228,11 @@ SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
static int
-SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxSetSecurityChardevCallback(virDomainDefPtr def,
virDomainChrDefPtr dev,
- void *opaque)
+ void *opaque ATTRIBUTE_UNUSED)
{
+<<<<<<< HEAD
virDomainObjPtr vm = opaque;
/* This is taken care of by processing of def->serials */
@@ -1239,15 +1241,17 @@ SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
return 0;
return SELinuxSetSecurityChardevLabel(vm, &dev->source);
+=======
+ return SELinuxSetSecurityChardevLabel(def, &dev->source);
+>>>>>>> Change security driver APIs to use virDomainDefPtr instead of virDomainObjPtr
}
static int
-SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
virDomainSmartcardDefPtr dev,
- void *opaque)
+ void *opaque ATTRIBUTE_UNUSED)
{
- virDomainObjPtr vm = opaque;
const char *database;
switch (dev->type) {
@@ -1261,7 +1265,7 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
return SELinuxSetFilecon(database, default_content_context);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
- return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru);
+ return SELinuxSetSecurityChardevLabel(def, &dev->data.passthru);
default:
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1276,53 +1280,53 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
static int
SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *stdin_path)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int i;
if (secdef->norelabel)
return 0;
- for (i = 0 ; i < vm->def->ndisks ; i++) {
+ for (i = 0 ; i < def->ndisks ; i++) {
/* XXX fixme - we need to recursively label the entire tree :-( */
- if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
+ if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
VIR_WARN("Unable to relabel directory tree %s for disk %s",
- vm->def->disks[i]->src, vm->def->disks[i]->dst);
+ def->disks[i]->src, def->disks[i]->dst);
continue;
}
if (SELinuxSetSecurityImageLabel(mgr,
- vm, vm->def->disks[i]) < 0)
+ def, def->disks[i]) < 0)
return -1;
}
- /* XXX fixme process vm->def->fss if relabel == true */
+ /* XXX fixme process def->fss if relabel == true */
- for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+ for (i = 0 ; i < def->nhostdevs ; i++) {
if (SELinuxSetSecurityHostdevLabel(mgr,
- vm,
- vm->def->hostdevs[i]) < 0)
+ def,
+ def->hostdevs[i]) < 0)
return -1;
}
- if (virDomainChrDefForeach(vm->def,
+ if (virDomainChrDefForeach(def,
true,
SELinuxSetSecurityChardevCallback,
- vm) < 0)
+ NULL) < 0)
return -1;
- if (virDomainSmartcardDefForeach(vm->def,
+ if (virDomainSmartcardDefForeach(def,
true,
SELinuxSetSecuritySmartcardCallback,
- vm) < 0)
+ NULL) < 0)
return -1;
- if (vm->def->os.kernel &&
- SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
+ if (def->os.kernel &&
+ SELinuxSetFilecon(def->os.kernel, default_content_context) < 0)
return -1;
- if (vm->def->os.initrd &&
- SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
+ if (def->os.initrd &&
+ SELinuxSetFilecon(def->os.initrd, default_content_context) < 0)
return -1;
if (stdin_path) {
@@ -1337,10 +1341,10 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
static int
SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int fd)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->imagelabel == NULL)
return 0;
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 3f601c1..c82865f 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -106,7 +106,7 @@ virSecurityStackVerify(virSecurityManagerPtr mgr,
static int
virSecurityStackGenLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
@@ -131,7 +131,7 @@ virSecurityStackGenLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackReleaseLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
@@ -150,16 +150,17 @@ virSecurityStackReleaseLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackReserveLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm,
+ pid_t pid)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
- if (virSecurityManagerReserveLabel(priv->primary, vm) < 0)
+ if (virSecurityManagerReserveLabel(priv->primary, vm, pid) < 0)
rc = -1;
#if 0
/* XXX See note in GenLabel */
- if (virSecurityManagerReserveLabel(priv->secondary, vm) < 0)
+ if (virSecurityManagerReserveLabel(priv->secondary, vm, pid) < 0)
rc = -1;
#endif
@@ -169,7 +170,7 @@ virSecurityStackReserveLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainDiskDefPtr disk)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -186,7 +187,7 @@ virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainDiskDefPtr disk)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -203,7 +204,7 @@ virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainHostdevDefPtr dev)
{
@@ -221,7 +222,7 @@ virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainHostdevDefPtr dev)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -238,7 +239,7 @@ virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *stdin_path)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -255,7 +256,7 @@ virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
int migrated)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -272,7 +273,7 @@ virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *savefile)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -289,7 +290,7 @@ virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *savefile)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -306,7 +307,7 @@ virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
@@ -321,17 +322,18 @@ virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
+ pid_t pid,
virSecurityLabelPtr seclabel)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
#if 0
- if (virSecurityManagerGetProcessLabel(priv->secondary, vm, seclabel) < 0)
+ if (virSecurityManagerGetProcessLabel(priv->secondary, vm, pid, seclabel) < 0)
rc = -1;
#endif
- if (virSecurityManagerGetProcessLabel(priv->primary, vm, seclabel) < 0)
+ if (virSecurityManagerGetProcessLabel(priv->primary, vm, pid, seclabel) < 0)
rc = -1;
return rc;
@@ -340,7 +342,7 @@ virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
@@ -356,7 +358,7 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
@@ -372,7 +374,7 @@ virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
@@ -387,7 +389,7 @@ virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
static int
virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
int fd)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
--
1.7.6.4
13 years, 4 months
- 2
- 1
[libvirt] [PATCH] storage: Refetch file status after open
by Michal Privoznik
This partly reverts my previous patch f88de3eb. We need to
get file status after open, as given path could have been symlink,
so fstat() will operate on different file than lstat().
---
src/storage/storage_backend.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/src/storage/storage_backend.c b/src/storage/storage_backend.c
index d30829d..d7394e0 100644
--- a/src/storage/storage_backend.c
+++ b/src/storage/storage_backend.c
@@ -1041,6 +1041,14 @@ virStorageBackendVolOpenCheckMode(const char *path, unsigned int flags)
return -1;
}
+ if (fstat(fd, &sb) < 0) {
+ virReportSystemError(errno,
+ _("cannot stat file '%s'"),
+ path);
+ VIR_FORCE_CLOSE(fd);
+ return -1;
+ }
+
if (S_ISREG(sb.st_mode))
mode = VIR_STORAGE_VOL_OPEN_REG;
else if (S_ISCHR(sb.st_mode))
--
1.7.3.4
13 years, 4 months
- 3
- 3
[libvirt] [PATCH 0/5 (repost)] Support Blkio tune, CPU tune, NUMA, CPU affinity in LXC
by Daniel P. Berrange
Re-post of
https://www.redhat.com/archives/libvir-list/2011-November/msg00464.html
rebased to latest GIT
13 years, 4 months
- 2
- 12
[libvirt] VBOX driver : "An error occurred, but the cause is unknown" when trying to start a Virtualbox domain
by Jean-Christophe Guillain
Hello,
I opened a bug (http://bugzilla.redhat.com/show_bug.cgi?id=757138)
about this issue, but I was told to mention it to this list too.
Here is my problem : when I try to start a virtualbox domain with
virsh, an error occurs.
(But when the domain is started using Virtualbox GUI it works, and I have no
problem to stop it with virsh...)
Example :
virsh # start freenas1
error: Failed to start domain freenas1
error: An error occurred, but the cause is unknown
I use libvirt 0.9.2-7 and virtualbox 4.0.10 on a Debian with
2.6.32-5-amd64 kernel.
The XML config file of the domain :
<domain type='vbox' id='1'>
<name>freenas1</name>
<uuid>07aadf11-2090-4690-9518-52766722c544</uuid>
<memory>524288</memory>
<currentMemory>524288</currentMemory>
<vcpu>1</vcpu>
<os>
<type arch='x86_64'>hvm</type>
<boot dev='hd'/>
</os>
<features>
<acpi/>
<apic/>
</features>
<clock offset='localtime'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>destroy</on_reboot>
<on_crash>destroy</on_crash>
<devices>
<disk type='file' device='disk'>
<source file='/data/Freenas1Disk1.vdi'/>
<target dev='hda' bus='ide'/>
</disk>
<input type='mouse' bus='ps2'/>
<graphics type='desktop' display='localhost:10.0'/>
<video>
<model type='vbox' vram='8192' heads='1'>
<acceleration accel3d='no' accel2d='no'/>
</model>
</video>
</devices>
</domain>
virsh debug output :
virsh # start freenas1
15:51:31.043: 5796: debug : virConnectOpenAuth:1328 : name=(null),
auth=0x7f19ee32d320, flags=0
15:51:31.043: 5796: debug : do_open:1065 : no name, allowing driver auto-select
15:51:31.043: 5796: debug : do_open:1102 : trying driver 0 (Test) ...
15:51:31.043: 5796: debug : do_open:1108 : driver 0 Test returned DECLINED
15:51:31.043: 5796: debug : do_open:1102 : trying driver 1 (Xen) ...
15:51:31.043: 5796: debug : do_open:1108 : driver 1 Xen returned DECLINED
15:51:31.043: 5796: debug : do_open:1102 : trying driver 2 (OPENVZ) ...
15:51:31.043: 5796: debug : do_open:1108 : driver 2 OPENVZ returned DECLINED
15:51:31.043: 5796: debug : do_open:1102 : trying driver 3 (VMWARE) ...
15:51:31.043: 5796: debug : do_open:1108 : driver 3 VMWARE returned DECLINED
15:51:31.043: 5796: debug : do_open:1102 : trying driver 4 (VBOX) ...
15:51:31.050: 5796: debug : vboxOpen:1035 : in vboxOpen
15:51:31.050: 5796: debug : do_open:1108 : driver 4 VBOX returned SUCCESS
15:51:31.050: 5796: debug : do_open:1130 : network driver 0 Test returned
DECLINED
15:51:31.050: 5796: debug : vboxNetworkOpen:6953 : network initialized
15:51:31.050: 5796: debug : do_open:1130 : network driver 1 VBOX returned
SUCCESS
15:51:31.050: 5796: debug : do_open:1145 : interface driver 0 Test returned
DECLINED
15:51:31.051: 5796: debug : doRemoteOpen:596 : proceeding with name =
vbox:///system
15:51:31.051: 5796: debug : remoteIO:5824 : Do proc=66 serial=0 length=28
wait=(nil)
15:51:31.051: 5796: debug : remoteIO:5896 : We have the buck 66 0x7f19e6c37010
0x7f19e6c37010
15:51:31.051: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now
need 64 total (60 more)
15:51:31.051: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 66
0x7f19e6c37010 (nil)
15:51:31.051: 5796: debug : remoteIO:5924 : All done with our call 66 (nil)
0x7f19e6c37010
15:51:31.051: 5796: debug : remoteIO:5824 : Do proc=1 serial=1 length=56
wait=(nil)
15:51:31.051: 5796: debug : remoteIO:5896 : We have the buck 1 0x7f19e003fec0
0x7f19e003fec0
15:51:31.052: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now
need 176 total (172 more)
15:51:31.052: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 1
0x7f19e003fec0 (nil)
15:51:31.052: 5796: debug : remoteIO:5924 : All done with our call 1 (nil)
0x7f19e003fec0
15:51:31.052: 5796: debug : do_open:1145 : interface driver 1 remote returned
ERROR
15:51:31.052: 5796: debug : do_open:1161 : storage driver 0 Test returned
DECLINED
15:51:31.052: 5796: debug : vboxStorageOpen:7764 : vbox storage initialized
15:51:31.052: 5796: debug : do_open:1161 : storage driver 1 VBOX returned
SUCCESS
15:51:31.052: 5796: debug : do_open:1177 : node driver 0 Test returned DECLINED
15:51:31.053: 5796: debug : doRemoteOpen:596 : proceeding with name =
vbox:///system
15:51:31.053: 5796: debug : remoteIO:5824 : Do proc=66 serial=0 length=28
wait=(nil)
15:51:31.053: 5796: debug : remoteIO:5896 : We have the buck 66 0x7f19e0081f90
0x7f19e0081f90
15:51:31.054: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now
need 64 total (60 more)
15:51:31.054: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 66
0x7f19e0081f90 (nil)
15:51:31.054: 5796: debug : remoteIO:5924 : All done with our call 66 (nil)
0x7f19e0081f90
15:51:31.054: 5796: debug : remoteIO:5824 : Do proc=1 serial=1 length=56
wait=(nil)
15:51:31.054: 5796: debug : remoteIO:5896 : We have the buck 1 0x7f19e0081f90
0x7f19e0081f90
15:51:31.055: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now
need 176 total (172 more)
15:51:31.055: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 1
0x7f19e0081f90 (nil)
15:51:31.055: 5796: debug : remoteIO:5924 : All done with our call 1 (nil)
0x7f19e0081f90
15:51:31.055: 5796: debug : do_open:1177 : node driver 1 remote returned ERROR
15:51:31.055: 5796: debug : do_open:1193 : secret driver 0 Test returned
DECLINED
15:51:31.055: 5796: debug : doRemoteOpen:596 : proceeding with name =
vbox:///system
15:51:31.055: 5796: debug : remoteIO:5824 : Do proc=66 serial=0 length=28
wait=(nil)
15:51:31.055: 5796: debug : remoteIO:5896 : We have the buck 66 0x7f19e0081f90
0x7f19e0081f90
15:51:31.056: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now
need 64 total (60 more)
15:51:31.056: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 66
0x7f19e0081f90 (nil)
15:51:31.056: 5796: debug : remoteIO:5924 : All done with our call 66 (nil)
0x7f19e0081f90
15:51:31.056: 5796: debug : remoteIO:5824 : Do proc=1 serial=1 length=56
wait=(nil)
15:51:31.056: 5796: debug : remoteIO:5896 : We have the buck 1 0x7f19e0081f90
0x7f19e0081f90
15:51:31.057: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now
need 176 total (172 more)
15:51:31.057: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 1
0x7f19e0081f90 (nil)
15:51:31.057: 5796: debug : remoteIO:5924 : All done with our call 1 (nil)
0x7f19e0081f90
15:51:31.057: 5796: debug : do_open:1193 : secret driver 1 remote returned
ERROR
15:51:31.057: 5796: debug : do_open:1209 : nwfilter driver 0 Test returned
DECLINED
15:51:31.057: 5796: debug : doRemoteOpen:596 : proceeding with name =
vbox:///system
15:51:31.057: 5796: debug : remoteIO:5824 : Do proc=66 serial=0 length=28
wait=(nil)
15:51:31.057: 5796: debug : remoteIO:5896 : We have the buck 66 0x7f19e0081f90
0x7f19e0081f90
15:51:31.058: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now
need 64 total (60 more)
15:51:31.058: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 66
0x7f19e0081f90 (nil)
15:51:31.058: 5796: debug : remoteIO:5924 : All done with our call 66 (nil)
0x7f19e0081f90
15:51:31.058: 5796: debug : remoteIO:5824 : Do proc=1 serial=1 length=56
wait=(nil)
15:51:31.058: 5796: debug : remoteIO:5896 : We have the buck 1 0x7f19e0081f90
0x7f19e0081f90
15:51:31.059: 5796: debug : remoteIODecodeMessageLength:5214 : Got length, now
need 176 total (172 more)
15:51:31.059: 5796: debug : remoteIOEventLoop:5750 : Giving up the buck 1
0x7f19e0081f90 (nil)
15:51:31.059: 5796: debug : remoteIO:5924 : All done with our call 1 (nil)
0x7f19e0081f90
15:51:31.059: 5796: debug : do_open:1209 : nwfilter driver 1 remote returned
ERROR
15:51:31.060: 5796: debug : virDomainLookupByName:2030 : conn=0x6f6350,
name=freenas1
15:51:31.061: 5796: debug : virDomainGetID:2718 : dom=0x7f19e002db00, (VM:
name=freenas1, uuid=07aadf11-2090-4690-9518-52766722c544),
15:51:31.061: 5796: debug : virDomainCreate:6300 : dom=0x7f19e002db00, (VM:
name=freenas1, uuid=07aadf11-2090-4690-9518-52766722c544),
15:51:31.566: 5796: debug : virDomainGetName:2623 : domain=0x7f19e002db00
error: Failed to start domain freenas1
15:51:31.566: 5796: debug : virDomainFree:2118 : dom=0x7f19e002db00, (VM:
name=freenas1, uuid=07aadf11-2090-4690-9518-52766722c544),
15:51:31.566: 5796: debug : virUnrefDomain:276 : unref domain 0x7f19e002db00
freenas1 1
15:51:31.566: 5796: debug : virReleaseDomain:238 : release domain
0x7f19e002db00 freenas1 07aadf11-2090-4690-9518-52766722c544
15:51:31.566: 5796: debug : virReleaseDomain:246 : unref connection 0x6f6350 2
error: An error occurred, but the cause is unknown
#####
I f you have an idea of what the problem is...
Thank you,
jC
13 years, 4 months
- 1
- 0
[libvirt] RE : Re: [PATCH] util: fix thinko in runIO
by Bastien ROUCARIES
Malloc page than realloc to smaller does not work ?
Bastien
Le 25 nov. 2011 14:38, "Eric Blake" <eblake(a)redhat.com> a écrit :
[adding bug-gnulib; replies can drop libvirt]
On 11/25/2011 05:51 AM, Paolo Bonzini wrote:
>> Indeed; Linux has posix_memalign, and mingw never runs the io helper
>> (although it does compile it, hence the #if). If gnulib would give
>> us posix_memalign on mingw, we could nuke this #if altogether.
>
> That's pretty difficult (unless you also add a posix_memalign_free)
> because at the time posix_memalign returns you have lost the base
> pointer for free().
Providing a posix_memalign_free defeats the purpose - POSIX requires
that plain free() will cover the memory returned by posix_memalign. The
list of platforms missing posix_memalign is a bit daunting:
MacOS X 10.5, FreeBSD 6.0, NetBSD 3.0, OpenBSD 3.8, Minix 3.1.8, AIX
5.1, HP-UX 11,
IRIX 6.5, OSF/1 5.1, Solaris 10, Cygwin 1.5.x, mingw, MSVC 9, Interix
3.5, BeOS.
but what would be interesting to know is how many of those platforms
return page-aligned pointers for any malloc() request of a page or more
of memory. That is, we may be able to coerce malloc into aligned
results by over-allocating and over-aligning the user's request, if the
system malloc() has at least one mode of returning page-aligned memory.
Another alternative is to override free() at the same time as providing
posix_memalign(). The gnulib malloca module provides a freea() function
that can distinguish whether it is paired with an alloca() (nop) or
mmalloca() (call the real free()), by over-allocating and probing for a
magic header. Similar concepts could be used in writing an rpl_free()
that determines whether it was allocated by posix_memalign(): if we
guarantee that posix_memalign always returns something aligned to at
least a page, then rpl_free() can make a quick check for whether the
pointer passed in is page-aligned; if so, do a hash lookup to see if it
was a page reserved by our posix_memalign (if so, we know the real
address to free); if not or the hash lookup fails, it came from malloc
(in which case, regular free should work). Of course, unlike freea()
that probes for a magic header, we can't safely probe a header by
crossing page boundaries, since that would fault if we didn't allocate
the previous page at the same time.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
13 years, 4 months
- 2
- 1
Re: [libvirt] Upgrade-problems from qemu-0.14.1 + libvirt-0.8.4 to qemu-0.15.1 + libvirt-0.9.6: Why I think multifunction=on is a bad idea...
by Philipp Hahn
Hello,
On Thursday 17 November 2011 18:39:15 Eric Blake wrote:
> Is any of this worth keeping on the public libvir-list?
Not much but to be careful when you upgrade any part of libvirt, qemu(-kvm) or
it's (external*) dependencies like etherboot/iPXE, vgabios and seabios,
because it can invalidate your snapshots and saved state.
(*): As Debian does for DFSG-compliance, since it replaces the seabios /
vgabios / pxe-bios as shipped with qemu by a version compiled from
(different) sources.
Sincerely
Philipp
--
Philipp Hahn Open Source Software Engineer hahn(a)univention.de
Univention GmbH Linux for Your Business fon: +49 421 22 232- 0
Mary-Somerville-Str.1 D-28359 Bremen fax: +49 421 22 232-99
http://www.univention.de/
13 years, 4 months
- 1
- 0