January 2012 - Devel - Libvirt List Archives

[libvirt] [PATCH libvirt-glib] Add support for configuring serial, parallel & channel devices

by Daniel P. Berrange

From: "Daniel P. Berrange" <berrange(a)redhat.com> The basic config of serial, parallel & channel devices is just the same as console devices. Add basic stubs for these new devices --- libvirt-gconfig/Makefile.am | 6 ++ libvirt-gconfig/libvirt-gconfig-domain-channel.c | 70 +++++++++++++++++++++ libvirt-gconfig/libvirt-gconfig-domain-channel.h | 67 ++++++++++++++++++++ libvirt-gconfig/libvirt-gconfig-domain-parallel.c | 70 +++++++++++++++++++++ libvirt-gconfig/libvirt-gconfig-domain-parallel.h | 67 ++++++++++++++++++++ libvirt-gconfig/libvirt-gconfig-domain-serial.c | 70 +++++++++++++++++++++ libvirt-gconfig/libvirt-gconfig-domain-serial.h | 67 ++++++++++++++++++++ libvirt-gconfig/libvirt-gconfig.h | 3 + libvirt-gconfig/libvirt-gconfig.sym | 12 ++++ 9 files changed, 432 insertions(+), 0 deletions(-) create mode 100644 libvirt-gconfig/libvirt-gconfig-domain-channel.c create mode 100644 libvirt-gconfig/libvirt-gconfig-domain-channel.h create mode 100644 libvirt-gconfig/libvirt-gconfig-domain-parallel.c create mode 100644 libvirt-gconfig/libvirt-gconfig-domain-parallel.h create mode 100644 libvirt-gconfig/libvirt-gconfig-domain-serial.c create mode 100644 libvirt-gconfig/libvirt-gconfig-domain-serial.h diff --git a/libvirt-gconfig/Makefile.am b/libvirt-gconfig/Makefile.am index d542074..03a5507 100644 --- a/libvirt-gconfig/Makefile.am +++ b/libvirt-gconfig/Makefile.am @@ -13,6 +13,7 @@ GCONFIG_HEADER_FILES = \ libvirt-gconfig-object.h \ libvirt-gconfig-capabilities.h \ libvirt-gconfig-domain.h \ + libvirt-gconfig-domain-channel.h \ libvirt-gconfig-domain-chardev.h \ libvirt-gconfig-domain-chardev-source.h \ libvirt-gconfig-domain-chardev-source-pty.h \ @@ -32,7 +33,9 @@ GCONFIG_HEADER_FILES = \ libvirt-gconfig-domain-interface-user.h \ libvirt-gconfig-domain-memballoon.h \ libvirt-gconfig-domain-os.h \ + libvirt-gconfig-domain-parallel.h \ libvirt-gconfig-domain-seclabel.h \ + libvirt-gconfig-domain-serial.h \ libvirt-gconfig-domain-snapshot.h \ libvirt-gconfig-domain-sound.h \ libvirt-gconfig-domain-timer.h \ @@ -61,6 +64,7 @@ GCONFIG_SOURCE_FILES = \ libvirt-gconfig-main.c \ libvirt-gconfig-capabilities.c \ libvirt-gconfig-domain.c \ + libvirt-gconfig-domain-channel.c \ libvirt-gconfig-domain-chardev.c \ libvirt-gconfig-domain-chardev-source.c \ libvirt-gconfig-domain-chardev-source-pty.c \ @@ -80,7 +84,9 @@ GCONFIG_SOURCE_FILES = \ libvirt-gconfig-domain-interface-user.c \ libvirt-gconfig-domain-memballoon.c \ libvirt-gconfig-domain-os.c \ + libvirt-gconfig-domain-parallel.c \ libvirt-gconfig-domain-seclabel.c \ + libvirt-gconfig-domain-serial.c \ libvirt-gconfig-domain-snapshot.c \ libvirt-gconfig-domain-sound.c \ libvirt-gconfig-domain-timer.c \ diff --git a/libvirt-gconfig/libvirt-gconfig-domain-channel.c b/libvirt-gconfig/libvirt-gconfig-domain-channel.c new file mode 100644 index 0000000..a3134b4 --- /dev/null +++ b/libvirt-gconfig/libvirt-gconfig-domain-channel.c @@ -0,0 +1,70 @@ +/* + * libvirt-gconfig-domain-channel.c: libvirt domain channel configuration + * + * Copyright (C) 2011 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Author: Daniel P. Berrange <berrange(a)redhat.com> + */ + +#include <config.h> + +#include "libvirt-gconfig/libvirt-gconfig.h" + +#define GVIR_CONFIG_DOMAIN_CHANNEL_GET_PRIVATE(obj) \ + (G_TYPE_INSTANCE_GET_PRIVATE((obj), GVIR_CONFIG_TYPE_DOMAIN_CHANNEL, GVirConfigDomainChannelPrivate)) + +struct _GVirConfigDomainChannelPrivate +{ + gboolean unused; +}; + +G_DEFINE_TYPE(GVirConfigDomainChannel, gvir_config_domain_channel, GVIR_CONFIG_TYPE_DOMAIN_CHARDEV); + + +static void gvir_config_domain_channel_class_init(GVirConfigDomainChannelClass *klass) +{ + g_type_class_add_private(klass, sizeof(GVirConfigDomainChannelPrivate)); +} + + +static void gvir_config_domain_channel_init(GVirConfigDomainChannel *channel) +{ + g_debug("Init GVirConfigDomainChannel=%p", channel); + + channel->priv = GVIR_CONFIG_DOMAIN_CHANNEL_GET_PRIVATE(channel); +} + +GVirConfigDomainChannel *gvir_config_domain_channel_new(void) +{ + GVirConfigObject *object; + + object = gvir_config_object_new(GVIR_CONFIG_TYPE_DOMAIN_CHANNEL, + "channel", NULL); + return GVIR_CONFIG_DOMAIN_CHANNEL(object); +} + +GVirConfigDomainChannel *gvir_config_domain_channel_new_from_xml(const gchar *xml, + GError **error) +{ + GVirConfigObject *object; + + object = gvir_config_object_new_from_xml(GVIR_CONFIG_TYPE_DOMAIN_CHANNEL, + "channel", NULL, xml, error); + if (object == NULL) + return NULL; + return GVIR_CONFIG_DOMAIN_CHANNEL(object); +} diff --git a/libvirt-gconfig/libvirt-gconfig-domain-channel.h b/libvirt-gconfig/libvirt-gconfig-domain-channel.h new file mode 100644 index 0000000..d2dc136 --- /dev/null +++ b/libvirt-gconfig/libvirt-gconfig-domain-channel.h @@ -0,0 +1,67 @@ +/* + * libvirt-gconfig-domain-channel.h: libvirt domain channel configuration + * + * Copyright (C) 2011 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Author: Daniel P. Berrange <berrange(a)redhat.com> + */ + +#if !defined(__LIBVIRT_GCONFIG_H__) && !defined(LIBVIRT_GCONFIG_BUILD) +#error "Only <libvirt-gconfig/libvirt-gconfig.h> can be included directly." +#endif + +#ifndef __LIBVIRT_GCONFIG_DOMAIN_CHANNEL_H__ +#define __LIBVIRT_GCONFIG_DOMAIN_CHANNEL_H__ + +G_BEGIN_DECLS + +#define GVIR_CONFIG_TYPE_DOMAIN_CHANNEL (gvir_config_domain_channel_get_type ()) +#define GVIR_CONFIG_DOMAIN_CHANNEL(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), GVIR_CONFIG_TYPE_DOMAIN_CHANNEL, GVirConfigDomainChannel)) +#define GVIR_CONFIG_DOMAIN_CHANNEL_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), GVIR_CONFIG_TYPE_DOMAIN_CHANNEL, GVirConfigDomainChannelClass)) +#define GVIR_CONFIG_IS_DOMAIN_CHANNEL(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GVIR_CONFIG_TYPE_DOMAIN_CHANNEL)) +#define GVIR_CONFIG_IS_DOMAIN_CHANNEL_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), GVIR_CONFIG_TYPE_DOMAIN_CHANNEL)) +#define GVIR_CONFIG_DOMAIN_CHANNEL_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), GVIR_CONFIG_TYPE_DOMAIN_CHANNEL, GVirConfigDomainChannelClass)) + +typedef struct _GVirConfigDomainChannel GVirConfigDomainChannel; +typedef struct _GVirConfigDomainChannelPrivate GVirConfigDomainChannelPrivate; +typedef struct _GVirConfigDomainChannelClass GVirConfigDomainChannelClass; + +struct _GVirConfigDomainChannel +{ + GVirConfigDomainChardev parent; + + GVirConfigDomainChannelPrivate *priv; + + /* Do not add fields to this struct */ +}; + +struct _GVirConfigDomainChannelClass +{ + GVirConfigDomainChardevClass parent_class; + + gpointer padding[20]; +}; + + +GType gvir_config_domain_channel_get_type(void); +GVirConfigDomainChannel *gvir_config_domain_channel_new(void); +GVirConfigDomainChannel *gvir_config_domain_channel_new_from_xml(const gchar *xml, + GError **error); + +G_END_DECLS + +#endif /* __LIBVIRT_GCONFIG_DOMAIN_CHANNEL_H__ */ diff --git a/libvirt-gconfig/libvirt-gconfig-domain-parallel.c b/libvirt-gconfig/libvirt-gconfig-domain-parallel.c new file mode 100644 index 0000000..2f5ea52 --- /dev/null +++ b/libvirt-gconfig/libvirt-gconfig-domain-parallel.c @@ -0,0 +1,70 @@ +/* + * libvirt-gconfig-domain-parallel.c: libvirt domain parallel configuration + * + * Copyright (C) 2011 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Author: Daniel P. Berrange <berrange(a)redhat.com> + */ + +#include <config.h> + +#include "libvirt-gconfig/libvirt-gconfig.h" + +#define GVIR_CONFIG_DOMAIN_PARALLEL_GET_PRIVATE(obj) \ + (G_TYPE_INSTANCE_GET_PRIVATE((obj), GVIR_CONFIG_TYPE_DOMAIN_PARALLEL, GVirConfigDomainParallelPrivate)) + +struct _GVirConfigDomainParallelPrivate +{ + gboolean unused; +}; + +G_DEFINE_TYPE(GVirConfigDomainParallel, gvir_config_domain_parallel, GVIR_CONFIG_TYPE_DOMAIN_CHARDEV); + + +static void gvir_config_domain_parallel_class_init(GVirConfigDomainParallelClass *klass) +{ + g_type_class_add_private(klass, sizeof(GVirConfigDomainParallelPrivate)); +} + + +static void gvir_config_domain_parallel_init(GVirConfigDomainParallel *parallel) +{ + g_debug("Init GVirConfigDomainParallel=%p", parallel); + + parallel->priv = GVIR_CONFIG_DOMAIN_PARALLEL_GET_PRIVATE(parallel); +} + +GVirConfigDomainParallel *gvir_config_domain_parallel_new(void) +{ + GVirConfigObject *object; + + object = gvir_config_object_new(GVIR_CONFIG_TYPE_DOMAIN_PARALLEL, + "parallel", NULL); + return GVIR_CONFIG_DOMAIN_PARALLEL(object); +} + +GVirConfigDomainParallel *gvir_config_domain_parallel_new_from_xml(const gchar *xml, + GError **error) +{ + GVirConfigObject *object; + + object = gvir_config_object_new_from_xml(GVIR_CONFIG_TYPE_DOMAIN_PARALLEL, + "parallel", NULL, xml, error); + if (object == NULL) + return NULL; + return GVIR_CONFIG_DOMAIN_PARALLEL(object); +} diff --git a/libvirt-gconfig/libvirt-gconfig-domain-parallel.h b/libvirt-gconfig/libvirt-gconfig-domain-parallel.h new file mode 100644 index 0000000..fd9c656 --- /dev/null +++ b/libvirt-gconfig/libvirt-gconfig-domain-parallel.h @@ -0,0 +1,67 @@ +/* + * libvirt-gconfig-domain-parallel.h: libvirt domain parallel configuration + * + * Copyright (C) 2011 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Author: Daniel P. Berrange <berrange(a)redhat.com> + */ + +#if !defined(__LIBVIRT_GCONFIG_H__) && !defined(LIBVIRT_GCONFIG_BUILD) +#error "Only <libvirt-gconfig/libvirt-gconfig.h> can be included directly." +#endif + +#ifndef __LIBVIRT_GCONFIG_DOMAIN_PARALLEL_H__ +#define __LIBVIRT_GCONFIG_DOMAIN_PARALLEL_H__ + +G_BEGIN_DECLS + +#define GVIR_CONFIG_TYPE_DOMAIN_PARALLEL (gvir_config_domain_parallel_get_type ()) +#define GVIR_CONFIG_DOMAIN_PARALLEL(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), GVIR_CONFIG_TYPE_DOMAIN_PARALLEL, GVirConfigDomainParallel)) +#define GVIR_CONFIG_DOMAIN_PARALLEL_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), GVIR_CONFIG_TYPE_DOMAIN_PARALLEL, GVirConfigDomainParallelClass)) +#define GVIR_CONFIG_IS_DOMAIN_PARALLEL(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GVIR_CONFIG_TYPE_DOMAIN_PARALLEL)) +#define GVIR_CONFIG_IS_DOMAIN_PARALLEL_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), GVIR_CONFIG_TYPE_DOMAIN_PARALLEL)) +#define GVIR_CONFIG_DOMAIN_PARALLEL_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), GVIR_CONFIG_TYPE_DOMAIN_PARALLEL, GVirConfigDomainParallelClass)) + +typedef struct _GVirConfigDomainParallel GVirConfigDomainParallel; +typedef struct _GVirConfigDomainParallelPrivate GVirConfigDomainParallelPrivate; +typedef struct _GVirConfigDomainParallelClass GVirConfigDomainParallelClass; + +struct _GVirConfigDomainParallel +{ + GVirConfigDomainChardev parent; + + GVirConfigDomainParallelPrivate *priv; + + /* Do not add fields to this struct */ +}; + +struct _GVirConfigDomainParallelClass +{ + GVirConfigDomainChardevClass parent_class; + + gpointer padding[20]; +}; + + +GType gvir_config_domain_parallel_get_type(void); +GVirConfigDomainParallel *gvir_config_domain_parallel_new(void); +GVirConfigDomainParallel *gvir_config_domain_parallel_new_from_xml(const gchar *xml, + GError **error); + +G_END_DECLS + +#endif /* __LIBVIRT_GCONFIG_DOMAIN_PARALLEL_H__ */ diff --git a/libvirt-gconfig/libvirt-gconfig-domain-serial.c b/libvirt-gconfig/libvirt-gconfig-domain-serial.c new file mode 100644 index 0000000..89c54ba --- /dev/null +++ b/libvirt-gconfig/libvirt-gconfig-domain-serial.c @@ -0,0 +1,70 @@ +/* + * libvirt-gconfig-domain-serial.c: libvirt domain serial configuration + * + * Copyright (C) 2011 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Author: Daniel P. Berrange <berrange(a)redhat.com> + */ + +#include <config.h> + +#include "libvirt-gconfig/libvirt-gconfig.h" + +#define GVIR_CONFIG_DOMAIN_SERIAL_GET_PRIVATE(obj) \ + (G_TYPE_INSTANCE_GET_PRIVATE((obj), GVIR_CONFIG_TYPE_DOMAIN_SERIAL, GVirConfigDomainSerialPrivate)) + +struct _GVirConfigDomainSerialPrivate +{ + gboolean unused; +}; + +G_DEFINE_TYPE(GVirConfigDomainSerial, gvir_config_domain_serial, GVIR_CONFIG_TYPE_DOMAIN_CHARDEV); + + +static void gvir_config_domain_serial_class_init(GVirConfigDomainSerialClass *klass) +{ + g_type_class_add_private(klass, sizeof(GVirConfigDomainSerialPrivate)); +} + + +static void gvir_config_domain_serial_init(GVirConfigDomainSerial *serial) +{ + g_debug("Init GVirConfigDomainSerial=%p", serial); + + serial->priv = GVIR_CONFIG_DOMAIN_SERIAL_GET_PRIVATE(serial); +} + +GVirConfigDomainSerial *gvir_config_domain_serial_new(void) +{ + GVirConfigObject *object; + + object = gvir_config_object_new(GVIR_CONFIG_TYPE_DOMAIN_SERIAL, + "serial", NULL); + return GVIR_CONFIG_DOMAIN_SERIAL(object); +} + +GVirConfigDomainSerial *gvir_config_domain_serial_new_from_xml(const gchar *xml, + GError **error) +{ + GVirConfigObject *object; + + object = gvir_config_object_new_from_xml(GVIR_CONFIG_TYPE_DOMAIN_SERIAL, + "serial", NULL, xml, error); + if (object == NULL) + return NULL; + return GVIR_CONFIG_DOMAIN_SERIAL(object); +} diff --git a/libvirt-gconfig/libvirt-gconfig-domain-serial.h b/libvirt-gconfig/libvirt-gconfig-domain-serial.h new file mode 100644 index 0000000..8fba59c --- /dev/null +++ b/libvirt-gconfig/libvirt-gconfig-domain-serial.h @@ -0,0 +1,67 @@ +/* + * libvirt-gconfig-domain-serial.h: libvirt domain serial configuration + * + * Copyright (C) 2011 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Author: Daniel P. Berrange <berrange(a)redhat.com> + */ + +#if !defined(__LIBVIRT_GCONFIG_H__) && !defined(LIBVIRT_GCONFIG_BUILD) +#error "Only <libvirt-gconfig/libvirt-gconfig.h> can be included directly." +#endif + +#ifndef __LIBVIRT_GCONFIG_DOMAIN_SERIAL_H__ +#define __LIBVIRT_GCONFIG_DOMAIN_SERIAL_H__ + +G_BEGIN_DECLS + +#define GVIR_CONFIG_TYPE_DOMAIN_SERIAL (gvir_config_domain_serial_get_type ()) +#define GVIR_CONFIG_DOMAIN_SERIAL(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), GVIR_CONFIG_TYPE_DOMAIN_SERIAL, GVirConfigDomainSerial)) +#define GVIR_CONFIG_DOMAIN_SERIAL_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), GVIR_CONFIG_TYPE_DOMAIN_SERIAL, GVirConfigDomainSerialClass)) +#define GVIR_CONFIG_IS_DOMAIN_SERIAL(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), GVIR_CONFIG_TYPE_DOMAIN_SERIAL)) +#define GVIR_CONFIG_IS_DOMAIN_SERIAL_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), GVIR_CONFIG_TYPE_DOMAIN_SERIAL)) +#define GVIR_CONFIG_DOMAIN_SERIAL_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), GVIR_CONFIG_TYPE_DOMAIN_SERIAL, GVirConfigDomainSerialClass)) + +typedef struct _GVirConfigDomainSerial GVirConfigDomainSerial; +typedef struct _GVirConfigDomainSerialPrivate GVirConfigDomainSerialPrivate; +typedef struct _GVirConfigDomainSerialClass GVirConfigDomainSerialClass; + +struct _GVirConfigDomainSerial +{ + GVirConfigDomainChardev parent; + + GVirConfigDomainSerialPrivate *priv; + + /* Do not add fields to this struct */ +}; + +struct _GVirConfigDomainSerialClass +{ + GVirConfigDomainChardevClass parent_class; + + gpointer padding[20]; +}; + + +GType gvir_config_domain_serial_get_type(void); +GVirConfigDomainSerial *gvir_config_domain_serial_new(void); +GVirConfigDomainSerial *gvir_config_domain_serial_new_from_xml(const gchar *xml, + GError **error); + +G_END_DECLS + +#endif /* __LIBVIRT_GCONFIG_DOMAIN_SERIAL_H__ */ diff --git a/libvirt-gconfig/libvirt-gconfig.h b/libvirt-gconfig/libvirt-gconfig.h index 7176400..cb28e23 100644 --- a/libvirt-gconfig/libvirt-gconfig.h +++ b/libvirt-gconfig/libvirt-gconfig.h @@ -33,6 +33,7 @@ #include <libvirt-gconfig/libvirt-gconfig-domain-chardev.h> #include <libvirt-gconfig/libvirt-gconfig-domain-chardev-source.h> #include <libvirt-gconfig/libvirt-gconfig-domain-chardev-source-pty.h> +#include <libvirt-gconfig/libvirt-gconfig-domain-channel.h> #include <libvirt-gconfig/libvirt-gconfig-domain-clock.h> #include <libvirt-gconfig/libvirt-gconfig-domain-console.h> #include <libvirt-gconfig/libvirt-gconfig-domain-device.h> @@ -49,7 +50,9 @@ #include <libvirt-gconfig/libvirt-gconfig-domain-interface-user.h> #include <libvirt-gconfig/libvirt-gconfig-domain-memballoon.h> #include <libvirt-gconfig/libvirt-gconfig-domain-os.h> +#include <libvirt-gconfig/libvirt-gconfig-domain-parallel.h> #include <libvirt-gconfig/libvirt-gconfig-domain-seclabel.h> +#include <libvirt-gconfig/libvirt-gconfig-domain-serial.h> #include <libvirt-gconfig/libvirt-gconfig-domain-snapshot.h> #include <libvirt-gconfig/libvirt-gconfig-domain-sound.h> #include <libvirt-gconfig/libvirt-gconfig-domain-timer.h> diff --git a/libvirt-gconfig/libvirt-gconfig.sym b/libvirt-gconfig/libvirt-gconfig.sym index 8a47418..7cf3c3d 100644 --- a/libvirt-gconfig/libvirt-gconfig.sym +++ b/libvirt-gconfig/libvirt-gconfig.sym @@ -30,6 +30,10 @@ LIBVIRT_GCONFIG_0.0.3 { gvir_config_domain_set_virt_type; gvir_config_domain_virt_type_get_type; + gvir_config_domain_channel_get_type; + gvir_config_domain_channel_new; + gvir_config_domain_channel_new_from_xml; + gvir_config_domain_chardev_get_type; gvir_config_domain_chardev_set_source; @@ -168,6 +172,10 @@ LIBVIRT_GCONFIG_0.0.3 { gvir_config_domain_os_set_arch; gvir_config_domain_os_type_get_type; + gvir_config_domain_parallel_get_type; + gvir_config_domain_parallel_new; + gvir_config_domain_parallel_new_from_xml; + gvir_config_domain_seclabel_get_type; gvir_config_domain_seclabel_type_get_type; gvir_config_domain_seclabel_new; @@ -177,6 +185,10 @@ LIBVIRT_GCONFIG_0.0.3 { gvir_config_domain_seclabel_set_baselabel; gvir_config_domain_seclabel_set_label; + gvir_config_domain_serial_get_type; + gvir_config_domain_serial_new; + gvir_config_domain_serial_new_from_xml; + gvir_config_domain_snapshot_get_type; gvir_config_domain_snapshot_new; gvir_config_domain_snapshot_new_from_xml; -- 1.7.7.5

12 years, 10 months

2
1
0 / 0

[libvirt] ALERT Virtualization Automatic Builder

by berrange＠redhat.com

Overall status: failed Start date: Tue Jan 10 2012 Start time: 18:05:04 UTC / 13:05:04 EST Build counter: 1326218704 Build timestamp: 1326218704 URL: http://builder.virt-tools.org/index.html Module: libvirt Status: failed URL: http://builder.virt-tools.org/module-libvirt.html

12 years, 10 months

3
2
0 / 0

[libvirt] [PATCH] build: avoid spurious compiler warning

by Eric Blake

For some weird reason, i686-pc-mingw32-gcc version 4.6.1 at -O2 complained: ../../src/conf/nwfilter_params.c: In function 'virNWFilterVarCombIterCreate': ../../src/conf/nwfilter_params.c:346:23: error: 'minValue' may be used uninitialized in this function [-Werror=uninitialized] ../../src/conf/nwfilter_params.c:319:28: note: 'minValue' was declared here ../../src/conf/nwfilter_params.c:344:23: error: 'maxValue' may be used uninitialized in this function [-Werror=uninitialized] ../../src/conf/nwfilter_params.c:319:18: note: 'maxValue' was declared here cc1: all warnings being treated as errors even though all paths of the preceding switch statement either assign the variables or return. * src/conf/nwfilter_params.c (virNWFilterVarCombIterAddVariable): Initialize variables. --- Pushing under the build-breaker rule. src/conf/nwfilter_params.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/conf/nwfilter_params.c b/src/conf/nwfilter_params.c index 8949b95..7400fa0 100644 --- a/src/conf/nwfilter_params.c +++ b/src/conf/nwfilter_params.c @@ -1,7 +1,7 @@ /* * nwfilter_params.c: parsing and data maintenance of filter parameters * - * Copyright (C) 2011 Red Hat, Inc. + * Copyright (C) 2011-2012 Red Hat, Inc. * Copyright (C) 2010 IBM Corporation * * This library is free software; you can redistribute it and/or @@ -316,7 +316,7 @@ virNWFilterVarCombIterAddVariable(virNWFilterVarCombIterEntryPtr cie, const virNWFilterVarAccessPtr varAccess) { virNWFilterVarValuePtr varValue; - unsigned int maxValue, minValue; + unsigned int maxValue = 0, minValue = 0; const char *varName = virNWFilterVarAccessGetVarName(varAccess); varValue = virHashLookup(hash->hashTable, varName); -- 1.7.7.5

12 years, 10 months

1
0
0 / 0

[libvirt] [BUG, PATCH-RFC] libvirt localtime and rtc_timeoffset handling in xen-sexpr/sxpr/sxp

by Philipp Hahn

Hello, I'm currently tracking a problem in libvirt regarding Xens handling of localtime and rtc_timeoffset. My current understanding (Xen-3.4.3 and Xen-4.1.2 under Linux) of Xend (the depcrecated Python one still used by libvirt) is as this: - for HV domains, the RTC gets setup to either UTC or localtime depending on "/domain/image/hvm/localtime" ± "/domain/image/hvm/rtc_offset". - if the OS of a domU changes its RTC, the rtc_offset gets adjusted and is saved in XenStore as "/vm/$UUID/rtc/timeoffset". - if the dom0 accesses its RTC, is accesses the real HW-RTC. - the Xen-Hypervisor initially read the HW-RTC to setup its Wallclock once, which is than used to simulate the domU RTCs. (The HW-RTC is otherwise only accessed on (ACPI-)Suspend and Resume, and with NTP-drift-correction from dom0). - on shut-down the rtc_offset is stored by Xend in the "/var/lib/xend/domains/$uuid/config.sxp" file in "/domain/image/hvm/rtc_timeoffset", from where it is loaded again on next start. - since PV domains don't have a RTC, they somehow(?) get either initialized to the localtime or UTC time depending on "/domain/image/linux/localtime". @xen: Did I figure out that correct? @xen: Is there some documentation on the Xen-sxp domain configuration? For the Python based xen-xm format, I found (and updated) <http://wiki.xen.org/wiki/XenConfigurationFileOptions>, but for Xen-sxp I so far found no documentation, especially on what changed between xen-1, xen-2, xen-3.x, xen-4.x. @libvirt: Comparing Xend handling to <http://libvirt.org/formatdomain.html#elementsTime> the current translation done by libvirt looks wrong; I think is mandates back to the time when Xen supported only PV-domUs: libvirt translates the Xen configuration to "localtime" and "utc" ignoring the "rtc_offset", which exists for HV domains. For localtime=0 this translates to libvirts offset="variable"-case, but for localtime=1 there is no matching mapping in libvirt. Since for PV domains no rtc_timeoffset is tracked, there the mapping to "utc" and "localtime" looks right. For libvirt there was a patch <http://www.redhat.com/archives/libvir-list/2009-January/msg00757.html> which added some special handling for "localtime" to be either placed in "/domain/localtime" or "/domain/image/{hvm,linux}/localtime". Xend from 3.4.3 und 4.1.2 seems to accept either one, but /domain/image/hvm/localtime is preferred and overwrites the first one. When reading back the configuration the setting is always returned as /domain/image/{hvm,linux}/localtime. @John: Is there a case, where /domain/localtime is returned or is that key always translated to /domain/linux/{hvm,linux}/localtime? As you had a sun.com email address, was this some special case when using Xen with Solaris? @libvirt: The attached patch (for 0.8.7) would change the implementation to match the following: 1. For Xen-PV-domUs, use clock/@offset='utc' and clock/@offset='localtime'. 2. For Xen-HV-domUs, use clock/@offset='variable'. 3. For backward compatibility with old libvirt-XML-files convert clock/@offset='utc' → (localtime 0)(rtc_timeoffset 0) and clock/@offset='localtime' → (localtime 1)(rtc_timeosset 0). On readback that will be returned as clock/@offset='variable'! 4. For Xen-HV-domUs with (localtime=1)(rtc_timeoffset≠0) print a warning that there is no mapping to libvirts XML. 5. Always put the (localtime)(rtc_offset)-SEXPRs in "(image ({linux,hvm})", since this is where Xend-3.4 and Xend-4.1 return them. I also checked Xen-3.2, where this is okay, but the I don't have any older versions of Xen available (and running), the I can't verify that it still works there. Which leads me to a another question: Which versions of Xen are still supported by libvirt (and must be checked for regressions)? I don't want so actively remove the code for old Xen versions, but it gets harder and harder to maintain all those versions. So a statement like "Xen-3.x and Xen-4.y are actively supported by libvirt-0.a.b; older versions might still work (by accident ;-)" Before I forward-port that change to 0.9.10 I'd like to get some comments. Thanks in advance. Sincerely Philipp Hahn -- Philipp Hahn Open Source Software Engineer hahn(a)univention.de Univention GmbH Linux for Your Business fon: +49 421 22 232- 0 Mary-Somerville-Str.1 D-28359 Bremen fax: +49 421 22 232-99 http://www.univention.de/

12 years, 10 months

2
2
0 / 0

[libvirt] ALERT Virtualization Automatic Builder

by berrange＠redhat.com

Overall status: failed Start date: Wed Jan 11 2012 Start time: 11:29:22 UTC / 06:29:22 EST Build counter: 1326281362 Build timestamp: 1326281362 URL: http://builder.virt-tools.org/index.html Module: libvirt Status: failed URL: http://builder.virt-tools.org/module-libvirt.html

12 years, 10 months

1
0
0 / 0

[libvirt] [PATCH 2/3][TCK] nwfilter: test access via iterators

by Stefan Berger

Test access to variables using different iterators. --- scripts/nwfilter/nwfilter2vmtest.sh | 6 scripts/nwfilter/nwfilterxml2fwallout/iter-test2.fwall | 193 +++++++++++++++++ scripts/nwfilter/nwfilterxml2xmlin/iter-test2.xml | 23 ++ 3 files changed, 222 insertions(+) Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilter2vmtest.sh +++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh @@ -348,9 +348,15 @@ createVM() { <parameter name='A' value='1.1.1.1'/> <parameter name='A' value='2.2.2.2'/> <parameter name='A' value='3.3.3.3'/> + <parameter name='A' value='3.3.3.3'/> <parameter name='B' value='80'/> <parameter name='B' value='90'/> <parameter name='B' value='80'/> + <parameter name='B' value='80'/> + <parameter name='C' value='1080'/> + <parameter name='C' value='1090'/> + <parameter name='C' value='1100'/> + <parameter name='C' value='1110'/> </filterref> <target dev='${vmname}'/> </interface> Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/iter-test2.fwall =================================================================== --- /dev/null +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/iter-test2.fwall @@ -0,0 +1,193 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x01tcp spt:80 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x01tcp spt:90 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x01tcp spt:80 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x02udp spt:80 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x02udp spt:80 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x02udp spt:80 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x02udp spt:90 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x02udp spt:90 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x02udp spt:90 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 1.1.1.1 1.1.1.1 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 2.2.2.2 1.1.1.1 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 3.3.3.3 1.1.1.1 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 1.1.1.1 2.2.2.2 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 2.2.2.2 2.2.2.2 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 3.3.3.3 2.2.2.2 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 1.1.1.1 3.3.3.3 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 2.2.2.2 3.3.3.3 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 3.3.3.3 3.3.3.3 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 1.1.1.1 1.1.1.1 DSCP match 0x06state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 2.2.2.2 2.2.2.2 DSCP match 0x06state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 3.3.3.3 3.3.3.3 DSCP match 0x06state NEW,ESTABLISHED ctdir REPLY +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x01tcp dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x01tcp dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x01tcp dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x02udp dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x02udp dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x02udp dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x02udp dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x02udp dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x02udp dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x03sctp spt:1080 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x03sctp spt:1080 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x03sctp spt:1080 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x03sctp spt:1090 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x03sctp spt:1090 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x03sctp spt:1090 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x03sctp spt:1100 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x03sctp spt:1100 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x03sctp spt:1100 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x03sctp spt:1110 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x03sctp spt:1110 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x03sctp spt:1110 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1080 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1080 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1080 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1080 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1080 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1080 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1090 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1090 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1090 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1090 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1090 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1090 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1100 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1100 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1100 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1100 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1100 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1100 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1110 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1110 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1110 dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x04tcp spt:1110 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x04tcp spt:1110 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x04tcp spt:1110 dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 1.1.1.1 1.1.1.1 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 1.1.1.1 2.2.2.2 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 1.1.1.1 3.3.3.3 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 2.2.2.2 1.1.1.1 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 2.2.2.2 2.2.2.2 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 2.2.2.2 3.3.3.3 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 3.3.3.3 1.1.1.1 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 3.3.3.3 2.2.2.2 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL +ACCEPT udp -- 3.3.3.3 3.3.3.3 DSCP match 0x05state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 1.1.1.1 1.1.1.1 DSCP match 0x06state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 2.2.2.2 2.2.2.2 DSCP match 0x06state ESTABLISHED ctdir ORIGINAL +ACCEPT sctp -- 3.3.3.3 3.3.3.3 DSCP match 0x06state ESTABLISHED ctdir ORIGINAL +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x01tcp spt:80 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x01tcp spt:90 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x01tcp spt:80 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x02udp spt:80 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x02udp spt:80 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x02udp spt:80 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x02udp spt:90 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x02udp spt:90 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x02udp spt:90 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x03sctp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1080 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1090 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1100 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:80 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x04tcp spt:90 dpt:1110 state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 1.1.1.1 1.1.1.1 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 2.2.2.2 1.1.1.1 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 3.3.3.3 1.1.1.1 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 1.1.1.1 2.2.2.2 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 2.2.2.2 2.2.2.2 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 3.3.3.3 2.2.2.2 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 1.1.1.1 3.3.3.3 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 2.2.2.2 3.3.3.3 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN udp -- 3.3.3.3 3.3.3.3 DSCP match 0x05state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 1.1.1.1 1.1.1.1 DSCP match 0x06state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 2.2.2.2 2.2.2.2 DSCP match 0x06state NEW,ESTABLISHED ctdir REPLY +RETURN sctp -- 3.3.3.3 3.3.3.3 DSCP match 0x06state NEW,ESTABLISHED ctdir REPLY +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 +#iptables -L FORWARD -n --line-number | grep libvirt +1 libvirt-in all -- 0.0.0.0/0 0.0.0.0/0 +2 libvirt-out all -- 0.0.0.0/0 0.0.0.0/0 +3 libvirt-in-post all -- 0.0.0.0/0 0.0.0.0/0 + Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/iter-test2.xml =================================================================== --- /dev/null +++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/iter-test2.xml @@ -0,0 +1,23 @@ +<filter name='tck-testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out'> + <tcp srcipaddr='$A' srcportstart='$B[@0]' dscp='1'/> + </rule> + <rule action='accept' direction='out'> + <udp srcipaddr='$A[@1]' srcportstart='$B[@2]' dscp='2'/> + </rule> + <rule action='accept' direction='out'> + <sctp srcipaddr='$A[@1]' srcportstart='$B[@2]' dstportstart='$C[@2]' + dscp='3'/> + </rule> + <rule action='accept' direction='out'> + <tcp srcipaddr='$A[@1]' srcportstart='$B[@2]' dstportstart='$C[@3]' + dscp='4'/> + </rule> + <rule action='accept' direction='out'> + <udp srcipaddr='$A[@1]' dstipaddr='$A[@2]' dscp='5'/> + </rule> + <rule action='accept' direction='out'> + <sctp srcipaddr='$A' dstipaddr='$A' dscp='6'/> + </rule> +</filter>

12 years, 10 months

1
0
0 / 0

[libvirt] [PATCH 1/3][TCK] nwfilter: test access to 2 lists in one rule

by Stefan Berger

Test access to 2 lists in one rule --- scripts/nwfilter/nwfilter2vmtest.sh | 6 +++ scripts/nwfilter/nwfilterxml2fwallout/iter-test1.fwall | 31 +++++++++++++++++ scripts/nwfilter/nwfilterxml2xmlin/iter-test1.xml | 6 +++ 3 files changed, 43 insertions(+) Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilter2vmtest.sh +++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh @@ -345,6 +345,12 @@ createVM() { <source bridge='virbr0'/> <filterref filter='${filtername}'> <parameter name='IP' value='${ipaddr}'/> + <parameter name='A' value='1.1.1.1'/> + <parameter name='A' value='2.2.2.2'/> + <parameter name='A' value='3.3.3.3'/> + <parameter name='B' value='80'/> + <parameter name='B' value='90'/> + <parameter name='B' value='80'/> </filterref> <target dev='${vmname}'/> </interface> Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/iter-test1.fwall =================================================================== --- /dev/null +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/iter-test1.fwall @@ -0,0 +1,31 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x02tcp spt:80 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x02tcp spt:90 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x02tcp spt:80 state NEW,ESTABLISHED ctdir REPLY +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT tcp -- 0.0.0.0/0 1.1.1.1 DSCP match 0x02tcp dpt:80 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 2.2.2.2 DSCP match 0x02tcp dpt:90 state ESTABLISHED ctdir ORIGINAL +ACCEPT tcp -- 0.0.0.0/0 3.3.3.3 DSCP match 0x02tcp dpt:80 state ESTABLISHED ctdir ORIGINAL +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +RETURN tcp -- 1.1.1.1 0.0.0.0/0 DSCP match 0x02tcp spt:80 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 2.2.2.2 0.0.0.0/0 DSCP match 0x02tcp spt:90 state NEW,ESTABLISHED ctdir REPLY +RETURN tcp -- 3.3.3.3 0.0.0.0/0 DSCP match 0x02tcp spt:80 state NEW,ESTABLISHED ctdir REPLY +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 +#iptables -L FORWARD -n --line-number | grep libvirt +1 libvirt-in all -- 0.0.0.0/0 0.0.0.0/0 +2 libvirt-out all -- 0.0.0.0/0 0.0.0.0/0 +3 libvirt-in-post all -- 0.0.0.0/0 0.0.0.0/0 + Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/iter-test1.xml =================================================================== --- /dev/null +++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/iter-test1.xml @@ -0,0 +1,6 @@ +<filter name='tck-testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out'> + <tcp srcipaddr='$A' srcportstart='$B' dscp='2'/> + </rule> +</filter>

12 years, 10 months

1
0
0 / 0

[libvirt] [PATCH v2 0/6] nwfilter: Enable access to variables via iterator or index

by Stefan Berger

This patch enables access to variables in filters using indep. iterators ($TEST[$@2]) or via index ($TEST[1]). Three test cases are added that are also being used for libvirt-TCK to check that the instantiation of the filtering rules is correct. v1 -> v2: - addressed Eric Blake's comments Regards, Stefan

12 years, 10 months

2
9
0 / 0

[libvirt] [PATCH] virsh: improve doMigrate function docs

by ajia＠redhat.com

From: Alex Jia <ajia(a)redhat.com> When running virsh migrate with --xml option and actual xml file doesn't exist, virsh hasn't output any error information, although return value is 1. * tools/virsh.c: Raising a appropriate error information when operation fails. * How to reproduce? % virsh migrate <domain> --live qemu+ssh://<target host>/system --xml non-existent.xml % echo $? * Fixed result: error: file 'non-existent.xml' doesn't exist Signed-off-by: Alex Jia <ajia(a)redhat.com> --- tools/virsh.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/virsh.c b/tools/virsh.c index e4b812e..020e7b5 100644 --- a/tools/virsh.c +++ b/tools/virsh.c @@ -6338,9 +6338,10 @@ doMigrate (void *opaque) flags |= VIR_MIGRATE_CHANGE_PROTECTION; if (xmlfile && - virFileReadAll(xmlfile, 8192, &xml) < 0) + virFileReadAll(xmlfile, 8192, &xml) < 0) { + vshError(ctl, _("file '%s' doesn't exist"), xmlfile); goto out; - + } if ((flags & VIR_MIGRATE_PEER2PEER) || vshCommandOptBool (cmd, "direct")) { -- 1.7.1

12 years, 10 months

2
1
0 / 0

[libvirt] [PATCH] Change security driver APIs to use virDomainDefPtr instead of virDomainObjPtr

by Daniel P. Berrange

From: "Daniel P. Berrange" <berrange(a)redhat.com> When sVirt is integrated with the LXC driver, it will be neccessary to invoke the security driver APIs using only a virDomainDefPtr since the lxc_container.c code has no virDomainObjPtr available. Aside from two functions which want obj->pid, every bit of the security driver code only touches obj->def. So we don't need to pass a virDomainObjPtr into the security drivers, a virDomainDefPtr is sufficient. Two functions also gain a 'pid_t pid' argument. * src/qemu/qemu_driver.c, src/qemu/qemu_hotplug.c, src/qemu/qemu_migration.c, src/qemu/qemu_process.c, src/security/security_apparmor.c, src/security/security_dac.c, src/security/security_driver.h, src/security/security_manager.c, src/security/security_manager.h, src/security/security_nop.c, src/security/security_selinux.c, src/security/security_stack.c: Change all security APIs to use a virDomainDefPtr instead of virDomainObjPtr --- src/qemu/qemu_driver.c | 10 +- src/qemu/qemu_hotplug.c | 28 ++-- src/qemu/qemu_migration.c | 12 +- src/qemu/qemu_process.c | 24 ++-- src/security/security_apparmor.c | 136 ++++++++++---------- src/security/security_dac.c | 91 +++++++------- src/security/security_driver.h | 36 +++--- src/security/security_manager.c | 40 +++--- src/security/security_manager.h | 36 +++--- src/security/security_nop.c | 36 +++--- src/security/security_selinux.c | 260 +++++++++++++++++++------------------- src/security/security_stack.c | 44 ++++--- 12 files changed, 381 insertions(+), 372 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 6cfdd1d..6e001ce 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -3096,7 +3096,7 @@ qemuDomainScreenshot(virDomainPtr dom, } unlink_tmp = true; - virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp); + virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp); qemuDomainObjEnterMonitor(driver, vm); if (qemuMonitorScreendump(priv->mon, tmp) < 0) { @@ -3868,7 +3868,7 @@ static int qemudDomainGetSecurityLabel(virDomainPtr dom, virSecurityLabelPtr sec */ if (virDomainObjIsActive(vm)) { if (virSecurityManagerGetProcessLabel(driver->securityManager, - vm, seclabel) < 0) { + vm->def, vm->pid, seclabel) < 0) { qemuReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Failed to get security label")); goto cleanup; @@ -4167,7 +4167,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, out: virCommandFree(cmd); if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager, - vm, path) < 0) + vm->def, path) < 0) VIR_WARN("failed to restore save state label on %s", path); return ret; @@ -7584,7 +7584,7 @@ qemudDomainMemoryPeek (virDomainPtr dom, goto endjob; } - virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp); + virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp); priv = vm->privateData; qemuDomainObjEnterMonitor(driver, vm); @@ -9064,7 +9064,7 @@ qemuDomainSnapshotCreateSingleDiskActive(struct qemud_driver *driver, if (virDomainLockDiskAttach(driver->lockManager, vm, disk) < 0) goto cleanup; - if (virSecurityManagerSetImageLabel(driver->securityManager, vm, + if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", source); diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 96c0070..684fede 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -88,7 +88,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver, return -1; if (virSecurityManagerSetImageLabel(driver->securityManager, - vm, disk) < 0) { + vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", disk->src); return -1; @@ -120,7 +120,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver, goto error; if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, origdisk) < 0) + vm->def, origdisk) < 0) VIR_WARN("Unable to restore security label on ejected image %s", origdisk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, origdisk) < 0) @@ -141,7 +141,7 @@ error: VIR_FREE(driveAlias); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, disk) < 0) + vm->def, disk) < 0) VIR_WARN("Unable to restore security label on new media %s", disk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) @@ -209,7 +209,7 @@ int qemuDomainAttachPciDiskDevice(virConnectPtr conn, return -1; if (virSecurityManagerSetImageLabel(driver->securityManager, - vm, disk) < 0) { + vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", disk->src); return -1; @@ -283,7 +283,7 @@ error: VIR_WARN("Unable to release PCI address on %s", disk->src); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, disk) < 0) + vm->def, disk) < 0) VIR_WARN("Unable to restore security label on %s", disk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) @@ -439,7 +439,7 @@ int qemuDomainAttachSCSIDisk(virConnectPtr conn, return -1; if (virSecurityManagerSetImageLabel(driver->securityManager, - vm, disk) < 0) { + vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", disk->src); return -1; @@ -530,7 +530,7 @@ error: VIR_FREE(drivestr); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, disk) < 0) + vm->def, disk) < 0) VIR_WARN("Unable to restore security label on %s", disk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) @@ -562,7 +562,7 @@ int qemuDomainAttachUsbMassstorageDevice(virConnectPtr conn, return -1; if (virSecurityManagerSetImageLabel(driver->securityManager, - vm, disk) < 0) { + vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", disk->src); return -1; @@ -623,7 +623,7 @@ error: VIR_FREE(drivestr); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, disk) < 0) + vm->def, disk) < 0) VIR_WARN("Unable to restore security label on %s", disk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) @@ -1112,7 +1112,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver, if (virSecurityManagerSetHostdevLabel(driver->securityManager, - vm, hostdev) < 0) + vm->def, hostdev) < 0) return -1; switch (hostdev->source.subsys.type) { @@ -1139,7 +1139,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver, error: if (virSecurityManagerRestoreHostdevLabel(driver->securityManager, - vm, hostdev) < 0) + vm->def, hostdev) < 0) VIR_WARN("Unable to restore host device labelling on hotplug fail"); return -1; @@ -1572,7 +1572,7 @@ int qemuDomainDetachPciDiskDevice(struct qemud_driver *driver, virDomainDiskDefFree(detach); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, dev->data.disk) < 0) + vm->def, dev->data.disk) < 0) VIR_WARN("Unable to restore security label on %s", dev->data.disk->src); if (cgroup != NULL) { @@ -1654,7 +1654,7 @@ int qemuDomainDetachDiskDevice(struct qemud_driver *driver, virDomainDiskDefFree(detach); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, dev->data.disk) < 0) + vm->def, dev->data.disk) < 0) VIR_WARN("Unable to restore security label on %s", dev->data.disk->src); if (cgroup != NULL) { @@ -2162,7 +2162,7 @@ int qemuDomainDetachHostDevice(struct qemud_driver *driver, } if (virSecurityManagerRestoreHostdevLabel(driver->securityManager, - vm, dev->data.hostdev) < 0) + vm->def, dev->data.hostdev) < 0) VIR_WARN("Failed to restore host device labelling"); return ret; diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 8ae989a..b3ef894 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -1749,13 +1749,13 @@ static int doNativeMigrate(struct qemud_driver *driver, virReportOOMError(); goto cleanup; } - if (virSecurityManagerSetSocketLabel(driver->securityManager, vm) < 0) + if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0) goto cleanup; if (virNetSocketNewConnectTCP(uribits->server, tmp, &sock) == 0) { spec.dest.fd.qemu = virNetSocketDupFD(sock, true); virNetSocketFree(sock); } - if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0 || + if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0 || spec.dest.fd.qemu == -1) goto cleanup; } else { @@ -1822,7 +1822,7 @@ static int doTunnelMigrate(struct qemud_driver *driver, spec.dest.fd.local = fds[0]; } if (spec.dest.fd.qemu == -1 || - virSecurityManagerSetImageFDLabel(driver->securityManager, vm, + virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, spec.dest.fd.qemu) < 0) { virReportSystemError(errno, "%s", _("cannot create pipe for tunnelled migration")); @@ -2842,7 +2842,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm, * doesn't have to open() the file, so while we still have to * grant SELinux access, we can do it on fd and avoid cleanup * later, as well as skip futzing with cgroup. */ - if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm, + if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, compressor ? pipeFD[1] : fd) < 0) goto cleanup; bypassSecurityDriver = true; @@ -2876,7 +2876,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm, } if ((!bypassSecurityDriver) && virSecurityManagerSetSavedStateLabel(driver->securityManager, - vm, path) < 0) + vm->def, path) < 0) goto cleanup; restoreLabel = true; } @@ -2951,7 +2951,7 @@ cleanup: virCommandFree(cmd); if (restoreLabel && (!bypassSecurityDriver) && virSecurityManagerRestoreSavedStateLabel(driver->securityManager, - vm, path) < 0) + vm->def, path) < 0) VIR_WARN("failed to restore save state label on %s", path); if (cgroup != NULL) { diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 2563f97..58ce333 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -839,7 +839,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm) qemuMonitorPtr mon = NULL; if (virSecurityManagerSetDaemonSocketLabel(driver->securityManager, - vm) < 0) { + vm->def) < 0) { VIR_ERROR(_("Failed to set security context for monitor for %s"), vm->def->name); goto error; @@ -872,7 +872,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm) } priv->mon = mon; - if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0) { + if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) { VIR_ERROR(_("Failed to clear security context for monitor for %s"), vm->def->name); goto error; @@ -2163,7 +2163,7 @@ static int qemuProcessHook(void *data) * sockets the lock driver opens that we don't want * labelled. So far we're ok though. */ - if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm) < 0) + if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm->def) < 0) goto cleanup; if (virDomainLockProcessStart(h->driver->lockManager, h->vm, @@ -2171,7 +2171,7 @@ static int qemuProcessHook(void *data) true, &fd) < 0) goto cleanup; - if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm) < 0) + if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm->def) < 0) goto cleanup; if (qemuProcessLimits(h->driver) < 0) @@ -2194,7 +2194,7 @@ static int qemuProcessHook(void *data) return -1; VIR_DEBUG("Setting up security labelling"); - if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm) < 0) + if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm->def) < 0) goto cleanup; ret = 0; @@ -2656,7 +2656,7 @@ qemuProcessReconnect(void *opaque) goto error; } - if (virSecurityManagerReserveLabel(driver->securityManager, obj) < 0) + if (virSecurityManagerReserveLabel(driver->securityManager, obj->def, obj->pid) < 0) goto error; if (qemuProcessNotifyNets(obj->def) < 0) @@ -2894,7 +2894,7 @@ int qemuProcessStart(virConnectPtr conn, /* If you are using a SecurityDriver with dynamic labelling, then generate a security label for isolation */ VIR_DEBUG("Generating domain security label (if required)"); - if (virSecurityManagerGenLabel(driver->securityManager, vm) < 0) { + if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) { virDomainAuditSecurityLabel(vm, false); goto cleanup; } @@ -3128,7 +3128,7 @@ int qemuProcessStart(virConnectPtr conn, VIR_DEBUG("Setting domain security labels"); if (virSecurityManagerSetAllLabel(driver->securityManager, - vm, stdin_path) < 0) + vm->def, stdin_path) < 0) goto cleanup; if (stdin_fd != -1) { @@ -3145,7 +3145,7 @@ int qemuProcessStart(virConnectPtr conn, goto cleanup; } if (S_ISFIFO(stdin_sb.st_mode) && - virSecurityManagerSetImageFDLabel(driver->securityManager, vm, stdin_fd) < 0) + virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, stdin_fd) < 0) goto cleanup; } @@ -3398,8 +3398,8 @@ void qemuProcessStop(struct qemud_driver *driver, /* Reset Security Labels */ virSecurityManagerRestoreAllLabel(driver->securityManager, - vm, migrated); - virSecurityManagerReleaseLabel(driver->securityManager, vm); + vm->def, migrated); + virSecurityManagerReleaseLabel(driver->securityManager, vm->def); /* Clear out dynamically assigned labels */ if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) { @@ -3548,7 +3548,7 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED, if (VIR_ALLOC(seclabel) < 0) goto no_memory; if (virSecurityManagerGetProcessLabel(driver->securityManager, - vm, seclabel) < 0) + vm->def, vm->pid, seclabel) < 0) goto cleanup; if (!(vm->def->seclabel.model = strdup(driver->caps->host.secModel.model))) goto no_memory; diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 299dcc6..4848d85 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -47,7 +47,7 @@ /* Data structure to pass to *FileIterate so we have everything we need */ struct SDPDOP { virSecurityManagerPtr mgr; - virDomainObjPtr vm; + virDomainDefPtr def; }; /* @@ -159,7 +159,7 @@ profile_status_file(const char *str) static int load_profile(virSecurityManagerPtr mgr, const char *profile, - virDomainObjPtr vm, + virDomainDefPtr def, const char *fn, bool append) { @@ -170,7 +170,7 @@ load_profile(virSecurityManagerPtr mgr, const char *probe = virSecurityManagerGetAllowDiskFormatProbing(mgr) ? "1" : "0"; - xml = virDomainDefFormat(vm->def, VIR_DOMAIN_XML_SECURE); + xml = virDomainDefFormat(def, VIR_DOMAIN_XML_SECURE); if (!xml) goto clean; @@ -212,12 +212,12 @@ remove_profile(const char *profile) } static char * -get_profile_name(virDomainObjPtr vm) +get_profile_name(virDomainDefPtr def) { char uuidstr[VIR_UUID_STRING_BUFLEN]; char *name = NULL; - virUUIDFormat(vm->def->uuid, uuidstr); + virUUIDFormat(def->uuid, uuidstr); if (virAsprintf(&name, "%s%s", AA_PREFIX, uuidstr) < 0) { virReportOOMError(); return NULL; @@ -257,23 +257,23 @@ cleanup: */ static int reload_profile(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *fn, bool append) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int rc = -1; char *profile_name = NULL; if (secdef->norelabel) return 0; - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; /* Update the profile only if it is loaded */ if (profile_loaded(secdef->imagelabel) >= 0) { - if (load_profile(mgr, secdef->imagelabel, vm, fn, append) < 0) { + if (load_profile(mgr, secdef->imagelabel, def, fn, append) < 0) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " "\'%s\'"), @@ -294,10 +294,10 @@ AppArmorSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, const char *file, void *opaque) { struct SDPDOP *ptr = opaque; - virDomainObjPtr vm = ptr->vm; + virDomainDefPtr def = ptr->def; - if (reload_profile(ptr->mgr, vm, file, true) < 0) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + if (reload_profile(ptr->mgr, def, file, true) < 0) { + const virSecurityLabelDefPtr secdef = &def->seclabel; virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " "\'%s\'"), @@ -312,10 +312,10 @@ AppArmorSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED, const char *file, void *opaque) { struct SDPDOP *ptr = opaque; - virDomainObjPtr vm = ptr->vm; + virDomainDefPtr def = ptr->def; - if (reload_profile(ptr->mgr, vm, file, true) < 0) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + if (reload_profile(ptr->mgr, def, file, true) < 0) { + const virSecurityLabelDefPtr secdef = &def->seclabel; virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " "\'%s\'"), @@ -390,56 +390,56 @@ AppArmorSecurityManagerGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED) */ static int AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def) { int rc = -1; char *profile_name = NULL; - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) return 0; - if (vm->def->seclabel.baselabel) { + if (def->seclabel.baselabel) { virSecurityReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("Cannot set a base label with AppArmour")); return rc; } - if ((vm->def->seclabel.label) || - (vm->def->seclabel.model) || (vm->def->seclabel.imagelabel)) { + if ((def->seclabel.label) || + (def->seclabel.model) || (def->seclabel.imagelabel)) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security label already defined for VM")); return rc; } - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; - vm->def->seclabel.label = strndup(profile_name, strlen(profile_name)); - if (!vm->def->seclabel.label) { + def->seclabel.label = strndup(profile_name, strlen(profile_name)); + if (!def->seclabel.label) { virReportOOMError(); goto clean; } /* set imagelabel the same as label (but we won't use it) */ - vm->def->seclabel.imagelabel = strndup(profile_name, + def->seclabel.imagelabel = strndup(profile_name, strlen(profile_name)); - if (!vm->def->seclabel.imagelabel) { + if (!def->seclabel.imagelabel) { virReportOOMError(); goto err; } - vm->def->seclabel.model = strdup(SECURITY_APPARMOR_NAME); - if (!vm->def->seclabel.model) { + def->seclabel.model = strdup(SECURITY_APPARMOR_NAME); + if (!def->seclabel.model) { virReportOOMError(); goto err; } /* Now that we have a label, load the profile into the kernel. */ - if (load_profile(mgr, vm->def->seclabel.label, vm, NULL, false) < 0) { + if (load_profile(mgr, def->seclabel.label, def, NULL, false) < 0) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot load AppArmor profile " - "\'%s\'"), vm->def->seclabel.label); + "\'%s\'"), def->seclabel.label); goto err; } @@ -447,9 +447,9 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, goto clean; err: - VIR_FREE(vm->def->seclabel.label); - VIR_FREE(vm->def->seclabel.imagelabel); - VIR_FREE(vm->def->seclabel.model); + VIR_FREE(def->seclabel.label); + VIR_FREE(def->seclabel.imagelabel); + VIR_FREE(def->seclabel.model); clean: VIR_FREE(profile_name); @@ -459,15 +459,15 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, const char *stdin_path) + virDomainDefPtr def, const char *stdin_path) { - if (vm->def->seclabel.norelabel) + if (def->seclabel.norelabel) return 0; /* Reload the profile if stdin_path is specified. Note that GenSecurityLabel() will have already been run. */ if (stdin_path) - return reload_profile(mgr, vm, stdin_path, true); + return reload_profile(mgr, def, stdin_path, true); return 0; } @@ -477,13 +477,14 @@ AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr, */ static int AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, + pid_t pid, virSecurityLabelPtr sec) { int rc = -1; char *profile_name = NULL; - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; if (virStrcpy(sec->label, profile_name, @@ -511,9 +512,9 @@ AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, */ static int AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; VIR_FREE(secdef->model); VIR_FREE(secdef->label); @@ -525,10 +526,10 @@ AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated ATTRIBUTE_UNUSED) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int rc = 0; if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) { @@ -545,13 +546,13 @@ AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, * LOCALSTATEDIR/log/libvirt/qemu/<vm name>.log */ static int -AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) +AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainDefPtr def) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int rc = -1; char *profile_name = NULL; - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; if (STRNEQ(virSecurityManagerGetModel(mgr), secdef->model)) { @@ -579,21 +580,21 @@ AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) static int AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } static int AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } static int AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } @@ -602,18 +603,18 @@ AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, /* Called when hotplugging */ static int AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) { - return reload_profile(mgr, vm, NULL, false); + return reload_profile(mgr, def, NULL, false); } /* Called when hotplugging */ static int AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, virDomainDiskDefPtr disk) + virDomainDefPtr def, virDomainDiskDefPtr disk) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int rc = -1; char *profile_name; @@ -631,12 +632,12 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, return rc; } - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; /* update the profile only if it is loaded */ if (profile_loaded(secdef->imagelabel) >= 0) { - if (load_profile(mgr, secdef->imagelabel, vm, disk->src, + if (load_profile(mgr, secdef->imagelabel, def, disk->src, false) < 0) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " @@ -673,7 +674,8 @@ AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED) { /* NOOP. Nothing to reserve with AppArmor */ return 0; @@ -681,11 +683,11 @@ AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; struct SDPDOP *ptr; int ret = -1; @@ -701,7 +703,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr, if (VIR_ALLOC(ptr) < 0) return -1; ptr->mgr = mgr; - ptr->vm = vm; + ptr->def = def; switch (dev->source.subsys.type) { case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: { @@ -743,44 +745,44 @@ done: static int AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->norelabel) return 0; - return reload_profile(mgr, vm, NULL, false); + return reload_profile(mgr, def, NULL, false); } static int AppArmorSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile) { - return reload_profile(mgr, vm, savefile, true); + return reload_profile(mgr, def, savefile, true); } static int AppArmorRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile ATTRIBUTE_UNUSED) { - return reload_profile(mgr, vm, NULL, false); + return reload_profile(mgr, def, NULL, false); } static int AppArmorSetImageFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int fd) { int rc = -1; char *proc = NULL; char *fd_path = NULL; - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->imagelabel == NULL) return 0; @@ -796,7 +798,7 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr, return rc; } - return reload_profile(mgr, vm, fd_path, true); + return reload_profile(mgr, def, fd_path, true); } virSecurityDriver virAppArmorSecurityDriver = { diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 0e75319..9c0017b 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -171,7 +171,7 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED, static int virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk) { @@ -190,7 +190,7 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr, static int virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk, int migrated) { @@ -235,10 +235,10 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr, static int virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk) { - return virSecurityDACRestoreSecurityImageLabelInt(mgr, vm, disk, 0); + return virSecurityDACRestoreSecurityImageLabelInt(mgr, def, disk, 0); } @@ -268,7 +268,7 @@ virSecurityDACSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, static int virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, virDomainHostdevDefPtr dev) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -338,7 +338,7 @@ virSecurityDACRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, static int virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, virDomainHostdevDefPtr dev) { @@ -489,7 +489,7 @@ virSecurityDACRestoreChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, static int virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -501,34 +501,34 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr, VIR_DEBUG("Restoring security label on %s migrated=%d", - vm->def->name, migrated); + def->name, migrated); - for (i = 0 ; i < vm->def->nhostdevs ; i++) { + for (i = 0 ; i < def->nhostdevs ; i++) { if (virSecurityDACRestoreSecurityHostdevLabel(mgr, - vm, - vm->def->hostdevs[i]) < 0) + def, + def->hostdevs[i]) < 0) rc = -1; } - for (i = 0 ; i < vm->def->ndisks ; i++) { + for (i = 0 ; i < def->ndisks ; i++) { if (virSecurityDACRestoreSecurityImageLabelInt(mgr, - vm, - vm->def->disks[i], + def, + def->disks[i], migrated) < 0) rc = -1; } - if (virDomainChrDefForeach(vm->def, + if (virDomainChrDefForeach(def, false, virSecurityDACRestoreChardevCallback, mgr) < 0) rc = -1; - if (vm->def->os.kernel && - virSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0) + if (def->os.kernel && + virSecurityDACRestoreSecurityFileLabel(def->os.kernel) < 0) rc = -1; - if (vm->def->os.initrd && - virSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0) + if (def->os.initrd && + virSecurityDACRestoreSecurityFileLabel(def->os.initrd) < 0) rc = -1; return rc; @@ -548,7 +548,7 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, static int virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *stdin_path ATTRIBUTE_UNUSED) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -557,36 +557,36 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr, if (!priv->dynamicOwnership) return 0; - for (i = 0 ; i < vm->def->ndisks ; i++) { + for (i = 0 ; i < def->ndisks ; i++) { /* XXX fixme - we need to recursively label the entire tree :-( */ - if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) + if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) continue; if (virSecurityDACSetSecurityImageLabel(mgr, - vm, - vm->def->disks[i]) < 0) + def, + def->disks[i]) < 0) return -1; } - for (i = 0 ; i < vm->def->nhostdevs ; i++) { + for (i = 0 ; i < def->nhostdevs ; i++) { if (virSecurityDACSetSecurityHostdevLabel(mgr, - vm, - vm->def->hostdevs[i]) < 0) + def, + def->hostdevs[i]) < 0) return -1; } - if (virDomainChrDefForeach(vm->def, + if (virDomainChrDefForeach(def, true, virSecurityDACSetChardevCallback, mgr) < 0) return -1; - if (vm->def->os.kernel && - virSecurityDACSetOwnership(vm->def->os.kernel, + if (def->os.kernel && + virSecurityDACSetOwnership(def->os.kernel, priv->user, priv->group) < 0) return -1; - if (vm->def->os.initrd && - virSecurityDACSetOwnership(vm->def->os.initrd, + if (def->os.initrd && + virSecurityDACSetOwnership(def->os.initrd, priv->user, priv->group) < 0) return -1; @@ -597,7 +597,7 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr, static int virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, const char *savefile) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -608,7 +608,7 @@ virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr, static int virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, const char *savefile) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -622,11 +622,11 @@ virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr, static int virSecurityDACSetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); - VIR_DEBUG("Dropping privileges of VM to %u:%u", + VIR_DEBUG("Dropping privileges of DEF to %u:%u", (unsigned int) priv->user, (unsigned int) priv->group); if (virSetUIDGID(priv->user, priv->group) < 0) @@ -645,28 +645,30 @@ virSecurityDACVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDACGenLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDACReleaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDACReserveLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED, virSecurityLabelPtr seclabel ATTRIBUTE_UNUSED) { return 0; @@ -674,7 +676,7 @@ virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } @@ -682,7 +684,7 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } @@ -690,20 +692,19 @@ virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, int fd ATTRIBUTE_UNUSED) { return 0; } - virSecurityDriver virSecurityDriverDAC = { sizeof(virSecurityDACData), "virDAC", diff --git a/src/security/security_driver.h b/src/security/security_driver.h index aea90b0..f0ace1c 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -39,50 +39,52 @@ typedef const char *(*virSecurityDriverGetModel) (virSecurityManagerPtr mgr); typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr); typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk); typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr vm); typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk); typedef int (*virSecurityDomainRestoreHostdevLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev); typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev); typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile); typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile); typedef int (*virSecurityDomainGenLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec); typedef int (*virSecurityDomainReserveLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec, + pid_t pid); typedef int (*virSecurityDomainReleaseLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec); typedef int (*virSecurityDomainSetAllLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr sec, + virDomainDefPtr sec, const char *stdin_path); typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated); typedef int (*virSecurityDomainGetProcessLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, + pid_t pid, virSecurityLabelPtr sec); typedef int (*virSecurityDomainSetProcessLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr, virDomainDefPtr def); typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int fd); struct _virSecurityDriver { diff --git a/src/security/security_manager.c b/src/security/security_manager.c index cae9b83..2e4956a 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -150,7 +150,7 @@ bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr) } int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainDiskDefPtr disk) { if (mgr->drv->domainRestoreSecurityImageLabel) @@ -161,7 +161,7 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainSetSecurityDaemonSocketLabel) return mgr->drv->domainSetSecurityDaemonSocketLabel(mgr, vm); @@ -171,7 +171,7 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainSetSecuritySocketLabel) return mgr->drv->domainSetSecuritySocketLabel(mgr, vm); @@ -181,7 +181,7 @@ int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, } int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainClearSecuritySocketLabel) return mgr->drv->domainClearSecuritySocketLabel(mgr, vm); @@ -191,7 +191,7 @@ int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainDiskDefPtr disk) { if (mgr->drv->domainSetSecurityImageLabel) @@ -202,7 +202,7 @@ int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, } int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainHostdevDefPtr dev) { if (mgr->drv->domainRestoreSecurityHostdevLabel) @@ -213,7 +213,7 @@ int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainHostdevDefPtr dev) { if (mgr->drv->domainSetSecurityHostdevLabel) @@ -224,7 +224,7 @@ int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *savefile) { if (mgr->drv->domainSetSavedStateLabel) @@ -235,7 +235,7 @@ int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr, } int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *savefile) { if (mgr->drv->domainRestoreSavedStateLabel) @@ -246,7 +246,7 @@ int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, } int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainGenSecurityLabel) return mgr->drv->domainGenSecurityLabel(mgr, vm); @@ -256,17 +256,18 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, } int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm, + pid_t pid) { if (mgr->drv->domainReserveSecurityLabel) - return mgr->drv->domainReserveSecurityLabel(mgr, vm); + return mgr->drv->domainReserveSecurityLabel(mgr, vm, pid); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; } int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainReleaseSecurityLabel) return mgr->drv->domainReleaseSecurityLabel(mgr, vm); @@ -276,7 +277,7 @@ int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *stdin_path) { if (mgr->drv->domainSetSecurityAllLabel) @@ -287,7 +288,7 @@ int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, } int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, int migrated) { if (mgr->drv->domainRestoreSecurityAllLabel) @@ -298,18 +299,19 @@ int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, } int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, + pid_t pid, virSecurityLabelPtr sec) { if (mgr->drv->domainGetSecurityProcessLabel) - return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, sec); + return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, pid, sec); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; } int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainSetSecurityProcessLabel) return mgr->drv->domainSetSecurityProcessLabel(mgr, vm); @@ -337,7 +339,7 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr, } int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, int fd) { if (mgr->drv->domainSetSecurityImageFDLabel) diff --git a/src/security/security_manager.h b/src/security/security_manager.h index 12cd498..6731d59 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -51,50 +51,52 @@ const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr); bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr); int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk); int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr vm); int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk); int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev); int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev); int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile); int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile); int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec); int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec, + pid_t pid); int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec); int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr sec, + virDomainDefPtr sec, const char *stdin_path); int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated); int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, + pid_t pid, virSecurityLabelPtr sec); int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); int virSecurityManagerVerify(virSecurityManagerPtr mgr, virDomainDefPtr def); int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int fd); #endif /* VIR_SECURITY_MANAGER_H__ */ diff --git a/src/security/security_nop.c b/src/security/security_nop.c index a68a6c0..c3bd426 100644 --- a/src/security/security_nop.c +++ b/src/security/security_nop.c @@ -47,104 +47,106 @@ static const char * virSecurityDriverGetDOINop(virSecurityManagerPtr mgr ATTRIBU } static int virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainRestoreHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, const char *savefile ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainRestoreSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, const char *savefile ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainGenLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED) + virDomainDefPtr sec ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainReserveLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED) + virDomainDefPtr sec ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainReleaseLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED) + virDomainDefPtr sec ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED, + virDomainDefPtr sec ATTRIBUTE_UNUSED, const char *stdin_path ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainRestoreAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, int migrated ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainGetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED, virSecurityLabelPtr sec ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } @@ -156,7 +158,7 @@ static int virSecurityDomainVerifyNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED } static int virSecurityDomainSetFDLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED, + virDomainDefPtr sec ATTRIBUTE_UNUSED, int fd ATTRIBUTE_UNUSED) { return 0; diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 78c0d45..8b7c0ed 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -162,7 +162,7 @@ SELinuxInitialize(void) static int SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def) { int rc = -1; char *mcs = NULL; @@ -171,40 +171,40 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, int c2 = 0; context_t ctx = NULL; - if ((vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) && - !vm->def->seclabel.baselabel && - vm->def->seclabel.model) { + if ((def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) && + !def->seclabel.baselabel && + def->seclabel.model) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security model already defined for VM")); return rc; } - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && - vm->def->seclabel.label) { + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && + def->seclabel.label) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security label already defined for VM")); return rc; } - if (vm->def->seclabel.imagelabel) { + if (def->seclabel.imagelabel) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security image label already defined for VM")); return rc; } - if (vm->def->seclabel.model && - STRNEQ(vm->def->seclabel.model, SECURITY_SELINUX_NAME)) { + if (def->seclabel.model && + STRNEQ(def->seclabel.model, SECURITY_SELINUX_NAME)) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("security label model %s is not supported with selinux"), - vm->def->seclabel.model); + def->seclabel.model); return rc; } - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) { - if (!(ctx = context_new(vm->def->seclabel.label)) ) { + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) { + if (!(ctx = context_new(def->seclabel.label)) ) { virReportSystemError(errno, _("unable to allocate socket security context '%s'"), - vm->def->seclabel.label); + def->seclabel.label); return rc; } @@ -237,25 +237,25 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, } } while (mcsAdd(mcs) == -1); - vm->def->seclabel.label = - SELinuxGenNewContext(vm->def->seclabel.baselabel ? - vm->def->seclabel.baselabel : + def->seclabel.label = + SELinuxGenNewContext(def->seclabel.baselabel ? + def->seclabel.baselabel : default_domain_context, mcs); - if (! vm->def->seclabel.label) { + if (! def->seclabel.label) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot generate selinux context for %s"), mcs); goto cleanup; } } - vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs); - if (!vm->def->seclabel.imagelabel) { + def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs); + if (!def->seclabel.imagelabel) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot generate selinux context for %s"), mcs); goto cleanup; } - if (!vm->def->seclabel.model && - !(vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) { + if (!def->seclabel.model && + !(def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) { virReportOOMError(); goto cleanup; } @@ -264,12 +264,12 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, cleanup: if (rc != 0) { - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) - VIR_FREE(vm->def->seclabel.label); - VIR_FREE(vm->def->seclabel.imagelabel); - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && - !vm->def->seclabel.baselabel) - VIR_FREE(vm->def->seclabel.model); + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) + VIR_FREE(def->seclabel.label); + VIR_FREE(def->seclabel.imagelabel); + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && + !def->seclabel.baselabel) + VIR_FREE(def->seclabel.model); } if (ctx) @@ -278,28 +278,29 @@ cleanup: VIR_FREE(mcs); VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s", - NULLSTR(vm->def->seclabel.model), - NULLSTR(vm->def->seclabel.label), - NULLSTR(vm->def->seclabel.imagelabel), - NULLSTR(vm->def->seclabel.baselabel)); + NULLSTR(def->seclabel.model), + NULLSTR(def->seclabel.label), + NULLSTR(def->seclabel.imagelabel), + NULLSTR(def->seclabel.baselabel)); return rc; } static int SELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def, + pid_t pid) { security_context_t pctx; context_t ctx = NULL; const char *mcs; - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) return 0; - if (getpidcon(vm->pid, &pctx) == -1) { + if (getpidcon(pid, &pctx) == -1) { virReportSystemError(errno, - _("unable to get PID %d security context"), vm->pid); + _("unable to get PID %d security context"), pid); return -1; } @@ -360,15 +361,16 @@ static const char *SELinuxSecurityGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNU static int SELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def ATTRIBUTE_UNUSED, + pid_t pid, virSecurityLabelPtr sec) { security_context_t ctx; - if (getpidcon(vm->pid, &ctx) == -1) { + if (getpidcon(pid, &ctx) == -1) { virReportSystemError(errno, _("unable to get PID %d security context"), - vm->pid); + pid); return -1; } @@ -543,11 +545,11 @@ err: static int SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk, int migrated) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->norelabel) return 0; @@ -588,10 +590,10 @@ SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk) { - return SELinuxRestoreSecurityImageLabelInt(mgr, vm, disk, 0); + return SELinuxRestoreSecurityImageLabelInt(mgr, def, disk, 0); } @@ -626,11 +628,11 @@ SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk, static int SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr); if (secdef->norelabel) @@ -648,8 +650,8 @@ static int SELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED, const char *file, void *opaque) { - virDomainObjPtr vm = opaque; - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + virDomainDefPtr def = opaque; + const virSecurityLabelDefPtr secdef = &def->seclabel; return SELinuxSetFilecon(file, secdef->imagelabel); } @@ -658,19 +660,19 @@ static int SELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, const char *file, void *opaque) { - virDomainObjPtr vm = opaque; - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + virDomainDefPtr def = opaque; + const virSecurityLabelDefPtr secdef = &def->seclabel; return SELinuxSetFilecon(file, secdef->imagelabel); } static int SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int ret = -1; if (secdef->norelabel) @@ -687,7 +689,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, if (!usb) goto done; - ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, vm); + ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, def); usbFreeDevice(usb); break; } @@ -701,7 +703,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, if (!pci) goto done; - ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, vm); + ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, def); pciFreeDevice(pci); break; @@ -735,11 +737,11 @@ SELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, static int SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int ret = -1; if (secdef->norelabel) @@ -788,11 +790,11 @@ done: static int -SELinuxSetSecurityChardevLabel(virDomainObjPtr vm, +SELinuxSetSecurityChardevLabel(virDomainDefPtr def, virDomainChrSourceDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; char *in = NULL, *out = NULL; int ret = -1; @@ -834,11 +836,11 @@ done: } static int -SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm, +SELinuxRestoreSecurityChardevLabel(virDomainDefPtr def, virDomainChrSourceDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; char *in = NULL, *out = NULL; int ret = -1; @@ -882,27 +884,24 @@ done: static int -SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, +SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def, virDomainChrDefPtr dev, - void *opaque) + void *opaque ATTRIBUTE_UNUSED) { - virDomainObjPtr vm = opaque; - /* This is taken care of by processing of def->serials */ if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE && dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL) return 0; - return SELinuxRestoreSecurityChardevLabel(vm, &dev->source); + return SELinuxRestoreSecurityChardevLabel(def, &dev->source); } static int -SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, +SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def, virDomainSmartcardDefPtr dev, - void *opaque) + void *opaque ATTRIBUTE_UNUSED) { - virDomainObjPtr vm = opaque; const char *database; switch (dev->type) { @@ -916,7 +915,7 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, return SELinuxRestoreSecurityFileLabel(database); case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: - return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru); + return SELinuxRestoreSecurityChardevLabel(def, &dev->data.passthru); default: virSecurityReportError(VIR_ERR_INTERNAL_ERROR, @@ -931,50 +930,50 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, static int SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated ATTRIBUTE_UNUSED) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int i; int rc = 0; - VIR_DEBUG("Restoring security label on %s", vm->def->name); + VIR_DEBUG("Restoring security label on %s", def->name); if (secdef->norelabel) return 0; - for (i = 0 ; i < vm->def->nhostdevs ; i++) { + for (i = 0 ; i < def->nhostdevs ; i++) { if (SELinuxRestoreSecurityHostdevLabel(mgr, - vm, - vm->def->hostdevs[i]) < 0) + def, + def->hostdevs[i]) < 0) rc = -1; } - for (i = 0 ; i < vm->def->ndisks ; i++) { + for (i = 0 ; i < def->ndisks ; i++) { if (SELinuxRestoreSecurityImageLabelInt(mgr, - vm, - vm->def->disks[i], + def, + def->disks[i], migrated) < 0) rc = -1; } - if (virDomainChrDefForeach(vm->def, + if (virDomainChrDefForeach(def, false, SELinuxRestoreSecurityChardevCallback, - vm) < 0) + NULL) < 0) rc = -1; - if (virDomainSmartcardDefForeach(vm->def, + if (virDomainSmartcardDefForeach(def, false, SELinuxRestoreSecuritySmartcardCallback, - vm) < 0) + NULL) < 0) rc = -1; - if (vm->def->os.kernel && - SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0) + if (def->os.kernel && + SELinuxRestoreSecurityFileLabel(def->os.kernel) < 0) rc = -1; - if (vm->def->os.initrd && - SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0) + if (def->os.initrd && + SELinuxRestoreSecurityFileLabel(def->os.initrd) < 0) rc = -1; return rc; @@ -982,9 +981,9 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) { if (secdef->label != NULL) { @@ -1006,10 +1005,10 @@ SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->norelabel) return 0; @@ -1020,10 +1019,10 @@ SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->norelabel) return 0; @@ -1058,12 +1057,12 @@ SELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr def) { /* TODO: verify DOI */ - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; - if (vm->def->seclabel.label == NULL) + if (def->seclabel.label == NULL) return 0; if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { @@ -1089,16 +1088,16 @@ SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr, static int SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr def) { /* TODO: verify DOI */ - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; context_t execcon = NULL; context_t proccon = NULL; security_context_t scon = NULL; int rc = -1; - if (vm->def->seclabel.label == NULL) + if (def->seclabel.label == NULL) return 0; if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { @@ -1139,7 +1138,7 @@ SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr, } VIR_DEBUG("Setting VM %s socket context %s", - vm->def->name, context_str(proccon)); + def->name, context_str(proccon)); if (setsockcreatecon(context_str(proccon)) == -1) { virReportSystemError(errno, _("unable to set socket security context '%s'"), @@ -1160,9 +1159,9 @@ done: static int SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &vm->seclabel; int rc = -1; if (secdef->label == NULL) @@ -1178,7 +1177,7 @@ SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr, } VIR_DEBUG("Setting VM %s socket context %s", - vm->def->name, secdef->label); + vm->name, secdef->label); if (setsockcreatecon(secdef->label) == -1) { virReportSystemError(errno, _("unable to set socket security context '%s'"), @@ -1197,12 +1196,12 @@ done: static int SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr def) { /* TODO: verify DOI */ - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; - if (vm->def->seclabel.label == NULL) + if (def->seclabel.label == NULL) return 0; if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { @@ -1227,27 +1226,24 @@ SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr, static int -SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, +SELinuxSetSecurityChardevCallback(virDomainDefPtr def, virDomainChrDefPtr dev, - void *opaque) + void *opaque ATTRIBUTE_UNUSED) { - virDomainObjPtr vm = opaque; - /* This is taken care of by processing of def->serials */ if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE && dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL) return 0; - return SELinuxSetSecurityChardevLabel(vm, &dev->source); + return SELinuxSetSecurityChardevLabel(def, &dev->source); } static int -SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, +SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def, virDomainSmartcardDefPtr dev, - void *opaque) + void *opaque ATTRIBUTE_UNUSED) { - virDomainObjPtr vm = opaque; const char *database; switch (dev->type) { @@ -1261,7 +1257,7 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, return SELinuxSetFilecon(database, default_content_context); case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: - return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru); + return SELinuxSetSecurityChardevLabel(def, &dev->data.passthru); default: virSecurityReportError(VIR_ERR_INTERNAL_ERROR, @@ -1276,53 +1272,53 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, static int SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *stdin_path) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int i; if (secdef->norelabel) return 0; - for (i = 0 ; i < vm->def->ndisks ; i++) { + for (i = 0 ; i < def->ndisks ; i++) { /* XXX fixme - we need to recursively label the entire tree :-( */ - if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) { + if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) { VIR_WARN("Unable to relabel directory tree %s for disk %s", - vm->def->disks[i]->src, vm->def->disks[i]->dst); + def->disks[i]->src, def->disks[i]->dst); continue; } if (SELinuxSetSecurityImageLabel(mgr, - vm, vm->def->disks[i]) < 0) + def, def->disks[i]) < 0) return -1; } - /* XXX fixme process vm->def->fss if relabel == true */ + /* XXX fixme process def->fss if relabel == true */ - for (i = 0 ; i < vm->def->nhostdevs ; i++) { + for (i = 0 ; i < def->nhostdevs ; i++) { if (SELinuxSetSecurityHostdevLabel(mgr, - vm, - vm->def->hostdevs[i]) < 0) + def, + def->hostdevs[i]) < 0) return -1; } - if (virDomainChrDefForeach(vm->def, + if (virDomainChrDefForeach(def, true, SELinuxSetSecurityChardevCallback, - vm) < 0) + NULL) < 0) return -1; - if (virDomainSmartcardDefForeach(vm->def, + if (virDomainSmartcardDefForeach(def, true, SELinuxSetSecuritySmartcardCallback, - vm) < 0) + NULL) < 0) return -1; - if (vm->def->os.kernel && - SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0) + if (def->os.kernel && + SELinuxSetFilecon(def->os.kernel, default_content_context) < 0) return -1; - if (vm->def->os.initrd && - SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0) + if (def->os.initrd && + SELinuxSetFilecon(def->os.initrd, default_content_context) < 0) return -1; if (stdin_path) { @@ -1337,10 +1333,10 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr, static int SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, int fd) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->imagelabel == NULL) return 0; diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 3f601c1..c82865f 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -106,7 +106,7 @@ virSecurityStackVerify(virSecurityManagerPtr mgr, static int virSecurityStackGenLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -131,7 +131,7 @@ virSecurityStackGenLabel(virSecurityManagerPtr mgr, static int virSecurityStackReleaseLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -150,16 +150,17 @@ virSecurityStackReleaseLabel(virSecurityManagerPtr mgr, static int virSecurityStackReserveLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm, + pid_t pid) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; - if (virSecurityManagerReserveLabel(priv->primary, vm) < 0) + if (virSecurityManagerReserveLabel(priv->primary, vm, pid) < 0) rc = -1; #if 0 /* XXX See note in GenLabel */ - if (virSecurityManagerReserveLabel(priv->secondary, vm) < 0) + if (virSecurityManagerReserveLabel(priv->secondary, vm, pid) < 0) rc = -1; #endif @@ -169,7 +170,7 @@ virSecurityStackReserveLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainDiskDefPtr disk) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -186,7 +187,7 @@ virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr, static int virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainDiskDefPtr disk) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -203,7 +204,7 @@ virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainHostdevDefPtr dev) { @@ -221,7 +222,7 @@ virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr, static int virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainHostdevDefPtr dev) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -238,7 +239,7 @@ virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *stdin_path) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -255,7 +256,7 @@ virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr, static int virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, int migrated) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -272,7 +273,7 @@ virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *savefile) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -289,7 +290,7 @@ virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr, static int virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *savefile) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -306,7 +307,7 @@ virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -321,17 +322,18 @@ virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr, static int virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, + pid_t pid, virSecurityLabelPtr seclabel) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; #if 0 - if (virSecurityManagerGetProcessLabel(priv->secondary, vm, seclabel) < 0) + if (virSecurityManagerGetProcessLabel(priv->secondary, vm, pid, seclabel) < 0) rc = -1; #endif - if (virSecurityManagerGetProcessLabel(priv->primary, vm, seclabel) < 0) + if (virSecurityManagerGetProcessLabel(priv->primary, vm, pid, seclabel) < 0) rc = -1; return rc; @@ -340,7 +342,7 @@ virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -356,7 +358,7 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -372,7 +374,7 @@ virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr, static int virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -387,7 +389,7 @@ virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, int fd) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); -- 1.7.6.4

12 years, 10 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Devel January 2012