On Mon, Jun 11, 2012 at 04:18:21PM +0100, Daniel P. Berrange wrote:
On Mon, May 21, 2012 at 10:39:22AM -0300, Marcelo Cerri wrote:
>
> Hi,
>
> This set of patches updates the libvirt's security driver mechanism to support
> per-guest configurable user and group for QEMU processes running together with other
> security drivers, such as SELinux and AppArmor.
>
> These patches implement the changes discussed in the following thread:
>
> https://www.redhat.com/archives/libvir-list/2012-February/msg00990.html

In general this patch series needs to be re-arranged so that it will
successfully compile & pass 'make check && make syntax-check' at each
patch. It needs to have a cleaner split of simple no-op code refactoring,
vs new functionality.

I think I'd probably recommend splitting it up thus:

 1. Refactor internal virDomainDefPtr/virCapsPtr data structures to
    allow multiple seclabels, but only use first label. Also update all
    code to compile with these changes

 2. Extend RNG schema to allow multiple seclabels and extend domain_conf.c
    XML parser / formatter to cope with multiple seclabels.

 3. Add new API & remote protocol for getting list of security labels for
    the domain

 4. Extend the DAC security driver to pull configurable uid/gid out of the
    sec label in virDomainDefPtr

 5. Extend the QEMU driver to configure multiple security drivers

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|