Re: [libvirt] [PATCH 2/2] security: Driver 'none' cannot create confined guests
On Tue, Feb 07, 2012 at 13:39:17 -0700, Eric Blake wrote:
On 02/07/2012 01:10 PM, Jiri Denemark wrote:
> In case the caller specifies that confined guests are required but the
> security driver turns out to be 'none', we should return an error since
> this driver clearly cannot meet that requirement. As a result of this
> error, libvirtd fails to start when the host admin explicitly sets
> confined guests are required but there is no security driver available.
>
> Since security driver 'none' cannot create confined guests, we override
> default confined setting so that hypervisor drivers do not thing they
s/thing/think/
Oops, I mistakenly pushed this without fixing the typo.
> should create confined guests.
> ---
> src/security/security_manager.c | 20 ++++++++++++++++++++
> tests/seclabeltest.c | 2 +-
> 2 files changed, 21 insertions(+), 1 deletions(-)
ACK that this fixes the issue, but I'm wondering whether we should move
the logic that rejects requireConfig out of security_manager.c and into
security_nop.c:virSecurityDriverOpenNop(). That is, the special casing
is a property of the 'none' security manager. Is it worth a v2 patch
that moves the error messages in that manner?
I went ahead and pushed this version (see my other email for reasons). We can
refactor the whole thing later if we feel like it's a good idea.
Jirka