On Thu, Sep 05, 2013 at 01:49:43PM +0200, Giuseppe Scrivano wrote:
virSecurityManagerGetBaseLabel queries the default settings used by
a security model.
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/security/security_apparmor.c | 7 +++++++
src/security/security_dac.c | 26 +++++++++++++++++++++++++-
src/security/security_driver.h | 3 +++
src/security/security_manager.c | 15 +++++++++++++++
src/security/security_manager.h | 2 ++
src/security/security_nop.c | 9 +++++++++
src/security/security_selinux.c | 9 +++++++++
src/security/security_stack.c | 8 ++++++++
9 files changed, 79 insertions(+), 1 deletion(-)
+static const char *
+AppArmorGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
+{
+ return "";
+}
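Review bot: `return "";` in AppArmorGetBaseLabel leaves a caller unable to distinguish "this model has no base label" from a genuinely empty label, and it disagrees with the DAC driver in the same series, whose failure path returns NULL. Returning NULL for "no base label" keeps a single sentinel across drivers; the callback comment in security_driver.h should then state that NULL is the documented "no base label" value.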
I wonder if we should just return NULL here. I don't think we need
to be able to report errors other than "no base label", so I think
using NULL for that is sufficient.
@@ -1170,6 +1173,25 @@
virSecurityDACGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return NULL;
}
+static const char *
+virSecurityDACGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
+{
+ uid_t user;
+ gid_t group;
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ if (priv->baselabel)
+ return priv->baselabel;
+
+ if (virGetUserID(QEMU_USER, &user) < 0 ||
+ virGetGroupID(QEMU_GROUP, &group) < 0 ||
+ virAsprintf(&priv->baselabel, "%u:%u",
+ (unsigned int) priv->user,
+ (unsigned int) priv->group) < 0)
+ return NULL;
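Review bot: the `user` and `group` locals filled in by virGetUserID(QEMU_USER, &user) and virGetGroupID(QEMU_GROUP, &group) are never used: the virAsprintf call formats priv->user and priv->group instead, so the two lookups are dead work whose only effect is an extra failure path. Either format `user`/`group`, or, better, since a generic DAC driver should not hard-code QEMU's account, drop the lookups and format the user/group already configured on the manager. The string virAsprintf stores in priv->baselabel also needs a matching VIR_FREE in the driver's close path, which this hunk does not show.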
It would be better to initialize the 'priv->baselabel' when we
first set the user/group, so that this getter does not have
side effects.
+typedef const char *(*virSecurityDriverGetBaseLabel)
(virSecurityManagerPtr mgr);
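Review bot: the new virSecurityDriverGetBaseLabel callback typedef carries no comment on ownership or on the meaning of its return value; the drivers in this series return a string literal, a pointer into the driver's private data, or NULL, so the header should state that the returned string is owned by the driver (the caller must not free it) and that NULL means the model has no base label. The signature also offers no way to select between per-virt-type labels, which the SELinux driver needs.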
We need to be able to pass in 'int virttype' here...
+static const char *
+virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr)
+{
+ virSecuritySELinuxDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ return priv->domain_context;
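Review bot: returning priv->domain_context unconditionally ignores the alternate context (priv->alt_domain_context, referred to in the reply) that the SELinux driver uses for non-KVM domains, so the base label reported for a VIR_DOMAIN_VIRT_QEMU guest would not match the label the driver actually assigns to it. Thread the domain virt type through the callback and choose between domain_context and alt_domain_context on it.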
...so that here we can do
if (virttype == VIR_DOMAIN_VIRT_QEMU)
return priv->alt_domain_context
else
return priv->domain_context
Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|