Tuesday, 1 February
2011
10:48 a.m.
* src/security/security_selinux.c
(SELinuxRestoreSecuritySmartcardCallback)
(SELinuxSetSecuritySmartcardCallback): New helper functions.
(SELinuxRestoreSecurityAllLabel, SELinuxSetSecurityAllLabel): Use
them.
---
Notes:
v3: new patch
v4: match xml changes
src/security/security_selinux.c | 76 +++++++++++++++++++++++++++++++++++++++
1 files changed, 76 insertions(+), 0 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 24609bc..587b3b5 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -809,6 +809,38 @@ SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def
ATTRIBUTE_UNUSED,
static int
+SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainSmartcardDefPtr dev,
+ void *opaque)
+{
+ virDomainObjPtr vm = opaque;
+ const char *database;
+
+ switch (dev->type) {
+ case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+ break;
+
+ case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+ database = dev->data.cert.database;
+ if (!database)
+ database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
+ return SELinuxRestoreSecurityFileLabel(database);
+
+ case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+ return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru);
+
+ default:
+ virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unknown smartcard type %d"),
+ dev->type);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm,
int migrated ATTRIBUTE_UNUSED)
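Review bot: In the `VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES` case, a device with no explicit database falls back to `VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE`, and the label on that path is restored when this one domain is torn down. That default is presumably a host-wide location that other running domains, and possibly other host software, use at the same time, so the restore could remove the label while another guest still needs it. The matching case in SELinuxSetSecuritySmartcardCallback relabels the same shared path with `default_content_context`. Consider not restoring a path the domain does not own, for example `if (!database) break;` here, in the way shared and read-only images are usually left alone. Otherwise add a comment above the case stating that the database may be shared and why relabelling it is still safe.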
@@ -842,6 +874,12 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
vm) < 0)
rc = -1;
+ if (virDomainSmartcardDefForeach(vm->def,
+ false,
+ SELinuxRestoreSecuritySmartcardCallback,
+ vm) < 0)
+ rc = -1;
+
if (vm->def->os.kernel &&
SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
rc = -1;
@@ -1074,6 +1112,38 @@ SELinuxSetSecurityChardevCallback(virDomainDefPtr def
ATTRIBUTE_UNUSED,
static int
+SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainSmartcardDefPtr dev,
+ void *opaque)
+{
+ virDomainObjPtr vm = opaque;
+ const char *database;
+
+ switch (dev->type) {
+ case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+ break;
+
+ case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+ database = dev->data.cert.database;
+ if (!database)
+ database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
+ return SELinuxSetFilecon(database, default_content_context);
+
+ case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+ return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru);
+
+ default:
+ virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unknown smartcard type %d"),
+ dev->type);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
const char *stdin_path)
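Review bot: The `VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES` case calls `SELinuxSetFilecon(database, default_content_context)` on the database path alone. If that path is a directory, as certificate databases often are, the files inside keep their previous label and a confined guest process may still be denied access to them. This needs confirming against what `database` is documented to hold. The same applies to the single `SELinuxRestoreSecurityFileLabel(database)` call in SELinuxRestoreSecuritySmartcardCallback. Either label the contents as well, or document the expectation with a comment such as `/* only the top-level path is labelled; contents must already be readable by the guest context */`.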
@@ -1108,6 +1178,12 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
vm) < 0)
return -1;
+ if (virDomainSmartcardDefForeach(vm->def,
+ true,
+ SELinuxSetSecuritySmartcardCallback,
+ vm) < 0)
+ return -1;
+
if (vm->def->os.kernel &&
SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
return -1;
--
1.7.3.5