On Thu, Sep 03, 2009 at 01:04:30PM +0100, Mark McLoughlin wrote:
Apart from DV's comments, ACK to patches 1-3
On Tue, 2009-09-01 at 16:28 +0100, Daniel P. Berrange wrote:
> * src/security.h: Driver API for relabelling host devices
> * src/security_selinux.c: Implement relabelling of PCI and USB
> devices
> * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
> ---
> src/qemu_driver.c | 12 ++-
> src/security.h | 7 ++
> src/security_selinux.c | 175 +++++++++++++++++++++++++++++++++++++++++++-----
> 3 files changed, 174 insertions(+), 20 deletions(-)
>
> diff --git a/src/qemu_driver.c b/src/qemu_driver.c
> index e9a09df..d75e28e 100644
> --- a/src/qemu_driver.c
> +++ b/src/qemu_driver.c
> @@ -5498,6 +5498,9 @@ static int qemudDomainAttachHostDevice(virConnectPtr conn,
>
> if (qemuDomainSetDeviceOwnership(conn, driver, dev, 0) < 0)
> return -1;
> + if (driver->securityDriver &&
> + driver->securityDriver->domainSetSecurityHostdevLabel(conn, vm,
dev->data.hostdev) < 0)
> + return -1;
>
> switch (hostdev->source.subsys.type) {
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI:
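Review bot: the new `+ if (driver->securityDriver &&` check only tests that a security driver is present, then dereferences `driver->securityDriver->domainSetSecurityHostdevLabel` unconditionally; since this hook is introduced in `src/security.h` by this same patch, any security driver that does not yet fill it in would crash here, so either also test the function pointer for NULL or make sure every driver implements it. The label is also applied before the `switch (hostdev->source.subsys.type)` that can still fail, so a failed hotplug leaves the device node relabelled; consider restoring the original context on that error path.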
> @@ -5566,9 +5569,6 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
> }
> }
>
> - if (driver->securityDriver)
> - driver->securityDriver->domainSetSecurityImageLabel(dom->conn,
vm, dev->data.disk);
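Review bot: the removed `domainSetSecurityImageLabel` call in `qemudDomainAttachDevice` is not mentioned in the commit message, which only describes hostdev relabelling; either note the duplicate-call cleanup there or carry it in its own patch so the change is easy to audit.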
What's this about?
The very same call is issued a few lines later :-)
> diff --git a/src/security_selinux.c b/src/security_selinux.c
> index 3b2e88f..5b7b038 100644
> --- a/src/security_selinux.c
> +++ b/src/security_selinux.c
...
> @@ -414,6 +427,126 @@ SELinuxSetSecurityImageLabel(virConnectPtr conn,
> return 0;
> }
>
> +
> +static int
> +SELinuxSetSecurityPCILabel(virConnectPtr conn,
> + pciDevice *dev ATTRIBUTE_UNUSED,
> + const char *file, void *opaque)
> +{
> + virDomainObjPtr vm = opaque;
> + const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
> +
> + return SELinuxSetFilecon(conn, file, secdef->imagelabel);
> +}
> +
> +static int
> +SELinuxSetSecurityHostdevLabel(virConnectPtr conn,
> + virDomainObjPtr vm,
> + virDomainHostdevDefPtr dev)
> +
> +{
> + int ret = -1;
> +
> + if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
> + return 0;
> +
> + switch (dev->source.subsys.type) {
> + case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB:
> + break;
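Review bot: `SELinuxSetSecurityHostdevLabel` has a stray blank line between the parameter list and the opening `{`, which does not match `SELinuxSetSecurityPCILabel` directly above; drop it. As quoted, `int ret = -1;` is declared but never assigned or returned, and `case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB:` only does `break;`, so the USB path never reaches `SELinuxSetFilecon`; the missing body needs to land in this patch or the commit message should state that USB relabelling follows separately.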
Either you're missing some code here, or I'm missing some
understanding :-)
Bizarrely the code secretly moved itself into the next patch while I
wasn't looking :-)
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|