Introduce a new element in the shmem device element; this lets users
change the shm label to a specified label.
Signed-off-by: Luyao Huang <lhuang(a)redhat.com>
---
docs/formatdomain.html.in | 7 ++++++
docs/schemas/domaincommon.rng | 3 +++
src/conf/domain_conf.c | 55 ++++++++++++++++++++++++++++++++++---------
src/conf/domain_conf.h | 5 ++++
4 files changed, 59 insertions(+), 11 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index d0c1741..e02c67c 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6098,6 +6098,13 @@ qemu-kvm -net nic,model=? /dev/null
vectors. The <code>ioeventd</code> attribute enables/disables (values
"on"/"off", respectively) ioeventfd.
</dd>
+ <dt><code>seclabel</code></dt>
+ <dd>
+ The optional <code>seclabel</code> to override the way that labelling
+ is done on the shm object path or shm server path. If this
+ element is not present, the <a href="#seclabel">security label is
inherited
+ from the per-domain setting</a>.
+ </dd>
</dl>
<h4><a name="elementsMemory">Memory
devices</a></h4>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 1120003..f58e8de 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -3323,6 +3323,9 @@
</optional>
</element>
</optional>
+ <zeroOrMore>
+ <ref name='devSeclabel'/>
+ </zeroOrMore>
<optional>
<ref name="address"/>
</optional>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 73ac537..cb3d72a 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -11261,6 +11261,8 @@ virDomainNVRAMDefParseXML(xmlNodePtr node,
static virDomainShmemDefPtr
virDomainShmemDefParseXML(xmlNodePtr node,
xmlXPathContextPtr ctxt,
+ virSecurityLabelDefPtr* vmSeclabels,
+ int nvmSeclabels,
unsigned int flags)
{
char *tmp = NULL;
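Review bot: The new parameter is written `virSecurityLabelDefPtr* vmSeclabels`, with the `*` bound to the type rather than the name, which differs from the rest of this file (compare `virSecurityDeviceLabelDefPtr *seclabels` further down in the same patch); it should read `virSecurityLabelDefPtr *vmSeclabels,`. The count is taken as `int nvmSeclabels` while both call sites pass `def->nseclabels`, which is a `size_t` in the domain def; if `int` is only there to match virSecurityDeviceLabelDefParseXML's parameter that is acceptable, otherwise `size_t` avoids the implicit narrowing. The body of virDomainShmemDefParseXML continues outside this hunk.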
@@ -11332,6 +11334,10 @@ virDomainShmemDefParseXML(xmlNodePtr node,
if (virDomainDeviceInfoParseXML(node, NULL, &def->info, flags) < 0)
goto cleanup;
+ if (virSecurityDeviceLabelDefParseXML(&def->seclabels,
&def->nseclabels,
+ vmSeclabels, nvmSeclabels,
+ ctxt, flags) < 0)
+ goto cleanup;
ret = def;
def = NULL;
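Review bot: The label array that virSecurityDeviceLabelDefParseXML allocates into `def->seclabels` is never released by this patch: no hunk touches virDomainShmemDefFree and the diffstat lists no other file, so every parsed shmem device leaks its seclabels unless a free path exists outside this diff. The existing pattern to mirror is the one virDomainChrDefFree uses for the same fields: `for (i = 0; i < def->nseclabels; i++) virSecurityDeviceLabelDefFree(def->seclabels[i]);` followed by `VIR_FREE(def->seclabels);`. Separately, nothing in the four listed files consumes the parsed label — the security drivers are untouched — so the override described in the formatdomain hunk is accepted and round-tripped but not yet applied; if a follow-up is intended, the commit message should say so. virDomainShmemDefParseXML begins and ends outside this hunk.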
@@ -12457,7 +12463,11 @@ virDomainDeviceDefParse(const char *xmlStr,
goto error;
break;
case VIR_DOMAIN_DEVICE_SHMEM:
- if (!(dev->data.shmem = virDomainShmemDefParseXML(node, ctxt, flags)))
+ if (!(dev->data.shmem = virDomainShmemDefParseXML(node,
+ ctxt,
+ def->seclabels,
+ def->nseclabels,
+ flags)))
goto error;
break;
case VIR_DOMAIN_DEVICE_TPM:
@@ -16136,7 +16146,8 @@ virDomainDefParseXML(xmlDocPtr xml,
for (i = 0; i < n; i++) {
virDomainShmemDefPtr shmem;
ctxt->node = nodes[i];
- shmem = virDomainShmemDefParseXML(nodes[i], ctxt, flags);
+ shmem = virDomainShmemDefParseXML(nodes[i], ctxt, def->seclabels,
+ def->nseclabels, flags);
if (!shmem)
goto error;
@@ -20308,6 +20319,8 @@ virDomainShmemDefFormat(virBufferPtr buf,
virDomainShmemDefPtr def,
unsigned int flags)
{
+ size_t n;
+
virBufferEscapeString(buf, "<shmem name='%s'", def->name);
if (!def->size &&
@@ -20341,6 +20354,9 @@ virDomainShmemDefFormat(virBufferPtr buf,
virBufferAddLit(buf, "/>\n");
}
+ for (n = 0; n < def->nseclabels; n++)
+ virSecurityDeviceLabelDefFormat(buf, def->seclabels[n], flags);
+
if (virDomainDeviceInfoFormat(buf, &def->info, flags) < 0)
return -1;
@@ -23851,11 +23867,25 @@ virDomainObjListExport(virDomainObjListPtr domlist,
}
+static virSecurityDeviceLabelDefPtr
+virDomainGetDeviceSecurityLabelDef(virSecurityDeviceLabelDefPtr *seclabels,
+ size_t nseclabels,
+ const char *model)
+{
+ size_t i;
+
+ for (i = 0; i < nseclabels; i++) {
+ if (STREQ_NULLABLE(seclabels[i]->model, model))
+ return seclabels[i];
+ }
+ return NULL;
+}
+
+
virSecurityLabelDefPtr
virDomainDefGetSecurityLabelDef(virDomainDefPtr def, const char *model)
{
size_t i;
- virSecurityLabelDefPtr seclabel = NULL;
if (def == NULL || model == NULL)
return NULL;
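Review bot: The new static helper virDomainGetDeviceSecurityLabelDef has no comment, and its matching rule is not obvious because STREQ_NULLABLE treats a NULL `model` as equal to a label whose model is also NULL, which is what the chr lookup did before and is now shared with shmem. A one-line comment above it would make that contract explicit: `/* Return the device seclabel whose model matches @model (NULL matches a label with no model), or NULL if none does. */`. virDomainDefGetSecurityLabelDef continues past the end of this hunk.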
@@ -23866,24 +23896,27 @@ virDomainDefGetSecurityLabelDef(virDomainDefPtr def, const char
*model)
if (STREQ(def->seclabels[i]->model, model))
return def->seclabels[i];
}
-
- return seclabel;
+ return NULL;
}
virSecurityDeviceLabelDefPtr
virDomainChrDefGetSecurityLabelDef(virDomainChrDefPtr def, const char *model)
{
- size_t i;
+ if (def == NULL)
+ return NULL;
+
+ return virDomainGetDeviceSecurityLabelDef(def->seclabels, def->nseclabels,
model);
+}
+
+virSecurityDeviceLabelDefPtr
+virDomainShmemDefGetSecurityLabelDef(virDomainShmemDefPtr def, const char *model)
+{
if (def == NULL)
return NULL;
- for (i = 0; i < def->nseclabels; i++) {
- if (STREQ_NULLABLE(def->seclabels[i]->model, model))
- return def->seclabels[i];
- }
- return NULL;
+ return virDomainGetDeviceSecurityLabelDef(def->seclabels, def->nseclabels,
model);
}
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 0fe6b1a..1a0475e 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1608,6 +1608,8 @@ struct _virDomainShmemDef {
unsigned vectors;
virTristateSwitch ioeventfd;
} msi;
+ size_t nseclabels;
+ virSecurityDeviceLabelDefPtr *seclabels;
virDomainDeviceInfo info;
};
@@ -2943,6 +2945,9 @@ virDomainDefGetSecurityLabelDef(virDomainDefPtr def, const char
*model);
virSecurityDeviceLabelDefPtr
virDomainChrDefGetSecurityLabelDef(virDomainChrDefPtr def, const char *model);
+virSecurityDeviceLabelDefPtr
+virDomainShmemDefGetSecurityLabelDef(virDomainShmemDefPtr def, const char *model);
+
typedef const char* (*virEventActionToStringFunc)(int type);
typedef int (*virEventActionFromStringFunc)(const char *type);
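Review bot: virDomainShmemDefGetSecurityLabelDef is declared as a public conf function here, but the diffstat shows no change to src/libvirt_private.syms, where virDomainChrDefGetSecurityLabelDef is listed; if the shmem variant is meant to be called from the security drivers or tests in the same way, it needs the same entry, otherwise it is unreachable outside src/conf. The header also gives neither getter a comment; a short one on the new declaration, stating that it returns the device-level label for @model or NULL when the device has none, would help callers distinguish it from the per-domain virDomainDefGetSecurityLabelDef.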
--
1.8.3.1