On 03/12/2013 11:28 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Add a new virDomainLxcEnterSecurityLabel() function as a
counterpart to virDomainLxcEnterNamespaces(), which can
change the current calling process to have a new security
context. This call runs client side, not in libvirtd
so we can't use the security driver infrastructure.
When entering a namespace, the process spawned from virsh
will default to running with the security label of virsh.
The actual desired behaviour is to run with the security
label of the container most of the time. So this changes
virsh lxc-enter-namespace command to invoke the
virDomainLxcEnterSecurityLabel method.
include/libvirt/libvirt-lxc.h | 4 ++
python/generator.py | 1 +
src/libvirt-lxc.c | 96 +++++++++++++++++++++++++++++++++++++++++++
tools/virsh-domain.c | 32 +++++++++++++++
4 files changed, 133 insertions(+)
Missing an entry in src/libvirt_lxc.syms to actually expose the new
function in the .so.
+++ b/src/libvirt-lxc.c
@@ -29,6 +29,9 @@
#include "virlog.h"
#include "virprocess.h"
#include "datatypes.h"
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif
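Review bot: The `#include <selinux/selinux.h>` line inside the new `#ifdef WITH_SELINUX` block lacks the one-space indent after `#` that cppi expects for a nested preprocessor directive, which is what trips 'make syntax-check'. Write it as `# include <selinux/selinux.h>` so the nesting level is visible and the check passes.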
Will fail 'make syntax-check' if cppi is installed.
@@ -8029,12 +8036,35 @@ cmdLxcEnterNamespace(vshControl *ctl, const
vshCmd *cmd)
if ((nfdlist = virDomainLxcOpenNamespace(dom, &fdlist, 0)) < 0)
goto cleanup;
+ if (setlabel) {
+ fprintf(stderr, "Getr sec\n");
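Review bot: The `fprintf(stderr, "Getr sec\n");` at the top of the `if (setlabel)` branch reads as leftover debugging: the text is a typo'd fragment, and it is written straight to stderr every time the branch is taken. Drop the line before pushing, so that requesting the security label produces no stray output.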
Spurious debug message?
ACK with those things addressed.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library
http://libvirt.org