On 2012年12月01日 04:26, Daniel P. Berrange wrote:
From: "Daniel P. Berrange"<berrange(a)redhat.com>
The SELinux security driver needs to learn to label storage/misc
hostdev devices for LXC
Signed-off-by: Daniel P. Berrange<berrange(a)redhat.com>
---
src/security/security_selinux.c | 118 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 118 insertions(+)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ad13490..6f0cd4d 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1171,6 +1171,65 @@ done:
static int
+virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
+ virDomainHostdevDefPtr dev,
+ const char *vroot)
+{
+ int ret = -1;
+ virSecurityLabelDefPtr secdef;
+ char *path;
+
+ secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (secdef == NULL)
+ return -1;
+
+ switch (dev->source.caps.type) {
+ case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
+ if (vroot) {
+ if (virAsprintf(&path, "%s/%s", vroot,
+ dev->source.caps.u.storage.block)< 0) {
+ virReportOOMError();
+ return -1;
+ }
+ } else {
+ if (!(path = strdup(dev->source.caps.u.storage.block))) {
+ virReportOOMError();
+ return -1;
+ }
+ }
+ ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
+ VIR_FREE(path);
+ break;
+ }
+
+ case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
+ if (vroot) {
+ if (virAsprintf(&path, "%s/%s", vroot,
+ dev->source.caps.u.misc.chardev)< 0) {
+ virReportOOMError();
+ return -1;
+ }
+ } else {
+ if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
+ virReportOOMError();
+ return -1;
+ }
+ }
+ ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
+ VIR_FREE(path);
+ break;
+ }
+
+ default:
+ ret = 0;
+ break;
+ }
+
+ return ret;
+}
+
+
+static int
virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def,
virDomainHostdevDefPtr dev,
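Review bot: In virSecuritySELinuxSetSecurityHostdevCapsLabel, both cases build the path with `virAsprintf(&path, "%s/%s", vroot, ...)` and pass it straight to virSecuritySELinuxSetFilecon, with no check that the result still resolves inside vroot. The block/chardev string comes from the domain definition, so if vroot is a container root whose contents the guest can influence, a `..` component or a symlink might cause secdef->imagelabel to be applied to a host file outside that root; whether SetFilecon follows symlinks is not visible in this hunk. I would canonicalise the joined path and confirm it keeps the vroot prefix before labelling, or at least document the assumption with a comment such as `/* path must not escape vroot; block/chardev is validated by the caller */`. Separately, `strdup()` is called on the config string without a NULL check, which is safe only if the parser guarantees the field is set. The same path construction repeats in virSecuritySELinuxRestoreSecurityHostdevCapsLabel in the third hunk, where it would reset the label of whatever the path resolves to.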
@@ -1190,6 +1249,9 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr
ATTRIBUTE_UN
case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot);
+ case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
+ return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot);
+
default:
return 0;
}
@@ -1265,6 +1327,59 @@ done:
static int
+virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virDomainHostdevDefPtr dev,
+ const char *vroot)
+{
+ int ret = -1;
+ char *path;
+
+ switch (dev->source.caps.type) {
+ case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
+ if (vroot) {
+ if (virAsprintf(&path, "%s/%s", vroot,
+ dev->source.caps.u.storage.block)< 0) {
+ virReportOOMError();
+ return -1;
+ }
+ } else {
+ if (!(path = strdup(dev->source.caps.u.storage.block))) {
+ virReportOOMError();
+ return -1;
+ }
+ }
+ ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
+ VIR_FREE(path);
+ break;
+ }
+
+ case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
+ if (vroot) {
+ if (virAsprintf(&path, "%s/%s", vroot,
+ dev->source.caps.u.misc.chardev)< 0) {
+ virReportOOMError();
+ return -1;
+ }
+ } else {
+ if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
+ virReportOOMError();
+ return -1;
+ }
+ }
I think it would be better to add a helper that gets the path to label, to avoid the
duplicated code in virSecuritySELinuxRestoreSecurityHostdevCapsLabel
and virSecuritySELinuxSetSecurityHostdevCapsLabel.
ACK otherwise.