6:49 a.m.
virSecurityManagerGetBaseLabel queries the default settings used by
a security model.
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/security/security_apparmor.c | 7 +++++++
src/security/security_dac.c | 26 +++++++++++++++++++++++++-
src/security/security_driver.h | 3 +++
src/security/security_manager.c | 15 +++++++++++++++
src/security/security_manager.h | 2 ++
src/security/security_nop.c | 9 +++++++++
src/security/security_selinux.c | 9 +++++++++
src/security/security_stack.c | 8 ++++++++
9 files changed, 79 insertions(+), 1 deletion(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 35f0f1b..aea7e94 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1033,6 +1033,7 @@ virSecurityDriverLookup;
# security/security_manager.h
virSecurityManagerClearSocketLabel;
virSecurityManagerGenLabel;
+virSecurityManagerGetBaseLabel;
virSecurityManagerGetDOI;
virSecurityManagerGetModel;
virSecurityManagerGetMountOptions;
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index adc9918..6f95ce5 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -931,6 +931,11 @@ AppArmorGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return opts;
}
+static const char *
+AppArmorGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
+{
+ return "";
+}
virSecurityDriver virAppArmorSecurityDriver = {
.privateDataLen = 0,
@@ -972,4 +977,6 @@ virSecurityDriver virAppArmorSecurityDriver = {
.domainSetSecurityTapFDLabel = AppArmorSetFDLabel,
.domainGetSecurityMountOptions = AppArmorGetMountOptions,
+
+ .getBaseLabel = AppArmoryGetBaseLabel,
};
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 6876bd5..d5e93fa 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -47,6 +47,7 @@ struct _virSecurityDACData {
gid_t *groups;
int ngroups;
bool dynamicOwnership;
+ char *baselabel;
};
void
@@ -217,6 +218,7 @@ virSecurityDACClose(virSecurityManagerPtr mgr)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
VIR_FREE(priv->groups);
+ VIR_FREE(priv->baselabel);
return 0;
}
@@ -1114,8 +1116,9 @@ virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
- if (!secdef || !seclabel)
+ if (!secdef || !seclabel) {
return -1;
+ }
if (secdef->label)
ignore_value(virStrcpy(seclabel->label, secdef->label,
@@ -1170,6 +1173,25 @@ virSecurityDACGetMountOptions(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
return NULL;
}
+static const char *
+virSecurityDACGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
+{
+ uid_t user;
+ gid_t group;
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ if (priv->baselabel)
+ return priv->baselabel;
+
+ if (virGetUserID(QEMU_USER, &user) < 0 ||
+ virGetGroupID(QEMU_GROUP, &group) < 0 ||
+ virAsprintf(&priv->baselabel, "%u:%u",
+ (unsigned int) priv->user,
+ (unsigned int) priv->group) < 0)
+ return NULL;
+
+ return priv->baselabel;
+}
+
virSecurityDriver virSecurityDriverDAC = {
.privateDataLen = sizeof(virSecurityDACData),
.name = SECURITY_DAC_NAME,
@@ -1212,4 +1234,6 @@ virSecurityDriver virSecurityDriverDAC = {
.domainSetSecurityTapFDLabel = virSecurityDACSetTapFDLabel,
.domainGetSecurityMountOptions = virSecurityDACGetMountOptions,
+
+ .getBaseLabel = virSecurityDACGetBaseLabel,
};
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 8735558..64bd307 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -46,6 +46,7 @@ typedef int (*virSecurityDriverClose) (virSecurityManagerPtr mgr);
typedef const char *(*virSecurityDriverGetModel) (virSecurityManagerPtr mgr);
typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr);
+typedef const char *(*virSecurityDriverGetBaseLabel) (virSecurityManagerPtr mgr);
typedef int (*virSecurityDriverPreFork) (virSecurityManagerPtr mgr);
@@ -154,6 +155,8 @@ struct _virSecurityDriver {
virSecurityDomainGetMountOptions domainGetSecurityMountOptions;
virSecurityDomainSetHugepages domainSetSecurityHugepages;
+
+ virSecurityDriverGetBaseLabel getBaseLabel;
};
virSecurityDriverPtr virSecurityDriverLookup(const char *name,
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 92fb504..8535c8e 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -273,6 +273,21 @@ virSecurityManagerGetModel(virSecurityManagerPtr mgr)
return NULL;
}
+const char *
+virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
+{
+ if (mgr->drv->getBaseLabel) {
+ const char *ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->getBaseLabel(mgr);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ virReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+ return NULL;
+}
+
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr)
{
return mgr->allowDiskFormatProbing;
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 9252830..381cfc9 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -55,6 +55,8 @@ void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr);
const char *virSecurityManagerGetDriver(virSecurityManagerPtr mgr);
const char *virSecurityManagerGetDOI(virSecurityManagerPtr mgr);
const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
+const char *virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr);
+
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
bool virSecurityManagerGetDefaultConfined(virSecurityManagerPtr mgr);
bool virSecurityManagerGetRequireConfined(virSecurityManagerPtr mgr);
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 233404c..c0d0f08 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -186,6 +186,13 @@ static char
*virSecurityDomainGetMountOptionsNop(virSecurityManagerPtr mgr ATTRI
return opts;
}
+static const char *
+virSecurityGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
+{
+ return "";
+}
+
+
virSecurityDriver virSecurityDriverNop = {
.privateDataLen = 0,
.name = "none",
@@ -226,4 +233,6 @@ virSecurityDriver virSecurityDriverNop = {
.domainSetSecurityTapFDLabel = virSecurityDomainSetFDLabelNop,
.domainGetSecurityMountOptions = virSecurityDomainGetMountOptionsNop,
+
+ .getBaseLabel = virSecurityGetBaseLabel,
};
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 38de060..d7cafc6 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1827,6 +1827,14 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr
def,
}
+static const char *
+virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr)
+{
+ virSecuritySELinuxDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ return priv->domain_context;
+}
+
+
static int
virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
@@ -2474,4 +2482,5 @@ virSecurityDriver virSecurityDriverSELinux = {
.domainSetSecurityTapFDLabel = virSecuritySELinuxSetTapFDLabel,
.domainGetSecurityMountOptions = virSecuritySELinuxGetSecurityMountOptions,
+ .getBaseLabel = virSecuritySELinuxGetBaseLabel,
};
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 0a0dc92..d704dd9 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -555,6 +555,12 @@ virSecurityStackGetNested(virSecurityManagerPtr mgr)
return list;
}
+static const char *
+virSecurityStackGetBaseLabel(virSecurityManagerPtr mgr)
+{
+ return virSecurityManagerGetBaseLabel(virSecurityStackGetPrimary(mgr));
+}
+
virSecurityDriver virSecurityDriverStack = {
.privateDataLen = sizeof(virSecurityStackData),
.name = "stack",
@@ -599,4 +605,6 @@ virSecurityDriver virSecurityDriverStack = {
.domainGetSecurityMountOptions = virSecurityStackGetMountOptions,
.domainSetSecurityHugepages = virSecurityStackSetHugepages,
+
+ .getBaseLabel = virSecurityStackGetBaseLabel,
};
--
1.8.3.1