To avoid introducing more redundant code, helpers are added for
the "selinux", "dac", and "apparmor" backends.
Signed-off-by: Han Cheng <hanc.fnst(a)cn.fujitsu.com>
Signed-off-by: Osier Yang <jyang@redhat>
v2.5 - v3:
* Splitted from 8/10 of v2.5
* Don't forget the other backends (DAC, and apparmor)
---
src/security/security_apparmor.c | 49 +++++++++++++++++---------
src/security/security_dac.c | 76 +++++++++++++++++++++++++++++++++-------
src/security/security_selinux.c | 72 ++++++++++++++++++++++++++++++-------
3 files changed, 156 insertions(+), 41 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 5fb5db3..a8eaef8 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -306,8 +306,7 @@ reload_profile(virSecurityManagerPtr mgr,
}
static int
-AppArmorSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
- const char *file, void *opaque)
+AppArmorSetSecurityHostdevLabelHelper(const char *file, void *opaque)
{
struct SDPDOP *ptr = opaque;
virDomainDefPtr def = ptr->def;
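Review bot: The new AppArmorSetSecurityHostdevLabelHelper takes a bare `void *opaque` that it immediately reinterprets as `struct SDPDOP *`, and now that three iterator callbacks funnel into it nothing at the definition states that contract or what it does with `file`. A one-line comment above the signature would do, e.g. `/* Shared body of the PCI/USB/SCSI file-iterate callbacks: opaque is a struct SDPDOP * (manager + domain def); FILE is the host device node to add to the profile via reload_profile(), as the removed PCI body did. */`. The helper's body continues past this hunk. The same note applies to virSecurityDACSetSecurityHostdevLabelHelper (opaque is a `void *params[]` holding mgr and def) and virSecuritySELinuxSetSecurityHostdevLabelHelper (opaque is the virDomainDefPtr) in the following two files.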
@@ -328,25 +327,24 @@ AppArmorSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
}
static int
+AppArmorSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
+ const char *file, void *opaque)
+{
+ return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
+}
+
+static int
AppArmorSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
- struct SDPDOP *ptr = opaque;
- virDomainDefPtr def = ptr->def;
+ return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
+}
- if (reload_profile(ptr->mgr, def, file, true) < 0) {
- const virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(
- def, SECURITY_APPARMOR_NAME);
- if (!secdef) {
- virReportOOMError();
- return -1;
- }
- virReportError(VIR_ERR_INTERNAL_ERROR,
- _("cannot update AppArmor profile \'%s\'"),
- secdef->imagelabel);
- return -1;
- }
- return 0;
+static int
+AppArmorSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+ const char *file, void *opaque)
+{
+ return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
}
/* Called on libvirtd startup to see if AppArmor is available */
@@ -848,6 +846,23 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
break;
}
+ case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+ virSCSIDevicePtr scsi =
+ virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+ dev->source.subsys.u.scsi.bus,
+ dev->source.subsys.u.scsi.target,
+ dev->source.subsys.u.scsi.unit,
+ dev->readonly);
+
+ if (!scsi)
+ goto done;
+
+ ret = virSCSIDeviceFileIterate(scsi, AppArmorSetSecuritySCSILabel, ptr);
+ virSCSIDeviceFree(scsi);
+
+ break;
+ }
+
default:
ret = 0;
break;
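Review bot: The SCSI case added here is repeated verbatim in virSecurityDACSetSecurityHostdevLabel, virSecurityDACRestoreSecurityHostdevLabel, virSecuritySELinuxSetSecurityHostdevSubsysLabel and virSecuritySELinuxRestoreSecurityHostdevSubsysLabel, five copies of the same virSCSIDeviceNew(adapter, bus, target, unit, readonly) / iterate / virSCSIDeviceFree sequence, which sits oddly with a commit whose stated aim is to avoid redundant code. A small helper taking the virDomainHostdevDefPtr and returning the constructed virSCSIDevicePtr (next to the existing constructor in virscsi.h) would leave each backend with only its callback-specific virSCSIDeviceFileIterate call. The `goto done` on a NULL device presumes that ret already holds -1 and that virSCSIDeviceNew has reported the failure; neither is visible in this hunk, so please confirm both before merging. The enclosing function starts before and ends after this hunk.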
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index cd214d8..0e3ca6c 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -29,6 +29,7 @@
#include "virlog.h"
#include "virpci.h"
#include "virusb.h"
+#include "virscsi.h"
#include "virstoragefile.h"
#include "virstring.h"
@@ -434,9 +435,8 @@ virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
static int
-virSecurityDACSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
- const char *file,
- void *opaque)
+virSecurityDACSetSecurityHostdevLabelHelper(const char *file,
+ void *opaque)
{
void **params = opaque;
virSecurityManagerPtr mgr = params[0];
@@ -453,21 +453,29 @@ virSecurityDACSetSecurityPCILabel(virPCIDevicePtr dev
ATTRIBUTE_UNUSED,
static int
+virSecurityDACSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
+ const char *file,
+ void *opaque)
+{
+ return virSecurityDACSetSecurityHostdevLabelHelper(file, opaque);
+}
+
+
+static int
virSecurityDACSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
const char *file,
void *opaque)
{
- void **params = opaque;
- virSecurityManagerPtr mgr = params[0];
- virDomainDefPtr def = params[1];
- virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
- uid_t user;
- gid_t group;
+ return virSecurityDACSetSecurityHostdevLabelHelper(file, opaque);
+}
- if (virSecurityDACGetIds(def, priv, &user, &group))
- return -1;
- return virSecurityDACSetOwnership(file, user, group);
+static int
+virSecurityDACSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+ const char *file,
+ void *opaque)
+{
+ return virSecurityDACSetSecurityHostdevLabelHelper(file, opaque);
}
@@ -535,6 +543,24 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
break;
}
+ case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+ virSCSIDevicePtr scsi =
+ virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+ dev->source.subsys.u.scsi.bus,
+ dev->source.subsys.u.scsi.target,
+ dev->source.subsys.u.scsi.unit,
+ dev->readonly);
+
+ if (!scsi)
+ goto done;
+
+ ret = virSCSIDeviceFileIterate(scsi, virSecurityDACSetSecuritySCSILabel,
+ params);
+ virSCSIDeviceFree(scsi);
+
+ break;
+ }
+
default:
ret = 0;
break;
@@ -564,6 +590,15 @@ virSecurityDACRestoreSecurityUSBLabel(virUSBDevicePtr dev
ATTRIBUTE_UNUSED,
static int
+virSecurityDACRestoreSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+ const char *file,
+ void *opaque ATTRIBUTE_UNUSED)
+{
+ return virSecurityDACRestoreSecurityFileLabel(file);
+}
+
+
+static int
virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev,
@@ -625,6 +660,23 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
break;
}
+ case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+ virSCSIDevicePtr scsi =
+ virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+ dev->source.subsys.u.scsi.bus,
+ dev->source.subsys.u.scsi.target,
+ dev->source.subsys.u.scsi.unit,
+ dev->readonly);
+
+ if (!scsi)
+ goto done;
+
+ ret = virSCSIDeviceFileIterate(scsi, virSecurityDACRestoreSecuritySCSILabel,
mgr);
+ virSCSIDeviceFree(scsi);
+
+ break;
+ }
+
default:
ret = 0;
break;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a85f0a3..5d108b9 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -38,6 +38,7 @@
#include "virlog.h"
#include "virpci.h"
#include "virusb.h"
+#include "virscsi.h"
#include "virstoragefile.h"
#include "virfile.h"
#include "virhash.h"
@@ -1277,10 +1278,8 @@ virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
&cbdata);
}
-
static int
-virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
- const char *file, void *opaque)
+virSecuritySELinuxSetSecurityHostdevLabelHelper(const char *file, void *opaque)
{
virSecurityLabelDefPtr secdef;
virDomainDefPtr def = opaque;
@@ -1292,19 +1291,25 @@ virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev
ATTRIBUTE_UNUSED,
}
static int
-virSecuritySELinuxSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
+virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
- virSecurityLabelDefPtr secdef;
- virDomainDefPtr def = opaque;
-
- secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (secdef == NULL)
- return -1;
+ return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
+}
- return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
+static int
+virSecuritySELinuxSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
+ const char *file, void *opaque)
+{
+ return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
}
+static int
+virSecuritySELinuxSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+ const char *file, void *opaque)
+{
+ return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
+}
static int
virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
@@ -1359,6 +1364,23 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr
def,
break;
}
+ case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+ virSCSIDevicePtr scsi =
+ virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+ dev->source.subsys.u.scsi.bus,
+ dev->source.subsys.u.scsi.target,
+ dev->source.subsys.u.scsi.unit,
+ dev->readonly);
+
+ if (!scsi)
+ goto done;
+
+ ret = virSCSIDeviceFileIterate(scsi, virSecuritySELinuxSetSecuritySCSILabel,
def);
+ virSCSIDeviceFree(scsi);
+
+ break;
+ }
+
default:
ret = 0;
break;
@@ -1456,7 +1478,6 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr
ATTRIBUTE_UN
}
}
-
static int
virSecuritySELinuxRestoreSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file,
@@ -1479,6 +1500,16 @@ virSecuritySELinuxRestoreSecurityUSBLabel(virUSBDevicePtr dev
ATTRIBUTE_UNUSED,
static int
+virSecuritySELinuxRestoreSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+ const char *file,
+ void *opaque)
+{
+ virSecurityManagerPtr mgr = opaque;
+
+ return virSecuritySELinuxRestoreSecurityFileLabel(mgr, file);
+}
+
+static int
virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
virDomainHostdevDefPtr dev,
const char *vroot)
@@ -1532,6 +1563,23 @@
virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
break;
}
+ case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+ virSCSIDevicePtr scsi =
+ virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+ dev->source.subsys.u.scsi.bus,
+ dev->source.subsys.u.scsi.target,
+ dev->source.subsys.u.scsi.unit,
+ dev->readonly);
+
+ if (!scsi)
+ goto done;
+
+ ret = virSCSIDeviceFileIterate(scsi,
virSecuritySELinuxRestoreSecuritySCSILabel, mgr);
+ virSCSIDeviceFree(scsi);
+
+ break;
+ }
+
default:
ret = 0;
break;
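Review bot: The new SCSI case builds the device from the hostdev fields alone and never consults the vroot argument that virSecuritySELinuxRestoreSecurityHostdevSubsysLabel receives (its signature is visible in the previous hunk), so a SCSI passthrough whose node lives under a container root may be restored at the host path instead. If the USB case of this switch applies vroot (not visible here), the SCSI case needs the same treatment or a short comment explaining why the host path is intended. The same question applies to the SCSI cases in virSecuritySELinuxSetSecurityHostdevSubsysLabel and in both DAC hostdev functions, whose parameter lists are not shown. The enclosing switch starts before and ends after this hunk.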
--
1.8.1.4