---
src/lxc/lxc_conf.c | 8 ++++++--
src/lxc/lxc_driver.c | 35 ++++++++++++++++++++---------------
2 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/src/lxc/lxc_conf.c b/src/lxc/lxc_conf.c
index 72547c4..807c704 100644
--- a/src/lxc/lxc_conf.c
+++ b/src/lxc/lxc_conf.c
@@ -134,9 +134,13 @@ virCapsPtr lxcCapsInit(lxc_driver_t *driver)
doi = virSecurityManagerGetDOI(driver->securityManager);
model = virSecurityManagerGetModel(driver->securityManager);
if (STRNEQ(model, "none")) {
- if (!(caps->host.secModel.model = strdup(model)))
+ /* Allocate just the primary security driver for LXC. */
+ if (VIR_ALLOC(caps->host.secModels) < 0)
goto no_memory;
- if (!(caps->host.secModel.doi = strdup(doi)))
+ caps->host.nsecModels = 1;
+ if (!(caps->host.secModels[0].model = strdup(model)))
+ goto no_memory;
+ if (!(caps->host.secModels[0].doi = strdup(doi)))
goto no_memory;
}
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index 4cccd53..ffd3c9c 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -1479,10 +1479,12 @@ static int lxcVmTerminate(lxc_driver_t *driver,
vm->def, false);
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
/* Clear out dynamically assigned labels */
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
- VIR_FREE(vm->def->seclabel.model);
- VIR_FREE(vm->def->seclabel.label);
- VIR_FREE(vm->def->seclabel.imagelabel);
+ /* Manages just the primary sec driver for lxc */
+ if (vm->def->nseclabels
+ && vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
{
+ VIR_FREE(vm->def->seclabels[0]->model);
+ VIR_FREE(vm->def->seclabels[0]->label);
+ VIR_FREE(vm->def->seclabels[0]->imagelabel);
}
if (virCgroupForDomain(driver->cgroup, vm->def->name, &group, 0) == 0)
{
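Review bot: The new guard `vm->def->nseclabels && vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC` clears only entry 0, and nothing in this hunk enforces that an LXC definition carries at most one seclabel. If a definition ever had more, dynamically generated labels in the other entries would survive termination and could be carried into the next start. The same guard and three `VIR_FREE` calls are repeated in the `cleanup:` path of lxcVmStart (hunk at -1990), where the comment `/* Manages just the primary sec driver for lxc */` is missing. A small static helper taking `vm->def`, called from both places, would keep the two copies and the comment in sync. lxcVmTerminate's body starts and ends outside the hunk.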
@@ -1818,8 +1820,10 @@ static int lxcVmStart(virConnectPtr conn,
/* If you are using a SecurityDriver with dynamic labelling,
then generate a security label for isolation */
VIR_DEBUG("Generating domain security label (if required)");
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DEFAULT)
- vm->def->seclabel.type = VIR_DOMAIN_SECLABEL_NONE;
+ if (vm->def->nseclabels
+ && vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT)
{
+ vm->def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE;
+ }
if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) {
virDomainAuditSecurityLabel(vm, false);
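Review bot: When `vm->def->nseclabels` is 0 the DEFAULT-to-NONE normalisation is skipped, yet `virSecurityManagerGenLabel()` is still called on the definition, whereas the old embedded `seclabel` always had its type forced to NONE first. How GenLabel treats a definition with no seclabel entry is not visible here, so the effective confinement of a container defined without a seclabel may differ after this patch. I would state the intended outcome at the guard, for example `/* No seclabel entry: nothing to normalise; virSecurityManagerGenLabel() applies the driver default */`, or handle the empty case in an explicit branch. lxcVmStart starts and ends outside the hunk.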
@@ -1990,10 +1994,11 @@ cleanup:
vm->def, false);
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
/* Clear out dynamically assigned labels */
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
- VIR_FREE(vm->def->seclabel.model);
- VIR_FREE(vm->def->seclabel.label);
- VIR_FREE(vm->def->seclabel.imagelabel);
+ if (vm->def->nseclabels
+ && vm->def->seclabels[0]->type ==
VIR_DOMAIN_SECLABEL_DYNAMIC) {
+ VIR_FREE(vm->def->seclabels[0]->model);
+ VIR_FREE(vm->def->seclabels[0]->label);
+ VIR_FREE(vm->def->seclabels[0]->imagelabel);
}
}
for (i = 0 ; i < nttyFDs ; i++)
@@ -2233,12 +2238,12 @@ static int lxcNodeGetSecurityModel(virConnectPtr conn,
lxcDriverLock(driver);
memset(secmodel, 0, sizeof(*secmodel));
- /* NULL indicates no driver, which we treat as
- * success, but simply return no data in *secmodel */
- if (driver->caps->host.secModel.model == NULL)
+ /* we treat no driver as success, but simply return no data in *secmodel */
+ if (driver->caps->host.nsecModels == 0
+ || driver->caps->host.secModels[0].model == NULL)
goto cleanup;
- if (!virStrcpy(secmodel->model, driver->caps->host.secModel.model,
+ if (!virStrcpy(secmodel->model, driver->caps->host.secModels[0].model,
VIR_SECURITY_MODEL_BUFLEN)) {
lxcError(VIR_ERR_INTERNAL_ERROR,
_("security model string exceeds max %d bytes"),
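Review bot: The early exit tests `nsecModels == 0` and `secModels[0].model == NULL`, but `secModels[0].doi` is passed to `virStrcpy()` in the next hunk (-2247) without a matching check. lxcCapsInit sets both strings together, so this presumably holds only as long as its `no_memory` path never leaves a half-filled entry behind; that path is not visible here. Extending the guard with `|| driver->caps->host.secModels[0].doi == NULL` would make the function safe without relying on it. It is also worth a comment that only the primary model is reported, e.g. `/* LXC exposes only secModels[0] through this API */`. The function body continues outside the hunk.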
@@ -2247,7 +2252,7 @@ static int lxcNodeGetSecurityModel(virConnectPtr conn,
goto cleanup;
}
- if (!virStrcpy(secmodel->doi, driver->caps->host.secModel.doi,
+ if (!virStrcpy(secmodel->doi, driver->caps->host.secModels[0].doi,
VIR_SECURITY_DOI_BUFLEN)) {
lxcError(VIR_ERR_INTERNAL_ERROR,
_("security DOI string exceeds max %d bytes"),
--
1.7.1