The APIs are designed to label a socket in such a way that the libvirt daemon
itself is able to access it (i.e., in SELinux the label is virtd_t-based,
as opposed to the svirt_* labels we use for resources that need to be
accessed by a VM). The new name reflects this.
---
Notes:
Version 3:
- new patch
src/libvirt_private.syms | 2 +-
src/qemu/qemu_process.c | 3 ++-
src/security/security_dac.c | 6 +++---
src/security/security_driver.h | 6 +++---
src/security/security_manager.c | 8 ++++----
src/security/security_manager.h | 4 ++--
src/security/security_nop.c | 6 +++---
src/security/security_selinux.c | 6 +++---
src/security/security_stack.c | 10 +++++-----
9 files changed, 26 insertions(+), 25 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 0618b49..c3e33b4 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -904,13 +904,13 @@ virSecurityManagerRestoreAllLabel;
virSecurityManagerRestoreHostdevLabel;
virSecurityManagerRestoreSavedStateLabel;
virSecurityManagerSetAllLabel;
+virSecurityManagerSetDaemonSocketLabel;
virSecurityManagerSetImageFDLabel;
virSecurityManagerSetImageLabel;
virSecurityManagerSetHostdevLabel;
virSecurityManagerSetProcessFDLabel;
virSecurityManagerSetProcessLabel;
virSecurityManagerSetSavedStateLabel;
-virSecurityManagerSetSocketLabel;
virSecurityManagerVerify;
# sexpr.h
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index f691bbb..58b4d36 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -821,7 +821,8 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm)
qemuDomainObjPrivatePtr priv = vm->privateData;
int ret = -1;
- if (virSecurityManagerSetSocketLabel(driver->securityManager, vm) < 0) {
+ if (virSecurityManagerSetDaemonSocketLabel(driver->securityManager,
+ vm) < 0) {
VIR_ERROR(_("Failed to set security context for monitor for %s"),
vm->def->name);
goto error;
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 58d57ec..6df4087 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -667,8 +667,8 @@ virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
}
static int
-virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
@@ -714,7 +714,7 @@ virSecurityDriver virSecurityDriverDAC = {
virSecurityDACSetSecurityImageLabel,
virSecurityDACRestoreSecurityImageLabel,
- virSecurityDACSetSocketLabel,
+ virSecurityDACSetDaemonSocketLabel,
virSecurityDACClearSocketLabel,
virSecurityDACGenLabel,
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 154f197..73c8f04 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -41,8 +41,8 @@ typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr
mgr);
typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm,
virDomainDiskDefPtr disk);
-typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm);
typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
virDomainObjPtr vm);
typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
@@ -101,7 +101,7 @@ struct _virSecurityDriver {
virSecurityDomainSetImageLabel domainSetSecurityImageLabel;
virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
- virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
+ virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
virSecurityDomainGenLabel domainGenSecurityLabel;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 6ae58dc..d30ebcf 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -160,11 +160,11 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
return -1;
}
-int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm)
{
- if (mgr->drv->domainSetSecuritySocketLabel)
- return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
+ if (mgr->drv->domainSetSecurityDaemonSocketLabel)
+ return mgr->drv->domainSetSecurityDaemonSocketLabel(mgr, vm);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 8c3b8b2..8d614a7 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -53,8 +53,8 @@ bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr
mgr);
int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
virDomainDiskDefPtr disk);
-int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm);
int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm);
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
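Review bot: The renamed prototype `virSecurityManagerSetDaemonSocketLabel` has no comment, so the distinction the commit message draws exists only in the commit log. A caller choosing a socket-labeling API from this header cannot tell which security context it will get, so I would add above the declaration `/* Label a socket so that the libvirt daemon itself (not the VM) can access it. */`. The counterpart `virSecurityManagerClearSocketLabel` on the following context line keeps its generic name, which leaves the Set/Clear pair asymmetric. If the clear call is meant to undo any kind of socket label, a short comment saying so would help; otherwise it probably wants the same rename. The same applies to the `virSecurityDomainSetDaemonSocketLabel` typedef and the `domainSetSecurityDaemonSocketLabel` member in security_driver.h.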
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 24d36fe..67d3ff6 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -53,8 +53,8 @@ static int virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr
mgr ATTRI
return 0;
}
-static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
@@ -171,7 +171,7 @@ virSecurityDriver virSecurityDriverNop = {
virSecurityDomainSetImageLabelNop,
virSecurityDomainRestoreImageLabelNop,
- virSecurityDomainSetSocketLabelNop,
+ virSecurityDomainSetDaemonSocketLabelNop,
virSecurityDomainClearSocketLabelNop,
virSecurityDomainGenLabelNop,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 5e6145f..f87c9a5 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1066,8 +1066,8 @@ SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
}
static int
-SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm)
{
/* TODO: verify DOI */
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
@@ -1312,7 +1312,7 @@ virSecurityDriver virSecurityDriverSELinux = {
SELinuxSetSecurityImageLabel,
SELinuxRestoreSecurityImageLabel,
- SELinuxSetSecuritySocketLabel,
+ SELinuxSetSecurityDaemonSocketLabel,
SELinuxClearSecuritySocketLabel,
SELinuxGenSecurityLabel,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index b63e4c8..404ff65 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -339,15 +339,15 @@ virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr,
static int
-virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
- if (virSecurityManagerSetSocketLabel(priv->secondary, vm) < 0)
+ if (virSecurityManagerSetDaemonSocketLabel(priv->secondary, vm) < 0)
rc = -1;
- if (virSecurityManagerSetSocketLabel(priv->primary, vm) < 0)
+ if (virSecurityManagerSetDaemonSocketLabel(priv->primary, vm) < 0)
rc = -1;
return rc;
@@ -418,7 +418,7 @@ virSecurityDriver virSecurityDriverStack = {
virSecurityStackSetSecurityImageLabel,
virSecurityStackRestoreSecurityImageLabel,
- virSecurityStackSetSocketLabel,
+ virSecurityStackSetDaemonSocketLabel,
virSecurityStackClearSocketLabel,
virSecurityStackGenLabel,
--
1.7.6.1