Re: [libvirt] [PATCH v2 4/6] Add API to get the system identity
On Wed, Mar 13, 2013 at 15:24:03 +0000, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange(a)redhat.com>
If no user identity is available, some operations may wish to
use the system identity. ie the identity of the current process
itself. Add an API to get such an identity.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/util/viridentity.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++
src/util/viridentity.h | 2 ++
2 files changed, 73 insertions(+)
diff --git a/src/util/viridentity.c b/src/util/viridentity.c
index acb0cb9..1c43081 100644
--- a/src/util/viridentity.c
+++ b/src/util/viridentity.c
...
@@ -116,6 +122,71 @@ int virIdentitySetCurrent(virIdentityPtr ident)
/**
+ * virIdentityGetSystem:
+ *
+ * Returns an identity that represents the system itself.
+ * This is the identity that the process is running as
+ *
+ * Returns a reference to the system identity, or NULL
+ */
+virIdentityPtr virIdentityGetSystem(void)
+{
+ char *username = NULL;
+ char *groupname = NULL;
+ char *seccontext = NULL;
+ virIdentityPtr ret = NULL;
+ gid_t gid = getgid();
+ uid_t uid = getuid();
+#if HAVE_SELINUX
+ security_context_t con;
+#endif
+
+ if (!(username = virGetUserName(uid)))
+ goto cleanup;
+ if (!(groupname = virGetGroupName(gid)))
+ goto cleanup;
Quite cosmetic, but is there any reason why we use uid/gid variables
rather than calling getuid/getgid directly here?
+
+#if HAVE_SELINUX
+ if (getcon(&con) < 0) {
+ virReportSystemError(errno, "%s",
+ _("Unable to lookup SELinux process context"));
+ goto cleanup;
+ }
+ seccontext = strdup(con);
+ freecon(con);
+ if (!seccontext) {
+ virReportOOMError();
+ goto cleanup;
+ }
+#endif
+
+ if (!(ret = virIdentityNew()))
+ goto cleanup;
+
+ if (username &&
+ virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_UNIX_USER_NAME, username) < 0)
+ goto error;
+ if (groupname &&
+ virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, groupname) < 0)
+ goto error;
+ if (seccontext &&
+ virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_SECURITY_CONTEXT, seccontext) < 0)
+ goto error;
All three lines with virIdentitySetAttr() calls are too long.
+
+cleanup:
+ VIR_FREE(username);
+ VIR_FREE(groupname);
+ VIR_FREE(seccontext);
+ return ret;
+
+error:
+ virObjectUnref(ret);
+ ret = NULL;
+ goto cleanup;
+}
+
+
+/**
* virIdentityNew:
*
* Creates a new empty identity object. After creating, one or
ACK
Jirka