Re: [libvirt] [PATCH 3/4] security: Introduce method for labeling file descriptors of created files
On Wed, Jun 26, 2013 at 03:01:49PM +0200, Peter Krempa wrote:
The method labels the file descriptor even if dynamic
labeling/relabeling
is turned off. This is needed for files created by libvirt and then
passed along to qemu as a FD.
---
src/libvirt_private.syms | 1 +
src/security/security_dac.c | 9 +++++++++
src/security/security_driver.h | 4 ++++
src/security/security_manager.c | 16 ++++++++++++++++
src/security/security_manager.h | 3 +++
src/security/security_nop.c | 1 +
src/security/security_selinux.c | 21 +++++++++++++++++++++
src/security/security_stack.c | 19 +++++++++++++++++++
8 files changed, 74 insertions(+)
diff --git a/src/security/security_selinux.c
b/src/security/security_selinux.c
index 7802dda..5894259 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2446,6 +2446,26 @@ virSecuritySELinuxGetSecurityMountOptions(virSecurityManagerPtr
mgr,
return opts;
}
+static int
+virSecuritySELinuxSetCreatedFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainDefPtr def,
+ int fd)
+{
+ virSecurityLabelDefPtr secdef;
+
+ if ((secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME))) {
+ if (!secdef->imagelabel)
+ secdef->imagelabel = virSecuritySELinuxGenImageLabel(mgr, def);
This is really dubious. None of the methods except for GenSecurityLabel
should be making changes to the secdef state.
+ } else {
+ return -1;
+ }
The style with nested if()s here is not following the pattern used in other
methods here either.
+
+ if (secdef->imagelabel == NULL)
+ return 0;
+
+ return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
+}
In general I'm not really convinced we should be adding a new method
here, as opposed to making the existing SetImageFDLabel do the right
thing.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|