2:26 p.m.
From: "Daniel P. Berrange" <berrange(a)redhat.com>
The SELinux security driver needs to learn to label storage/misc
hostdev devices for LXC
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/security/security_selinux.c | 118 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 118 insertions(+)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ad13490..6f0cd4d 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1171,6 +1171,65 @@ done:
static int
+virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
+ virDomainHostdevDefPtr dev,
+ const char *vroot)
+{
+ int ret = -1;
+ virSecurityLabelDefPtr secdef;
+ char *path;
+
+ secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (secdef == NULL)
+ return -1;
+
+ switch (dev->source.caps.type) {
+ case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
+ if (vroot) {
+ if (virAsprintf(&path, "%s/%s", vroot,
+ dev->source.caps.u.storage.block) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+ } else {
+ if (!(path = strdup(dev->source.caps.u.storage.block))) {
+ virReportOOMError();
+ return -1;
+ }
+ }
+ ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
+ VIR_FREE(path);
+ break;
+ }
+
+ case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
+ if (vroot) {
+ if (virAsprintf(&path, "%s/%s", vroot,
+ dev->source.caps.u.misc.chardev) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+ } else {
+ if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
+ virReportOOMError();
+ return -1;
+ }
+ }
+ ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
+ VIR_FREE(path);
+ break;
+ }
+
+ default:
+ ret = 0;
+ break;
+ }
+
+ return ret;
+}
+
+
+static int
virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def,
virDomainHostdevDefPtr dev,
@@ -1190,6 +1249,9 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr
ATTRIBUTE_UN
case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot);
+ case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
+ return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot);
+
default:
return 0;
}
@@ -1265,6 +1327,59 @@ done:
static int
+virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virDomainHostdevDefPtr dev,
+ const char *vroot)
+{
+ int ret = -1;
+ char *path;
+
+ switch (dev->source.caps.type) {
+ case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
+ if (vroot) {
+ if (virAsprintf(&path, "%s/%s", vroot,
+ dev->source.caps.u.storage.block) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+ } else {
+ if (!(path = strdup(dev->source.caps.u.storage.block))) {
+ virReportOOMError();
+ return -1;
+ }
+ }
+ ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
+ VIR_FREE(path);
+ break;
+ }
+
+ case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
+ if (vroot) {
+ if (virAsprintf(&path, "%s/%s", vroot,
+ dev->source.caps.u.misc.chardev) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+ } else {
+ if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
+ virReportOOMError();
+ return -1;
+ }
+ }
+ ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
+ VIR_FREE(path);
+ break;
+ }
+
+ default:
+ ret = 0;
+ break;
+ }
+
+ return ret;
+}
+
+
+static int
virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
virDomainDefPtr def,
virDomainHostdevDefPtr dev,
@@ -1284,6 +1399,9 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr
mgr ATTRIBUT
case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
return virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(dev, vroot);
+ case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
+ return virSecuritySELinuxRestoreSecurityHostdevCapsLabel(dev, vroot);
+
default:
return 0;
}
--
1.8.0.1