December 2011 - Devel - libvirt List Archives

[libvirt] virsh bash completion file
by Serge E. Hallyn 14 Feb '12

14 Feb '12

Hi, I've been trying out a bash autocompletion file by Geoff Low (slight hack by me, don't blame him for my hack), and it's working pretty nicely. I'm not sure where to put it in the git tree, but it seems like it'd be nice to have upstream? thanks, -serge ==================================================== #!/bin/bash ############################################################################# # # virsh bash completion # Author: Geoff Low (glow(a)cmedresearch.com) # ############################################################################ VIRSH=$(which virsh) function get_main_option_list { # assume options are specified as [--option1 | --option2 | ...] OPTIONS=$(${VIRSH} help | grep '|' | sed -e 's/.*\[$.*$\]/\1/g;s/|//g') } function get_option_list { # get the options for a choice local option=$1; # assume options are specified as [--option1 | --option2 | ...] OPTIONS=$(${VIRSH} help ${option} 2> /dev/null | grep '|' | sed -e 's/.*\[$.*$\]/\1/g;s/|//g') } function _virsh_complete() { local cur prev opts COMPREPLY=() cur="${COMP_WORDS[COMP_CWORD]}" prev="${COMP_WORDS[COMP_CWORD-1]}" cnxn="" i=0 while [[ $i -lt $COMP_CWORD ]]; do if [ ${COMP_WORDS[i]} = "-c" ]; then tgt=`echo ${COMP_LINE} | sed -e 's/^.* -c $[^ \t]*$.*$/\1/'` cnxn="-c $tgt" break fi let i++ done if [ ! -z $tgt ]; then if [ $COMP_CWORD -eq 5 ]; then prev="${COMP_WORDS[0]}" fi fi _all_domains=$(${VIRSH} ${cnxn} --q list --all 2> /dev/null | grep -E "(running|shut off)$" | awk '{print $2,$3}') all_domains=$(echo "$_all_domains" | cut -d " " -f 1) all_networks=$(${VIRSH} --q net-list --all 2> /dev/null | grep 'active' | cut -d " " -f 1) live_domains=$(echo "$_all_domains" | grep -E "running$" | awk '{print $1}') shutoff_domains=$(echo "$_all_domains" | grep -E "shut$" | awk '{print $1}') case "${prev}" in virsh | --help) get_main_option_list ALL_OPTS=$(${VIRSH} -q help 2> /dev/null | sed '1,2d' | awk '{print $1}') COMPREPLY=( $(compgen -W "$OPTIONS $ALL_OPTS" -- ${cur}) ) ;; list) get_option_list ${prev} COMPREPLY=( $(compgen -W "$OPTIONS" -- ${cur}) ) ;; autostart | dominfo | domuuid | domid | dominfo | domname | dumpxml | setmem ) get_option_list ${prev} COMPREPLY=( $(compgen -W "$OPTIONS $all_domains" -- ${cur}) ) ;; start | undefine) get_option_list ${prev} COMPREPLY=( $(compgen -W "$OPTIONS $shutoff_domains" -- ${cur}) ) ;; create | define) get_option_list ${prev} xml_files=$(ls *.xml) COMPREPLY=( $(compgen -W "$OPTIONS $xml_files" -- ${cur}) ) ;; shutdown | domstate | console | destroy | reboot | save | suspend | resume | vcpuinfo | vncdisplay) get_option_list ${prev} COMPREPLY=( $(compgen -W "$OPTIONS $live_domains" -- ${cur}) ) ;; connect) get_option_list ${prev} URI_TEMPLATES="xen:// qemu:// test:// xen+ssh:// test+tcp:// qemu+unix:// qemu+tls:// qemu+ssh://" COMPREPLY=( $(compgen -W "$OPTIONS $URI_TEMPLATES" -- ${cur}) ) ;; *) COMPREPLY=( $(compgen -f -- ${cur}) ) return 0 ;; esac } complete -F _virsh_complete virsh

4 8

[libvirt] [PATCH 1/4] add a qemu-specific event register API, to passthough the new events come from qemu
by shaohef＠linux.vnet.ibm.com 05 Feb '12

05 Feb '12

From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com> Basically, this feature can go along with qemu monitor passthrough. That way, if we use new commands in the monitor that generate new events, we want some way to receive those new events too. Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com> --- include/libvirt/libvirt-qemu.h | 27 ++++ include/libvirt/libvirt.h.in | 2 +- src/conf/domain_event.c | 293 ++++++++++++++++++++++++++++++++++++++-- src/conf/domain_event.h | 50 ++++++- src/driver.h | 14 ++ src/libvirt-qemu.c | 189 ++++++++++++++++++++++++++ src/libvirt_private.syms | 6 + src/libvirt_qemu.syms | 5 + 8 files changed, 571 insertions(+), 15 deletions(-) diff --git a/include/libvirt/libvirt-qemu.h b/include/libvirt/libvirt-qemu.h index 7f12e4f..3aa944a 100644 --- a/include/libvirt/libvirt-qemu.h +++ b/include/libvirt/libvirt-qemu.h @@ -32,6 +32,33 @@ virDomainPtr virDomainQemuAttach(virConnectPtr domain, unsigned int pid, unsigned int flags); +/** + * virConnectDomainQemuEventCallback: + * @conn: connection object + * @dom: domain on which the event occurred + * @eventName : the name of the unknow or un-implementation event + * @eventArgs: the content of the unknow or un-implementation event + * + * The callback signature to use when registering for an event of type + * VIR_QEMU_DOMAIN_EVENT_ID_UNKNOWN with virConnectDomainQemuEventRegister() + */ +typedef void (*virConnectDomainQemuEventCallback)(virConnectPtr conn, + virDomainPtr dom, + const char *eventName, /* The JSON event name */ + const char *eventArgs, /* The JSON string of args */ + void *opaque); + +int +virConnectDomainQemuEventRegister(virConnectPtr conn, + virDomainPtr dom, /* option to filter */ + const char *eventName, /* JSON event name */ + virConnectDomainQemuEventCallback cb, + void *opaque, + virFreeCallback freecb); +int +virConnectDomainQemuEventDeregister(virConnectPtr conn, + int callbackID); + # ifdef __cplusplus } # endif diff --git a/include/libvirt/libvirt.h.in b/include/libvirt/libvirt.h.in index 2480add..9fcb400 100644 --- a/include/libvirt/libvirt.h.in +++ b/include/libvirt/libvirt.h.in @@ -3207,7 +3207,6 @@ typedef void (*virConnectDomainEventBlockJobCallback)(virConnectPtr conn, int type, int status, void *opaque); - /** * virConnectDomainEventDiskChangeReason: * @@ -3263,6 +3262,7 @@ typedef enum { VIR_DOMAIN_EVENT_ID_CONTROL_ERROR = 7, /* virConnectDomainEventGenericCallback */ VIR_DOMAIN_EVENT_ID_BLOCK_JOB = 8, /* virConnectDomainEventBlockJobCallback */ VIR_DOMAIN_EVENT_ID_DISK_CHANGE = 9, /* virConnectDomainEventDiskChangeCallback */ + VIR_QEMU_DOMAIN_EVENT_ID_UNKNOWN = 10, /* virConnectDomainEventDefaultCallback */ /* * NB: this enum value will increase over time as new events are diff --git a/src/conf/domain_event.c b/src/conf/domain_event.c index 614ab97..0388a66 100644 --- a/src/conf/domain_event.c +++ b/src/conf/domain_event.c @@ -45,7 +45,9 @@ typedef virDomainMeta *virDomainMetaPtr; struct _virDomainEventCallback { int callbackID; + int qemuCallbackID; int eventID; + char *eventName; virConnectPtr conn; virDomainMetaPtr dom; virConnectDomainEventGenericCallback cb; @@ -94,6 +96,10 @@ struct _virDomainEvent { char *devAlias; int reason; } diskChange; + struct { + char *eventName; + char *eventArgs; + }qemuUnknownEvent; } data; }; @@ -112,6 +118,7 @@ virDomainEventCallbackListFree(virDomainEventCallbackListPtr list) for (i=0; i<list->count; i++) { virFreeCallback freecb = list->callbacks[i]->freecb; + VIR_FREE(list->callbacks[i]->eventName); if (freecb) (*freecb)(list->callbacks[i]->opaque); VIR_FREE(list->callbacks[i]); @@ -187,8 +194,10 @@ virDomainEventCallbackListRemoveID(virConnectPtr conn, if (freecb) (*freecb)(cbList->callbacks[i]->opaque); virUnrefConnect(cbList->callbacks[i]->conn); + if (cbList->callbacks[i]->eventID == VIR_QEMU_DOMAIN_EVENT_ID_UNKNOWN) { + VIR_FREE(cbList->callbacks[i]->eventName); + } VIR_FREE(cbList->callbacks[i]); - if (i < (cbList->count - 1)) memmove(cbList->callbacks + i, cbList->callbacks + i + 1, @@ -231,6 +240,9 @@ virDomainEventCallbackListRemoveConn(virConnectPtr conn, if (freecb) (*freecb)(cbList->callbacks[i]->opaque); virUnrefConnect(cbList->callbacks[i]->conn); + if (cbList->callbacks[i]->eventID == VIR_QEMU_DOMAIN_EVENT_ID_UNKNOWN) { + VIR_FREE(cbList->callbacks[i]->eventName); + } VIR_FREE(cbList->callbacks[i]); if (i < (cbList->count - 1)) @@ -299,6 +311,9 @@ int virDomainEventCallbackListPurgeMarked(virDomainEventCallbackListPtr cbList) if (freecb) (*freecb)(cbList->callbacks[i]->opaque); virUnrefConnect(cbList->callbacks[i]->conn); + if (cbList->callbacks[i]->eventID == VIR_QEMU_DOMAIN_EVENT_ID_UNKNOWN) { + VIR_FREE(cbList->callbacks[i]->eventName); + } VIR_FREE(cbList->callbacks[i]); if (i < (cbList->count - 1)) @@ -404,7 +419,98 @@ virDomainEventCallbackListAddID(virConnectPtr conn, cbList->callbacks[cbList->count] = event; cbList->count++; + event->callbackID = cbList->nextID++; + + return event->callbackID; + +no_memory: + virReportOOMError(); + + if (event) { + if (event->dom) + VIR_FREE(event->dom->name); + VIR_FREE(event->dom); + } + VIR_FREE(event); + return -1; +} + + + +/** + * virDomainEventCallbackListAddName: + * @conn: pointer to the connection + * @cbList: the list + * @eventName: the event eventName + * @callback: the callback to add + * @eventID: the specific eventID + * @opaque: opaque data tio pass to callback + * + * Internal function to add a callback from a virDomainEventCallbackListPtr + */ +int +virDomainEventCallbackListAddName(virConnectPtr conn, + virDomainEventCallbackListPtr cbList, + virDomainPtr dom, + const char* eventName, + int eventID, + virConnectDomainEventGenericCallback callback, + void *opaque, + virFreeCallback freecb) +{ + virDomainEventCallbackPtr event; + int i; + + /* Check incoming */ + if ( !cbList ) { + return -1; + } + + /* check if we already have this callback on our list */ + for (i = 0 ; i < cbList->count ; i++) { + if (cbList->callbacks[i]->cb == VIR_DOMAIN_EVENT_CALLBACK(callback) && + STREQ(cbList->callbacks[i]->eventName, eventName) && + cbList->callbacks[i]->eventID == eventID && + cbList->callbacks[i]->conn == conn) { + eventReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("event callback already tracked")); + return -1; + } + } + if (eventID > VIR_DOMAIN_EVENT_ID_LAST || eventID < VIR_DOMAIN_EVENT_ID_LIFECYCLE) { + eventReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("not suport this kind of eventID: %d"), eventID); + } + /* Allocate new event */ + if (VIR_ALLOC(event) < 0) + goto no_memory; + event->conn = conn; + event->cb = callback; + if (eventName == NULL) + goto no_memory; + event->eventName = strdup(eventName); + if ( event->eventName == NULL) + goto no_memory; + event->opaque = opaque; + event->freecb = freecb; + event->eventID = eventID; + if (dom) { + if (VIR_ALLOC(event->dom) < 0) + goto no_memory; + if (!(event->dom->name = strdup(dom->name))) + goto no_memory; + memcpy(event->dom->uuid, dom->uuid, VIR_UUID_BUFLEN); + event->dom->id = dom->id; + } + /* Make space on list */ + if (VIR_REALLOC_N(cbList->callbacks, cbList->count + 1) < 0) + goto no_memory; + + event->conn->refs++; + + cbList->callbacks[cbList->count] = event; + cbList->count++; event->callbackID = cbList->nextID++; return event->callbackID; @@ -416,11 +522,40 @@ no_memory: if (event->dom) VIR_FREE(event->dom->name); VIR_FREE(event->dom); + VIR_FREE(event->eventName); } VIR_FREE(event); return -1; } +/** + * virDomainEventCallbackListAddQemuCallbackID: + * @conn: pointer to the connection + * @cbList: the list + * @callbackID: the libvirt callback ID + * @qemuCallbackID: the libvirtd callback ID to add + * + * Internal function to add a Daemon libvirtd callbackID + */ +int +virDomainEventCallbackListAddQemuCallbackID(virConnectPtr conn, + virDomainEventCallbackListPtr cbList, + int callbackID, + int qemuCallbackID) +{ + int i; + for (i = 0 ; i < cbList->count ; i++) { + if (cbList->callbacks[i]->callbackID == callbackID && + cbList->callbacks[i]->conn == conn) { + cbList->callbacks[i]->qemuCallbackID = qemuCallbackID; + return 0; + } + } + + eventReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("could not find event callback for deletion")); + return -1; +} int virDomainEventCallbackListCountID(virConnectPtr conn, virDomainEventCallbackListPtr cbList, @@ -442,6 +577,27 @@ int virDomainEventCallbackListCountID(virConnectPtr conn, } +int +virDomainEventCallbackListCountName(virConnectPtr conn, + virDomainEventCallbackListPtr cbList, + const char *eventName) +{ + int i; + int count = 0; + + for (i = 0 ; i < cbList->count ; i++) { + if (cbList->callbacks[i]->deleted) + continue; + + if (STREQ(cbList->callbacks[i]->eventName,eventName) && + cbList->callbacks[i]->conn == conn) + count++; + } + + return count; +} + + int virDomainEventCallbackListEventID(virConnectPtr conn, virDomainEventCallbackListPtr cbList, int callbackID) @@ -461,6 +617,44 @@ int virDomainEventCallbackListEventID(virConnectPtr conn, } +const char* +virDomainEventCallbackListEventName(virConnectPtr conn, + virDomainEventCallbackListPtr cbList, + int callbackID) +{ + int i; + + for (i = 0 ; i < cbList->count ; i++) { + if (cbList->callbacks[i]->deleted) + continue; + + if (cbList->callbacks[i]->callbackID == callbackID && + cbList->callbacks[i]->conn == conn) + return cbList->callbacks[i]->eventName; + } + + return NULL; +} + +int +virDomainEventCallbackListEventQemuCallbackID(virConnectPtr conn, + virDomainEventCallbackListPtr cbList, + int callbackID) +{ + int i; + + for (i = 0 ; i < cbList->count ; i++) { + if (cbList->callbacks[i]->deleted) + continue; + + if (cbList->callbacks[i]->callbackID == callbackID && + cbList->callbacks[i]->conn == conn) + return cbList->callbacks[i]->qemuCallbackID; + } + + return -1; +} + int virDomainEventCallbackListCount(virDomainEventCallbackListPtr cbList) { int i; @@ -521,6 +715,11 @@ void virDomainEventFree(virDomainEventPtr event) VIR_FREE(event->data.diskChange.newSrcPath); VIR_FREE(event->data.diskChange.devAlias); break; + + case VIR_QEMU_DOMAIN_EVENT_ID_UNKNOWN: + VIR_FREE(event->data.qemuUnknownEvent.eventName); + VIR_FREE(event->data.qemuUnknownEvent.eventArgs); + break; } VIR_FREE(event->dom.name); @@ -956,6 +1155,51 @@ virDomainEventPtr virDomainEventBlockJobNewFromDom(virDomainPtr dom, path, type, status); } +static virDomainEventPtr +virDomainEventUnknownNew(int id, const char *name, unsigned char *uuid, + const char *eventName, const char *eventArgs) +{ + virDomainEventPtr ev = + virDomainEventNewInternal(VIR_QEMU_DOMAIN_EVENT_ID_UNKNOWN, + id, name, uuid); + if (ev) { + if (!(ev->data.qemuUnknownEvent.eventName = strdup(eventName))) { + virReportOOMError(); + VIR_FREE(ev->dom.name); + VIR_FREE(ev); + return NULL; + } + if (eventArgs) { + if (!(ev->data.qemuUnknownEvent.eventArgs = strdup(eventArgs))) { + virReportOOMError(); + VIR_FREE(ev->data.qemuUnknownEvent.eventName); + VIR_FREE(ev->dom.name); + VIR_FREE(ev); + return NULL; + } + } + } + + return ev; +} + +virDomainEventPtr virDomainEventUnknownNewFromObj(virDomainObjPtr obj, + const char *eventName, + const char *eventArgs) +{ + + return virDomainEventUnknownNew(obj->def->id, obj->def->name, + obj->def->uuid, eventName, eventArgs); +} + +virDomainEventPtr virDomainEventUnknownNewFromDom(virDomainPtr dom, + const char *eventName, + const char *eventArgs) +{ + return virDomainEventUnknownNew(dom->id, dom->name, dom->uuid, + eventName, eventArgs); +} + virDomainEventPtr virDomainEventControlErrorNewFromDom(virDomainPtr dom) { virDomainEventPtr ev = @@ -1095,11 +1339,12 @@ virDomainEventQueuePush(virDomainEventQueuePtr evtQueue, } -void virDomainEventDispatchDefaultFunc(virConnectPtr conn, - virDomainEventPtr event, - virConnectDomainEventGenericCallback cb, - void *cbopaque, - void *opaque ATTRIBUTE_UNUSED) +void +virDomainEventDispatchDefaultFunc(virConnectPtr conn, + virDomainEventPtr event, + virConnectDomainEventGenericCallback cb, + void *cbopaque, + void *opaque ATTRIBUTE_UNUSED) { virDomainPtr dom = virGetDomain(conn, event->dom.name, event->dom.uuid); if (!dom) @@ -1180,6 +1425,13 @@ void virDomainEventDispatchDefaultFunc(virConnectPtr conn, cbopaque); break; + case VIR_QEMU_DOMAIN_EVENT_ID_UNKNOWN: + ((virConnectDomainQemuEventCallback)cb)(conn, dom, + event->data.qemuUnknownEvent.eventName, + event->data.qemuUnknownEvent.eventArgs, + cbopaque); + break; + default: VIR_WARN("Unexpected event ID %d", event->eventID); break; @@ -1189,8 +1441,9 @@ void virDomainEventDispatchDefaultFunc(virConnectPtr conn, } -static int virDomainEventDispatchMatchCallback(virDomainEventPtr event, - virDomainEventCallbackPtr cb) +static int +virDomainEventDispatchMatchCallback(virDomainEventPtr event, + virDomainEventCallbackPtr cb) { if (!cb) return 0; @@ -1198,7 +1451,12 @@ static int virDomainEventDispatchMatchCallback(virDomainEventPtr event, return 0; if (cb->eventID != event->eventID) return 0; - + if (event->eventID == VIR_QEMU_DOMAIN_EVENT_ID_UNKNOWN) { + if (event->data.qemuUnknownEvent.eventName == NULL || + cb->eventName == NULL || + STRNEQ(cb->eventName, event->data.qemuUnknownEvent.eventName)) + return 0; + } if (cb->dom) { /* Deliberately ignoring 'id' for matching, since that * will cause problems when a domain switches between @@ -1341,3 +1599,20 @@ virDomainEventStateDeregisterAny(virConnectPtr conn, virDomainEventStateUnlock(state); return ret; } +int +virDomainQemuEventStateDeregister(virConnectPtr conn, + virDomainEventStatePtr state, + int callbackID) +{ + int ret; + + virDomainEventStateLock(state); + if (state->isDispatching) + ret = virDomainEventCallbackListMarkDeleteID(conn, + state->callbacks, callbackID); + else + ret = virDomainEventCallbackListRemoveID(conn, + state->callbacks, callbackID); + virDomainEventStateUnlock(state); + return ret; +} diff --git a/src/conf/domain_event.h b/src/conf/domain_event.h index 3ba418e..f2fe847 100644 --- a/src/conf/domain_event.h +++ b/src/conf/domain_event.h @@ -83,14 +83,23 @@ int virDomainEventCallbackListAddID(virConnectPtr conn, virFreeCallback freecb) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(5); +int virDomainEventCallbackListAddName(virConnectPtr conn, + virDomainEventCallbackListPtr cbList, + virDomainPtr dom, + const char* eventName, + int eventID, + virConnectDomainEventGenericCallback callback, + void *opaque, + virFreeCallback freecb) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(4) ATTRIBUTE_NONNULL(6); int virDomainEventCallbackListRemove(virConnectPtr conn, virDomainEventCallbackListPtr cbList, virConnectDomainEventCallback callback) ATTRIBUTE_NONNULL(1); -int virDomainEventCallbackListRemoveID(virConnectPtr conn, - virDomainEventCallbackListPtr cbList, - int callbackID) +int virDomainQemuEventCallbackListRemoveID(virConnectPtr conn, + virDomainEventCallbackListPtr cbList, + int callbackID) ATTRIBUTE_NONNULL(1); int virDomainEventCallbackListRemoveConn(virConnectPtr conn, virDomainEventCallbackListPtr cbList) @@ -106,9 +115,14 @@ int virDomainEventCallbackListMarkDeleteID(virConnectPtr conn, int callbackID) ATTRIBUTE_NONNULL(1); - int virDomainEventCallbackListPurgeMarked(virDomainEventCallbackListPtr cbList); +int virDomainEventCallbackListAddQemuCallbackID(virConnectPtr conn, + virDomainEventCallbackListPtr cbList, + int callbackID, + int qemuCallbackID) + ATTRIBUTE_NONNULL(1); + int virDomainEventCallbackListCount(virDomainEventCallbackListPtr cbList); int virDomainEventCallbackListCountID(virConnectPtr conn, virDomainEventCallbackListPtr cbList, @@ -119,6 +133,21 @@ int virDomainEventCallbackListEventID(virConnectPtr conn, int callbackID) ATTRIBUTE_NONNULL(1); +int virDomainEventCallbackListCountName(virConnectPtr conn, + virDomainEventCallbackListPtr cbList, + const char *eventName) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(3); + +int virDomainEventCallbackListEventQemuCallbackID(virConnectPtr conn, + virDomainEventCallbackListPtr cbList, + int callbackID) + ATTRIBUTE_NONNULL(1); + +const char* virDomainEventCallbackListEventName(virConnectPtr conn, + virDomainEventCallbackListPtr cbList, + int callbackID) + ATTRIBUTE_NONNULL(1); + virDomainEventQueuePtr virDomainEventQueueNew(void); virDomainEventPtr virDomainEventNew(int id, const char *name, const unsigned char *uuid, int type, int detail); @@ -190,6 +219,13 @@ virDomainEventPtr virDomainEventDiskChangeNewFromDom(virDomainPtr dom, const char *devAlias, int reason); +virDomainEventPtr virDomainEventUnknownNewFromObj(virDomainObjPtr obj, + const char *eventName, + const char *eventArgs); +virDomainEventPtr virDomainEventUnknownNewFromDom(virDomainPtr dom, + const char *eventName, + const char *eventArgs); + int virDomainEventQueuePush(virDomainEventQueuePtr evtQueue, virDomainEventPtr event); @@ -246,5 +282,9 @@ virDomainEventStateDeregisterAny(virConnectPtr conn, virDomainEventStatePtr state, int callbackID) ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); - +int +virDomainQemuEventStateDeregister(virConnectPtr conn, + virDomainEventStatePtr state, + int callbackID) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); #endif diff --git a/src/driver.h b/src/driver.h index 941ff51..51164a9 100644 --- a/src/driver.h +++ b/src/driver.h @@ -635,6 +635,18 @@ typedef virDomainPtr unsigned int flags); typedef int + (*virDrvDomainQemuEventRegister)(virConnectPtr conn, + virDomainPtr dom, /* option to filter */ + const char *eventName, /* JSON event name */ + virConnectDomainEventGenericCallback cb, + void *opaque, + virFreeCallback freecb); + +typedef int + (*virDrvDomainQemuEventDeregister)(virConnectPtr conn, + int callbackID); + +typedef int (*virDrvDomainOpenConsole)(virDomainPtr dom, const char *dev_name, virStreamPtr st, @@ -915,6 +927,8 @@ struct _virDriver { virDrvDomainSnapshotDelete domainSnapshotDelete; virDrvDomainQemuMonitorCommand qemuDomainMonitorCommand; virDrvDomainQemuAttach qemuDomainAttach; + virDrvDomainQemuEventRegister qemuDomainQemuEventRegister; + virDrvDomainQemuEventDeregister qemuDomainQemuEventDeregister; virDrvDomainOpenConsole domainOpenConsole; virDrvDomainOpenGraphics domainOpenGraphics; virDrvDomainInjectNMI domainInjectNMI; diff --git a/src/libvirt-qemu.c b/src/libvirt-qemu.c index 248cc33..7722b7b 100644 --- a/src/libvirt-qemu.c +++ b/src/libvirt-qemu.c @@ -36,6 +36,77 @@ virReportErrorHelper(VIR_FROM_DOM, error, NULL, __FUNCTION__, \ __LINE__, info) +/* Helper macros to implement VIR_DOMAIN_DEBUG using just C99. This + * assumes you pass fewer than 15 arguments to VIR_DOMAIN_DEBUG, but + * can easily be expanded if needed. + * + * Note that gcc provides extensions of "define a(b...) b" or + * "define a(b,...) b,##__VA_ARGS__" as a means of eliding a comma + * when no var-args are present, but we don't want to require gcc. + */ +#define VIR_ARG15(_1, _2, _3, _4, _5, _6, _7, _8, _9, _10, _11, _12, _13, _14, _15, ...) _15 +#define VIR_HAS_COMMA(...) VIR_ARG15(__VA_ARGS__, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0) + +/* Form the name VIR_DOMAIN_DEBUG_[01], then call that macro, + * according to how many arguments are present. Two-phase due to + * macro expansion rules. */ +#define VIR_DOMAIN_DEBUG_EXPAND(a, b, ...) \ + VIR_DOMAIN_DEBUG_PASTE(a, b, __VA_ARGS__) +#define VIR_DOMAIN_DEBUG_PASTE(a, b, ...) \ + a##b(__VA_ARGS__) + +/* Internal use only, when VIR_DOMAIN_DEBUG has one argument. */ +#define VIR_DOMAIN_DEBUG_0(dom) \ + VIR_DOMAIN_DEBUG_2(dom, "%s", "") + +/* Internal use only, when VIR_DOMAIN_DEBUG has three or more arguments. */ +#define VIR_DOMAIN_DEBUG_1(dom, fmt, ...) \ + VIR_DOMAIN_DEBUG_2(dom, ", " fmt, __VA_ARGS__) + +/* Internal use only, with final format. */ +#define VIR_DOMAIN_DEBUG_2(dom, fmt, ...) \ + do { \ + char _uuidstr[VIR_UUID_STRING_BUFLEN]; \ + const char *_domname = NULL; \ + \ + if (!VIR_IS_DOMAIN(dom)) { \ + memset(_uuidstr, 0, sizeof(_uuidstr)); \ + } else { \ + virUUIDFormat((dom)->uuid, _uuidstr); \ + _domname = (dom)->name; \ + } \ + \ + VIR_DEBUG("dom=%p, (VM: name=%s, uuid=%s)" fmt, \ + dom, NULLSTR(_domname), _uuidstr, __VA_ARGS__); \ + } while (0) + +/** + * VIR_DOMAIN_DEBUG: + * @dom: domain + * @fmt: optional format for additional information + * @...: optional arguments corresponding to @fmt. + */ +#define VIR_DOMAIN_DEBUG(...) \ + VIR_DOMAIN_DEBUG_EXPAND(VIR_DOMAIN_DEBUG_, \ + VIR_HAS_COMMA(__VA_ARGS__), \ + __VA_ARGS__) + +/** + * VIR_UUID_DEBUG: + * @conn: connection + * @uuid: possibly null UUID array + */ +#define VIR_UUID_DEBUG(conn, uuid) \ + do { \ + if (uuid) { \ + char _uuidstr[VIR_UUID_STRING_BUFLEN]; \ + virUUIDFormat(uuid, _uuidstr); \ + VIR_DEBUG("conn=%p, uuid=%s", conn, _uuidstr); \ + } else { \ + VIR_DEBUG("conn=%p, uuid=(null)", conn); \ + } \ + } while (0) + /** * virDomainQemuMonitorCommand: * @domain: a domain object @@ -178,3 +249,121 @@ error: virDispatchError(conn); return NULL; } + +/** + * virConnectDomainQemuEventRegister: + * @conn: pointer to the connection + * @dom: pointer to the domain + * @eventName: the event Name to receive + * @cb: callback to the function handling domain events + * @opaque: opaque data to pass on to the callback + * @freecb: optional function to deallocate opaque when not used anymore + * + * Adds a callback to receive notifications of arbitrary qemu domain events + * occurring on a domain. + * + * If dom is NULL, then events will be monitored for any domain. If dom + * is non-NULL, then only the specific domain will be monitored + * + * Most types of event have a callback providing a custom set of parameters + * for the event. When registering an event, it is thus neccessary to use + * the VIR_DOMAIN_EVENT_CALLBACK() macro to cast the supplied function pointer + * to match the signature of this method. + * + * The virDomainPtr object handle passed into the callback upon delivery + * of an event is only valid for the duration of execution of the callback. + * If the callback wishes to keep the domain object after the callback returns, + * it shall take a reference to it, by calling virDomainRef. + * The reference can be released once the object is no longer required + * by calling virDomainFree. + * + * The return value from this method is a positive integer identifier + * for the callback. To unregister a callback, this callback ID should + * be passed to the virConnectDomainQemuEventDeregister method + * + * Returns a callback identifier on success, -1 on failure + */ +int +virConnectDomainQemuEventRegister(virConnectPtr conn, + virDomainPtr dom, /* option to filter */ + const char *eventName, /* JSON event name */ + virConnectDomainQemuEventCallback cb, + void *opaque, + virFreeCallback freecb) +{ + VIR_DOMAIN_DEBUG(dom, "conn=%p, eventName=%s, cb=%p, opaque=%p, freecb=%p", + conn, eventName, cb, opaque, freecb); + + virResetLastError(); + + if (!VIR_IS_CONNECT(conn)) { + virLibConnError(conn, VIR_ERR_INVALID_CONN, __FUNCTION__); + virDispatchError(NULL); + return -1; + } + if (dom != NULL && + !(VIR_IS_CONNECTED_DOMAIN(dom) && dom->conn == conn)) { + virLibConnError(conn, VIR_ERR_INVALID_CONN, __FUNCTION__); + virDispatchError(conn); + return -1; + } + if (eventName == NULL || cb == NULL) { + virLibConnError(conn, VIR_ERR_INVALID_ARG, __FUNCTION__); + goto error; + } + + if ((conn->driver) && (conn->driver->qemuDomainQemuEventRegister)) { + int ret; + ret = conn->driver->qemuDomainQemuEventRegister(conn, dom, eventName, cb, opaque, freecb); + if (ret < 0) + goto error; + return ret; + } + + virLibConnError(conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); +error: + virDispatchError(conn); + return -1; +} + +/** + * virConnectDomainQemuEventDeregister: + * @conn: pointer to the connection + * @callbackID: the callback identifier + * + * Removes an event callback. The callbackID parameter should be the + * vaule obtained from a previous virConnectDomainQemuEventDeregister method. + * + * Returns 0 on success, -1 on failure + */ +int +virConnectDomainQemuEventDeregister(virConnectPtr conn, + int callbackID) +{ + + VIR_DEBUG("conn=%p, callbackID=%d", conn, callbackID); + + virResetLastError(); + + if (!VIR_IS_CONNECT(conn)) { + virLibConnError(conn, VIR_ERR_INVALID_CONN, __FUNCTION__); + virDispatchError(NULL); + return -1; + } + if (callbackID < 0) { + virLibConnError(conn, VIR_ERR_INVALID_ARG, __FUNCTION__); + goto error; + } + if ((conn->driver) && (conn->driver->qemuDomainQemuEventDeregister)) { + int ret; + ret = conn->driver->qemuDomainQemuEventDeregister(conn, callbackID); + if (ret < 0) + goto error; + return ret; + } + + virLibConnError(conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); +error: + virDispatchError(conn); + return -1; +} diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 48ffdf2..75e544a 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -471,11 +471,16 @@ virDomainWatchdogModelTypeToString; # domain_event.h virDomainEventBlockJobNewFromObj; virDomainEventBlockJobNewFromDom; +virDomainEventUnknownNewFromObj; +virDomainEventunknownNewFromDom; virDomainEventCallbackListAdd; virDomainEventCallbackListAddID; +virDomainEventCallbackListAddName; virDomainEventCallbackListCount; virDomainEventCallbackListCountID; +virDomainEventCallbackListCountName; virDomainEventCallbackListEventID; +virDomainEventCallbackListEventName; virDomainEventCallbackListFree; virDomainEventCallbackListMarkDelete; virDomainEventCallbackListMarkDeleteID; @@ -512,6 +517,7 @@ virDomainEventRebootNewFromDom; virDomainEventRebootNewFromObj; virDomainEventStateDeregister; virDomainEventStateDeregisterAny; +virDomainQemuEventStateDeregister; virDomainEventStateFlush; virDomainEventStateFree; virDomainEventStateNew; diff --git a/src/libvirt_qemu.syms b/src/libvirt_qemu.syms index 8447730..a17e387 100644 --- a/src/libvirt_qemu.syms +++ b/src/libvirt_qemu.syms @@ -19,3 +19,8 @@ LIBVIRT_QEMU_0.9.4 { global: virDomainQemuAttach; } LIBVIRT_QEMU_0.8.3; +LIBVIRT_QEMU_0.9.9 { + global: + virConnectDomainQemuEventRegister; + virConnectDomainQemuEventDeregister; +} LIBVIRT_QEMU_0.9.4; -- 1.7.5.4

4 16

[libvirt] Build issue with libvirt 0.9.8
by Christophe Fergeau 31 Jan '12

31 Jan '12

Hi, When building libvirt 0.9.8 with jhbuild, I have now reproduced twice some issue during the build. Namely, after successfully building and installing libvirt 0.9.8, when I try to run virsh, I get: virsh: /home/teuf/jhbuild-boxes/opt/lib64/libvirt.so.0: version `LIBVIRT_PRIVATE_0.9.7' not found (required by /home/teuf/jhbuild-boxes/opt/lib64/libvirt-qemu.so.0) This happens when I start from a clean prefix (no libvirt in it), then I install 0.9.7, and then I try to install 0.9.8 on top of it. If I rebuild libvirt-0.9.8 once more this goes away, so this is not a blocking problem for me. I have checked that libvirt-qemu.so.0 is the 0.9.8 version, I have looked in the build logs and in Makefile.am and everything looks correct to me, so I was wondering if anyone had any explanation for this behaviour. Once again, it's easy to workaround so it's not a big issue, but I'm mentioning it in case there would something obvious I missed. I put the build logs at http://people.gnome.org/~teuf/libvirt-0.9.7 and http://people.gnome.org/~teuf/libvirt-0.9.8 Christophe

2 3

[libvirt] libvirt doesn't work with qemu 1.0
by Gerd Hoffmann 26 Jan '12

26 Jan '12

Hi, $subject says all. The error message is: error: internal error cannot parse /home/kraxel/bin/qemu-default version number in 'QEMU emulator version 1.0, Copyright (c) 2003-2008 Fabrice Bellard' cheers, Gerd PS: libvirt-0.9.4-23.el6.x86_64

8 12

[libvirt] [PATCH 0/8 v5] Summary on block IO throttle
by Lei Li 19 Jan '12

19 Jan '12

Changes since V3 - Use virTypedParameterPtr instead of specific struct in libvirt pulic API. - Relevant changes to remote driver, qemu driver, python support and virsh. Changes since V2 - Implement the Python binding support for setting blkio throttling. - Implement --current --live --config options support to unify the libvirt API. - Add changes in docs and tests. - Some changes suggested by Adam Litke, Eric Blake, Daniel P. Berrange. - Change the XML schema. - API name to virDomain{Set, Get}BlockIoTune. - Parameters changed to make them more self-explanatory. - virsh command name to blkdeviotune. - And other fixups. Changes since V1 - Implement the support to get the block io throttling for a device as read only connection - QMP/HMP. - Split virDomainBlockIoThrottle into two separate functions virDomainSetBlockIoThrottle - Set block I/O limits for a device - Requires a connection in 'write' mode. - Limits (info) structure passed as an input parameter virDomainGetBlockIoThrottle - Get the current block I/O limits for a device - Works on a read-only connection. - Current limits are written to the output parameter (reply). - And Other fixups suggested by Adam Litke, Daniel P. Berrange. - For dynamically allocate the blkiothrottle struct, I will fix it when implement --current --live --config options support. Today libvirt supports the cgroups blkio-controller, which handles proportional shares and throughput/iops limits on host block devices. blkio-controller does not support network file systems (NFS) or other QEMU remote block drivers (curl, Ceph/rbd, sheepdog) since they are not host block devices. QEMU I/O throttling works with all types of drive and can be applied independently to each drive attached to a guest and supports throughput/iops limits. To help add QEMU I/O throttling support to libvirt, we plan to complete it with add new API virDomain{Set, Get}BlockIoThrottle(), new command 'blkdeviotune' and Python bindings. Notes: Now all the planed features were implemented (#1#2 were implemented by Zhi Yong Wu), the previous comments were all fixed up too. And the qemu part patches have been accepted upstream and are expected to be part of the QEMU 1.1 release, git tree from Zhi Yong: http://repo.or.cz/w/qemu/kevin.git/shortlog/refs/heads/block 1) Enable the blkio throttling in xml when guest is starting up. Add blkio throttling in xml as follows: <disk type='file' device='disk'> ... <iotune> <total_bytes_sec>nnn</total_bytes_sec> ... </iotune> ... </disk> 2) Enable blkio throttling setting at guest running time. virsh blkdeviotune <domain> <device> [--total_bytes_sec<number>] [--read_bytes_sec<number>] \ [--write_bytes_sec<number>] [--total_iops_sec<number>] [--read_iops_sec<number>] [--write_iops_sec<number>] 3) The support to get the current block i/o throttling for a device - HMP/QMP. virsh blkiothrottle <domain> <device> total_bytes_sec: read_bytes_sec: write_bytes_sec: total_iops_sec: read_iops_sec: write_iops_sec: 4) Python binding support for setting blkio throttling. 5) --current --live --config options support to unify the libvirt API. virsh blkdeviotune <domain> <device> [--total_bytes_sec <number>] [--read_bytes_sec <number>] [--write_bytes_sec <number>] [--total_iops_sec <number>] [--read_iops_sec <number>] [--write_iops_sec <number>] [--config] [--live] [--current] daemon/remote.c | 108 +++++++ docs/formatdomain.html.in | 31 ++ docs/schemas/domaincommon.rng | 24 ++ include/libvirt/libvirt.h.in | 70 ++++ python/generator.py | 2 + python/libvirt-override-api.xml | 16 + python/libvirt-override.c | 179 +++++++++++ src/conf/domain_conf.c | 101 ++++++- src/conf/domain_conf.h | 12 + src/driver.h | 20 ++ src/libvirt.c | 145 +++++++++ src/libvirt_public.syms | 2 + src/qemu/qemu_command.c | 33 ++ src/qemu/qemu_driver.c | 338 ++++++++++++++++++++ src/qemu/qemu_monitor.c | 36 ++ src/qemu/qemu_monitor.h | 22 ++ src/qemu/qemu_monitor_json.c | 185 +++++++++++ src/qemu/qemu_monitor_json.h | 10 + src/qemu/qemu_monitor_text.c | 164 ++++++++++ src/qemu/qemu_monitor_text.h | 10 + src/remote/remote_driver.c | 96 ++++++ src/remote/remote_protocol.x | 26 ++- src/remote_protocol-structs | 24 ++ src/util/xml.h | 2 + .../qemuxml2argv-blkdeviotune.args | 4 + .../qemuxml2argvdata/qemuxml2argv-blkdeviotune.xml | 37 +++ tests/qemuxml2argvtest.c | 1 + tests/qemuxml2xmltest.c | 1 + tools/virsh.c | 240 ++++++++++++++ tools/virsh.pod | 23 ++ 30 files changed, 1958 insertions(+), 4 deletions(-) -- Lei

6 9

[libvirt] [PATCH v2 0/6] Console coruption with two or more clients series
by Peter Krempa 18 Jan '12

18 Jan '12

This series fixes anoying console corruption if two clients try to connect at same time to the console. The current state of this is, that two/more of threads compete for the data from the PTY. This causes that each of the consoles get scrambled and unusable. These patches add mutual exclusion for opening consoles with two different approaches and a option to terminate existing console streams. A sample implementation is done using qemu driver, but i'll add more of them if this will be OK. (They're basicaly the same as in qemu). For convinience, to review these patches: git checkout -b console_corruption 8d16201fe0e63afb5416a8eb7c6478f582ccccc0 git pull git://aeon.pipo.sk/libvirt.git console_dup (The machine should be up most of time) Peter Peter Krempa (6): Add flags for virDomainOpenConsole virsh: add support for VIR_DOMAIN_CONSOLE_FORCE flag fdstream: Emit stream abort callback even if poll() doesnt. fdstream: Add internal callback on stream close util: Add helpers for safe domain console operations qemu: Add ability to abort existing console while creating new one configure.ac | 37 +++- include/libvirt/libvirt.h.in | 12 +- src/Makefile.am | 5 +- src/fdstream.c | 95 +++++++++- src/fdstream.h | 11 + src/libvirt_private.syms | 6 + src/qemu/qemu_domain.c | 5 + src/qemu/qemu_domain.h | 3 + src/qemu/qemu_driver.c | 21 ++- src/util/domain_safe_console.c | 399 ++++++++++++++++++++++++++++++++++++++++ src/util/domain_safe_console.h | 28 +++ tools/console.c | 5 +- tools/console.h | 3 +- tools/virsh.c | 18 ++- 14 files changed, 614 insertions(+), 34 deletions(-) create mode 100644 src/util/domain_safe_console.c create mode 100644 src/util/domain_safe_console.h -- 1.7.3.4

3 24

[libvirt] Using virtEvents in macvtap setup code
by Dirk Herrendoerfer 12 Jan '12

12 Jan '12

Hi all, I'm trying to get libvirt to re-associate lost connections when a vepa connection is lost due to a switch error, or lldpad restart. My take was to use the virtEvent infrastructure to poll for messages on a netlink socket and then restart the association if the message indicates that a link came back up. I ran into a problem, that if I start the polling netlink event from the daemon thread I would get the file events an the netlink messages, but I cannot configure the event handler because the rpc client threads and the daemon do not share the same address space. Is there a way to get file events in the VMs setup code so I can register a callback at VM initialization time to receive netlink messages and restart association if needed ? Best regards, D.Herrendoerfer <herrend at de dot ibm dot com > <d.herrendoerfer at herrendoerfer dot name>

4 4

[libvirt] [PATCH 0/5 v3] Interface pools and passthrough mode
by Shradha Shah 12 Jan '12

12 Jan '12

Interface Pools and Passthrough mode: Current Method: The passthrough mode uses a macvtap direct connection to connect each guest to the network. The physical interface to be used is picked from among those listed in <interface> sub elements of the <forward> element. The current specification for <forward> extends to allow 0 or more <interface> sub-elements: Example: <forward mode='passthrough' dev='eth10'/> <interface dev='eth10'/> <interface dev='eth12'/> <interface dev='eth18'/> <interface dev='eth20'/> </forward> However with an ethernet card with 64 VF's or more, the above method gets tedious on the system. On the other hand, just parameterizing a string (eth%d) is inadequate, eg, when there are multiple non-contiguous ranges. Proposed Method: The 4 patches provided: i) Introduce a new element 'pf' to implicitly create an interface pool of all the Virtual Functions attached to the specified Physical Function. ii) Modify the networkAllocateActualDevice, networkNotifyActualDevice and networkReleaseActualDevice API to use the above mentioned interface pool in the passthrough mode. iii) Allow virsh net-dumpxml to use an option --inactive to differentiate between explicit and implicit interface pools Hence Libvirt will now support both the methods mentioned below: * Explicit interface list. App inputs: <forward mode='passthrough'> <interface dev='eth10'/> <interface dev='eth11'/> <interface dev='eth12'/> <interface dev='eth13'/> </forward> libvirt does not change XML * Automatically interface list from PF. App inputs: <forward mode='passthrough'> <pf dev='eth0'/> </forward> libvirt expands XML to be <forward mode='passthrough'> <pf dev='eth0'/> <interface dev='eth10'/> <interface dev='eth11'/> <interface dev='eth12'/> <interface dev='eth13'/> </forward> In the above case we need to differentiate between the implicit and explicit interface pool, which can be done by comparing the dumpxml from active and inactive domains. This will need the addition of the flag VIR_NETWORK_XML_INACTIVE to virNetworkGetXMLDesc(). This patch series supports the use of option --inactive with virsh net-dumpxml. Shradha Shah (5): Added function pciSysfsFile to enable access to the PCI SYSFS files. Added Function virNetDevGetVirtualFunctions Adding the element pf to network xml. Functionality to implicitly get interface pool from SR-IOV PF. Added new option to virsh net-dumpxml called --inactive docs/schemas/network.rng | 7 +++ include/libvirt/libvirt.h.in | 4 ++ src/conf/network_conf.c | 79 +++++++++++++++++++++++++++++++--- src/conf/network_conf.h | 5 ++- src/network/bridge_driver.c | 97 ++++++++++++++++++++++++++++++++--------- src/test/test_driver.c | 2 +- src/util/pci.c | 39 +++++++++++++++++ src/util/pci.h | 7 +++ src/util/virnetdev.c | 83 ++++++++++++++++++++++++++++++++++++ src/util/virnetdev.h | 6 +++ src/vbox/vbox_tmpl.c | 2 +- tests/networkxml2xmltest.c | 2 +- tools/virsh.c | 13 +++++- 13 files changed, 311 insertions(+), 35 deletions(-) -- 1.7.4.4

3 21

[libvirt] [PATCH] Change security driver APIs to use virDomainDefPtr instead of virDomainObjPtr
by Daniel P. Berrange 11 Jan '12

11 Jan '12

From: "Daniel P. Berrange" <berrange(a)redhat.com> When sVirt is integrated with the LXC driver, it will be neccessary to invoke the security driver APIs using only a virDomainDefPtr since the lxc_container.c code has no virDomainObjPtr available. Aside from two functions which want obj->pid, every bit of the security driver code only touches obj->def. So we don't need to pass a virDomainObjPtr into the security drivers, a virDomainDefPtr is sufficient. Two functions also gain a 'pid_t pid' argument. * src/qemu/qemu_driver.c, src/qemu/qemu_hotplug.c, src/qemu/qemu_migration.c, src/qemu/qemu_process.c, src/security/security_apparmor.c, src/security/security_dac.c, src/security/security_driver.h, src/security/security_manager.c, src/security/security_manager.h, src/security/security_nop.c, src/security/security_selinux.c, src/security/security_stack.c: Change all security APIs to use a virDomainDefPtr instead of virDomainObjPtr --- src/qemu/qemu_driver.c | 10 +- src/qemu/qemu_hotplug.c | 28 ++-- src/qemu/qemu_migration.c | 12 +- src/qemu/qemu_process.c | 24 ++-- src/security/security_apparmor.c | 136 ++++++++++---------- src/security/security_dac.c | 91 +++++++------- src/security/security_driver.h | 36 +++--- src/security/security_manager.c | 40 +++--- src/security/security_manager.h | 36 +++--- src/security/security_nop.c | 36 +++--- src/security/security_selinux.c | 260 +++++++++++++++++++------------------- src/security/security_stack.c | 44 ++++--- 12 files changed, 381 insertions(+), 372 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 6cfdd1d..6e001ce 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -3096,7 +3096,7 @@ qemuDomainScreenshot(virDomainPtr dom, } unlink_tmp = true; - virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp); + virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp); qemuDomainObjEnterMonitor(driver, vm); if (qemuMonitorScreendump(priv->mon, tmp) < 0) { @@ -3868,7 +3868,7 @@ static int qemudDomainGetSecurityLabel(virDomainPtr dom, virSecurityLabelPtr sec */ if (virDomainObjIsActive(vm)) { if (virSecurityManagerGetProcessLabel(driver->securityManager, - vm, seclabel) < 0) { + vm->def, vm->pid, seclabel) < 0) { qemuReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Failed to get security label")); goto cleanup; @@ -4167,7 +4167,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn, out: virCommandFree(cmd); if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager, - vm, path) < 0) + vm->def, path) < 0) VIR_WARN("failed to restore save state label on %s", path); return ret; @@ -7584,7 +7584,7 @@ qemudDomainMemoryPeek (virDomainPtr dom, goto endjob; } - virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp); + virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp); priv = vm->privateData; qemuDomainObjEnterMonitor(driver, vm); @@ -9064,7 +9064,7 @@ qemuDomainSnapshotCreateSingleDiskActive(struct qemud_driver *driver, if (virDomainLockDiskAttach(driver->lockManager, vm, disk) < 0) goto cleanup; - if (virSecurityManagerSetImageLabel(driver->securityManager, vm, + if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", source); diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c index 96c0070..684fede 100644 --- a/src/qemu/qemu_hotplug.c +++ b/src/qemu/qemu_hotplug.c @@ -88,7 +88,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver, return -1; if (virSecurityManagerSetImageLabel(driver->securityManager, - vm, disk) < 0) { + vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", disk->src); return -1; @@ -120,7 +120,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver, goto error; if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, origdisk) < 0) + vm->def, origdisk) < 0) VIR_WARN("Unable to restore security label on ejected image %s", origdisk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, origdisk) < 0) @@ -141,7 +141,7 @@ error: VIR_FREE(driveAlias); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, disk) < 0) + vm->def, disk) < 0) VIR_WARN("Unable to restore security label on new media %s", disk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) @@ -209,7 +209,7 @@ int qemuDomainAttachPciDiskDevice(virConnectPtr conn, return -1; if (virSecurityManagerSetImageLabel(driver->securityManager, - vm, disk) < 0) { + vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", disk->src); return -1; @@ -283,7 +283,7 @@ error: VIR_WARN("Unable to release PCI address on %s", disk->src); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, disk) < 0) + vm->def, disk) < 0) VIR_WARN("Unable to restore security label on %s", disk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) @@ -439,7 +439,7 @@ int qemuDomainAttachSCSIDisk(virConnectPtr conn, return -1; if (virSecurityManagerSetImageLabel(driver->securityManager, - vm, disk) < 0) { + vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", disk->src); return -1; @@ -530,7 +530,7 @@ error: VIR_FREE(drivestr); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, disk) < 0) + vm->def, disk) < 0) VIR_WARN("Unable to restore security label on %s", disk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) @@ -562,7 +562,7 @@ int qemuDomainAttachUsbMassstorageDevice(virConnectPtr conn, return -1; if (virSecurityManagerSetImageLabel(driver->securityManager, - vm, disk) < 0) { + vm->def, disk) < 0) { if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) VIR_WARN("Unable to release lock on %s", disk->src); return -1; @@ -623,7 +623,7 @@ error: VIR_FREE(drivestr); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, disk) < 0) + vm->def, disk) < 0) VIR_WARN("Unable to restore security label on %s", disk->src); if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) @@ -1112,7 +1112,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver, if (virSecurityManagerSetHostdevLabel(driver->securityManager, - vm, hostdev) < 0) + vm->def, hostdev) < 0) return -1; switch (hostdev->source.subsys.type) { @@ -1139,7 +1139,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver, error: if (virSecurityManagerRestoreHostdevLabel(driver->securityManager, - vm, hostdev) < 0) + vm->def, hostdev) < 0) VIR_WARN("Unable to restore host device labelling on hotplug fail"); return -1; @@ -1572,7 +1572,7 @@ int qemuDomainDetachPciDiskDevice(struct qemud_driver *driver, virDomainDiskDefFree(detach); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, dev->data.disk) < 0) + vm->def, dev->data.disk) < 0) VIR_WARN("Unable to restore security label on %s", dev->data.disk->src); if (cgroup != NULL) { @@ -1654,7 +1654,7 @@ int qemuDomainDetachDiskDevice(struct qemud_driver *driver, virDomainDiskDefFree(detach); if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm, dev->data.disk) < 0) + vm->def, dev->data.disk) < 0) VIR_WARN("Unable to restore security label on %s", dev->data.disk->src); if (cgroup != NULL) { @@ -2162,7 +2162,7 @@ int qemuDomainDetachHostDevice(struct qemud_driver *driver, } if (virSecurityManagerRestoreHostdevLabel(driver->securityManager, - vm, dev->data.hostdev) < 0) + vm->def, dev->data.hostdev) < 0) VIR_WARN("Failed to restore host device labelling"); return ret; diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 8ae989a..b3ef894 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -1749,13 +1749,13 @@ static int doNativeMigrate(struct qemud_driver *driver, virReportOOMError(); goto cleanup; } - if (virSecurityManagerSetSocketLabel(driver->securityManager, vm) < 0) + if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0) goto cleanup; if (virNetSocketNewConnectTCP(uribits->server, tmp, &sock) == 0) { spec.dest.fd.qemu = virNetSocketDupFD(sock, true); virNetSocketFree(sock); } - if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0 || + if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0 || spec.dest.fd.qemu == -1) goto cleanup; } else { @@ -1822,7 +1822,7 @@ static int doTunnelMigrate(struct qemud_driver *driver, spec.dest.fd.local = fds[0]; } if (spec.dest.fd.qemu == -1 || - virSecurityManagerSetImageFDLabel(driver->securityManager, vm, + virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, spec.dest.fd.qemu) < 0) { virReportSystemError(errno, "%s", _("cannot create pipe for tunnelled migration")); @@ -2842,7 +2842,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm, * doesn't have to open() the file, so while we still have to * grant SELinux access, we can do it on fd and avoid cleanup * later, as well as skip futzing with cgroup. */ - if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm, + if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, compressor ? pipeFD[1] : fd) < 0) goto cleanup; bypassSecurityDriver = true; @@ -2876,7 +2876,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm, } if ((!bypassSecurityDriver) && virSecurityManagerSetSavedStateLabel(driver->securityManager, - vm, path) < 0) + vm->def, path) < 0) goto cleanup; restoreLabel = true; } @@ -2951,7 +2951,7 @@ cleanup: virCommandFree(cmd); if (restoreLabel && (!bypassSecurityDriver) && virSecurityManagerRestoreSavedStateLabel(driver->securityManager, - vm, path) < 0) + vm->def, path) < 0) VIR_WARN("failed to restore save state label on %s", path); if (cgroup != NULL) { diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 2563f97..58ce333 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -839,7 +839,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm) qemuMonitorPtr mon = NULL; if (virSecurityManagerSetDaemonSocketLabel(driver->securityManager, - vm) < 0) { + vm->def) < 0) { VIR_ERROR(_("Failed to set security context for monitor for %s"), vm->def->name); goto error; @@ -872,7 +872,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm) } priv->mon = mon; - if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0) { + if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) { VIR_ERROR(_("Failed to clear security context for monitor for %s"), vm->def->name); goto error; @@ -2163,7 +2163,7 @@ static int qemuProcessHook(void *data) * sockets the lock driver opens that we don't want * labelled. So far we're ok though. */ - if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm) < 0) + if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm->def) < 0) goto cleanup; if (virDomainLockProcessStart(h->driver->lockManager, h->vm, @@ -2171,7 +2171,7 @@ static int qemuProcessHook(void *data) true, &fd) < 0) goto cleanup; - if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm) < 0) + if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm->def) < 0) goto cleanup; if (qemuProcessLimits(h->driver) < 0) @@ -2194,7 +2194,7 @@ static int qemuProcessHook(void *data) return -1; VIR_DEBUG("Setting up security labelling"); - if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm) < 0) + if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm->def) < 0) goto cleanup; ret = 0; @@ -2656,7 +2656,7 @@ qemuProcessReconnect(void *opaque) goto error; } - if (virSecurityManagerReserveLabel(driver->securityManager, obj) < 0) + if (virSecurityManagerReserveLabel(driver->securityManager, obj->def, obj->pid) < 0) goto error; if (qemuProcessNotifyNets(obj->def) < 0) @@ -2894,7 +2894,7 @@ int qemuProcessStart(virConnectPtr conn, /* If you are using a SecurityDriver with dynamic labelling, then generate a security label for isolation */ VIR_DEBUG("Generating domain security label (if required)"); - if (virSecurityManagerGenLabel(driver->securityManager, vm) < 0) { + if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) { virDomainAuditSecurityLabel(vm, false); goto cleanup; } @@ -3128,7 +3128,7 @@ int qemuProcessStart(virConnectPtr conn, VIR_DEBUG("Setting domain security labels"); if (virSecurityManagerSetAllLabel(driver->securityManager, - vm, stdin_path) < 0) + vm->def, stdin_path) < 0) goto cleanup; if (stdin_fd != -1) { @@ -3145,7 +3145,7 @@ int qemuProcessStart(virConnectPtr conn, goto cleanup; } if (S_ISFIFO(stdin_sb.st_mode) && - virSecurityManagerSetImageFDLabel(driver->securityManager, vm, stdin_fd) < 0) + virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, stdin_fd) < 0) goto cleanup; } @@ -3398,8 +3398,8 @@ void qemuProcessStop(struct qemud_driver *driver, /* Reset Security Labels */ virSecurityManagerRestoreAllLabel(driver->securityManager, - vm, migrated); - virSecurityManagerReleaseLabel(driver->securityManager, vm); + vm->def, migrated); + virSecurityManagerReleaseLabel(driver->securityManager, vm->def); /* Clear out dynamically assigned labels */ if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) { @@ -3548,7 +3548,7 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED, if (VIR_ALLOC(seclabel) < 0) goto no_memory; if (virSecurityManagerGetProcessLabel(driver->securityManager, - vm, seclabel) < 0) + vm->def, vm->pid, seclabel) < 0) goto cleanup; if (!(vm->def->seclabel.model = strdup(driver->caps->host.secModel.model))) goto no_memory; diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 299dcc6..4848d85 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -47,7 +47,7 @@ /* Data structure to pass to *FileIterate so we have everything we need */ struct SDPDOP { virSecurityManagerPtr mgr; - virDomainObjPtr vm; + virDomainDefPtr def; }; /* @@ -159,7 +159,7 @@ profile_status_file(const char *str) static int load_profile(virSecurityManagerPtr mgr, const char *profile, - virDomainObjPtr vm, + virDomainDefPtr def, const char *fn, bool append) { @@ -170,7 +170,7 @@ load_profile(virSecurityManagerPtr mgr, const char *probe = virSecurityManagerGetAllowDiskFormatProbing(mgr) ? "1" : "0"; - xml = virDomainDefFormat(vm->def, VIR_DOMAIN_XML_SECURE); + xml = virDomainDefFormat(def, VIR_DOMAIN_XML_SECURE); if (!xml) goto clean; @@ -212,12 +212,12 @@ remove_profile(const char *profile) } static char * -get_profile_name(virDomainObjPtr vm) +get_profile_name(virDomainDefPtr def) { char uuidstr[VIR_UUID_STRING_BUFLEN]; char *name = NULL; - virUUIDFormat(vm->def->uuid, uuidstr); + virUUIDFormat(def->uuid, uuidstr); if (virAsprintf(&name, "%s%s", AA_PREFIX, uuidstr) < 0) { virReportOOMError(); return NULL; @@ -257,23 +257,23 @@ cleanup: */ static int reload_profile(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *fn, bool append) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int rc = -1; char *profile_name = NULL; if (secdef->norelabel) return 0; - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; /* Update the profile only if it is loaded */ if (profile_loaded(secdef->imagelabel) >= 0) { - if (load_profile(mgr, secdef->imagelabel, vm, fn, append) < 0) { + if (load_profile(mgr, secdef->imagelabel, def, fn, append) < 0) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " "\'%s\'"), @@ -294,10 +294,10 @@ AppArmorSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, const char *file, void *opaque) { struct SDPDOP *ptr = opaque; - virDomainObjPtr vm = ptr->vm; + virDomainDefPtr def = ptr->def; - if (reload_profile(ptr->mgr, vm, file, true) < 0) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + if (reload_profile(ptr->mgr, def, file, true) < 0) { + const virSecurityLabelDefPtr secdef = &def->seclabel; virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " "\'%s\'"), @@ -312,10 +312,10 @@ AppArmorSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED, const char *file, void *opaque) { struct SDPDOP *ptr = opaque; - virDomainObjPtr vm = ptr->vm; + virDomainDefPtr def = ptr->def; - if (reload_profile(ptr->mgr, vm, file, true) < 0) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + if (reload_profile(ptr->mgr, def, file, true) < 0) { + const virSecurityLabelDefPtr secdef = &def->seclabel; virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " "\'%s\'"), @@ -390,56 +390,56 @@ AppArmorSecurityManagerGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED) */ static int AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def) { int rc = -1; char *profile_name = NULL; - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) return 0; - if (vm->def->seclabel.baselabel) { + if (def->seclabel.baselabel) { virSecurityReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("Cannot set a base label with AppArmour")); return rc; } - if ((vm->def->seclabel.label) || - (vm->def->seclabel.model) || (vm->def->seclabel.imagelabel)) { + if ((def->seclabel.label) || + (def->seclabel.model) || (def->seclabel.imagelabel)) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security label already defined for VM")); return rc; } - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; - vm->def->seclabel.label = strndup(profile_name, strlen(profile_name)); - if (!vm->def->seclabel.label) { + def->seclabel.label = strndup(profile_name, strlen(profile_name)); + if (!def->seclabel.label) { virReportOOMError(); goto clean; } /* set imagelabel the same as label (but we won't use it) */ - vm->def->seclabel.imagelabel = strndup(profile_name, + def->seclabel.imagelabel = strndup(profile_name, strlen(profile_name)); - if (!vm->def->seclabel.imagelabel) { + if (!def->seclabel.imagelabel) { virReportOOMError(); goto err; } - vm->def->seclabel.model = strdup(SECURITY_APPARMOR_NAME); - if (!vm->def->seclabel.model) { + def->seclabel.model = strdup(SECURITY_APPARMOR_NAME); + if (!def->seclabel.model) { virReportOOMError(); goto err; } /* Now that we have a label, load the profile into the kernel. */ - if (load_profile(mgr, vm->def->seclabel.label, vm, NULL, false) < 0) { + if (load_profile(mgr, def->seclabel.label, def, NULL, false) < 0) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot load AppArmor profile " - "\'%s\'"), vm->def->seclabel.label); + "\'%s\'"), def->seclabel.label); goto err; } @@ -447,9 +447,9 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, goto clean; err: - VIR_FREE(vm->def->seclabel.label); - VIR_FREE(vm->def->seclabel.imagelabel); - VIR_FREE(vm->def->seclabel.model); + VIR_FREE(def->seclabel.label); + VIR_FREE(def->seclabel.imagelabel); + VIR_FREE(def->seclabel.model); clean: VIR_FREE(profile_name); @@ -459,15 +459,15 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, const char *stdin_path) + virDomainDefPtr def, const char *stdin_path) { - if (vm->def->seclabel.norelabel) + if (def->seclabel.norelabel) return 0; /* Reload the profile if stdin_path is specified. Note that GenSecurityLabel() will have already been run. */ if (stdin_path) - return reload_profile(mgr, vm, stdin_path, true); + return reload_profile(mgr, def, stdin_path, true); return 0; } @@ -477,13 +477,14 @@ AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr, */ static int AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, + pid_t pid, virSecurityLabelPtr sec) { int rc = -1; char *profile_name = NULL; - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; if (virStrcpy(sec->label, profile_name, @@ -511,9 +512,9 @@ AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, */ static int AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; VIR_FREE(secdef->model); VIR_FREE(secdef->label); @@ -525,10 +526,10 @@ AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated ATTRIBUTE_UNUSED) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int rc = 0; if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) { @@ -545,13 +546,13 @@ AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, * LOCALSTATEDIR/log/libvirt/qemu/<vm name>.log */ static int -AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) +AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainDefPtr def) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int rc = -1; char *profile_name = NULL; - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; if (STRNEQ(virSecurityManagerGetModel(mgr), secdef->model)) { @@ -579,21 +580,21 @@ AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) static int AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } static int AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } static int AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } @@ -602,18 +603,18 @@ AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, /* Called when hotplugging */ static int AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) { - return reload_profile(mgr, vm, NULL, false); + return reload_profile(mgr, def, NULL, false); } /* Called when hotplugging */ static int AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, virDomainDiskDefPtr disk) + virDomainDefPtr def, virDomainDiskDefPtr disk) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int rc = -1; char *profile_name; @@ -631,12 +632,12 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, return rc; } - if ((profile_name = get_profile_name(vm)) == NULL) + if ((profile_name = get_profile_name(def)) == NULL) return rc; /* update the profile only if it is loaded */ if (profile_loaded(secdef->imagelabel) >= 0) { - if (load_profile(mgr, secdef->imagelabel, vm, disk->src, + if (load_profile(mgr, secdef->imagelabel, def, disk->src, false) < 0) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " @@ -673,7 +674,8 @@ AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED) { /* NOOP. Nothing to reserve with AppArmor */ return 0; @@ -681,11 +683,11 @@ AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; struct SDPDOP *ptr; int ret = -1; @@ -701,7 +703,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr, if (VIR_ALLOC(ptr) < 0) return -1; ptr->mgr = mgr; - ptr->vm = vm; + ptr->def = def; switch (dev->source.subsys.type) { case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: { @@ -743,44 +745,44 @@ done: static int AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->norelabel) return 0; - return reload_profile(mgr, vm, NULL, false); + return reload_profile(mgr, def, NULL, false); } static int AppArmorSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile) { - return reload_profile(mgr, vm, savefile, true); + return reload_profile(mgr, def, savefile, true); } static int AppArmorRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile ATTRIBUTE_UNUSED) { - return reload_profile(mgr, vm, NULL, false); + return reload_profile(mgr, def, NULL, false); } static int AppArmorSetImageFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int fd) { int rc = -1; char *proc = NULL; char *fd_path = NULL; - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->imagelabel == NULL) return 0; @@ -796,7 +798,7 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr, return rc; } - return reload_profile(mgr, vm, fd_path, true); + return reload_profile(mgr, def, fd_path, true); } virSecurityDriver virAppArmorSecurityDriver = { diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 0e75319..9c0017b 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -171,7 +171,7 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED, static int virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk) { @@ -190,7 +190,7 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr, static int virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk, int migrated) { @@ -235,10 +235,10 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr, static int virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk) { - return virSecurityDACRestoreSecurityImageLabelInt(mgr, vm, disk, 0); + return virSecurityDACRestoreSecurityImageLabelInt(mgr, def, disk, 0); } @@ -268,7 +268,7 @@ virSecurityDACSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, static int virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, virDomainHostdevDefPtr dev) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -338,7 +338,7 @@ virSecurityDACRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, static int virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, virDomainHostdevDefPtr dev) { @@ -489,7 +489,7 @@ virSecurityDACRestoreChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, static int virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -501,34 +501,34 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr, VIR_DEBUG("Restoring security label on %s migrated=%d", - vm->def->name, migrated); + def->name, migrated); - for (i = 0 ; i < vm->def->nhostdevs ; i++) { + for (i = 0 ; i < def->nhostdevs ; i++) { if (virSecurityDACRestoreSecurityHostdevLabel(mgr, - vm, - vm->def->hostdevs[i]) < 0) + def, + def->hostdevs[i]) < 0) rc = -1; } - for (i = 0 ; i < vm->def->ndisks ; i++) { + for (i = 0 ; i < def->ndisks ; i++) { if (virSecurityDACRestoreSecurityImageLabelInt(mgr, - vm, - vm->def->disks[i], + def, + def->disks[i], migrated) < 0) rc = -1; } - if (virDomainChrDefForeach(vm->def, + if (virDomainChrDefForeach(def, false, virSecurityDACRestoreChardevCallback, mgr) < 0) rc = -1; - if (vm->def->os.kernel && - virSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0) + if (def->os.kernel && + virSecurityDACRestoreSecurityFileLabel(def->os.kernel) < 0) rc = -1; - if (vm->def->os.initrd && - virSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0) + if (def->os.initrd && + virSecurityDACRestoreSecurityFileLabel(def->os.initrd) < 0) rc = -1; return rc; @@ -548,7 +548,7 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, static int virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *stdin_path ATTRIBUTE_UNUSED) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -557,36 +557,36 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr, if (!priv->dynamicOwnership) return 0; - for (i = 0 ; i < vm->def->ndisks ; i++) { + for (i = 0 ; i < def->ndisks ; i++) { /* XXX fixme - we need to recursively label the entire tree :-( */ - if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) + if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) continue; if (virSecurityDACSetSecurityImageLabel(mgr, - vm, - vm->def->disks[i]) < 0) + def, + def->disks[i]) < 0) return -1; } - for (i = 0 ; i < vm->def->nhostdevs ; i++) { + for (i = 0 ; i < def->nhostdevs ; i++) { if (virSecurityDACSetSecurityHostdevLabel(mgr, - vm, - vm->def->hostdevs[i]) < 0) + def, + def->hostdevs[i]) < 0) return -1; } - if (virDomainChrDefForeach(vm->def, + if (virDomainChrDefForeach(def, true, virSecurityDACSetChardevCallback, mgr) < 0) return -1; - if (vm->def->os.kernel && - virSecurityDACSetOwnership(vm->def->os.kernel, + if (def->os.kernel && + virSecurityDACSetOwnership(def->os.kernel, priv->user, priv->group) < 0) return -1; - if (vm->def->os.initrd && - virSecurityDACSetOwnership(vm->def->os.initrd, + if (def->os.initrd && + virSecurityDACSetOwnership(def->os.initrd, priv->user, priv->group) < 0) return -1; @@ -597,7 +597,7 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr, static int virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, const char *savefile) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -608,7 +608,7 @@ virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr, static int virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, const char *savefile) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -622,11 +622,11 @@ virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr, static int virSecurityDACSetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); - VIR_DEBUG("Dropping privileges of VM to %u:%u", + VIR_DEBUG("Dropping privileges of DEF to %u:%u", (unsigned int) priv->user, (unsigned int) priv->group); if (virSetUIDGID(priv->user, priv->group) < 0) @@ -645,28 +645,30 @@ virSecurityDACVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDACGenLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDACReleaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDACReserveLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED, virSecurityLabelPtr seclabel ATTRIBUTE_UNUSED) { return 0; @@ -674,7 +676,7 @@ virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } @@ -682,7 +684,7 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } @@ -690,20 +692,19 @@ virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr def ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, int fd ATTRIBUTE_UNUSED) { return 0; } - virSecurityDriver virSecurityDriverDAC = { sizeof(virSecurityDACData), "virDAC", diff --git a/src/security/security_driver.h b/src/security/security_driver.h index aea90b0..f0ace1c 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -39,50 +39,52 @@ typedef const char *(*virSecurityDriverGetModel) (virSecurityManagerPtr mgr); typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr); typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk); typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr vm); typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk); typedef int (*virSecurityDomainRestoreHostdevLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev); typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev); typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile); typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile); typedef int (*virSecurityDomainGenLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec); typedef int (*virSecurityDomainReserveLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec, + pid_t pid); typedef int (*virSecurityDomainReleaseLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec); typedef int (*virSecurityDomainSetAllLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr sec, + virDomainDefPtr sec, const char *stdin_path); typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated); typedef int (*virSecurityDomainGetProcessLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, + pid_t pid, virSecurityLabelPtr sec); typedef int (*virSecurityDomainSetProcessLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr, virDomainDefPtr def); typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int fd); struct _virSecurityDriver { diff --git a/src/security/security_manager.c b/src/security/security_manager.c index cae9b83..2e4956a 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -150,7 +150,7 @@ bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr) } int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainDiskDefPtr disk) { if (mgr->drv->domainRestoreSecurityImageLabel) @@ -161,7 +161,7 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainSetSecurityDaemonSocketLabel) return mgr->drv->domainSetSecurityDaemonSocketLabel(mgr, vm); @@ -171,7 +171,7 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainSetSecuritySocketLabel) return mgr->drv->domainSetSecuritySocketLabel(mgr, vm); @@ -181,7 +181,7 @@ int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, } int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainClearSecuritySocketLabel) return mgr->drv->domainClearSecuritySocketLabel(mgr, vm); @@ -191,7 +191,7 @@ int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainDiskDefPtr disk) { if (mgr->drv->domainSetSecurityImageLabel) @@ -202,7 +202,7 @@ int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, } int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainHostdevDefPtr dev) { if (mgr->drv->domainRestoreSecurityHostdevLabel) @@ -213,7 +213,7 @@ int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainHostdevDefPtr dev) { if (mgr->drv->domainSetSecurityHostdevLabel) @@ -224,7 +224,7 @@ int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *savefile) { if (mgr->drv->domainSetSavedStateLabel) @@ -235,7 +235,7 @@ int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr, } int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *savefile) { if (mgr->drv->domainRestoreSavedStateLabel) @@ -246,7 +246,7 @@ int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, } int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainGenSecurityLabel) return mgr->drv->domainGenSecurityLabel(mgr, vm); @@ -256,17 +256,18 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, } int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm, + pid_t pid) { if (mgr->drv->domainReserveSecurityLabel) - return mgr->drv->domainReserveSecurityLabel(mgr, vm); + return mgr->drv->domainReserveSecurityLabel(mgr, vm, pid); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; } int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainReleaseSecurityLabel) return mgr->drv->domainReleaseSecurityLabel(mgr, vm); @@ -276,7 +277,7 @@ int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr, } int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *stdin_path) { if (mgr->drv->domainSetSecurityAllLabel) @@ -287,7 +288,7 @@ int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, } int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, int migrated) { if (mgr->drv->domainRestoreSecurityAllLabel) @@ -298,18 +299,19 @@ int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, } int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, + pid_t pid, virSecurityLabelPtr sec) { if (mgr->drv->domainGetSecurityProcessLabel) - return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, sec); + return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, pid, sec); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; } int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { if (mgr->drv->domainSetSecurityProcessLabel) return mgr->drv->domainSetSecurityProcessLabel(mgr, vm); @@ -337,7 +339,7 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr, } int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, int fd) { if (mgr->drv->domainSetSecurityImageFDLabel) diff --git a/src/security/security_manager.h b/src/security/security_manager.h index 12cd498..6731d59 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -51,50 +51,52 @@ const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr); bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr); int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk); int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr vm); int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk); int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev); int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev); int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile); int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile); int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec); int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec, + pid_t pid); int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr, - virDomainObjPtr sec); + virDomainDefPtr sec); int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr sec, + virDomainDefPtr sec, const char *stdin_path); int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated); int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, + pid_t pid, virSecurityLabelPtr sec); int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm); + virDomainDefPtr def); int virSecurityManagerVerify(virSecurityManagerPtr mgr, virDomainDefPtr def); int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, int fd); #endif /* VIR_SECURITY_MANAGER_H__ */ diff --git a/src/security/security_nop.c b/src/security/security_nop.c index a68a6c0..c3bd426 100644 --- a/src/security/security_nop.c +++ b/src/security/security_nop.c @@ -47,104 +47,106 @@ static const char * virSecurityDriverGetDOINop(virSecurityManagerPtr mgr ATTRIBU } static int virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainRestoreHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, const char *savefile ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainRestoreSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, const char *savefile ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainGenLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED) + virDomainDefPtr sec ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainReserveLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED) + virDomainDefPtr sec ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainReleaseLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED) + virDomainDefPtr sec ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED, + virDomainDefPtr sec ATTRIBUTE_UNUSED, const char *stdin_path ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainRestoreAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, int migrated ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainGetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, + virDomainDefPtr vm ATTRIBUTE_UNUSED, + pid_t pid ATTRIBUTE_UNUSED, virSecurityLabelPtr sec ATTRIBUTE_UNUSED) { return 0; } static int virSecurityDomainSetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) + virDomainDefPtr vm ATTRIBUTE_UNUSED) { return 0; } @@ -156,7 +158,7 @@ static int virSecurityDomainVerifyNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED } static int virSecurityDomainSetFDLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr sec ATTRIBUTE_UNUSED, + virDomainDefPtr sec ATTRIBUTE_UNUSED, int fd ATTRIBUTE_UNUSED) { return 0; diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 78c0d45..8b7c0ed 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -162,7 +162,7 @@ SELinuxInitialize(void) static int SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def) { int rc = -1; char *mcs = NULL; @@ -171,40 +171,40 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, int c2 = 0; context_t ctx = NULL; - if ((vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) && - !vm->def->seclabel.baselabel && - vm->def->seclabel.model) { + if ((def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) && + !def->seclabel.baselabel && + def->seclabel.model) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security model already defined for VM")); return rc; } - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && - vm->def->seclabel.label) { + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && + def->seclabel.label) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security label already defined for VM")); return rc; } - if (vm->def->seclabel.imagelabel) { + if (def->seclabel.imagelabel) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security image label already defined for VM")); return rc; } - if (vm->def->seclabel.model && - STRNEQ(vm->def->seclabel.model, SECURITY_SELINUX_NAME)) { + if (def->seclabel.model && + STRNEQ(def->seclabel.model, SECURITY_SELINUX_NAME)) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("security label model %s is not supported with selinux"), - vm->def->seclabel.model); + def->seclabel.model); return rc; } - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) { - if (!(ctx = context_new(vm->def->seclabel.label)) ) { + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) { + if (!(ctx = context_new(def->seclabel.label)) ) { virReportSystemError(errno, _("unable to allocate socket security context '%s'"), - vm->def->seclabel.label); + def->seclabel.label); return rc; } @@ -237,25 +237,25 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, } } while (mcsAdd(mcs) == -1); - vm->def->seclabel.label = - SELinuxGenNewContext(vm->def->seclabel.baselabel ? - vm->def->seclabel.baselabel : + def->seclabel.label = + SELinuxGenNewContext(def->seclabel.baselabel ? + def->seclabel.baselabel : default_domain_context, mcs); - if (! vm->def->seclabel.label) { + if (! def->seclabel.label) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot generate selinux context for %s"), mcs); goto cleanup; } } - vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs); - if (!vm->def->seclabel.imagelabel) { + def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs); + if (!def->seclabel.imagelabel) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot generate selinux context for %s"), mcs); goto cleanup; } - if (!vm->def->seclabel.model && - !(vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) { + if (!def->seclabel.model && + !(def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) { virReportOOMError(); goto cleanup; } @@ -264,12 +264,12 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, cleanup: if (rc != 0) { - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) - VIR_FREE(vm->def->seclabel.label); - VIR_FREE(vm->def->seclabel.imagelabel); - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && - !vm->def->seclabel.baselabel) - VIR_FREE(vm->def->seclabel.model); + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) + VIR_FREE(def->seclabel.label); + VIR_FREE(def->seclabel.imagelabel); + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && + !def->seclabel.baselabel) + VIR_FREE(def->seclabel.model); } if (ctx) @@ -278,28 +278,29 @@ cleanup: VIR_FREE(mcs); VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s", - NULLSTR(vm->def->seclabel.model), - NULLSTR(vm->def->seclabel.label), - NULLSTR(vm->def->seclabel.imagelabel), - NULLSTR(vm->def->seclabel.baselabel)); + NULLSTR(def->seclabel.model), + NULLSTR(def->seclabel.label), + NULLSTR(def->seclabel.imagelabel), + NULLSTR(def->seclabel.baselabel)); return rc; } static int SELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def, + pid_t pid) { security_context_t pctx; context_t ctx = NULL; const char *mcs; - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) + if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) return 0; - if (getpidcon(vm->pid, &pctx) == -1) { + if (getpidcon(pid, &pctx) == -1) { virReportSystemError(errno, - _("unable to get PID %d security context"), vm->pid); + _("unable to get PID %d security context"), pid); return -1; } @@ -360,15 +361,16 @@ static const char *SELinuxSecurityGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNU static int SELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def ATTRIBUTE_UNUSED, + pid_t pid, virSecurityLabelPtr sec) { security_context_t ctx; - if (getpidcon(vm->pid, &ctx) == -1) { + if (getpidcon(pid, &ctx) == -1) { virReportSystemError(errno, _("unable to get PID %d security context"), - vm->pid); + pid); return -1; } @@ -543,11 +545,11 @@ err: static int SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk, int migrated) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->norelabel) return 0; @@ -588,10 +590,10 @@ SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk) { - return SELinuxRestoreSecurityImageLabelInt(mgr, vm, disk, 0); + return SELinuxRestoreSecurityImageLabelInt(mgr, def, disk, 0); } @@ -626,11 +628,11 @@ SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk, static int SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainDiskDefPtr disk) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr); if (secdef->norelabel) @@ -648,8 +650,8 @@ static int SELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED, const char *file, void *opaque) { - virDomainObjPtr vm = opaque; - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + virDomainDefPtr def = opaque; + const virSecurityLabelDefPtr secdef = &def->seclabel; return SELinuxSetFilecon(file, secdef->imagelabel); } @@ -658,19 +660,19 @@ static int SELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, const char *file, void *opaque) { - virDomainObjPtr vm = opaque; - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + virDomainDefPtr def = opaque; + const virSecurityLabelDefPtr secdef = &def->seclabel; return SELinuxSetFilecon(file, secdef->imagelabel); } static int SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int ret = -1; if (secdef->norelabel) @@ -687,7 +689,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, if (!usb) goto done; - ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, vm); + ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, def); usbFreeDevice(usb); break; } @@ -701,7 +703,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, if (!pci) goto done; - ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, vm); + ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, def); pciFreeDevice(pci); break; @@ -735,11 +737,11 @@ SELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, static int SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, virDomainHostdevDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int ret = -1; if (secdef->norelabel) @@ -788,11 +790,11 @@ done: static int -SELinuxSetSecurityChardevLabel(virDomainObjPtr vm, +SELinuxSetSecurityChardevLabel(virDomainDefPtr def, virDomainChrSourceDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; char *in = NULL, *out = NULL; int ret = -1; @@ -834,11 +836,11 @@ done: } static int -SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm, +SELinuxRestoreSecurityChardevLabel(virDomainDefPtr def, virDomainChrSourceDefPtr dev) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; char *in = NULL, *out = NULL; int ret = -1; @@ -882,27 +884,24 @@ done: static int -SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, +SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def, virDomainChrDefPtr dev, - void *opaque) + void *opaque ATTRIBUTE_UNUSED) { - virDomainObjPtr vm = opaque; - /* This is taken care of by processing of def->serials */ if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE && dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL) return 0; - return SELinuxRestoreSecurityChardevLabel(vm, &dev->source); + return SELinuxRestoreSecurityChardevLabel(def, &dev->source); } static int -SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, +SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def, virDomainSmartcardDefPtr dev, - void *opaque) + void *opaque ATTRIBUTE_UNUSED) { - virDomainObjPtr vm = opaque; const char *database; switch (dev->type) { @@ -916,7 +915,7 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, return SELinuxRestoreSecurityFileLabel(database); case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: - return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru); + return SELinuxRestoreSecurityChardevLabel(def, &dev->data.passthru); default: virSecurityReportError(VIR_ERR_INTERNAL_ERROR, @@ -931,50 +930,50 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, static int SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, int migrated ATTRIBUTE_UNUSED) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int i; int rc = 0; - VIR_DEBUG("Restoring security label on %s", vm->def->name); + VIR_DEBUG("Restoring security label on %s", def->name); if (secdef->norelabel) return 0; - for (i = 0 ; i < vm->def->nhostdevs ; i++) { + for (i = 0 ; i < def->nhostdevs ; i++) { if (SELinuxRestoreSecurityHostdevLabel(mgr, - vm, - vm->def->hostdevs[i]) < 0) + def, + def->hostdevs[i]) < 0) rc = -1; } - for (i = 0 ; i < vm->def->ndisks ; i++) { + for (i = 0 ; i < def->ndisks ; i++) { if (SELinuxRestoreSecurityImageLabelInt(mgr, - vm, - vm->def->disks[i], + def, + def->disks[i], migrated) < 0) rc = -1; } - if (virDomainChrDefForeach(vm->def, + if (virDomainChrDefForeach(def, false, SELinuxRestoreSecurityChardevCallback, - vm) < 0) + NULL) < 0) rc = -1; - if (virDomainSmartcardDefForeach(vm->def, + if (virDomainSmartcardDefForeach(def, false, SELinuxRestoreSecuritySmartcardCallback, - vm) < 0) + NULL) < 0) rc = -1; - if (vm->def->os.kernel && - SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0) + if (def->os.kernel && + SELinuxRestoreSecurityFileLabel(def->os.kernel) < 0) rc = -1; - if (vm->def->os.initrd && - SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0) + if (def->os.initrd && + SELinuxRestoreSecurityFileLabel(def->os.initrd) < 0) rc = -1; return rc; @@ -982,9 +981,9 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm) + virDomainDefPtr def) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) { if (secdef->label != NULL) { @@ -1006,10 +1005,10 @@ SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->norelabel) return 0; @@ -1020,10 +1019,10 @@ SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, const char *savefile) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->norelabel) return 0; @@ -1058,12 +1057,12 @@ SELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr def) { /* TODO: verify DOI */ - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; - if (vm->def->seclabel.label == NULL) + if (def->seclabel.label == NULL) return 0; if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { @@ -1089,16 +1088,16 @@ SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr, static int SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr def) { /* TODO: verify DOI */ - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; context_t execcon = NULL; context_t proccon = NULL; security_context_t scon = NULL; int rc = -1; - if (vm->def->seclabel.label == NULL) + if (def->seclabel.label == NULL) return 0; if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { @@ -1139,7 +1138,7 @@ SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr, } VIR_DEBUG("Setting VM %s socket context %s", - vm->def->name, context_str(proccon)); + def->name, context_str(proccon)); if (setsockcreatecon(context_str(proccon)) == -1) { virReportSystemError(errno, _("unable to set socket security context '%s'"), @@ -1160,9 +1159,9 @@ done: static int SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &vm->seclabel; int rc = -1; if (secdef->label == NULL) @@ -1178,7 +1177,7 @@ SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr, } VIR_DEBUG("Setting VM %s socket context %s", - vm->def->name, secdef->label); + vm->name, secdef->label); if (setsockcreatecon(secdef->label) == -1) { virReportSystemError(errno, _("unable to set socket security context '%s'"), @@ -1197,12 +1196,12 @@ done: static int SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr def) { /* TODO: verify DOI */ - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; - if (vm->def->seclabel.label == NULL) + if (def->seclabel.label == NULL) return 0; if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { @@ -1227,27 +1226,24 @@ SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr, static int -SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, +SELinuxSetSecurityChardevCallback(virDomainDefPtr def, virDomainChrDefPtr dev, - void *opaque) + void *opaque ATTRIBUTE_UNUSED) { - virDomainObjPtr vm = opaque; - /* This is taken care of by processing of def->serials */ if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE && dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL) return 0; - return SELinuxSetSecurityChardevLabel(vm, &dev->source); + return SELinuxSetSecurityChardevLabel(def, &dev->source); } static int -SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, +SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def, virDomainSmartcardDefPtr dev, - void *opaque) + void *opaque ATTRIBUTE_UNUSED) { - virDomainObjPtr vm = opaque; const char *database; switch (dev->type) { @@ -1261,7 +1257,7 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, return SELinuxSetFilecon(database, default_content_context); case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: - return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru); + return SELinuxSetSecurityChardevLabel(def, &dev->data.passthru); default: virSecurityReportError(VIR_ERR_INTERNAL_ERROR, @@ -1276,53 +1272,53 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, static int SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr def, const char *stdin_path) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; int i; if (secdef->norelabel) return 0; - for (i = 0 ; i < vm->def->ndisks ; i++) { + for (i = 0 ; i < def->ndisks ; i++) { /* XXX fixme - we need to recursively label the entire tree :-( */ - if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) { + if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) { VIR_WARN("Unable to relabel directory tree %s for disk %s", - vm->def->disks[i]->src, vm->def->disks[i]->dst); + def->disks[i]->src, def->disks[i]->dst); continue; } if (SELinuxSetSecurityImageLabel(mgr, - vm, vm->def->disks[i]) < 0) + def, def->disks[i]) < 0) return -1; } - /* XXX fixme process vm->def->fss if relabel == true */ + /* XXX fixme process def->fss if relabel == true */ - for (i = 0 ; i < vm->def->nhostdevs ; i++) { + for (i = 0 ; i < def->nhostdevs ; i++) { if (SELinuxSetSecurityHostdevLabel(mgr, - vm, - vm->def->hostdevs[i]) < 0) + def, + def->hostdevs[i]) < 0) return -1; } - if (virDomainChrDefForeach(vm->def, + if (virDomainChrDefForeach(def, true, SELinuxSetSecurityChardevCallback, - vm) < 0) + NULL) < 0) return -1; - if (virDomainSmartcardDefForeach(vm->def, + if (virDomainSmartcardDefForeach(def, true, SELinuxSetSecuritySmartcardCallback, - vm) < 0) + NULL) < 0) return -1; - if (vm->def->os.kernel && - SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0) + if (def->os.kernel && + SELinuxSetFilecon(def->os.kernel, default_content_context) < 0) return -1; - if (vm->def->os.initrd && - SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0) + if (def->os.initrd && + SELinuxSetFilecon(def->os.initrd, default_content_context) < 0) return -1; if (stdin_path) { @@ -1337,10 +1333,10 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr, static int SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, + virDomainDefPtr def, int fd) { - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->imagelabel == NULL) return 0; diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 3f601c1..c82865f 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -106,7 +106,7 @@ virSecurityStackVerify(virSecurityManagerPtr mgr, static int virSecurityStackGenLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -131,7 +131,7 @@ virSecurityStackGenLabel(virSecurityManagerPtr mgr, static int virSecurityStackReleaseLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -150,16 +150,17 @@ virSecurityStackReleaseLabel(virSecurityManagerPtr mgr, static int virSecurityStackReserveLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm, + pid_t pid) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; - if (virSecurityManagerReserveLabel(priv->primary, vm) < 0) + if (virSecurityManagerReserveLabel(priv->primary, vm, pid) < 0) rc = -1; #if 0 /* XXX See note in GenLabel */ - if (virSecurityManagerReserveLabel(priv->secondary, vm) < 0) + if (virSecurityManagerReserveLabel(priv->secondary, vm, pid) < 0) rc = -1; #endif @@ -169,7 +170,7 @@ virSecurityStackReserveLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainDiskDefPtr disk) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -186,7 +187,7 @@ virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr, static int virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainDiskDefPtr disk) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -203,7 +204,7 @@ virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainHostdevDefPtr dev) { @@ -221,7 +222,7 @@ virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr, static int virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, virDomainHostdevDefPtr dev) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -238,7 +239,7 @@ virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *stdin_path) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -255,7 +256,7 @@ virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr, static int virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, int migrated) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -272,7 +273,7 @@ virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *savefile) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -289,7 +290,7 @@ virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr, static int virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, const char *savefile) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); @@ -306,7 +307,7 @@ virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -321,17 +322,18 @@ virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr, static int virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, + pid_t pid, virSecurityLabelPtr seclabel) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; #if 0 - if (virSecurityManagerGetProcessLabel(priv->secondary, vm, seclabel) < 0) + if (virSecurityManagerGetProcessLabel(priv->secondary, vm, pid, seclabel) < 0) rc = -1; #endif - if (virSecurityManagerGetProcessLabel(priv->primary, vm, seclabel) < 0) + if (virSecurityManagerGetProcessLabel(priv->primary, vm, pid, seclabel) < 0) rc = -1; return rc; @@ -340,7 +342,7 @@ virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -356,7 +358,7 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -372,7 +374,7 @@ virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr, static int virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm) + virDomainDefPtr vm) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); int rc = 0; @@ -387,7 +389,7 @@ virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr, static int virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, + virDomainDefPtr vm, int fd) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); -- 1.7.6.4

2 2

[libvirt] [PATCH 0/6] nwfilter: Enable access to variables via iterator or index
by Stefan Berger 10 Jan '12

10 Jan '12

This patch enables access to variables in filters using indep. iterators ($TEST[$@2]) or via index ($TEST[1]). Three test cases are added that are also being used for libvirt-TCK to check that the instantiation of the filtering rules is correct. Regards, Stefan

2 17