It's straightforward to not manage security labels for a remote URI
such as "iscsi://example.org:6000/iqn.1992-01.com.example/1".
---
src/security/security_apparmor.c | 10 ++++++++--
src/security/security_dac.c | 10 ++++++++--
src/security/security_selinux.c | 10 ++++++++--
3 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 87c2777..b8a5be2 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -682,7 +682,10 @@ AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
- if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+ if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK ||
+ (disk->type == VIR_DOMAIN_DISK_TYPE_VOLUME &&
+ disk->srcpool &&
+ disk->srcpool->mode == VIR_DOMAIN_DISK_SOURCE_POOL_MODE_URI))
return 0;
return reload_profile(mgr, def, NULL, false);
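Review bot: The three-line VOLUME/srcpool/mode test is repeated verbatim in all six hunks of this patch (both AppArmor functions here, the two in security_dac.c and the two in security_selinux.c), so the next source type that must be skipped has six places to miss, and a missed one leaves one driver labeling differently from the others. A single predicate declared where all three drivers can see it would keep them in step and gives one place for a comment saying why such disks have nothing to label. The name below is only a suggestion; the call sites that also test `!disk->src` keep that test. The bodies of the patched functions continue outside the hunks.

```c
/* Suggested helper: true when the disk has no local path for the
 * security drivers to label (network disk, or a pool volume that the
 * hypervisor opens through a URI). */
bool
virSecurityDiskIsRemote(virDomainDiskDefPtr disk)
{
    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
        return true;

    return disk->type == VIR_DOMAIN_DISK_TYPE_VOLUME &&
           disk->srcpool &&
           disk->srcpool->mode == VIR_DOMAIN_DISK_SOURCE_POOL_MODE_URI;
}

/* ... unchanged: AppArmorRestoreSecurityImageLabel signature ... */
    if (virSecurityDiskIsRemote(disk))
        return 0;
```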
@@ -704,7 +707,10 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
if (secdef->norelabel)
return 0;
- if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+ if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK ||
+ (disk->type == VIR_DOMAIN_DISK_TYPE_VOLUME &&
+ disk->srcpool &&
+ disk->srcpool->mode == VIR_DOMAIN_DISK_SOURCE_POOL_MODE_URI))
return 0;
if (secdef->imagelabel) {
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index b8d1a92..881101a 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -368,7 +368,10 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
if (!priv->dynamicOwnership)
return 0;
- if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+ if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK ||
+ (disk->type == VIR_DOMAIN_DISK_TYPE_VOLUME &&
+ disk->srcpool &&
+ disk->srcpool->mode == VIR_DOMAIN_DISK_SOURCE_POOL_MODE_URI))
return 0;
params[0] = mgr;
@@ -391,7 +394,10 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr
mgr,
if (!priv->dynamicOwnership)
return 0;
- if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+ if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK ||
+ (disk->type == VIR_DOMAIN_DISK_TYPE_VOLUME &&
+ disk->srcpool &&
+ disk->srcpool->mode == VIR_DOMAIN_DISK_SOURCE_POOL_MODE_URI))
return 0;
/* Don't restore labels on readoly/shared disks, because
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index b862fbf..829bd89 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1148,7 +1148,10 @@
virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
if (disk->readonly || disk->shared)
return 0;
- if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+ if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK ||
+ (disk->type == VIR_DOMAIN_DISK_TYPE_VOLUME &&
+ disk->srcpool &&
+ disk->srcpool->mode == VIR_DOMAIN_DISK_SOURCE_POOL_MODE_URI))
return 0;
/* If we have a shared FS & doing migrated, we must not
@@ -1248,7 +1251,10 @@ virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
if (cbdata.secdef->norelabel)
return 0;
- if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+ if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK ||
+ (disk->type == VIR_DOMAIN_DISK_TYPE_VOLUME &&
+ disk->srcpool &&
+ disk->srcpool->mode == VIR_DOMAIN_DISK_SOURCE_POOL_MODE_URI))
return 0;
return virDomainDiskDefForeachPath(disk,
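Review bot: The early return now sits ahead of `virDomainDiskDefForeachPath`, so for a volume disk whose pool mode is URI no path is visited at all, and the decision rests only on the `srcpool->mode` field of the disk definition. Nothing in this hunk shows that the mode is checked against what the pool actually resolves to; if a URI mode could be recorded for a volume that ends up as a local file or block device, that image would be handed to the guest with whatever label it already carries. It is worth confirming that the code which resolves the pool rejects that combination, and stating the assumption here, e.g. `/* URI-mode pool volumes have no local path; the hypervisor opens them over the network */`. The function body continues outside the hunk.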
--
1.8.1.4