Re: [libvirt] [PATCH 09/15] util: add security label setting to virCommand

virCommand gets the new API virCommandSetSecLabel(), which saves a copy of a null-terminated string in the virCommand. During virCommandRun, if the seclabel is non-NULL and we've been compiled with a security driver, the appropriate security library function is called to set the label for the child process. In the case of SELinux, setexeccon_raw() is called, and for AppArmor, aa_change_profile() is called. This functionality has been added so that users of virCommand can use the upcoming virSecurityManagerSetChildProcessLabel() prior to running a child process, rather than needing to setup a hook function to be called (and in turn call virSecurityManagerSetProcessLabel()) *during* the setup of the child process. --- +#if defined(WITH_SECDRIVER_SELINUX) +# include <selinux/selinux.h> +#elif defined(WITH_SECDRIVER_APPARMOR) +# include <sys/apparmor.h> +#endif

+/** + * virCommandSetSecLabel: + * @cmd: the command to modify + * @label: the label to use + * + * Saves a copy of @label to use when calling the appropriate security + * driver after the child process has been started. In the case of + * SELinux, this label will be sent to setexeccon_raw(), and in the + * case of AppArmor, it will be sent to aa_change_profile(). If + * neither of these is configured into libvirt, or if label is NULL, + * nothing will be done. + */ +void +virCommandSetSecLabel(virCommandPtr cmd, const char *label) +{ + if (!cmd || cmd->has_error) + return; + + VIR_FREE(cmd->seclabel); + if (label && !(cmd->seclabel = strdup(label))) + cmd->has_error = ENOMEM; + return; +}