[libvirt] [PATCH v1 03/19] security: Allow a vhost protocol for scsi hostdev
Make sure that the new vhost protocol does not drive the existing
virtio SCSI code.
Signed-off-by: Eric Farman <farman(a)linux.vnet.ibm.com>
Reviewed-by: Bjoern Walk <bwalk(a)linux.vnet.ibm.com>
Reviewed-by: Marc Hartmayer <mhartmay(a)linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy(a)linux.vnet.ibm.com>
---
src/security/security_apparmor.c | 5 +++--
src/security/security_dac.c | 10 ++++++----
src/security/security_selinux.c | 10 ++++++----
3 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index af2b639..e3fcc58 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -842,10 +842,11 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
return 0;
/* Like AppArmorRestoreSecurityImageLabel() for a networked disk,
- * do nothing for an iSCSI hostdev
+ * do nothing for an iSCSI or vhost-scsi hostdev
*/
if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
- scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+ (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI ||
+ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_VHOST))
return 0;
if (profile_loaded(secdef->imagelabel) < 0)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 442ce70..75b5819 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -601,10 +601,11 @@ virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr,
return 0;
/* Like virSecurityDACSetImageLabel() for a networked disk,
- * do nothing for an iSCSI hostdev
+ * do nothing for an iSCSI or vhost-scsi hostdev
*/
if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
- scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+ (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI ||
+ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_VHOST))
return 0;
cbdata.manager = mgr;
@@ -742,10 +743,11 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr,
return 0;
/* Like virSecurityDACRestoreImageLabelInt() for a networked disk,
- * do nothing for an iSCSI hostdev
+ * do nothing for an iSCSI or vhost-scsi hostdev
*/
if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
- scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+ (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI ||
+ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_VHOST))
return 0;
switch ((virDomainHostdevSubsysType) dev->source.subsys.type) {
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 4be946d..8632d0f 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1430,10 +1430,11 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr
mgr,
int ret = -1;
/* Like virSecuritySELinuxSetImageLabelInternal() for a networked
- * disk, do nothing for an iSCSI hostdev
+ * disk, do nothing for an iSCSI or vhost-scsi hostdev
*/
if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
- scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+ (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI ||
+ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_VHOST))
return 0;
switch (dev->source.subsys.type) {
@@ -1634,10 +1635,11 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr
mgr,
int ret = -1;
/* Like virSecuritySELinuxRestoreImageLabelInt() for a networked
- * disk, do nothing for an iSCSI hostdev
+ * disk, do nothing for an iSCSI or vhost-scsi hostdev
*/
if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
- scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+ (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI ||
+ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_VHOST))
return 0;
switch (dev->source.subsys.type) {
--
1.9.1