Re: [libvirt] [PATCH 2/4] security: add security part for shmem device
On 07/30/2015 06:00 PM, Daniel P. Berrange wrote:
On Thu, Jul 23, 2015 at 06:13:47PM +0800, Luyao Huang wrote:
> A new api to help set/restore the shmem deivce dac/selinux label.
>
> Signed-off-by: Luyao Huang <lhuang(a)redhat.com>
> ---
> src/libvirt_private.syms | 2 ++
> src/security/security_dac.c | 67 +++++++++++++++++++++++++++++++++++++++
> src/security/security_driver.h | 11 +++++++
> src/security/security_manager.c | 38 ++++++++++++++++++++++
> src/security/security_manager.h | 8 +++++
> src/security/security_selinux.c | 70 +++++++++++++++++++++++++++++++++++++++++
> src/security/security_stack.c | 41 ++++++++++++++++++++++++
> 7 files changed, 237 insertions(+)
>
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index deb6980..f954aa5 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -1433,4 +1497,7 @@ virSecurityDriver virSecurityDriverDAC = {
> .domainGetSecurityMountOptions = virSecurityDACGetMountOptions,
>
> .getBaseLabel = virSecurityDACGetBaseLabel,
> +
> + .domainSetSecurityShmemLabel = virSecurityDACSetShmemLabel,
> + .domainRestoreSecurityShmemLabel = virSecurityDACRestoreShmemLabel,
NB, you should also be modifying the virSecurityDACRestoreSecurityAllLabel
and virSecurityDACSetSecurityAllLabel methods to call this code during
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 6e67a86..cbf89ee 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -2549,4 +2616,7 @@ virSecurityDriver virSecurityDriverSELinux = {
>
> .domainGetSecurityMountOptions =
virSecuritySELinuxGetSecurityMountOptions,
> .getBaseLabel = virSecuritySELinuxGetBaseLabel,
> +
> + .domainSetSecurityShmemLabel = virSecuritySELinuxSetShmemLabel,
> + .domainRestoreSecurityShmemLabel = virSecuritySELinuxRestoreShmemLabel,
> };
Likewise virSecuritySELinuxRestoreSecurityAllLabel and
virSecuritySELinuxSetSecurityAllLabel
Doing this avoids the need to manually call these shmem specific
security methods during general guest startup/shutdown. They only
need to be called manually during hotplug/unplug.
Okay, i see, i move these function in
virSecuritySELinuxRestoreSecurityAllLabel and
virSecuritySELinuxSetSecurityAllLabel.
Thanks a lot for your review and advise.
Regards,
Daniel
Luyao