
On Sat, Sep 25, 2010 at 12:04:11AM +0530, Harsh Prateek Bora wrote:
This patch introduces a new attribute on the filesystem element to support a customizable security_model for mount-type filesystems. Valid security_model values are: passthrough, mapped and none.
Usage: <filesystem type='mount' security_model='passthrough'>
I'd like to think of a different name for this, because 'security_model' is already used in libvirt in the context of sVirt and I think it'd be better to avoid the same terminology. I've not got any ideas just yet, but I'll think of some....
<source dir='/export/to/guest'/> <target dir='mount_tag'/> </filesystem>
Note: This patch is based on Daniel's patch to support 9pfs. It shall be applied after applying Daniel's patch to support 9pfs.
Signed-off-by: Harsh Prateek Bora <harsh@linux.vnet.ibm.com> --- docs/schemas/domain.rng | 7 +++++++ src/conf/domain_conf.c | 30 ++++++++++++++++++++++++++++-- src/conf/domain_conf.h | 10 ++++++++++ src/qemu/qemu_conf.c | 11 +++++++++-- 4 files changed, 54 insertions(+), 4 deletions(-)
diff --git a/docs/schemas/domain.rng b/docs/schemas/domain.rng
index ccb8cf3..43a292d 100644
--- a/docs/schemas/domain.rng
+++ b/docs/schemas/domain.rng
@@ -761,6 +761,13 @@
 </choice>
 <optional>
 <ref name="address"/>
+ <attribute name="security_model">
+ <choice>
+ <value>passthrough</value>
+ <value>mapped</value>
+ <value>none</value>
+ </choice>
+ </attribute>
 </optional>
 </element>
 </define>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index e05d5d7..a9881d1 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -161,6 +161,12 @@ VIR_ENUM_IMPL(virDomainFS, VIR_DOMAIN_FS_TYPE_LAST,
 "file",
 "template")
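Review bot: The new `<attribute name="security_model">` lands inside the `<optional>` that already wraps `<ref name="address"/>` (the context lines show `<optional>` immediately before the ref and `</optional>` right after the insertion), so RelaxNG treats address and security_model as one optional group: a `<filesystem>` with security_model but no address — the very form in the patch description — fails validation, and one with an address but no security_model fails too. Give the attribute its own wrapper: close the address `</optional>` first, then add `<optional>` … `<attribute name="security_model">` … `</attribute>` … `</optional>` as a sibling. This matters more because the formatter change in domain_conf.c emits the attribute on every `<filesystem>`, so generated XML would stop validating whenever no address is present.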
+VIR_ENUM_IMPL(virDomainFSSecurityModel, VIR_DOMAIN_FS_SECURITY_LAST,
+ "passthrough",
+ "mapped",
+ "none")
+
+
 VIR_ENUM_IMPL(virDomainNet, VIR_DOMAIN_NET_TYPE_LAST,
 "user",
 "ethernet",
@@ -1847,6 +1853,7 @@ virDomainFSDefParseXML(xmlNodePtr node,
 char *type = NULL;
 char *source = NULL;
 char *target = NULL;
+ char *security_model;
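Review bot: `char *security_model;` is declared without the `= NULL` that its siblings `type`, `source` and `target` carry, and the allocated string that virXMLPropString() returns for it in the next hunk is never freed — neither after the successful TypeFromString lookup nor on the `goto error` path, and nothing else in this file's diffstat adds a release for it. Initialise it as `char *security_model = NULL;` and free it with `VIR_FREE(security_model);` alongside the other property strings in the function's cleanup, which lies outside these hunks. virDomainFSDefParseXML starts and ends outside the hunk.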
 if (VIR_ALLOC(def) < 0) {
 virReportOOMError();
@@ -1864,6 +1871,17 @@ virDomainFSDefParseXML(xmlNodePtr node,
 def->type = VIR_DOMAIN_FS_TYPE_MOUNT;
 }
+ security_model = virXMLPropString(node, "security_model");
+ if (security_model) {
+ if ((def->security_model = virDomainFSSecurityModelTypeFromString(security_model)) < 0) {
+ virDomainReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unknown security model '%s'"), security_model);
+ goto error;
+ }
+ } else {
+ def->security_model = VIR_DOMAIN_FS_SECURITY_PASSTHROUGH;
+ }
+
 cur = node->children;
 while (cur != NULL) {
 if (cur->type == XML_ELEMENT_NODE) {
@@ -5602,6 +5620,7 @@ virDomainFSDefFormat(virBufferPtr buf,
 int flags)
 {
 const char *type = virDomainFSTypeToString(def->type);
+ const char *sec_model = virDomainFSSecurityModelTypeToString(def->security_model);
 if (!type) {
 virDomainReportError(VIR_ERR_INTERNAL_ERROR,
@@ -5609,9 +5628,16 @@ virDomainFSDefFormat(virBufferPtr buf,
 return -1;
 }
+ if (!sec_model) {
+ virDomainReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unexpected security model %d"), def->security_model);
+ return -1;
+ }
+
+
 virBufferVSprintf(buf,
- " <filesystem type='%s'>\n",
- type);
+ " <filesystem type='%s' security_model='%s'>\n",
+ type, sec_model);
 if (def->src) {
 switch (def->type) {
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 7195c04..6adf027 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -236,10 +236,20 @@ enum virDomainFSType {
 VIR_DOMAIN_FS_TYPE_LAST
 };
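Review bot: The new format string prints `security_model='%s'` for every `<filesystem>` regardless of `def->type`, although the description scopes the attribute to type='mount'; because the parser hunk above defaults an absent attribute to passthrough, every existing block/file/template filesystem will now be re-emitted with `security_model='passthrough'`. If that is not intended, split the call so the opening `<filesystem type='%s'` is printed first and ` security_model='%s'` is appended only when `def->type == VIR_DOMAIN_FS_TYPE_MOUNT` (or only when the value differs from the default) before the closing `>`. The qemu_conf.c hunk listed in the diffstat is not in view, so whether a non-mount filesystem with a non-default model is rejected there cannot be checked here. virDomainFSDefFormat continues outside the hunk.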
+/* Filesystem mount security model */
+enum virDomainFSSecurityModel {
+ VIR_DOMAIN_FS_SECURITY_PASSTHROUGH,
+ VIR_DOMAIN_FS_SECURITY_MAPPED,
+ VIR_DOMAIN_FS_SECURITY_NONE,
+
+ VIR_DOMAIN_FS_SECURITY_LAST
+};
What is the difference between 'PASSTHROUGH' mode and 'NONE' ? IIUC, 'PASSTHROUGH' just lets the uid/gid and mode appear in the guest unchanged, which seems to be just what 'NONE' would do too. Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|