On Thu, Jul 23, 2015 at 06:13:47PM +0800, Luyao Huang wrote:
A new api to help set/restore the shmem deivce dac/selinux label.
s/deivce/device/
Signed-off-by: Luyao Huang <lhuang(a)redhat.com>
---
src/libvirt_private.syms | 2 ++
src/security/security_dac.c | 67 +++++++++++++++++++++++++++++++++++++++
src/security/security_driver.h | 11 +++++++
src/security/security_manager.c | 38 ++++++++++++++++++++++
src/security/security_manager.h | 8 +++++
src/security/security_selinux.c | 70 +++++++++++++++++++++++++++++++++++++++++
src/security/security_stack.c | 41 ++++++++++++++++++++++++
7 files changed, 237 insertions(+)
Also need to add to the security_nop.c impl
diff --git a/src/security/security_dac.c
b/src/security/security_dac.c
index deb6980..f954aa5 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -39,6 +39,7 @@
#include "virstoragefile.h"
#include "virstring.h"
#include "virutil.h"
+#include "virshm.h"
#define VIR_FROM_THIS VIR_FROM_SECURITY
@@ -922,6 +923,69 @@ virSecurityDACRestoreSecurityTPMFileLabel(virSecurityManagerPtr
mgr,
static int
+virSecurityDACSetShmemLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainShmemDefPtr shmem,
+ char *path)
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityLabelDefPtr seclabel;
+ virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
+ char *tmppath;
+ uid_t user;
+ gid_t group;
+
+ if (shmem->server.enabled)
+ tmppath = shmem->server.chr.data.nix.path;
+ else
+ tmppath = path;
Even when the server is enabled, QEMU still needs access to the path
doesn't it.
+
+ if (!tmppath)
+ return 0;
+
+ shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_DAC_NAME);
+
+ if (shmem_seclabel && !shmem_seclabel->relabel)
+ return 0;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+
+ if (shmem_seclabel && shmem_seclabel->label) {
+ if (virParseOwnershipIds(shmem_seclabel->label, &user, &group) <
0)
+ return -1;
+ } else {
+ if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) <
0)
+ return -1;
+ }
+
+ return virSecurityDACSetOwnership(tmppath, user, group);
+}
+
+
+static int
+virSecurityDACRestoreShmemLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainShmemDefPtr shmem,
+ char *path)
+{
+ virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
+
+ shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_DAC_NAME);
+
+ if (shmem_seclabel && !shmem_seclabel->relabel)
+ return 0;
+
+ if (shmem->server.enabled)
+ return virSecurityDACRestoreChardevLabel(mgr, def, NULL,
&shmem->server.chr);
We need to restore path, even when server is enabled
+
+ if (!path)
+ return 0;
+
+ return virSecurityDACRestoreSecurityFileLabel(path);
+}
+
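Review bot: virSecurityDACSetShmemLabel fetches the domain label on the `seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);` line but never looks at its `relabel` flag, while both SELinux functions in this same patch return early on `if (!seclabel || !seclabel->relabel)`; if the manager-level wrapper the diffstat adds can be reached outside the AllLabel path, a domain with DAC relabelling switched off would still have its shmem path chowned. Adding the same `if (!seclabel || !seclabel->relabel) return 0;` ahead of the per-device check keeps the two drivers consistent, and virSecurityDACRestoreShmemLabel, which does not consult the domain label at all, would want the same guard. Separately, `path` is only ever read in all four new functions, so `const char *path` in the DAC and SELinux signatures would document that and let callers pass const strings. The set side also chowns `shmem->server.chr.data.nix.path` directly whereas the restore side goes through virSecurityDACRestoreChardevLabel with a NULL where the device label presumably goes, discarding the shmem_seclabel it just fetched; routing both through the chardev helpers (or neither) would keep set and restore symmetric.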
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 6e67a86..cbf89ee 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -46,6 +46,7 @@
#include "virconf.h"
#include "virtpm.h"
#include "virstring.h"
+#include "virshm.h"
#define VIR_FROM_THIS VIR_FROM_SECURITY
@@ -1888,6 +1889,37 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr
def,
}
+static int
+virSecuritySELinuxRestoreShmemLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainShmemDefPtr shmem,
+ char *path)
+{
+ char *tmppath = NULL;
+ virSecurityLabelDefPtr seclabel;
+ virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (!seclabel || !seclabel->relabel)
+ return 0;
+
+ shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem,
SECURITY_SELINUX_NAME);
+
+ if (shmem_seclabel && !shmem_seclabel->relabel)
+ return 0;
+
+ if (shmem->server.enabled)
+ tmppath = shmem->server.chr.data.nix.path;
+ else
+ tmppath = path;
Same comment as earlier
+
+ if (!tmppath)
+ return 0;
+
+ return virSecuritySELinuxRestoreSecurityFileLabel(mgr, tmppath);
+}
+
+
static const char *
virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
{
@@ -2284,6 +2316,41 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr
def,
static int
+virSecuritySELinuxSetShmemLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainShmemDefPtr shmem,
+ char *path)
+{
+ virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
+ char *tmppath = NULL;
+ virSecurityLabelDefPtr seclabel;
+ virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (!seclabel || !seclabel->relabel)
+ return 0;
+
+ shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem,
SECURITY_SELINUX_NAME);
+
+ if (shmem_seclabel && !shmem_seclabel->relabel)
+ return 0;
+
+ if (shmem->server.enabled)
+ tmppath = shmem->server.chr.data.nix.path;
+ else
+ tmppath = path;
And again
+
+ if (!tmppath)
+ return 0;
+
+ if (shmem_seclabel && shmem_seclabel->label)
+ return virSecuritySELinuxSetFilecon(tmppath, shmem_seclabel->label);
+ else
+ return virSecuritySELinuxSetFilecon(tmppath, data->file_context);
+}
+
+
+static int
virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
const char *stdin_path)
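Review bot: The fallback on the `return virSecuritySELinuxSetFilecon(tmppath, data->file_context);` line applies the driver-wide file context rather than the domain's own `seclabel->imagelabel`, so a shmem file or server socket labelled here is not confined to this one domain. If that is deliberate because an ivshmem region is meant to be shared between guests, a one-line comment such as `/* shmem is shared across domains: use the generic file context, not imagelabel */` would stop a later reader "fixing" it; if it is not deliberate, imagelabel is what I recall the chardev setter falling back to, which is outside this hunk and worth checking. The same choice is implicit in the restore function in the earlier hunk, which relabels via the file-label restore helper. virSecuritySELinuxSetSecurityAllLabel, whose signature the context lines show, continues past the end of this hunk.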
Regards,
Daniel
--
|:
http://berrange.com -o-
http://www.flickr.com/photos/dberrange/ :|
|:
http://libvirt.org -o-
http://virt-manager.org :|
|:
http://autobuild.org -o-
http://search.cpan.org/~danberr/ :|
|:
http://entangle-photo.org -o-
http://live.gnome.org/gtk-vnc :|