
On Thu, Jul 23, 2015 at 06:13:47PM +0800, Luyao Huang wrote:
A new api to help set/restore the shmem deivce dac/selinux label.
s/deivce/device/
Signed-off-by: Luyao Huang <lhuang@redhat.com> --- src/libvirt_private.syms | 2 ++ src/security/security_dac.c | 67 +++++++++++++++++++++++++++++++++++++++ src/security/security_driver.h | 11 +++++++ src/security/security_manager.c | 38 ++++++++++++++++++++++ src/security/security_manager.h | 8 +++++ src/security/security_selinux.c | 70 +++++++++++++++++++++++++++++++++++++++++ src/security/security_stack.c | 41 ++++++++++++++++++++++++ 7 files changed, 237 insertions(+)
Also need to add to the security_nop.c impl
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index deb6980..f954aa5 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -39,6 +39,7 @@
 #include "virstoragefile.h"
 #include "virstring.h"
 #include "virutil.h"
+#include "virshm.h"
#define VIR_FROM_THIS VIR_FROM_SECURITY
@@ -922,6 +923,69 @@ virSecurityDACRestoreSecurityTPMFileLabel(virSecurityManagerPtr mgr,
static int
+virSecurityDACSetShmemLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainShmemDefPtr shmem,
+ char *path)
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityLabelDefPtr seclabel;
+ virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
+ char *tmppath;
+ uid_t user;
+ gid_t group;
+
+ if (shmem->server.enabled)
+ tmppath = shmem->server.chr.data.nix.path;
+ else
+ tmppath = path;
Even when the server is enabled, QEMU still needs access to the path doesn't it.
+
+ if (!tmppath)
+ return 0;
+
+ shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_DAC_NAME);
+
+ if (shmem_seclabel && !shmem_seclabel->relabel)
+ return 0;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+
+ if (shmem_seclabel && shmem_seclabel->label) {
+ if (virParseOwnershipIds(shmem_seclabel->label, &user, &group) < 0)
+ return -1;
+ } else {
+ if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+ return -1;
+ }
+
+ return virSecurityDACSetOwnership(tmppath, user, group);
+}
+
+
+static int
+virSecurityDACRestoreShmemLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainShmemDefPtr shmem,
+ char *path)
+{
+ virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
+
+ shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_DAC_NAME);
+
+ if (shmem_seclabel && !shmem_seclabel->relabel)
+ return 0;
+
+ if (shmem->server.enabled)
+ return virSecurityDACRestoreChardevLabel(mgr, def, NULL, &shmem->server.chr);
We need to restore path, even when server is enabled
+
+ if (!path)
+ return 0;
+
+ return virSecurityDACRestoreSecurityFileLabel(path);
+}
+
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 6e67a86..cbf89ee 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -46,6 +46,7 @@
 #include "virconf.h"
 #include "virtpm.h"
 #include "virstring.h"
+#include "virshm.h"
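Review bot: Both `virSecurityDACSetShmemLabel` and `virSecurityDACRestoreShmemLabel` declare `char *path` but never write through it, so the parameter should be `const char *path` (assuming virSecurityDACSetOwnership and virSecurityDACRestoreSecurityFileLabel accept a const path, which is the usual shape of these helpers). The server branch in the setter reads the union member `shmem->server.chr.data.nix.path` without checking `shmem->server.chr.type`; if the parser guarantees an ivshmem server chardev is always a UNIX socket, a comment such as `/* server chardev is validated as a UNIX socket at parse time */` would make that safe-by-construction obvious, otherwise a type check belongs in front of the read. Unlike the SELinux counterparts in this series, neither DAC function looks at the domain-level seclabel's relabel flag; if the DAC driver gates on it further up the call chain that is fine, but the asymmetry deserves a line of explanation. The const and union-member remarks apply equally to the two SELinux hunks below.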
#define VIR_FROM_THIS VIR_FROM_SECURITY
@@ -1888,6 +1889,37 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def, }
+static int
+virSecuritySELinuxRestoreShmemLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainShmemDefPtr shmem,
+ char *path)
+{
+ char *tmppath = NULL;
+ virSecurityLabelDefPtr seclabel;
+ virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (!seclabel || !seclabel->relabel)
+ return 0;
+
+ shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_SELINUX_NAME);
+
+ if (shmem_seclabel && !shmem_seclabel->relabel)
+ return 0;
+
+ if (shmem->server.enabled)
+ tmppath = shmem->server.chr.data.nix.path;
+ else
+ tmppath = path;
Same comment as earlier
+
+ if (!tmppath)
+ return 0;
+
+ return virSecuritySELinuxRestoreSecurityFileLabel(mgr, tmppath);
+}
+
+
 static const char *
 virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
 {
@@ -2284,6 +2316,41 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
static int
+virSecuritySELinuxSetShmemLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainShmemDefPtr shmem,
+ char *path)
+{
+ virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
+ char *tmppath = NULL;
+ virSecurityLabelDefPtr seclabel;
+ virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (!seclabel || !seclabel->relabel)
+ return 0;
+
+ shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_SELINUX_NAME);
+
+ if (shmem_seclabel && !shmem_seclabel->relabel)
+ return 0;
+
+ if (shmem->server.enabled)
+ tmppath = shmem->server.chr.data.nix.path;
+ else
+ tmppath = path;
And again
+
+ if (!tmppath)
+ return 0;
+
+ if (shmem_seclabel && shmem_seclabel->label)
+ return virSecuritySELinuxSetFilecon(tmppath, shmem_seclabel->label);
+ else
+ return virSecuritySELinuxSetFilecon(tmppath, data->file_context);
+}
+
+
+static int
 virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr def,
 const char *stdin_path)
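Review bot: The fallback on the final `return` labels the region with the driver-wide `data->file_context` rather than anything taken from this domain's `seclabel`, so every domain that maps the same file receives the same context, while the DAC setter earlier in this series derives the owner from the domain via virSecurityDACGetIds; the two drivers therefore disagree about whether an ivshmem region is per-domain or shared. If the shared label is deliberate because ivshmem exists to be shared between guests, say so at the call, e.g. `/* shmem regions are shared between domains, so use the generic file context rather than a per-domain label */`; if it is not, the non-server case should take the domain's label the way other per-device setters in this file presumably do. The `seclabel` fetched at the top is only consulted for its relabel flag, which makes the omission easy to overlook. The body of virSecuritySELinuxSetSecurityAllLabel, whose signature closes the hunk, lies outside it.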
Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|