Re: [libvirt] [PATCH v4 3/3] capabilities: add baselabel per sec driver/virt type to secmodel
On Fri, Oct 18, 2013 at 02:13:21PM +0200, Giuseppe Scrivano wrote:
Expand the "secmodel" XML fragment of "host" with
a sequence of
baselabel's which describe the default security context used by
libvirt with a specific security model and virtualization type:
<secmodel>
<model>selinux</model>
<doi>0</doi>
<baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
<baselabel
type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel>
</secmodel>
<secmodel>
<model>dac</model>
<doi>0</doi>
<baselabel type='kvm'>107:107</baselabel>
<baselabel type='qemu'>107:107</baselabel>
</secmodel>
"baselabel" is driver-specific information, e.g. in the DAC security
model, it indicates USER_ID:GROUP_ID.
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
docs/schemas/capability.rng | 8 ++++
src/conf/capabilities.c | 60 +++++++++++++++++++++++++++-
src/conf/capabilities.h | 14 +++++++
src/libvirt_private.syms | 1 +
src/lxc/lxc_conf.c | 10 ++++-
src/qemu/qemu_conf.c | 21 ++++++++--
tests/capabilityschemadata/caps-qemu-kvm.xml | 2 +
tests/capabilityschemadata/caps-test3.xml | 2 +
8 files changed, 111 insertions(+), 7 deletions(-)
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 8d7bee8..c234dd0 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -584,12 +584,15 @@ virQEMUDriverCreateXMLConf(virQEMUDriverPtr driver)
virCapsPtr virQEMUDriverCreateCapabilities(virQEMUDriverPtr driver)
{
- size_t i;
+ size_t i, j;
virCapsPtr caps;
virSecurityManagerPtr *sec_managers = NULL;
/* Security driver data */
- const char *doi, *model;
+ const char *doi, *model, *lbl, *type;
virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+ const int virtTypes[] = {VIR_DOMAIN_VIRT_KVM,
+ VIR_DOMAIN_VIRT_QEMU,
+ VIR_DOMAIN_VIRT_LAST};
No need for having VIR_DOMAIN_VIRT_LAST here, since we have a
handy ARRAY_CARDINALITY macro
+ for (j = 0; virtTypes[j] != VIR_DOMAIN_VIRT_LAST; j++) {
eg
for (j = 0 ; j < ARRAY_CARDINALITY(virtTypes) ; j++)
+ lbl = virSecurityManagerGetBaseLabel(sec_managers[i],
virtTypes[j]);
+ type = virDomainVirtTypeToString(virtTypes[j]);
+ if (lbl &&
+ virCapabilitiesHostSecModelAddBaseLabel(sm, type, lbl) < 0)
+ goto error;
+ }
+
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|