
On 02/08/2013 11:23 AM, Daniel P. Berrange wrote:
On Thu, Feb 07, 2013 at 04:37:50PM -0500, Laine Stump wrote:
virCommand gets the new API virCommandSetSecLabel(), which saves a copy of a null-terminated string in the virCommand. During virCommandRun, if the seclabel is non-NULL and we've been compiled with a security driver, the appropriate security library function is called to set the label for the child process. In the case of SELinux, setexeccon_raw() is called, and for AppArmor, aa_change_profile() is called.
This functionality has been added so that users of virCommand can use the upcoming virSecurityManagerSetChildProcessLabel() prior to running a child process, rather than needing to set up a hook function to be called (and in turn call virSecurityManagerSetProcessLabel()) *during* the setup of the child process. ---
+#if defined(WITH_SECDRIVER_SELINUX) +# include <selinux/selinux.h> +#elif defined(WITH_SECDRIVER_APPARMOR) +# include <sys/apparmor.h> +#endif [snip]
+/** + * virCommandSetSecLabel: + * @cmd: the command to modify + * @label: the label to use + * + * Saves a copy of @label to use when calling the appropriate security + * driver after the child process has been started. In the case of + * SELinux, this label will be sent to setexeccon_raw(), and in the + * case of AppArmor, it will be sent to aa_change_profile(). If + * neither of these is configured into libvirt, or if label is NULL, + * nothing will be done. + */ +void +virCommandSetSecLabel(virCommandPtr cmd, const char *label) +{ + if (!cmd || cmd->has_error) + return; + + VIR_FREE(cmd->seclabel); + if (label && !(cmd->seclabel = strdup(label))) + cmd->has_error = ENOMEM; + return; +}

It is technically possible to build libvirt with both AppArmor and SELinux enabled, and choose between the impl with a libvirtd config.
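Review bot: the `#if defined(WITH_SECDRIVER_SELINUX)` / `#elif defined(WITH_SECDRIVER_APPARMOR)` chain in the include hunk makes the two headers mutually exclusive at compile time, so a build configured with both security drivers only ever gets `<selinux/selinux.h>` and the AppArmor path is silently compiled out; use two independent `#if ... #endif` blocks so both headers are available, and let the caller pick the driver at runtime.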
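Review bot: the doc comment on virCommandSetSecLabel says the label is applied "after the child process has been started", which reads as if it happens after exec; since setexeccon_raw() and aa_change_profile() only take effect if called in the child between fork and exec, say "in the child before it exec()s" so callers do not expect it to relabel an already running process. The trailing `return;` at the end of the void function is redundant and can be dropped.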
Until I broke it in the previous patch :-). I'll fix that as well.
This means we need to have separate methods for each in virCommand. So I'd suggest a pair of methods
virCommandSetSELinuxLabel(...) virCommandSetAppArmourProfile(...)
Daniel