
On 2011年12月23日 08:47, Eric Blake wrote:
The RNG for <seclabel> was too strict - if it was present, then it had to have sub-elements, even if those didn't make sense for the given attributes. Also, we didn't have any tests of <seclabel> parsing or XML output.
In this patch, I added more parsing tests than output tests (since the output populates and/or reorders fields not present in certain inputs). Making the RNG reliable is a precursor to using <seclabel> variants in more places in the XML in later patches.
See also: http://berrange.com/posts/2011/09/29/two-small-improvements-to-svirt-guest-c...
* docs/schemas/domaincommon.rng (seclabel): Tighten rules. * tests/qemuxml2argvtest.c (mymain): New tests. * tests/qemuxml2xmltest.c (mymain): Likewise. * tests/qemuxml2argvdata/qemuxml2argv-seclabel-*.*: New files. --- docs/schemas/domaincommon.rng | 88 ++++++++++++++------ .../qemuxml2argv-seclabel-dynamic-baselabel.args | 4 + .../qemuxml2argv-seclabel-dynamic-baselabel.xml | 28 ++++++ .../qemuxml2argv-seclabel-dynamic.args | 4 + .../qemuxml2argv-seclabel-dynamic.xml | 26 ++++++ .../qemuxml2argv-seclabel-static-relabel.args | 4 + .../qemuxml2argv-seclabel-static-relabel.xml | 29 +++++++ .../qemuxml2argv-seclabel-static.args | 4 + .../qemuxml2argv-seclabel-static.xml | 28 ++++++ tests/qemuxml2argvtest.c | 5 + tests/qemuxml2xmltest.c | 3 + 11 files changed, 199 insertions(+), 24 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 553a6f0..dd76f91 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -50,30 +50,70 @@
 </define>
 <define name="seclabel">
 <element name="seclabel">
-<attribute name="model">
-<text/>
-</attribute>
-<attribute name="type">
-<choice>
-<value>dynamic</value>
-<value>static</value>
-</choice>
-</attribute>
-<attribute name="relabel">
-<choice>
-<value>yes</value>
-<value>no</value>
-</choice>
-</attribute>
-<element name="label">
-<text/>
-</element>
-<element name="imagelabel">
-<text/>
-</element>
-<element name="baselabel">
-<text/>
-</element>
+<optional>
+<attribute name='model'>
+<text/>
+</attribute>
+</optional>
+<choice>
+<group>
+<!-- with dynamic label (default), relabel must be yes, baselabel
+ is optional, and label and imagelabel are output-only -->
+<optional>
+<attribute name='type'>
+<value>dynamic</value>
+</attribute>
+</optional>
+<optional>
+<attribute name='relabel'>
+<value>yes</value>
+</attribute>
+</optional>
+<interleave>
+<optional>
+<element name='label'>
+<text/>
+</element>
+</optional>
+<optional>
+<element name='imagelabel'>
+<text/>
+</element>
+</optional>
+<optional>
+<element name='baselabel'>
+<text/>
+</element>
+</optional>
+</interleave>
+</group>
+<group>
+<!-- with static label, relabel can be either format (default
+ no), label is required, imagelabel is output-only, and no
+ baselabel is present -->
+<attribute name='type'>
+<value>static</value>
+</attribute>
+<optional>
+<attribute name='relabel'>
+<choice>
+<value>yes</value>
+<value>no</value>
+</choice>
+</attribute>
+</optional>
+<interleave>
+<element name='label'>
+<text/>
+</element>
+<optional>
+<element name='imagelabel'>
+<text/>
+</element>
+</optional>
+</interleave>
+</group>
+</choice>
 </element>
 </define>
 <define name="hvs">
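Review bot: The dynamic `<group>` describes `label` and `imagelabel` as output-only, yet the grammar accepts both on input too, so a definition with `type='dynamic'` and a hand-written `<label>` validates; the same holds for `imagelabel` in the static group. Because one schema serves both input and output, the comments should say who enforces the restriction, for example `<!-- label and imagelabel are accepted so that libvirt's own output validates; the parser must ignore them on input -->`. Whether the parser really discards them is not visible in this patch. `model` is also optional in both groups, which lets a static `label` validate without naming the security driver that is meant to interpret it; a sentence on the intended behaviour in that case would help.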
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
new file mode 100644
index 0000000..fea0eb7
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+<name>QEMUGuest1</name>
+<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+<memory>219100</memory>
+<currentMemory>219100</currentMemory>
+<vcpu cpuset='1-4,8-20,525'>1</vcpu>
+<os>
+<type arch='i686' machine='pc'>hvm</type>
+<boot dev='hd'/>
+</os>
+<clock offset='utc'/>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<devices>
+<emulator>/usr/bin/qemu</emulator>
+<disk type='block' device='disk'>
+<source dev='/dev/HostVG/QEMUGuest1'/>
+<target dev='hda' bus='ide'/>
+<address type='drive' controller='0' bus='0' unit='0'/>
+</disk>
+<controller type='ide' index='0'/>
+<memballoon model='virtio'/>
+</devices>
+<seclabel type='dynamic' model='selinux' relabel='yes'>
+<baselabel>system_u:system_r:svirt_custom_t:s0</baselabel>
+</seclabel>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
new file mode 100644
index 0000000..096c766
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
@@ -0,0 +1,26 @@
+<domain type='qemu'>
+<name>QEMUGuest1</name>
+<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+<memory>219100</memory>
+<currentMemory>219100</currentMemory>
+<vcpu cpuset='1-4,8-20,525'>1</vcpu>
+<os>
+<type arch='i686' machine='pc'>hvm</type>
+<boot dev='hd'/>
+</os>
+<clock offset='utc'/>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<devices>
+<emulator>/usr/bin/qemu</emulator>
+<disk type='block' device='disk'>
+<source dev='/dev/HostVG/QEMUGuest1'/>
+<target dev='hda' bus='ide'/>
+<address type='drive' controller='0' bus='0' unit='0'/>
+</disk>
+<controller type='ide' index='0'/>
+<memballoon model='virtio'/>
+</devices>
+<seclabel type='dynamic' relabel='yes'/>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
new file mode 100644
index 0000000..3b2ad04
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
@@ -0,0 +1,29 @@
+<domain type='qemu'>
+<name>QEMUGuest1</name>
+<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+<memory>219100</memory>
+<currentMemory>219100</currentMemory>
+<vcpu cpuset='1-4,8-20,525'>1</vcpu>
+<os>
+<type arch='i686' machine='pc'>hvm</type>
+<boot dev='hd'/>
+</os>
+<clock offset='utc'/>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<devices>
+<emulator>/usr/bin/qemu</emulator>
+<disk type='block' device='disk'>
+<source dev='/dev/HostVG/QEMUGuest1'/>
+<target dev='hda' bus='ide'/>
+<address type='drive' controller='0' bus='0' unit='0'/>
+</disk>
+<controller type='ide' index='0'/>
+<memballoon model='virtio'/>
+</devices>
+<seclabel type='static' model='selinux' relabel='yes'>
+<label>system_u:system_r:svirt_custom_t:s0:c192,c392</label>
+<imagelabel>system_u:system_r:svirt_custom_t:s0:c192,c392</imagelabel>
+</seclabel>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
new file mode 100644
index 0000000..416bd86
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
@@ -0,0 +1,28 @@ +<domain type='qemu'> +<name>QEMUGuest1</name> +<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> +<memory>219100</memory> +<currentMemory>219100</currentMemory> +<vcpu cpuset='1-4,8-20,525'>1</vcpu> +<os> +<type arch='i686' machine='pc'>hvm</type> +<boot dev='hd'/> +</os> +<clock offset='utc'/> +<on_poweroff>destroy</on_poweroff> +<on_reboot>restart</on_reboot> +<on_crash>destroy</on_crash> +<devices> +<emulator>/usr/bin/qemu</emulator> +<disk type='block' device='disk'> +<source dev='/dev/HostVG/QEMUGuest1'/> +<target dev='hda' bus='ide'/> +<address type='drive' controller='0' bus='0' unit='0'/> +</disk> +<controller type='ide' index='0'/> +<memballoon model='virtio'/> +</devices> +<seclabel type='static' model='selinux' relabel='no'> +<label>system_u:system_r:svirt_custom_t:s0:c192,c392</label> +</seclabel> +</domain> diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index e1221eb..18e8941 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c @@ -660,6 +660,11 @@ mymain(void) QEMU_CAPS_CHARDEV, QEMU_CAPS_MONITOR_JSON, QEMU_CAPS_NODEFCONFIG, QEMU_CAPS_NO_SHUTDOWN);
+ DO_TEST("seclabel-dynamic", false, QEMU_CAPS_NAME); + DO_TEST("seclabel-dynamic-baselabel", false, QEMU_CAPS_NAME); + DO_TEST("seclabel-static", false, QEMU_CAPS_NAME); + DO_TEST("seclabel-static-relabel", false, QEMU_CAPS_NAME); + free(driver.stateDir); virCapabilitiesFree(driver.caps); free(map); diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c index 35bfdce..e4b99c4 100644 --- a/tests/qemuxml2xmltest.c +++ b/tests/qemuxml2xmltest.c @@ -194,6 +194,9 @@ mymain(void) DO_TEST("usb-redir"); DO_TEST("blkdeviotune");
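Review bot: The four `DO_TEST("seclabel-*", false, QEMU_CAPS_NAME)` cases added to mymain() all compare against `.args` files with the same blob (index 651793d), and that expected command line carries nothing taken from `<seclabel>`. They therefore show only that each variant parses, which a comment above them should state, e.g. `/* seclabel does not change the generated argv; these only check that each variant parses */`. Every input is a valid one, so nothing here checks that combinations the new grammar excludes, such as `type='dynamic'` with `relabel='no'` or `type='static'` without `<label>`, are actually rejected. mymain() begins and ends outside the hunk.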
+ DO_TEST("seclabel-dynamic-baselabel"); + DO_TEST("seclabel-static"); + /* These tests generate different XML */ DO_TEST_DIFFERENT("balloon-device-auto"); DO_TEST_DIFFERENT("channel-virtio-auto");
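Review bot: Only `seclabel-dynamic-baselabel` and `seclabel-static` are round-tripped here, so the formatter is never exercised on `seclabel-static-relabel`, the one fixture that supplies its own `<imagelabel>` together with `relabel='yes'`. If its output differs from the input, the `DO_TEST_DIFFERENT` form used just below, with an expected-output file, would cover it. Otherwise a short comment naming the two omitted fixtures and the reason would keep the gap visible, e.g. `/* seclabel-dynamic and seclabel-static-relabel are parse-only: output adds or reorders fields */`. mymain() continues outside the hunk.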
ACK.