On Thu, Feb 07, 2013 at 04:37:51PM -0500, Laine Stump wrote:
The existing virSecurityManagerSetProcessLabel() API is designed so
that it must be called after forking the child process, but before
exec'ing the child. Due to the way the virCommand API works, that
means it needs to be put in a "hook" function that virCommand is told
to call out to at that time.

Setting the child process label is a basic enough need when executing
any process that virCommand should have a method of doing that. But
virCommand must be told what label to set, and only the security
driver knows the answer to that question.

The new virSecurityManagerSet*Child*ProcessLabel() API is the way to
transfer the knowledge about what label to set from the security
driver to the virCommand object. It is given a virCommandPtr, and each
security driver calls the appropriate virCommand* API to tell
virCommand what to do between fork and exec.

1) in the case of the DAC security driver, it calls
virCommandSetUID/GID() to set a uid and gid that must be set for the
child process.

2) for the SELinux and AppArmor security drivers, it calls
virCommandSetSecLabel() to save a copy of the char* that will be sent
to each driver's respective "SetProcessLabel" API *after forking
the child process*.
This will need a tweak based on the change I suggested to the
previous patch.
diff --git a/src/security/security_apparmor.c
b/src/security/security_apparmor.c
index bf795b0..4a81118 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -1,7 +1,7 @@
/*
* AppArmor security driver for libvirt
*
- * Copyright (C) 2011 Red Hat, Inc.
+ * Copyright (C) 2011, 2013 Red Hat, Inc.
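Review bot: the only change in this hunk is the copyright year on the file header comment, while the functional change the commit message describes for this file (the AppArmor driver's new SetChildProcessLabel entry point calling virCommandSetSecLabel()) is not in the quoted portion, so the hunk cannot be checked against that description here; for the header line itself, a range such as `* Copyright (C) 2011-2013 Red Hat, Inc.` is the tidier form when the file has been touched in the intervening years.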
You can turn this into a range '2011-2013' - there were plenty of
Red Hat changes to this file throughout the last year(s). Likewise
for all others.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
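As an added example (mock code, not libvirt's virCommand or any of its security drivers), this sketches the pattern the quoted commit message describes: each driver writes what it alone knows into the command object, and the command applies it between fork() and exec() with no caller-supplied hook. `struct cmd`, `dac_set_child_label()`, `mac_set_child_label()` and `run_labelled()` are hypothetical names, and the MAC label is only stored, not handed to the kernel.

```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical virCommand-like object (not libvirt's): the label to apply
 * is stored here by the security driver, so no fork-time hook is needed. */
struct cmd {
    const char *const *argv;  /* NULL-terminated argument vector */
    int have_ids;             /* set by the DAC driver */
    uid_t uid; gid_t gid;
    char seclabel[64];        /* set by the SELinux/AppArmor drivers */
};

/* DAC driver: the knowledge transferred is just the uid/gid pair
 * (stand-in for virCommandSetUID/GID). */
static int dac_set_child_label(struct cmd *c, uid_t uid, gid_t gid) {
    c->uid = uid; c->gid = gid; c->have_ids = 1;
    return 0;
}

/* MAC drivers: keep a bounded copy of the label string for use after fork
 * (stand-in for virCommandSetSecLabel); refuse rather than truncate. */
static int mac_set_child_label(struct cmd *c, const char *label) {
    if (strlen(label) >= sizeof(c->seclabel)) return -1;
    strcpy(c->seclabel, label);
    return 0;
}

/* Between fork() and exec(): drop to the stored ids, then apply the label.
 * The MAC step is a placeholder; a real driver hands the label to the kernel. */
static int apply_child_label(const struct cmd *c) {
    if (c->have_ids && (setgid(c->gid) < 0 || setuid(c->uid) < 0)) return -1;
    if (c->seclabel[0]) { /* placeholder: apply c->seclabel here */ }
    return 0;
}

/* Fork, label the child, exec; returns the child's exit status or -1. */
static int run_labelled(const struct cmd *c) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (apply_child_label(c) < 0) _exit(126);  /* never exec unlabelled */
        execv(c->argv[0], (char *const *)c->argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Calling the driver functions before run_labelled() is what replaces the hook; a child whose label cannot be applied exits with 126 instead of reaching exec.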