Re: [libvirt] [PATCH v2 4/6] Add API to get the system identity

On Wed, Mar 13, 2013 at 15:24:03 +0000, Daniel P. Berrange wrote:

From: "Daniel P. Berrange" <berrange@redhat.com>

If no user identity is available, some operations may wish to use the system identity. ie the identity of the current process itself. Add an API to get such an identity.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/util/viridentity.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++ src/util/viridentity.h | 2 ++ 2 files changed, 73 insertions(+)

diff --git a/src/util/viridentity.c b/src/util/viridentity.c index acb0cb9..1c43081 100644 --- a/src/util/viridentity.c +++ b/src/util/viridentity.c ... @@ -116,6 +122,71 @@ int virIdentitySetCurrent(virIdentityPtr ident)

/** + * virIdentityGetSystem: + * + * Returns an identity that represents the system itself. + * This is the identity that the process is running as + * + * Returns a reference to the system identity, or NULL + */ +virIdentityPtr virIdentityGetSystem(void) +{ + char *username = NULL; + char *groupname = NULL; + char *seccontext = NULL; + virIdentityPtr ret = NULL; + gid_t gid = getgid(); + uid_t uid = getuid(); +#if HAVE_SELINUX + security_context_t con; +#endif + + if (!(username = virGetUserName(uid))) + goto cleanup; + if (!(groupname = virGetGroupName(gid))) + goto cleanup;

Quite cosmetic, but is there any reason why we use uid/gid variables rather than calling getuid/getgid directly here?

+ +#if HAVE_SELINUX + if (getcon(&con) < 0) { + virReportSystemError(errno, "%s", + _("Unable to lookup SELinux process context")); + goto cleanup; + } + seccontext = strdup(con); + freecon(con); + if (!seccontext) { + virReportOOMError(); + goto cleanup; + } +#endif + + if (!(ret = virIdentityNew())) + goto cleanup; + + if (username && + virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_UNIX_USER_NAME, username) < 0) + goto error; + if (groupname && + virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, groupname) < 0) + goto error; + if (seccontext && + virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_SECURITY_CONTEXT, seccontext) < 0) + goto error;

All three lines with virIdentitySetAttr() calls are too long.

+ +cleanup: + VIR_FREE(username); + VIR_FREE(groupname); + VIR_FREE(seccontext); + return ret; + +error: + virObjectUnref(ret); + ret = NULL; + goto cleanup; +} + + +/** * virIdentityNew: * * Creates a new empty identity object. After creating, one or

ACK Jirka