On Wed, Jan 12, 2011 at 12:23:01PM -0500, Cole Robinson wrote:
This allows us to explicitly handle the 'default' seclabel case, as well as provide easier model validation.
Signed-off-by: Cole Robinson <crobinso(a)redhat.com>
---
src/conf/domain_conf.c | 38 ++++++++++++++++++++++++++++++--------
src/conf/domain_conf.h | 14 ++++++++++++--
src/security/security_apparmor.c | 9 +++------
src/security/security_driver.c | 15 ++++++++++-----
src/security/security_selinux.c | 8 ++------
5 files changed, 57 insertions(+), 27 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 8f6ef55..077a396 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -313,6 +313,12 @@ VIR_ENUM_IMPL(virDomainSeclabel, VIR_DOMAIN_SECLABEL_LAST,
"dynamic",
"static")
+VIR_ENUM_IMPL(virDomainSeclabelModel, VIR_DOMAIN_SECLABEL_MODEL_LAST,
+ "default",
+ "selinux",
+ "apparmor",
+ "none")
If we remove 'none' from the enum, this is ok.
+
VIR_ENUM_IMPL(virDomainNetdevMacvtap, VIR_DOMAIN_NETDEV_MACVTAP_MODE_LAST,
"vepa",
"private",
@@ -759,7 +765,7 @@ void virDomainSeclabelDefClear(virSecurityLabelDefPtr seclabel)
if (!seclabel)
return;
- VIR_FREE(seclabel->model);
+ seclabel->model = VIR_DOMAIN_SECLABEL_MODEL_DEFAULT;
VIR_FREE(seclabel->label);
VIR_FREE(seclabel->imagelabel);
}
@@ -4244,7 +4250,15 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
"%s", _("missing security
model"));
goto error;
}
- def->seclabel.model = p;
+
+ def->seclabel.model = virDomainSeclabelModelTypeFromString(p);
+ if (def->seclabel.model < 0) {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ _("unknown security model '%s'"),
p);
+ VIR_FREE(p);
+ goto error;
+ }
+ VIR_FREE(p);
p = virXPathStringLimit("string(./seclabel/label[1])",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
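Review bot: The new range check only rejects negative values, so an XML `model='default'` is accepted by virDomainSeclabelModelTypeFromString (the string table added in the first hunk maps it to VIR_DOMAIN_SECLABEL_MODEL_DEFAULT), and the virDomainDefFormat hunk then treats that value as "no seclabel configured" and, as far as that hunk shows, omits the element together with any label or imagelabel the user supplied, so the round trip silently drops explicitly configured labels. Unless 'default' is meant to be writable by users, the check should exclude the sentinel as well, e.g. `if (def->seclabel.model <= VIR_DOMAIN_SECLABEL_MODEL_DEFAULT) {`, leaving DEFAULT as the internal "unspecified" state that only the defaulting code assigns. virSecurityLabelDefParseXML starts before and continues past this hunk.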
@@ -7336,18 +7350,26 @@ char *virDomainDefFormat(virDomainDefPtr def,
virBufferAddLit(&buf, " </devices>\n");
- if (def->seclabel.model) {
- const char *sectype = virDomainSeclabelTypeToString(def->seclabel.type);
+ if (def->seclabel.model != VIR_DOMAIN_SECLABEL_MODEL_DEFAULT) {
+ const char *sectype, *secmodel;
+
+ sectype = virDomainSeclabelTypeToString(def->seclabel.type);
if (!sectype)
goto cleanup;
+
+ secmodel = virDomainSeclabelModelTypeToString(def->seclabel.model);
+ if (!secmodel)
+ goto cleanup;
+
+ virBufferVSprintf(&buf, " <seclabel type='%s'
model='%s'",
+ sectype, secmodel);
+
if (!def->seclabel.label ||
(def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
(flags & VIR_DOMAIN_XML_INACTIVE))) {
- virBufferVSprintf(&buf, " <seclabel type='%s'
model='%s'/>\n",
- sectype, def->seclabel.model);
+ virBufferAddLit(&buf, "/>\n");
} else {
- virBufferVSprintf(&buf, " <seclabel type='%s'
model='%s'>\n",
- sectype, def->seclabel.model);
+ virBufferAddLit(&buf, ">\n");
virBufferEscapeString(&buf, "
<label>%s</label>\n",
def->seclabel.label);
if (def->seclabel.imagelabel &&
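Review bot: A NULL from virDomainSeclabelModelTypeToString at the new `secmodel` check means the stored model value is outside the enum range, and the jump to cleanup mirrors the existing sectype path just above it, but nothing in the hunk reports why formatting failed, so as far as the hunk shows the caller receives NULL with no error set. A short `virDomainReportError(VIR_ERR_INTERNAL_ERROR, _("unexpected security model %d"), def->seclabel.model);` before that goto would make the failure diagnosable; the sectype branch has the same gap and could take the same treatment. virDomainDefFormat starts before and continues past this hunk.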
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index b5cf433..81409f8 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -782,14 +782,23 @@ enum virDomainSeclabelType {
VIR_DOMAIN_SECLABEL_LAST,
};
+enum virDomainSeclabelModel {
+ VIR_DOMAIN_SECLABEL_MODEL_DEFAULT,
+ VIR_DOMAIN_SECLABEL_MODEL_SELINUX,
+ VIR_DOMAIN_SECLABEL_MODEL_APPARMOR,
+ VIR_DOMAIN_SECLABEL_MODEL_NONE,
+
+ VIR_DOMAIN_SECLABEL_MODEL_LAST,
+};
Remove NONE here too.
ACK, if the 'none' / NONE bits are removed.
Daniel