On Mon, Jun 16, 2014 at 02:07:21PM +0200, Cédric Bosdonnat wrote:
This code depends on new API in libvirt-gconfig to extract the
secmodels handled by the host.
---
Diff to v2:
* Added some missing g_object_unref and _g_list_free
* Moved the SELinux-specific code to a separate function
libvirt-sandbox/libvirt-sandbox-builder.c | 47 +++++++++++++++++++++++++++----
1 file changed, 41 insertions(+), 6 deletions(-)
diff --git a/libvirt-sandbox/libvirt-sandbox-builder.c
b/libvirt-sandbox/libvirt-sandbox-builder.c
index 48b3acc..65af23f 100644
--- a/libvirt-sandbox/libvirt-sandbox-builder.c
+++ b/libvirt-sandbox/libvirt-sandbox-builder.c
@@ -322,12 +322,10 @@ static gboolean
gvir_sandbox_builder_construct_devices(GVirSandboxBuilder *build
return TRUE;
}
-
-static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *builder
G_GNUC_UNUSED,
- GVirSandboxConfig *config
G_GNUC_UNUSED,
- const gchar *statedir
G_GNUC_UNUSED,
- GVirConfigDomain *domain,
- GError **error G_GNUC_UNUSED)
+static gboolean gvir_sandbox_builder_construct_security_selinux (GVirSandboxBuilder
*builder,
+ GVirSandboxConfig
*config,
+ GVirConfigDomain
*domain,
+ GError **error)
{
GVirConfigDomainSeclabel *sec = gvir_config_domain_seclabel_new();
const char *label = gvir_sandbox_config_get_security_label(config);
@@ -360,6 +358,43 @@ static gboolean
gvir_sandbox_builder_construct_security(GVirSandboxBuilder *buil
return TRUE;
}
+static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *builder,
+ GVirSandboxConfig *config,
+ const gchar *statedir
G_GNUC_UNUSED,
+ GVirConfigDomain *domain,
+ GError **error)
+{
+ GVirConnection *connection = gvir_sandbox_builder_get_connection(builder);
This needs to be unref'ed too.
+ GVirConfigCapabilities *configCapabilities;
+ GVirConfigCapabilitiesHost *hostCapabilities;
+ GList *secmodels, *iter;
+ gboolean supportsSelinux = FALSE;
+
+ /* What security models are available on the host? */
+ if (!(configCapabilities = gvir_connection_get_capabilities(connection, error))) {
+ return FALSE;
+ }
+
+ hostCapabilities = gvir_config_capabilities_get_host(configCapabilities);
+
+ secmodels = gvir_config_capabilities_host_get_secmodels(hostCapabilities);
+ for (iter = secmodels; iter != NULL; iter = iter->next) {
+ supportsSelinux = g_str_equal(gvir_config_capabilities_host_secmodel_get_model(
+ GVIR_CONFIG_CAPABILITIES_HOST_SECMODEL(iter->data)),
"selinux");
+ g_object_unref(iter->data);
I don't think the logic is correct here, supportsSelinux can only be
TRUE if the last secmodel is "selinux", I assume we want to break out of
the loop as soon as supportsSelinux is set to TRUE? In this case, the
g_object_unref can be removed from here, and the g_list_free changed to
g_list_free_full().
Christophe