8:19 a.m.
diff to v1:
- Add some variety when filling the test driver seclabels array
- Split 2/3 in v1 to function patch and align output patch
link to v1: https://listman.redhat.com/archives/libvir-list/2021-September/msg00015.html
link to CI: https://gitlab.com/lukedyue/libvirt/-/pipelines/422002148
Luke Yue (4):
test_driver: Implement virDomainGetSecurityLabelList
virsh: Add '--full-seclabels' option for dominfo
virsh: Realign some outputs
tests: Add test for virDomainGetSecurityLabelList
docs/manpages/virsh.rst | 5 ++-
src/test/test_driver.c | 43 ++++++++++++++++++
tests/virsh-undefine | 8 ++--
tests/virshtest.c | 77 ++++++++++++++++----------------
tools/virsh-domain-monitor.c | 85 ++++++++++++++++++++++++------------
5 files changed, 147 insertions(+), 71 deletions(-)
--
2.34.1
8:19 a.m.
New subject: [PATCH v2 1/4] test_driver: Implement virDomainGetSecurityLabelList
Signed-off-by: Luke Yue <lukedyue(a)gmail.com>
---
src/test/test_driver.c | 43 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/src/test/test_driver.c b/src/test/test_driver.c
index b6bca884f0..e9d009cfdb 100644
--- a/src/test/test_driver.c
+++ b/src/test/test_driver.c
@@ -137,6 +137,7 @@ VIR_ONCE_GLOBAL_INIT(testDriver);
#define TEST_MODEL "i686"
#define TEST_EMULATOR "/usr/bin/test-hv"
+#define TEST_SECURITY_LABEL_LIST_LENGTH 2
static const virNodeInfo defaultNodeInfo = {
TEST_MODEL,
@@ -5275,6 +5276,47 @@ testDomainGetSecurityLabel(virDomainPtr dom,
return ret;
}
+static int
+testDomainGetSecurityLabelList(virDomainPtr dom,
+ virSecurityLabelPtr* seclabels)
+{
+ virDomainObj *vm;
+ size_t i;
+ int ret = -1;
+
+ if (!(vm = testDomObjFromDomain(dom)))
+ return -1;
+
+ if (!virDomainObjIsActive(vm)) {
+ /* No seclabels */
+ *seclabels = NULL;
+ ret = 0;
+ } else {
+ int len = TEST_SECURITY_LABEL_LIST_LENGTH;
+
+ (*seclabels) = g_new0(virSecurityLabel, len);
+ memset(*seclabels, 0, sizeof(**seclabels) * len);
+
+ /* Fill the array */
+ for (i = 0; i < len; i++) {
+ if (virStrcpyStatic((*seclabels)[i].label, "libvirt-test") < 0)
{
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("security label exceeds maximum: %zu"),
+ sizeof((*seclabels)[i].label) - 1);
+ g_clear_pointer(seclabels, g_free);
+ goto cleanup;
+ }
+ if (i == 0)
+ (*seclabels)[i].enforcing = 1;
+ }
+ ret = len;
+ }
+
+ cleanup:
+ virDomainObjEndAPI(&vm);
+ return ret;
+}
+
static int
testNodeGetSecurityModel(virConnectPtr conn,
virSecurityModelPtr secmodel)
@@ -10049,6 +10091,7 @@ static virHypervisorDriver testHypervisorDriver = {
.domainPinIOThread = testDomainPinIOThread, /* 7.8.0 */
.domainSetIOThreadParams = testDomainSetIOThreadParams, /* 7.8.0 */
.domainGetSecurityLabel = testDomainGetSecurityLabel, /* 7.5.0 */
+ .domainGetSecurityLabelList = testDomainGetSecurityLabelList, /* 8.0.0 */
.nodeGetSecurityModel = testNodeGetSecurityModel, /* 7.5.0 */
.domainGetXMLDesc = testDomainGetXMLDesc, /* 0.1.4 */
.domainSetMemoryParameters = testDomainSetMemoryParameters, /* 5.6.0 */
--
2.34.1
8:19 a.m.
New subject: [PATCH v2 2/4] virsh: Add '--full-seclabels' option for dominfo
There is no virsh command uses virDomainGetSecurityLabelList API, so add
an option for dominfo to call it and print full list of security labels.
Signed-off-by: Luke Yue <lukedyue(a)gmail.com>
---
docs/manpages/virsh.rst | 5 +++--
tools/virsh-domain-monitor.c | 43 +++++++++++++++++++++++++++++++-----
2 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst
index 39636a565e..54391b7557 100644
--- a/docs/manpages/virsh.rst
+++ b/docs/manpages/virsh.rst
@@ -2008,9 +2008,10 @@ dominfo
::
- dominfo domain
+ dominfo domain [--full-seclabels]
-Returns basic information about the domain.
+Returns basic information about the domain. *--full-seclabels* tells virsh
+to print full list of security labels.
domjobabort
diff --git a/tools/virsh-domain-monitor.c b/tools/virsh-domain-monitor.c
index eb3e0ef11a..1bb3bed1cb 100644
--- a/tools/virsh-domain-monitor.c
+++ b/tools/virsh-domain-monitor.c
@@ -1203,6 +1203,10 @@ static const vshCmdInfo info_dominfo[] = {
static const vshCmdOptDef opts_dominfo[] = {
VIRSH_COMMON_OPT_DOMAIN_FULL(0),
+ {.name = "full-seclabels",
+ .type = VSH_OT_BOOL,
+ .help = N_("Show full list of security labels of a domain")
+ },
{.name = NULL}
};
@@ -1222,6 +1226,7 @@ cmdDominfo(vshControl *ctl, const vshCmd *cmd)
int has_managed_save = 0;
virshControl *priv = ctl->privData;
g_auto(GStrv) messages = NULL;
+ bool fullseclabels = vshCommandOptBool(cmd, "full-seclabels");
if (!(dom = virshCommandOptDomain(ctl, cmd, NULL)))
return false;
@@ -1303,16 +1308,42 @@ cmdDominfo(vshControl *ctl, const vshCmd *cmd)
vshPrint(ctl, "%-15s %s\n", _("Security model:"),
secmodel.model);
vshPrint(ctl, "%-15s %s\n", _("Security DOI:"),
secmodel.doi);
- /* Security labels are only valid for active domains */
- seclabel = g_new0(virSecurityLabel, 1);
+ if (fullseclabels) {
+ int len;
+ size_t i;
- if (virDomainGetSecurityLabel(dom, seclabel) == -1) {
- VIR_FREE(seclabel);
- return false;
+ if ((len = virDomainGetSecurityLabelList(dom, &seclabel)) < 0) {
+ g_clear_pointer(&seclabel, g_free);
+ return false;
+ }
+
+ for (i = 0; i < len; i++)
+ if (seclabel[i].label[0] != '\0')
+ vshPrint(ctl, "%-16s %s (%s)\n",
+ i == 0 ? _("Security labels:") :
"",
+ seclabel[i].label,
+ seclabel[i].enforcing ?
+ "enforcing" :
+ "permissive");
+
+ g_clear_pointer(&seclabel, g_free);
} else {
+ /* Security labels are only valid for active domains */
+ seclabel = g_new0(virSecurityLabel, 1);
+
+ if (virDomainGetSecurityLabel(dom, seclabel) < 0) {
+ g_clear_pointer(&seclabel, g_free);
+ return false;
+ }
+
if (seclabel->label[0] != '\0')
vshPrint(ctl, "%-15s %s (%s)\n", _("Security
label:"),
- seclabel->label, seclabel->enforcing ?
"enforcing" : "permissive");
+ seclabel->label,
+ seclabel->enforcing ?
+ "enforcing" :
+ "permissive");
+
+ g_clear_pointer(&seclabel, g_free);
}
VIR_FREE(seclabel);
--
2.34.1
8:19 a.m.
New subject: [PATCH v2 3/4] virsh: Realign some outputs
As it's now "Security labels:" instead of "Security label:".
Signed-off-by: Luke Yue <lukedyue(a)gmail.com>
---
tests/virsh-undefine | 8 ++---
tests/virshtest.c | 70 ++++++++++++++++++------------------
tools/virsh-domain-monitor.c | 42 +++++++++++-----------
3 files changed, 59 insertions(+), 61 deletions(-)
diff --git a/tests/virsh-undefine b/tests/virsh-undefine
index dbbb367391..7feefdec79 100755
--- a/tests/virsh-undefine
+++ b/tests/virsh-undefine
@@ -35,11 +35,11 @@ $abs_top_builddir/tools/virsh -c test:///default \
test $? = 0 || fail=1
sed '/^Persistent/n; /:/d' < out1 > out
cat <<\EOF > exp || fail=1
-Persistent: yes
+Persistent: yes
Domain 'test' has been undefined
-Persistent: no
+Persistent: no
EOF
compare exp out || fail=1
@@ -50,11 +50,11 @@ $abs_top_builddir/tools/virsh -c test:///default \
test $? = 0 || fail=1
sed '/^Persistent/n; /:/d' < out1 > out
cat <<\EOF > exp || fail=1
-Persistent: yes
+Persistent: yes
Domain '1' has been undefined
-Persistent: no
+Persistent: no
EOF
compare exp out || fail=1
diff --git a/tests/virshtest.c b/tests/virshtest.c
index c2c892c60d..012edb8601 100644
--- a/tests/virshtest.c
+++ b/tests/virshtest.c
@@ -25,52 +25,52 @@ main(void)
# define SECURITY_LABEL "libvirt-test (enforcing)"
# define FC4_MESSAGES "tainted: network configuration using opaque shell
scripts"
# define FC5_MESSAGES "tainted: running with undesirable elevated privileges\n\
- tainted: network configuration using opaque shell scripts\n\
- tainted: use of host cdrom passthrough\n\
- tainted: custom device tree blob used\n\
- tainted: use of deprecated configuration settings\n\
- deprecated configuration: CPU model Deprecated-Test"
+ tainted: network configuration using opaque shell scripts\n\
+ tainted: use of host cdrom passthrough\n\
+ tainted: custom device tree blob used\n\
+ tainted: use of deprecated configuration settings\n\
+ deprecated configuration: CPU model Deprecated-Test"
# define GET_BLKIO_PARAMETER "/dev/hda,700"
# define SET_BLKIO_PARAMETER "/dev/hda,1000"
# define EQUAL "="
static const char *dominfo_fc4 = "\
-Id: 2\n\
-Name: fc4\n\
-UUID: " DOM_FC4_UUID "\n\
-OS Type: linux\n\
-State: running\n\
-CPU(s): 1\n\
-Max memory: 261072 KiB\n\
-Used memory: 131072 KiB\n\
-Persistent: yes\n\
-Autostart: disable\n\
-Managed save: no\n\
-Security model: testSecurity\n\
-Security DOI: \n\
-Security label: " SECURITY_LABEL "\n\
-Messages: " FC4_MESSAGES "\n\
+Id: 2\n\
+Name: fc4\n\
+UUID: " DOM_FC4_UUID "\n\
+OS Type: linux\n\
+State: running\n\
+CPU(s): 1\n\
+Max memory: 261072 KiB\n\
+Used memory: 131072 KiB\n\
+Persistent: yes\n\
+Autostart: disable\n\
+Managed save: no\n\
+Security model: testSecurity\n\
+Security DOI: \n\
+Security labels: " SECURITY_LABEL "\n\
+Messages: " FC4_MESSAGES "\n\
\n";
static const char *domuuid_fc4 = DOM_FC4_UUID "\n\n";
static const char *domid_fc4 = "2\n\n";
static const char *domname_fc4 = "fc4\n\n";
static const char *domstate_fc4 = "running\n\n";
static const char *dominfo_fc5 = "\
-Id: 3\n\
-Name: fc5\n\
-UUID: " DOM_FC5_UUID "\n\
-OS Type: linux\n\
-State: running\n\
-CPU(s): 4\n\
-Max memory: 2097152 KiB\n\
-Used memory: 2097152 KiB\n\
-Persistent: yes\n\
-Autostart: disable\n\
-Managed save: no\n\
-Security model: testSecurity\n\
-Security DOI: \n\
-Security label: " SECURITY_LABEL "\n\
-Messages: " FC5_MESSAGES "\n\
+Id: 3\n\
+Name: fc5\n\
+UUID: " DOM_FC5_UUID "\n\
+OS Type: linux\n\
+State: running\n\
+CPU(s): 4\n\
+Max memory: 2097152 KiB\n\
+Used memory: 2097152 KiB\n\
+Persistent: yes\n\
+Autostart: disable\n\
+Managed save: no\n\
+Security model: testSecurity\n\
+Security DOI: \n\
+Security labels: " SECURITY_LABEL "\n\
+Messages: " FC5_MESSAGES "\n\
\n";
static const char *get_blkio_parameters = "\
diff --git a/tools/virsh-domain-monitor.c b/tools/virsh-domain-monitor.c
index 1bb3bed1cb..5ddf48cb06 100644
--- a/tools/virsh-domain-monitor.c
+++ b/tools/virsh-domain-monitor.c
@@ -1233,39 +1233,39 @@ cmdDominfo(vshControl *ctl, const vshCmd *cmd)
id = virDomainGetID(dom);
if (id == ((unsigned int)-1))
- vshPrint(ctl, "%-15s %s\n", _("Id:"), "-");
+ vshPrint(ctl, "%-16s %s\n", _("Id:"), "-");
else
- vshPrint(ctl, "%-15s %d\n", _("Id:"), id);
- vshPrint(ctl, "%-15s %s\n", _("Name:"), virDomainGetName(dom));
+ vshPrint(ctl, "%-16s %d\n", _("Id:"), id);
+ vshPrint(ctl, "%-16s %s\n", _("Name:"), virDomainGetName(dom));
if (virDomainGetUUIDString(dom, &uuid[0]) == 0)
- vshPrint(ctl, "%-15s %s\n", _("UUID:"), uuid);
+ vshPrint(ctl, "%-16s %s\n", _("UUID:"), uuid);
if ((ostype = virDomainGetOSType(dom)))
- vshPrint(ctl, "%-15s %s\n", _("OS Type:"), ostype);
+ vshPrint(ctl, "%-16s %s\n", _("OS Type:"), ostype);
if (virDomainGetInfo(dom, &info) == 0) {
- vshPrint(ctl, "%-15s %s\n", _("State:"),
+ vshPrint(ctl, "%-16s %s\n", _("State:"),
virshDomainStateToString(info.state));
- vshPrint(ctl, "%-15s %d\n", _("CPU(s):"), info.nrVirtCpu);
+ vshPrint(ctl, "%-16s %d\n", _("CPU(s):"), info.nrVirtCpu);
if (info.cpuTime != 0) {
double cpuUsed = info.cpuTime;
cpuUsed /= 1000000000.0;
- vshPrint(ctl, "%-15s %.1lfs\n", _("CPU time:"),
cpuUsed);
+ vshPrint(ctl, "%-16s %.1lfs\n", _("CPU time:"),
cpuUsed);
}
if (info.maxMem != UINT_MAX)
- vshPrint(ctl, "%-15s %lu KiB\n", _("Max memory:"),
+ vshPrint(ctl, "%-16s %lu KiB\n", _("Max memory:"),
info.maxMem);
else
- vshPrint(ctl, "%-15s %s\n", _("Max memory:"),
+ vshPrint(ctl, "%-16s %s\n", _("Max memory:"),
_("no limit"));
- vshPrint(ctl, "%-15s %lu KiB\n", _("Used memory:"),
+ vshPrint(ctl, "%-16s %lu KiB\n", _("Used memory:"),
info.memory);
} else {
@@ -1277,21 +1277,21 @@ cmdDominfo(vshControl *ctl, const vshCmd *cmd)
vshDebug(ctl, VSH_ERR_DEBUG, "Domain persistent flag value: %d\n",
persistent);
if (persistent < 0)
- vshPrint(ctl, "%-15s %s\n", _("Persistent:"),
_("unknown"));
+ vshPrint(ctl, "%-16s %s\n", _("Persistent:"),
_("unknown"));
else
- vshPrint(ctl, "%-15s %s\n", _("Persistent:"), persistent ?
_("yes") : _("no"));
+ vshPrint(ctl, "%-16s %s\n", _("Persistent:"), persistent ?
_("yes") : _("no"));
/* Check and display whether the domain autostarts or not */
if (!virDomainGetAutostart(dom, &autostart)) {
- vshPrint(ctl, "%-15s %s\n", _("Autostart:"),
+ vshPrint(ctl, "%-16s %s\n", _("Autostart:"),
autostart ? _("enable") : _("disable"));
}
has_managed_save = virDomainHasManagedSaveImage(dom, 0);
if (has_managed_save < 0)
- vshPrint(ctl, "%-15s %s\n", _("Managed save:"),
_("unknown"));
+ vshPrint(ctl, "%-16s %s\n", _("Managed save:"),
_("unknown"));
else
- vshPrint(ctl, "%-15s %s\n", _("Managed save:"),
+ vshPrint(ctl, "%-16s %s\n", _("Managed save:"),
has_managed_save ? _("yes") : _("no"));
/* Security model and label information */
@@ -1305,8 +1305,8 @@ cmdDominfo(vshControl *ctl, const vshCmd *cmd)
} else {
/* Only print something if a security model is active */
if (secmodel.model[0] != '\0') {
- vshPrint(ctl, "%-15s %s\n", _("Security model:"),
secmodel.model);
- vshPrint(ctl, "%-15s %s\n", _("Security DOI:"),
secmodel.doi);
+ vshPrint(ctl, "%-16s %s\n", _("Security model:"),
secmodel.model);
+ vshPrint(ctl, "%-16s %s\n", _("Security DOI:"),
secmodel.doi);
if (fullseclabels) {
int len;
@@ -1337,7 +1337,7 @@ cmdDominfo(vshControl *ctl, const vshCmd *cmd)
}
if (seclabel->label[0] != '\0')
- vshPrint(ctl, "%-15s %s (%s)\n", _("Security
label:"),
+ vshPrint(ctl, "%-16s %s (%s)\n", _("Security
labels:"),
seclabel->label,
seclabel->enforcing ?
"enforcing" :
@@ -1345,15 +1345,13 @@ cmdDominfo(vshControl *ctl, const vshCmd *cmd)
g_clear_pointer(&seclabel, g_free);
}
-
- VIR_FREE(seclabel);
}
}
if (virDomainGetMessages(dom, &messages, 0) > 0) {
size_t i;
for (i = 0; messages[i] != NULL; i++) {
- vshPrint(ctl, "%-15s %s\n",
+ vshPrint(ctl, "%-16s %s\n",
i == 0 ? _("Messages:") : "", messages[i]);
}
}
--
2.34.1
8:19 a.m.
New subject: [PATCH v2 4/4] tests: Add test for virDomainGetSecurityLabelList
Signed-off-by: Luke Yue <lukedyue(a)gmail.com>
---
tests/virshtest.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/tests/virshtest.c b/tests/virshtest.c
index 012edb8601..fc7caf6bc3 100644
--- a/tests/virshtest.c
+++ b/tests/virshtest.c
@@ -22,7 +22,8 @@ main(void)
# define DOM_FC4_UUID "ef861801-45b9-11cb-88e3-afbfe5370493"
# define DOM_FC5_UUID "08721f99-3d1d-4aec-96eb-97803297bb36"
-# define SECURITY_LABEL "libvirt-test (enforcing)"
+# define SECLABEL_ENFORCING "libvirt-test (enforcing)"
+# define SECLABEL_PERMISSIVE "libvirt-test (permissive)"
# define FC4_MESSAGES "tainted: network configuration using opaque shell
scripts"
# define FC5_MESSAGES "tainted: running with undesirable elevated privileges\n\
tainted: network configuration using opaque shell scripts\n\
@@ -48,7 +49,7 @@ Autostart: disable\n\
Managed save: no\n\
Security model: testSecurity\n\
Security DOI: \n\
-Security labels: " SECURITY_LABEL "\n\
+Security labels: " SECLABEL_ENFORCING "\n\
Messages: " FC4_MESSAGES "\n\
\n";
static const char *domuuid_fc4 = DOM_FC4_UUID "\n\n";
@@ -69,7 +70,8 @@ Autostart: disable\n\
Managed save: no\n\
Security model: testSecurity\n\
Security DOI: \n\
-Security labels: " SECURITY_LABEL "\n\
+Security labels: " SECLABEL_ENFORCING "\n\
+ " SECLABEL_PERMISSIVE "\n\
Messages: " FC5_MESSAGES "\n\
\n";
@@ -238,7 +240,8 @@ static int testCompareDominfoByName(const void *data G_GNUC_UNUSED)
static int testCompareTaintedDominfoByName(const void *data G_GNUC_UNUSED)
{
- const char *const argv[] = { VIRSH_CUSTOM, "dominfo", "fc5", NULL
};
+ const char *const argv[] = { VIRSH_CUSTOM, "dominfo", "fc5",
+ "--full-seclabels", NULL };
const char *exp = dominfo_fc5;
return testCompareOutputLit(exp, "\nCPU time:", argv);
}
--
2.34.1
1085
days inactive
1085
days old
4 comments
1 participants
participants (1)
-
Luke Yue