[libvirt] [PATCH] Ensure QEMU DAC security driver is activated at all times
If the primary security driver (SELinux/AppArmour) was disabled then the secondary QEMU DAC security driver was also disabled. This is mistaken, because the latter must be active at all times * src/qemu/qemu_driver.c: Ensure DAC driver is always active --- src/qemu/qemu_driver.c | 22 ++++++++++++---------- 1 files changed, 12 insertions(+), 10 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 16e9b56..a9313e7 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -897,26 +897,28 @@ qemudSecurityInit(struct qemud_driver *qemud_drv) int ret; virSecurityDriverPtr security_drv; + qemuSecurityStackedSetDriver(qemud_drv); + qemuSecurityDACSetDriver(qemud_drv); + ret = virSecurityDriverStartup(&security_drv, qemud_drv->securityDriverName); if (ret == -1) { VIR_ERROR0(_("Failed to start security driver")); return -1; } - /* No security driver wanted to be enabled: just return */ + + /* No primary security driver wanted to be enabled: just setup + * the DAC driver on its own */ if (ret == -2) { + qemud_drv->securityDriver = &qemuDACSecurityDriver; VIR_INFO0(_("No security driver available")); - return 0; + } else { + qemud_drv->securityPrimaryDriver = security_drv; + qemud_drv->securitySecondaryDriver = &qemuDACSecurityDriver; + qemud_drv->securityDriver = &qemuStackedSecurityDriver; + VIR_INFO("Initialized security driver %s", security_drv->name); } - qemuSecurityStackedSetDriver(qemud_drv); - qemuSecurityDACSetDriver(qemud_drv); - - qemud_drv->securityPrimaryDriver = security_drv; - qemud_drv->securitySecondaryDriver = &qemuDACSecurityDriver; - qemud_drv->securityDriver = &qemuStackedSecurityDriver; - - VIR_INFO("Initialized security driver %s", security_drv->name); return 0; } -- 1.6.6
On Tue, Feb 02, 2010 at 04:20:39PM +0000, Daniel P. Berrange wrote:
If the primary security driver (SELinux/AppArmour) was disabled then the secondary QEMU DAC security driver was also disabled. This is mistaken, because the latter must be active at all times
* src/qemu/qemu_driver.c: Ensure DAC driver is always active --- src/qemu/qemu_driver.c | 22 ++++++++++++---------- 1 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 16e9b56..a9313e7 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -897,26 +897,28 @@ qemudSecurityInit(struct qemud_driver *qemud_drv) int ret; virSecurityDriverPtr security_drv;
+ qemuSecurityStackedSetDriver(qemud_drv); + qemuSecurityDACSetDriver(qemud_drv); + ret = virSecurityDriverStartup(&security_drv, qemud_drv->securityDriverName); if (ret == -1) { VIR_ERROR0(_("Failed to start security driver")); return -1; } - /* No security driver wanted to be enabled: just return */ + + /* No primary security driver wanted to be enabled: just setup + * the DAC driver on its own */ if (ret == -2) { + qemud_drv->securityDriver = &qemuDACSecurityDriver; VIR_INFO0(_("No security driver available")); - return 0; + } else { + qemud_drv->securityPrimaryDriver = security_drv; + qemud_drv->securitySecondaryDriver = &qemuDACSecurityDriver; + qemud_drv->securityDriver = &qemuStackedSecurityDriver; + VIR_INFO("Initialized security driver %s", security_drv->name); }
- qemuSecurityStackedSetDriver(qemud_drv); - qemuSecurityDACSetDriver(qemud_drv); - - qemud_drv->securityPrimaryDriver = security_drv; - qemud_drv->securitySecondaryDriver = &qemuDACSecurityDriver; - qemud_drv->securityDriver = &qemuStackedSecurityDriver; - - VIR_INFO("Initialized security driver %s", security_drv->name); return 0; }
Okay, understood, ACK, Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
participants (2)
-
Daniel P. Berrange -
Daniel Veillard