[libvirt] [PATCH] qemu: Clean up security driver initialisation and config file

Commit d0c0e79ac646462aaa815f81ad324a0d3ef12954 left behind some dead code. (hasDAC can't be effectively set to true, because virSecurityManagerNew fails to load the "dac" driver) Also the configuration file for qemu driver still contains reference to the DAC driver that can't be enabled manually. --- src/qemu/qemu.conf | 4 +++- src/qemu/qemu_driver.c | 16 ++++------------ 2 files changed, 7 insertions(+), 13 deletions(-) diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index fb22b7c..d3175fa 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -162,7 +162,9 @@ # driver at the same time, for this use a list of names separated by # comma and delimited by square brackets. For example: # -# security_driver = [ "selinux", "dac" ] +# security_driver = [ "selinux", "apparmor" ] +# +# Note: The DAC security driver is always enabled. # #security_driver = "selinux" diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 5d9f8c9..482a910 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -251,14 +251,10 @@ qemuSecurityInit(struct qemud_driver *driver) char **names; virSecurityManagerPtr mgr = NULL; virSecurityManagerPtr stack = NULL; - bool hasDAC = false; if (driver->securityDriverNames) { names = driver->securityDriverNames; while (names && *names) { - if (STREQ("dac", *names)) - hasDAC = true; - if (!(mgr = virSecurityManagerNew(*names, QEMU_DRIVER_NAME, driver->allowDiskFormatProbing, @@ -287,7 +283,7 @@ qemuSecurityInit(struct qemud_driver *driver) mgr = NULL; } - if (!hasDAC && driver->privileged) { + if (driver->privileged) { if (!(mgr = virSecurityManagerNewDAC(QEMU_DRIVER_NAME, driver->user, driver->group, 
@@ -296,13 +292,9 @@ qemuSecurityInit(struct qemud_driver *driver) driver->securityRequireConfined, driver->dynamicOwnership))) goto error; - if (!stack) { - if (!(stack = virSecurityManagerNewStack(mgr))) - goto error; - } else { - if (virSecurityManagerStackAddNested(stack, mgr) < 0) - goto error; - } + /* the stack is always initialized here */ + if (virSecurityManagerStackAddNested(stack, mgr) < 0) + goto error; mgr = NULL; } -- 1.7.12
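
Review bot: In the last qemu_driver.c hunk, the unconditional virSecurityManagerStackAddNested(stack, mgr) rests on the comment "the stack is always initialized here", but stack is declared as NULL and the visible code only enters the driver loop under `if (driver->securityDriverNames)` followed by `while (names && *names)`. If securityDriverNames is allocated but its first entry is NULL, the loop body never runs, so nothing shown in this patch guarantees that stack has been set before the DAC manager is nested into it. Either keep the `if (!stack)` fallback that creates the stack with virSecurityManagerNewStack(mgr), or also test securityDriverNames[0] in the earlier condition, and have the comment name the invariant it depends on.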

Commit d0c0e79ac646462aaa815f81ad324a0d3ef12954 left behind some dead code (hasDAC can't be effectively set to true, because virSecurityManagerNew fails to load the "dac" driver). This patch also enhances the condition for adding the default auto-detected security manager if the manager array is allocated but empty. Also the configuration file for qemu driver still contains reference to the DAC driver that can't be enabled manually. --- src/qemu/qemu.conf | 4 +++- src/qemu/qemu_driver.c | 9 +++------ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index fb22b7c..d3175fa 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -162,7 +162,9 @@ # driver at the same time, for this use a list of names separated by # comma and delimited by square brackets. For example: # -# security_driver = [ "selinux", "dac" ] +# security_driver = [ "selinux", "apparmor" ] +# +# Note: The DAC security driver is always enabled. # #security_driver = "selinux" diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 5d9f8c9..7c0a5c3 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -251,14 +251,11 @@ qemuSecurityInit(struct qemud_driver *driver) char **names; virSecurityManagerPtr mgr = NULL; virSecurityManagerPtr stack = NULL; - bool hasDAC = false; - if (driver->securityDriverNames) { + if (driver->securityDriverNames && + driver->securityDriverNames[0]) { names = driver->securityDriverNames; while (names && *names) { - if (STREQ("dac", *names)) - hasDAC = true; - if (!(mgr = virSecurityManagerNew(*names, QEMU_DRIVER_NAME, driver->allowDiskFormatProbing, @@ -287,7 +284,7 @@ qemuSecurityInit(struct qemud_driver *driver) mgr = NULL; } - if (!hasDAC && driver->privileged) { + if (driver->privileged) { if (!(mgr = virSecurityManagerNewDAC(QEMU_DRIVER_NAME, driver->user, driver->group, -- 1.7.12
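
Review bot: The new qemu.conf comment "The DAC security driver is always enabled" is broader than the code in the last qemu_driver.c hunk, which creates the DAC manager only under `if (driver->privileged)`. Suggest wording the note to match, for example that the DAC driver is always enabled for the privileged driver and cannot be named in security_driver. A short code comment next to the new `driver->securityDriverNames[0]` test, saying that an allocated but empty list is treated like no list, would also help the next reader.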

On Thu, Aug 30, 2012 at 02:13:01PM +0200, Peter Krempa wrote:
Commit d0c0e79ac646462aaa815f81ad324a0d3ef12954 left behind some dead code (hasDAC can't be effectively set to true, because virSecurityManagerNew fails to load the "dac" driver).
This patch also enhances the condition for adding the default auto-detected security manager if the manager array is allocated but empty.
Also the configuration file for qemu driver still contains reference to the DAC driver that can't be enabled manually. --- src/qemu/qemu.conf | 4 +++- src/qemu/qemu_driver.c | 9 +++------ 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index fb22b7c..d3175fa 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -162,7 +162,9 @@ # driver at the same time, for this use a list of names separated by # comma and delimited by square brackets. For example: # -# security_driver = [ "selinux", "dac" ] +# security_driver = [ "selinux", "apparmor" ] +# +# Note: The DAC security driver is always enabled. # #security_driver = "selinux"
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 5d9f8c9..7c0a5c3 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -251,14 +251,11 @@ qemuSecurityInit(struct qemud_driver *driver) char **names; virSecurityManagerPtr mgr = NULL; virSecurityManagerPtr stack = NULL; - bool hasDAC = false;
- if (driver->securityDriverNames) { + if (driver->securityDriverNames && + driver->securityDriverNames[0]) { names = driver->securityDriverNames; while (names && *names) { - if (STREQ("dac", *names)) - hasDAC = true; - if (!(mgr = virSecurityManagerNew(*names, QEMU_DRIVER_NAME, driver->allowDiskFormatProbing, @@ -287,7 +284,7 @@ qemuSecurityInit(struct qemud_driver *driver) mgr = NULL; }
- if (!hasDAC && driver->privileged) { + if (driver->privileged) { if (!(mgr = virSecurityManagerNewDAC(QEMU_DRIVER_NAME, driver->user, driver->group,
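
Review bot: In the first qemu_driver.c hunk, the `names &&` part of `while (names && *names)` can never be false now that the outer condition requires both driver->securityDriverNames and driver->securityDriverNames[0] to be non-NULL before names is assigned. Since this is a cleanup patch, the loop condition could be reduced to `while (*names)` in the same change.
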
ACK :-) thanks ! Daniel -- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/

On 08/30/12 14:25, Daniel Veillard wrote:
On Thu, Aug 30, 2012 at 02:13:01PM +0200, Peter Krempa wrote:
Commit d0c0e79ac646462aaa815f81ad324a0d3ef12954 left behind some dead code (hasDAC can't be effectively set to true, because virSecurityManagerNew fails to load the "dac" driver).
This patch also enhances the condition for adding the default auto-detected security manager if the manager array is allocated but empty.
Also the configuration file for qemu driver still contains reference to the DAC driver that can't be enabled manually. --- src/qemu/qemu.conf | 4 +++- src/qemu/qemu_driver.c | 9 +++------ 2 files changed, 6 insertions(+), 7 deletions(-)
ACK :-)
thanks !
Hopefully it's right now. Pushed. Thanks, Peter
Daniel
participants (2): Daniel Veillard, Peter Krempa