6:47 p.m.
In a system that uses dynamic_ownership=0 and NFS disks, the _only_
path in the virDomainDestroy path where libvirt itself performs a
syscall on the NFS file system was on attempting to relabel a disk
back to its default label. If an NFS server hosting a domain's
disk image hangs, then this renders libvirtd stuck in an lstat()
call, with the driver lock held, effectively blocking out _all_
other attempts to connect to libvirtd for any remaining domains not
tied to the hung NFS server. (Verification that the SELinux relabel
was the only point where libvirtd, rather than not qemu, could hang,
was done by Red Hat VDSM folks in https://bugzilla.redhat.com/746666;
with a hack to avoid the relabel, the destroy no longer hangs.)
But without bleeding edge NFS servers, you can't put a SELinux
label on the file in the first place; libvirt was happily ignoring
the failure to change the label on domain start (thanks to the
selinux virt_use_nfs bool), only to hang on the stuck server on
domain destroy that it would have again ignored had the server not
been stuck. If we allow the users to modify the XML to mark that
a file does not need to be labeled in the first place, then we can
avoid both attempts to label at startup and relabel at destroy, thus
preventing libvirtd from getting stuck on a virDomainDestroy()
called on a guest whose NFS server went down.
This patch series is based on an earlier attempt (the hack which
got tested in the above-mentioned bz 746666), incorporating feedback
from Dan Berrange suggesting that the ability for the user to
override labeling on a per-disk basis is smarter than marking
ignored failure to label in internal XML used only by libvirtd:
v1: https://www.redhat.com/archives/libvir-list/2011-December/msg00246.html
I'm still working on patch 6/6 (actually hooking up the security
manager to honor the relabel='no' request), and hope to post that
tomorrow as part of this thread; that's really the only patch that
resembles anything from v1 (the first 5 patches are basically brand
new to this series), but I'm posting the first 5 patches now to get
review started and make sure the proposed XML makes sense.
I envision that this can be further expanded (sticking <seclabel>
elements on more XML items that get labeled in the host), but for
now I focused just on disk devices, as those are the most likely
to reside over NFS.
Ultimately, this patch series is only a bandaid; the underlying
problem (making a syscall that can block indefinitely on a hung
NFS server while holding the driver lock) is still present, and
triggered if you have dynamic_ownership=1 (where we also attempt
a chown of the disk image, regardless of the SELinux labels).
Later down the road, I also plan to work on Dan's proposal to
break the driver lock into smaller, more manageable sections, so
we can get back to our documented goal of never blocking while
holding lock, but instead using the job condition variables to
detect when a single domain is stuck on a blocked call:
https://www.redhat.com/archives/libvir-list/2011-November/msg00267.html
Eric Blake (5):
schema: rewrite seclabel rng to match code
seclabel: refactor existing domain_conf usage
seclabel: move seclabel stuff earlier
seclabel: extend XML to allow per-disk label overrides
seclabel: allow a seclabel override on a disk src
docs/formatdomain.html.in | 29 ++-
docs/schemas/domaincommon.rng | 115 +++++--
src/conf/domain_conf.c | 414 ++++++++++++--------
src/conf/domain_conf.h | 39 +-
.../qemuxml2argv-seclabel-dynamic-baselabel.args | 4 +
.../qemuxml2argv-seclabel-dynamic-baselabel.xml | 28 ++
.../qemuxml2argv-seclabel-dynamic-override.args | 5 +
.../qemuxml2argv-seclabel-dynamic-override.xml | 40 ++
.../qemuxml2argv-seclabel-dynamic.args | 4 +
.../qemuxml2argv-seclabel-dynamic.xml | 26 ++
.../qemuxml2argv-seclabel-static-relabel.args | 4 +
.../qemuxml2argv-seclabel-static-relabel.xml | 29 ++
.../qemuxml2argv-seclabel-static.args | 4 +
.../qemuxml2argv-seclabel-static.xml | 28 ++
tests/qemuxml2argvtest.c | 6 +
tests/qemuxml2xmltest.c | 4 +
16 files changed, 575 insertions(+), 204 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
--
1.7.7.4
6:47 p.m.
New subject: [libvirt] [PATCHv2 1/6] schema: rewrite seclabel rng to match code
The RNG for <seclabel> was too strict - if it was present, then it
had to have sub-elements, even if those didn't make sense for the
given attributes. Also, we didn't have any tests of <seclabel>
parsing or XML output.
In this patch, I added more parsing tests than output tests (since
the output populates and/or reorders fields not present in certain
inputs). Making the RNG reliable is a precursor to using <seclabel>
variants in more places in the XML in later patches.
See also:
http://berrange.com/posts/2011/09/29/two-small-improvements-to-svirt-gues...
* docs/schemas/domaincommon.rng (seclabel): Tighten rules.
* tests/qemuxml2argvtest.c (mymain): New tests.
* tests/qemuxml2xmltest.c (mymain): Likewise.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-*.*: New files.
---
docs/schemas/domaincommon.rng | 88 ++++++++++++++------
.../qemuxml2argv-seclabel-dynamic-baselabel.args | 4 +
.../qemuxml2argv-seclabel-dynamic-baselabel.xml | 28 ++++++
.../qemuxml2argv-seclabel-dynamic.args | 4 +
.../qemuxml2argv-seclabel-dynamic.xml | 26 ++++++
.../qemuxml2argv-seclabel-static-relabel.args | 4 +
.../qemuxml2argv-seclabel-static-relabel.xml | 29 +++++++
.../qemuxml2argv-seclabel-static.args | 4 +
.../qemuxml2argv-seclabel-static.xml | 28 ++++++
tests/qemuxml2argvtest.c | 5 +
tests/qemuxml2xmltest.c | 3 +
11 files changed, 199 insertions(+), 24 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 553a6f0..dd76f91 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -50,30 +50,70 @@
</define>
<define name="seclabel">
<element name="seclabel">
- <attribute name="model">
- <text/>
- </attribute>
- <attribute name="type">
- <choice>
- <value>dynamic</value>
- <value>static</value>
- </choice>
- </attribute>
- <attribute name="relabel">
- <choice>
- <value>yes</value>
- <value>no</value>
- </choice>
- </attribute>
- <element name="label">
- <text/>
- </element>
- <element name="imagelabel">
- <text/>
- </element>
- <element name="baselabel">
- <text/>
- </element>
+ <optional>
+ <attribute name='model'>
+ <text/>
+ </attribute>
+ </optional>
+ <choice>
+ <group>
+ <!-- with dynamic label (default), relabel must be yes, baselabel
+ is optional, and label and imagelabel are output-only -->
+ <optional>
+ <attribute name='type'>
+ <value>dynamic</value>
+ </attribute>
+ </optional>
+ <optional>
+ <attribute name='relabel'>
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <interleave>
+ <optional>
+ <element name='label'>
+ <text/>
+ </element>
+ </optional>
+ <optional>
+ <element name='imagelabel'>
+ <text/>
+ </element>
+ </optional>
+ <optional>
+ <element name='baselabel'>
+ <text/>
+ </element>
+ </optional>
+ </interleave>
+ </group>
+ <group>
+ <!-- with static label, relabel can be either format (default
+ no), label is required, imagelabel is output-only, and no
+ baselabel is present -->
+ <attribute name='type'>
+ <value>static</value>
+ </attribute>
+ <optional>
+ <attribute name='relabel'>
+ <choice>
+ <value>yes</value>
+ <value>no</value>
+ </choice>
+ </attribute>
+ </optional>
+ <interleave>
+ <element name='label'>
+ <text/>
+ </element>
+ <optional>
+ <element name='imagelabel'>
+ <text/>
+ </element>
+ </optional>
+ </interleave>
+ </group>
+ </choice>
</element>
</define>
<define name="hvs">
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
new file mode 100644
index 0000000..fea0eb7
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory>219100</memory>
+ <currentMemory>219100</currentMemory>
+ <vcpu cpuset='1-4,8-20,525'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0'
unit='0'/>
+ </disk>
+ <controller type='ide' index='0'/>
+ <memballoon model='virtio'/>
+ </devices>
+ <seclabel type='dynamic' model='selinux' relabel='yes'>
+ <baselabel>system_u:system_r:svirt_custom_t:s0</baselabel>
+ </seclabel>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
new file mode 100644
index 0000000..096c766
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
@@ -0,0 +1,26 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory>219100</memory>
+ <currentMemory>219100</currentMemory>
+ <vcpu cpuset='1-4,8-20,525'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0'
unit='0'/>
+ </disk>
+ <controller type='ide' index='0'/>
+ <memballoon model='virtio'/>
+ </devices>
+ <seclabel type='dynamic' relabel='yes'/>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
new file mode 100644
index 0000000..3b2ad04
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
@@ -0,0 +1,29 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory>219100</memory>
+ <currentMemory>219100</currentMemory>
+ <vcpu cpuset='1-4,8-20,525'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0'
unit='0'/>
+ </disk>
+ <controller type='ide' index='0'/>
+ <memballoon model='virtio'/>
+ </devices>
+ <seclabel type='static' model='selinux' relabel='yes'>
+ <label>system_u:system_r:svirt_custom_t:s0:c192,c392</label>
+ <imagelabel>system_u:system_r:svirt_custom_t:s0:c192,c392</imagelabel>
+ </seclabel>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
new file mode 100644
index 0000000..416bd86
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory>219100</memory>
+ <currentMemory>219100</currentMemory>
+ <vcpu cpuset='1-4,8-20,525'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest1'/>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0'
unit='0'/>
+ </disk>
+ <controller type='ide' index='0'/>
+ <memballoon model='virtio'/>
+ </devices>
+ <seclabel type='static' model='selinux' relabel='no'>
+ <label>system_u:system_r:svirt_custom_t:s0:c192,c392</label>
+ </seclabel>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index e1221eb..18e8941 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -660,6 +660,11 @@ mymain(void)
QEMU_CAPS_CHARDEV, QEMU_CAPS_MONITOR_JSON, QEMU_CAPS_NODEFCONFIG,
QEMU_CAPS_NO_SHUTDOWN);
+ DO_TEST("seclabel-dynamic", false, QEMU_CAPS_NAME);
+ DO_TEST("seclabel-dynamic-baselabel", false, QEMU_CAPS_NAME);
+ DO_TEST("seclabel-static", false, QEMU_CAPS_NAME);
+ DO_TEST("seclabel-static-relabel", false, QEMU_CAPS_NAME);
+
free(driver.stateDir);
virCapabilitiesFree(driver.caps);
free(map);
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 35bfdce..e4b99c4 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -194,6 +194,9 @@ mymain(void)
DO_TEST("usb-redir");
DO_TEST("blkdeviotune");
+ DO_TEST("seclabel-dynamic-baselabel");
+ DO_TEST("seclabel-static");
+
/* These tests generate different XML */
DO_TEST_DIFFERENT("balloon-device-auto");
DO_TEST_DIFFERENT("channel-virtio-auto");
--
1.7.7.4
7:48 a.m.
New subject: [libvirt] [PATCHv2 1/6] schema: rewrite seclabel rng to match code
On 2011年12月23日 08:47, Eric Blake wrote:
The RNG for<seclabel> was too strict - if it was present, then
it
had to have sub-elements, even if those didn't make sense for the
given attributes. Also, we didn't have any tests of<seclabel>
parsing or XML output.
In this patch, I added more parsing tests than output tests (since
the output populates and/or reorders fields not present in certain
inputs). Making the RNG reliable is a precursor to using<seclabel>
variants in more places in the XML in later patches.
See also:
http://berrange.com/posts/2011/09/29/two-small-improvements-to-svirt-gues...
* docs/schemas/domaincommon.rng (seclabel): Tighten rules.
* tests/qemuxml2argvtest.c (mymain): New tests.
* tests/qemuxml2xmltest.c (mymain): Likewise.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-*.*: New files.
---
docs/schemas/domaincommon.rng | 88 ++++++++++++++------
.../qemuxml2argv-seclabel-dynamic-baselabel.args | 4 +
.../qemuxml2argv-seclabel-dynamic-baselabel.xml | 28 ++++++
.../qemuxml2argv-seclabel-dynamic.args | 4 +
.../qemuxml2argv-seclabel-dynamic.xml | 26 ++++++
.../qemuxml2argv-seclabel-static-relabel.args | 4 +
.../qemuxml2argv-seclabel-static-relabel.xml | 29 +++++++
.../qemuxml2argv-seclabel-static.args | 4 +
.../qemuxml2argv-seclabel-static.xml | 28 ++++++
tests/qemuxml2argvtest.c | 5 +
tests/qemuxml2xmltest.c | 3 +
11 files changed, 199 insertions(+), 24 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 553a6f0..dd76f91 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -50,30 +50,70 @@
</define>
<define name="seclabel">
<element name="seclabel">
-<attribute name="model">
-<text/>
-</attribute>
-<attribute name="type">
-<choice>
-<value>dynamic</value>
-<value>static</value>
-</choice>
-</attribute>
-<attribute name="relabel">
-<choice>
-<value>yes</value>
-<value>no</value>
-</choice>
-</attribute>
-<element name="label">
-<text/>
-</element>
-<element name="imagelabel">
-<text/>
-</element>
-<element name="baselabel">
-<text/>
-</element>
+<optional>
+<attribute name='model'>
+<text/>
+</attribute>
+</optional>
+<choice>
+<group>
+<!-- with dynamic label (default), relabel must be yes, baselabel
+ is optional, and label and imagelabel are output-only -->
+<optional>
+<attribute name='type'>
+<value>dynamic</value>
+</attribute>
+</optional>
+<optional>
+<attribute name='relabel'>
+<value>yes</value>
+</attribute>
+</optional>
+<interleave>
+<optional>
+<element name='label'>
+<text/>
+</element>
+</optional>
+<optional>
+<element name='imagelabel'>
+<text/>
+</element>
+</optional>
+<optional>
+<element name='baselabel'>
+<text/>
+</element>
+</optional>
+</interleave>
+</group>
+<group>
+<!-- with static label, relabel can be either format (default
+ no), label is required, imagelabel is output-only, and no
+ baselabel is present -->
+<attribute name='type'>
+<value>static</value>
+</attribute>
+<optional>
+<attribute name='relabel'>
+<choice>
+<value>yes</value>
+<value>no</value>
+</choice>
+</attribute>
+</optional>
+<interleave>
+<element name='label'>
+<text/>
+</element>
+<optional>
+<element name='imagelabel'>
+<text/>
+</element>
+</optional>
+</interleave>
+</group>
+</choice>
</element>
</define>
<define name="hvs">
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
new file mode 100644
index 0000000..fea0eb7
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-baselabel.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+<name>QEMUGuest1</name>
+<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+<memory>219100</memory>
+<currentMemory>219100</currentMemory>
+<vcpu cpuset='1-4,8-20,525'>1</vcpu>
+<os>
+<type arch='i686' machine='pc'>hvm</type>
+<boot dev='hd'/>
+</os>
+<clock offset='utc'/>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<devices>
+<emulator>/usr/bin/qemu</emulator>
+<disk type='block' device='disk'>
+<source dev='/dev/HostVG/QEMUGuest1'/>
+<target dev='hda' bus='ide'/>
+<address type='drive' controller='0' bus='0'
unit='0'/>
+</disk>
+<controller type='ide' index='0'/>
+<memballoon model='virtio'/>
+</devices>
+<seclabel type='dynamic' model='selinux' relabel='yes'>
+<baselabel>system_u:system_r:svirt_custom_t:s0</baselabel>
+</seclabel>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
new file mode 100644
index 0000000..096c766
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic.xml
@@ -0,0 +1,26 @@
+<domain type='qemu'>
+<name>QEMUGuest1</name>
+<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+<memory>219100</memory>
+<currentMemory>219100</currentMemory>
+<vcpu cpuset='1-4,8-20,525'>1</vcpu>
+<os>
+<type arch='i686' machine='pc'>hvm</type>
+<boot dev='hd'/>
+</os>
+<clock offset='utc'/>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<devices>
+<emulator>/usr/bin/qemu</emulator>
+<disk type='block' device='disk'>
+<source dev='/dev/HostVG/QEMUGuest1'/>
+<target dev='hda' bus='ide'/>
+<address type='drive' controller='0' bus='0'
unit='0'/>
+</disk>
+<controller type='ide' index='0'/>
+<memballoon model='virtio'/>
+</devices>
+<seclabel type='dynamic' relabel='yes'/>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
new file mode 100644
index 0000000..3b2ad04
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static-relabel.xml
@@ -0,0 +1,29 @@
+<domain type='qemu'>
+<name>QEMUGuest1</name>
+<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+<memory>219100</memory>
+<currentMemory>219100</currentMemory>
+<vcpu cpuset='1-4,8-20,525'>1</vcpu>
+<os>
+<type arch='i686' machine='pc'>hvm</type>
+<boot dev='hd'/>
+</os>
+<clock offset='utc'/>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<devices>
+<emulator>/usr/bin/qemu</emulator>
+<disk type='block' device='disk'>
+<source dev='/dev/HostVG/QEMUGuest1'/>
+<target dev='hda' bus='ide'/>
+<address type='drive' controller='0' bus='0'
unit='0'/>
+</disk>
+<controller type='ide' index='0'/>
+<memballoon model='virtio'/>
+</devices>
+<seclabel type='static' model='selinux' relabel='yes'>
+<label>system_u:system_r:svirt_custom_t:s0:c192,c392</label>
+<imagelabel>system_u:system_r:svirt_custom_t:s0:c192,c392</imagelabel>
+</seclabel>
+</domain>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
new file mode 100644
index 0000000..651793d
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.args
@@ -0,0 +1,4 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
new file mode 100644
index 0000000..416bd86
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-static.xml
@@ -0,0 +1,28 @@
+<domain type='qemu'>
+<name>QEMUGuest1</name>
+<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+<memory>219100</memory>
+<currentMemory>219100</currentMemory>
+<vcpu cpuset='1-4,8-20,525'>1</vcpu>
+<os>
+<type arch='i686' machine='pc'>hvm</type>
+<boot dev='hd'/>
+</os>
+<clock offset='utc'/>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<devices>
+<emulator>/usr/bin/qemu</emulator>
+<disk type='block' device='disk'>
+<source dev='/dev/HostVG/QEMUGuest1'/>
+<target dev='hda' bus='ide'/>
+<address type='drive' controller='0' bus='0'
unit='0'/>
+</disk>
+<controller type='ide' index='0'/>
+<memballoon model='virtio'/>
+</devices>
+<seclabel type='static' model='selinux' relabel='no'>
+<label>system_u:system_r:svirt_custom_t:s0:c192,c392</label>
+</seclabel>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index e1221eb..18e8941 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -660,6 +660,11 @@ mymain(void)
QEMU_CAPS_CHARDEV, QEMU_CAPS_MONITOR_JSON, QEMU_CAPS_NODEFCONFIG,
QEMU_CAPS_NO_SHUTDOWN);
+ DO_TEST("seclabel-dynamic", false, QEMU_CAPS_NAME);
+ DO_TEST("seclabel-dynamic-baselabel", false, QEMU_CAPS_NAME);
+ DO_TEST("seclabel-static", false, QEMU_CAPS_NAME);
+ DO_TEST("seclabel-static-relabel", false, QEMU_CAPS_NAME);
+
free(driver.stateDir);
virCapabilitiesFree(driver.caps);
free(map);
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 35bfdce..e4b99c4 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -194,6 +194,9 @@ mymain(void)
DO_TEST("usb-redir");
DO_TEST("blkdeviotune");
+ DO_TEST("seclabel-dynamic-baselabel");
+ DO_TEST("seclabel-static");
+
/* These tests generate different XML */
DO_TEST_DIFFERENT("balloon-device-auto");
DO_TEST_DIFFERENT("channel-virtio-auto");
ACK.
6:47 p.m.
New subject: [libvirt] [PATCHv2 2/6] seclabel: refactor existing domain_conf usage
A future patch will parse and output <seclabel> in more than one
location in a <domain> xml; make it easier to reuse code.
* src/conf/domain_conf.c (virSecurityLabelDefFree): Rename...
(virSecurityLabelDefClear): ...and make static.
(virSecurityLabelDefParseXML): Alter signature.
(virDomainDefParseXML, virDomainDefFree): Adjust callers.
(virDomainDefFormatInternal): Split output...
(virSecurityLabelDefFormat): ...into new helper.
---
src/conf/domain_conf.c | 118 ++++++++++++++++++++++++++---------------------
1 files changed, 65 insertions(+), 53 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 2897b4a..2379c81 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1326,14 +1326,13 @@ void virDomainDeviceDefFree(virDomainDeviceDefPtr def)
VIR_FREE(def);
}
-void virSecurityLabelDefFree(virDomainDefPtr def);
-
-void virSecurityLabelDefFree(virDomainDefPtr def)
+static void
+virSecurityLabelDefClear(virSecurityLabelDefPtr def)
{
- VIR_FREE(def->seclabel.model);
- VIR_FREE(def->seclabel.label);
- VIR_FREE(def->seclabel.imagelabel);
- VIR_FREE(def->seclabel.baselabel);
+ VIR_FREE(def->model);
+ VIR_FREE(def->label);
+ VIR_FREE(def->imagelabel);
+ VIR_FREE(def->baselabel);
}
static void
@@ -1467,7 +1466,7 @@ void virDomainDefFree(virDomainDefPtr def)
virDomainMemballoonDefFree(def->memballoon);
- virSecurityLabelDefFree(def);
+ virSecurityLabelDefClear(&def->seclabel);
virCPUDefFree(def->cpu);
@@ -6212,7 +6211,7 @@ static int virDomainLifecycleParseXML(xmlXPathContextPtr ctxt,
}
static int
-virSecurityLabelDefParseXML(const virDomainDefPtr def,
+virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
xmlXPathContextPtr ctxt,
unsigned int flags)
{
@@ -6228,9 +6227,9 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
"%s", _("missing security type"));
goto error;
}
- def->seclabel.type = virDomainSeclabelTypeFromString(p);
+ def->type = virDomainSeclabelTypeFromString(p);
VIR_FREE(p);
- if (def->seclabel.type < 0) {
+ if (def->type < 0) {
virDomainReportError(VIR_ERR_XML_ERROR,
"%s", _("invalid security type"));
goto error;
@@ -6239,9 +6238,9 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
if (p != NULL) {
if (STREQ(p, "yes")) {
- def->seclabel.norelabel = false;
+ def->norelabel = false;
} else if (STREQ(p, "no")) {
- def->seclabel.norelabel = true;
+ def->norelabel = true;
} else {
virDomainReportError(VIR_ERR_XML_ERROR,
_("invalid security relabel value %s"), p);
@@ -6249,23 +6248,23 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
goto error;
}
VIR_FREE(p);
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
- def->seclabel.norelabel) {
+ if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+ def->norelabel) {
virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED,
"%s", _("dynamic label type must use
resource relabeling"));
goto error;
}
} else {
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
- def->seclabel.norelabel = true;
+ if (def->type == VIR_DOMAIN_SECLABEL_STATIC)
+ def->norelabel = true;
else
- def->seclabel.norelabel = false;
+ def->norelabel = false;
}
/* Only parse label, if using static labels, or
* if the 'live' VM XML is requested
*/
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC ||
+ if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
!(flags & VIR_DOMAIN_XML_INACTIVE)) {
p = virXPathStringLimit("string(./seclabel/label[1])",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
@@ -6275,11 +6274,11 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
goto error;
}
- def->seclabel.label = p;
+ def->label = p;
}
/* Only parse imagelabel, if requested live XML with relabeling */
- if (!def->seclabel.norelabel &&
+ if (!def->norelabel &&
!(flags & VIR_DOMAIN_XML_INACTIVE)) {
p = virXPathStringLimit("string(./seclabel/imagelabel[1])",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
@@ -6288,22 +6287,22 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
"%s", _("security imagelabel is
missing"));
goto error;
}
- def->seclabel.imagelabel = p;
+ def->imagelabel = p;
}
/* Only parse baselabel, for dynamic label */
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
+ if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
p = virXPathStringLimit("string(./seclabel/baselabel[1])",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
if (p != NULL)
- def->seclabel.baselabel = p;
+ def->baselabel = p;
}
/* Only parse model, if static labelling, or a base
* label is set, or doing active XML
*/
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC ||
- def->seclabel.baselabel ||
+ if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
+ def->baselabel ||
!(flags & VIR_DOMAIN_XML_INACTIVE)) {
p = virXPathStringLimit("string(./seclabel/@model)",
VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
@@ -6312,13 +6311,13 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
"%s", _("missing security model"));
goto error;
}
- def->seclabel.model = p;
+ def->model = p;
}
return 0;
error:
- virSecurityLabelDefFree(def);
+ virSecurityLabelDefClear(def);
return -1;
}
@@ -7939,7 +7938,7 @@ static virDomainDefPtr virDomainDefParseXML(virCapsPtr caps,
VIR_FREE(nodes);
/* analysis of security label */
- if (virSecurityLabelDefParseXML(def, ctxt, flags) == -1)
+ if (virSecurityLabelDefParseXML(&def->seclabel, ctxt, flags) == -1)
goto error;
if ((node = virXPathNode("./cpu[1]", ctxt)) != NULL) {
@@ -9739,6 +9738,40 @@ virDomainLifecycleDefFormat(virBufferPtr buf,
static int
+virSecurityLabelDefFormat(virBufferPtr buf, virSecurityLabelDefPtr def,
+ unsigned int flags)
+{
+ const char *sectype = virDomainSeclabelTypeToString(def->type);
+ int ret = -1;
+
+ if (!sectype)
+ goto cleanup;
+
+ if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+ !def->baselabel &&
+ (flags & VIR_DOMAIN_XML_INACTIVE)) {
+ /* This is the default for inactive xml, so nothing to output. */
+ } else {
+ virBufferAsprintf(buf, "<seclabel type='%s' model='%s'
relabel='%s'>\n",
+ sectype, def->model,
+ def->norelabel ? "no" : "yes");
+ virBufferEscapeString(buf, " <label>%s</label>\n",
+ def->label);
+ if (!def->norelabel)
+ virBufferEscapeString(buf, "
<imagelabel>%s</imagelabel>\n",
+ def->imagelabel);
+ if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
+ virBufferEscapeString(buf, "
<baselabel>%s</baselabel>\n",
+ def->baselabel);
+ virBufferAddLit(buf, "</seclabel>\n");
+ }
+ ret = 0;
+cleanup:
+ return ret;
+}
+
+
+static int
virDomainLeaseDefFormat(virBufferPtr buf,
virDomainLeaseDefPtr def)
{
@@ -11679,31 +11712,10 @@ virDomainDefFormatInternal(virDomainDefPtr def,
virBufferAddLit(buf, " </devices>\n");
if (def->seclabel.model) {
- const char *sectype = virDomainSeclabelTypeToString(def->seclabel.type);
- if (!sectype)
+ virBufferAdjustIndent(buf, 2);
+ if (virSecurityLabelDefFormat(buf, &def->seclabel, flags) < 0)
goto cleanup;
-
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
- !def->seclabel.baselabel &&
- (flags & VIR_DOMAIN_XML_INACTIVE)) {
- /* This is the default for inactive xml, so nothing to output. */
- } else {
- virBufferAsprintf(buf, " <seclabel type='%s'
model='%s' "
- "relabel='%s'>\n",
- sectype, def->seclabel.model,
- def->seclabel.norelabel ? "no" :
"yes");
- virBufferEscapeString(buf, " <label>%s</label>\n",
- def->seclabel.label);
- if (!def->seclabel.norelabel)
- virBufferEscapeString(buf,
- "
<imagelabel>%s</imagelabel>\n",
- def->seclabel.imagelabel);
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
- virBufferEscapeString(buf,
- "
<baselabel>%s</baselabel>\n",
- def->seclabel.baselabel);
- virBufferAddLit(buf, " </seclabel>\n");
- }
+ virBufferAdjustIndent(buf, -2);
}
if (def->namespaceData && def->ns.format) {
--
1.7.7.4
9:52 a.m.
New subject: [libvirt] [PATCHv2 2/6] seclabel: refactor existing domain_conf usage
On 2011年12月23日 08:47, Eric Blake wrote:
A future patch will parse and output<seclabel> in more than
one
location in a<domain> xml; make it easier to reuse code.
* src/conf/domain_conf.c (virSecurityLabelDefFree): Rename...
(virSecurityLabelDefClear): ...and make static.
(virSecurityLabelDefParseXML): Alter signature.
(virDomainDefParseXML, virDomainDefFree): Adjust callers.
(virDomainDefFormatInternal): Split output...
(virSecurityLabelDefFormat): ...into new helper.
---
src/conf/domain_conf.c | 118 ++++++++++++++++++++++++++---------------------
1 files changed, 65 insertions(+), 53 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 2897b4a..2379c81 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -1326,14 +1326,13 @@ void virDomainDeviceDefFree(virDomainDeviceDefPtr def)
VIR_FREE(def);
}
-void virSecurityLabelDefFree(virDomainDefPtr def);
-
-void virSecurityLabelDefFree(virDomainDefPtr def)
+static void
+virSecurityLabelDefClear(virSecurityLabelDefPtr def)
{
- VIR_FREE(def->seclabel.model);
- VIR_FREE(def->seclabel.label);
- VIR_FREE(def->seclabel.imagelabel);
- VIR_FREE(def->seclabel.baselabel);
+ VIR_FREE(def->model);
+ VIR_FREE(def->label);
+ VIR_FREE(def->imagelabel);
+ VIR_FREE(def->baselabel);
}
static void
@@ -1467,7 +1466,7 @@ void virDomainDefFree(virDomainDefPtr def)
virDomainMemballoonDefFree(def->memballoon);
- virSecurityLabelDefFree(def);
+ virSecurityLabelDefClear(&def->seclabel);
virCPUDefFree(def->cpu);
@@ -6212,7 +6211,7 @@ static int virDomainLifecycleParseXML(xmlXPathContextPtr ctxt,
}
static int
-virSecurityLabelDefParseXML(const virDomainDefPtr def,
+virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
xmlXPathContextPtr ctxt,
unsigned int flags)
{
@@ -6228,9 +6227,9 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
"%s", _("missing security type"));
goto error;
}
- def->seclabel.type = virDomainSeclabelTypeFromString(p);
+ def->type = virDomainSeclabelTypeFromString(p);
VIR_FREE(p);
- if (def->seclabel.type< 0) {
+ if (def->type< 0) {
virDomainReportError(VIR_ERR_XML_ERROR,
"%s", _("invalid security type"));
goto error;
@@ -6239,9 +6238,9 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
if (p != NULL) {
if (STREQ(p, "yes")) {
- def->seclabel.norelabel = false;
+ def->norelabel = false;
} else if (STREQ(p, "no")) {
- def->seclabel.norelabel = true;
+ def->norelabel = true;
} else {
virDomainReportError(VIR_ERR_XML_ERROR,
_("invalid security relabel value %s"), p);
@@ -6249,23 +6248,23 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
goto error;
}
VIR_FREE(p);
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC&&
- def->seclabel.norelabel) {
+ if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC&&
+ def->norelabel) {
virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED,
"%s", _("dynamic label type must use
resource relabeling"));
goto error;
}
} else {
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
- def->seclabel.norelabel = true;
+ if (def->type == VIR_DOMAIN_SECLABEL_STATIC)
+ def->norelabel = true;
else
- def->seclabel.norelabel = false;
+ def->norelabel = false;
}
/* Only parse label, if using static labels, or
* if the 'live' VM XML is requested
*/
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC ||
+ if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
!(flags& VIR_DOMAIN_XML_INACTIVE)) {
p = virXPathStringLimit("string(./seclabel/label[1])",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
@@ -6275,11 +6274,11 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
goto error;
}
- def->seclabel.label = p;
+ def->label = p;
}
/* Only parse imagelabel, if requested live XML with relabeling */
- if (!def->seclabel.norelabel&&
+ if (!def->norelabel&&
!(flags& VIR_DOMAIN_XML_INACTIVE)) {
p = virXPathStringLimit("string(./seclabel/imagelabel[1])",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
@@ -6288,22 +6287,22 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
"%s", _("security imagelabel is
missing"));
goto error;
}
- def->seclabel.imagelabel = p;
+ def->imagelabel = p;
}
/* Only parse baselabel, for dynamic label */
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
+ if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
p = virXPathStringLimit("string(./seclabel/baselabel[1])",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
if (p != NULL)
- def->seclabel.baselabel = p;
+ def->baselabel = p;
}
/* Only parse model, if static labelling, or a base
* label is set, or doing active XML
*/
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC ||
- def->seclabel.baselabel ||
+ if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
+ def->baselabel ||
!(flags& VIR_DOMAIN_XML_INACTIVE)) {
p = virXPathStringLimit("string(./seclabel/@model)",
VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
@@ -6312,13 +6311,13 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
"%s", _("missing security
model"));
goto error;
}
- def->seclabel.model = p;
+ def->model = p;
}
return 0;
error:
- virSecurityLabelDefFree(def);
+ virSecurityLabelDefClear(def);
return -1;
}
@@ -7939,7 +7938,7 @@ static virDomainDefPtr virDomainDefParseXML(virCapsPtr caps,
VIR_FREE(nodes);
/* analysis of security label */
- if (virSecurityLabelDefParseXML(def, ctxt, flags) == -1)
+ if (virSecurityLabelDefParseXML(&def->seclabel, ctxt, flags) == -1)
goto error;
if ((node = virXPathNode("./cpu[1]", ctxt)) != NULL) {
@@ -9739,6 +9738,40 @@ virDomainLifecycleDefFormat(virBufferPtr buf,
static int
+virSecurityLabelDefFormat(virBufferPtr buf, virSecurityLabelDefPtr def,
+ unsigned int flags)
+{
+ const char *sectype = virDomainSeclabelTypeToString(def->type);
+ int ret = -1;
+
+ if (!sectype)
+ goto cleanup;
+
+ if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC&&
+ !def->baselabel&&
+ (flags& VIR_DOMAIN_XML_INACTIVE)) {
+ /* This is the default for inactive xml, so nothing to output. */
+ } else {
+ virBufferAsprintf(buf, "<seclabel type='%s' model='%s'
relabel='%s'>\n",
+ sectype, def->model,
+ def->norelabel ? "no" : "yes");
+ virBufferEscapeString(buf, "<label>%s</label>\n",
+ def->label);
+ if (!def->norelabel)
+ virBufferEscapeString(buf,
"<imagelabel>%s</imagelabel>\n",
+ def->imagelabel);
+ if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
+ virBufferEscapeString(buf,
"<baselabel>%s</baselabel>\n",
+ def->baselabel);
+ virBufferAddLit(buf, "</seclabel>\n");
+ }
+ ret = 0;
+cleanup:
+ return ret;
+}
+
+
+static int
virDomainLeaseDefFormat(virBufferPtr buf,
virDomainLeaseDefPtr def)
{
@@ -11679,31 +11712,10 @@ virDomainDefFormatInternal(virDomainDefPtr def,
virBufferAddLit(buf, "</devices>\n");
if (def->seclabel.model) {
- const char *sectype = virDomainSeclabelTypeToString(def->seclabel.type);
- if (!sectype)
+ virBufferAdjustIndent(buf, 2);
+ if (virSecurityLabelDefFormat(buf,&def->seclabel, flags)< 0)
goto cleanup;
-
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC&&
- !def->seclabel.baselabel&&
- (flags& VIR_DOMAIN_XML_INACTIVE)) {
- /* This is the default for inactive xml, so nothing to output. */
- } else {
- virBufferAsprintf(buf, "<seclabel type='%s'
model='%s' "
- "relabel='%s'>\n",
- sectype, def->seclabel.model,
- def->seclabel.norelabel ? "no" :
"yes");
- virBufferEscapeString(buf, "<label>%s</label>\n",
- def->seclabel.label);
- if (!def->seclabel.norelabel)
- virBufferEscapeString(buf,
-
"<imagelabel>%s</imagelabel>\n",
- def->seclabel.imagelabel);
- if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
- virBufferEscapeString(buf,
-
"<baselabel>%s</baselabel>\n",
- def->seclabel.baselabel);
- virBufferAddLit(buf, "</seclabel>\n");
- }
+ virBufferAdjustIndent(buf, -2);
}
if (def->namespaceData&& def->ns.format) {
ACK.
6:47 p.m.
New subject: [libvirt] [PATCHv2 3/6] seclabel: move seclabel stuff earlier
Pure code motion; no semantic change.
* src/conf/domain_conf.h (virDomainSeclabelType)
(virSecurityLabelDefPtr): Declare earlier.
* src/conf/domain_conf.c (virSecurityLabelDefClear)
(virSecurityLabelDefParseXML): Move earlier.
(virDomainDefParseXML): Move seclabel parsing earlier.
---
src/conf/domain_conf.c | 250 ++++++++++++++++++++++++------------------------
src/conf/domain_conf.h | 38 ++++----
2 files changed, 145 insertions(+), 143 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 2379c81..41db117 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -788,6 +788,15 @@ virDomainGraphicsListenDefClear(virDomainGraphicsListenDefPtr def)
return;
}
+static void
+virSecurityLabelDefClear(virSecurityLabelDefPtr def)
+{
+ VIR_FREE(def->model);
+ VIR_FREE(def->label);
+ VIR_FREE(def->imagelabel);
+ VIR_FREE(def->baselabel);
+}
+
void virDomainGraphicsDefFree(virDomainGraphicsDefPtr def)
{
int ii;
@@ -1327,15 +1336,6 @@ void virDomainDeviceDefFree(virDomainDeviceDefPtr def)
}
static void
-virSecurityLabelDefClear(virSecurityLabelDefPtr def)
-{
- VIR_FREE(def->model);
- VIR_FREE(def->label);
- VIR_FREE(def->imagelabel);
- VIR_FREE(def->baselabel);
-}
-
-static void
virDomainClockDefClear(virDomainClockDefPtr def)
{
if (def->offset == VIR_DOMAIN_CLOCK_OFFSET_TIMEZONE)
@@ -2517,6 +2517,117 @@ virDomainDiskDefAssignAddress(virCapsPtr caps, virDomainDiskDefPtr
def)
return 0;
}
+static int
+virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
+ xmlXPathContextPtr ctxt,
+ unsigned int flags)
+{
+ char *p;
+
+ if (virXPathNode("./seclabel", ctxt) == NULL)
+ return 0;
+
+ p = virXPathStringLimit("string(./seclabel/@type)",
+ VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
+ if (p == NULL) {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ "%s", _("missing security type"));
+ goto error;
+ }
+ def->type = virDomainSeclabelTypeFromString(p);
+ VIR_FREE(p);
+ if (def->type < 0) {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ "%s", _("invalid security type"));
+ goto error;
+ }
+ p = virXPathStringLimit("string(./seclabel/@relabel)",
+ VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
+ if (p != NULL) {
+ if (STREQ(p, "yes")) {
+ def->norelabel = false;
+ } else if (STREQ(p, "no")) {
+ def->norelabel = true;
+ } else {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ _("invalid security relabel value %s"), p);
+ VIR_FREE(p);
+ goto error;
+ }
+ VIR_FREE(p);
+ if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+ def->norelabel) {
+ virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ "%s", _("dynamic label type must use
resource relabeling"));
+ goto error;
+ }
+ } else {
+ if (def->type == VIR_DOMAIN_SECLABEL_STATIC)
+ def->norelabel = true;
+ else
+ def->norelabel = false;
+ }
+
+ /* Only parse label, if using static labels, or
+ * if the 'live' VM XML is requested
+ */
+ if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
+ !(flags & VIR_DOMAIN_XML_INACTIVE)) {
+ p = virXPathStringLimit("string(./seclabel/label[1])",
+ VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
+ if (p == NULL) {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ "%s", _("security label is
missing"));
+ goto error;
+ }
+
+ def->label = p;
+ }
+
+ /* Only parse imagelabel, if requested live XML with relabeling */
+ if (!def->norelabel &&
+ !(flags & VIR_DOMAIN_XML_INACTIVE)) {
+ p = virXPathStringLimit("string(./seclabel/imagelabel[1])",
+ VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
+ if (p == NULL) {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ "%s", _("security imagelabel is
missing"));
+ goto error;
+ }
+ def->imagelabel = p;
+ }
+
+ /* Only parse baselabel, for dynamic label */
+ if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
+ p = virXPathStringLimit("string(./seclabel/baselabel[1])",
+ VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
+ if (p != NULL)
+ def->baselabel = p;
+ }
+
+ /* Only parse model, if static labelling, or a base
+ * label is set, or doing active XML
+ */
+ if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
+ def->baselabel ||
+ !(flags & VIR_DOMAIN_XML_INACTIVE)) {
+ p = virXPathStringLimit("string(./seclabel/@model)",
+ VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
+ if (p == NULL) {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ "%s", _("missing security model"));
+ goto error;
+ }
+ def->model = p;
+ }
+
+ return 0;
+
+error:
+ virSecurityLabelDefClear(def);
+ return -1;
+}
+
/* Parse the XML definition for a lease
*/
static virDomainLeaseDefPtr
@@ -6210,117 +6321,6 @@ static int virDomainLifecycleParseXML(xmlXPathContextPtr ctxt,
return 0;
}
-static int
-virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
- xmlXPathContextPtr ctxt,
- unsigned int flags)
-{
- char *p;
-
- if (virXPathNode("./seclabel", ctxt) == NULL)
- return 0;
-
- p = virXPathStringLimit("string(./seclabel/@type)",
- VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
- if (p == NULL) {
- virDomainReportError(VIR_ERR_XML_ERROR,
- "%s", _("missing security type"));
- goto error;
- }
- def->type = virDomainSeclabelTypeFromString(p);
- VIR_FREE(p);
- if (def->type < 0) {
- virDomainReportError(VIR_ERR_XML_ERROR,
- "%s", _("invalid security type"));
- goto error;
- }
- p = virXPathStringLimit("string(./seclabel/@relabel)",
- VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
- if (p != NULL) {
- if (STREQ(p, "yes")) {
- def->norelabel = false;
- } else if (STREQ(p, "no")) {
- def->norelabel = true;
- } else {
- virDomainReportError(VIR_ERR_XML_ERROR,
- _("invalid security relabel value %s"), p);
- VIR_FREE(p);
- goto error;
- }
- VIR_FREE(p);
- if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
- def->norelabel) {
- virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED,
- "%s", _("dynamic label type must use
resource relabeling"));
- goto error;
- }
- } else {
- if (def->type == VIR_DOMAIN_SECLABEL_STATIC)
- def->norelabel = true;
- else
- def->norelabel = false;
- }
-
- /* Only parse label, if using static labels, or
- * if the 'live' VM XML is requested
- */
- if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
- !(flags & VIR_DOMAIN_XML_INACTIVE)) {
- p = virXPathStringLimit("string(./seclabel/label[1])",
- VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
- if (p == NULL) {
- virDomainReportError(VIR_ERR_XML_ERROR,
- "%s", _("security label is
missing"));
- goto error;
- }
-
- def->label = p;
- }
-
- /* Only parse imagelabel, if requested live XML with relabeling */
- if (!def->norelabel &&
- !(flags & VIR_DOMAIN_XML_INACTIVE)) {
- p = virXPathStringLimit("string(./seclabel/imagelabel[1])",
- VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
- if (p == NULL) {
- virDomainReportError(VIR_ERR_XML_ERROR,
- "%s", _("security imagelabel is
missing"));
- goto error;
- }
- def->imagelabel = p;
- }
-
- /* Only parse baselabel, for dynamic label */
- if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
- p = virXPathStringLimit("string(./seclabel/baselabel[1])",
- VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
- if (p != NULL)
- def->baselabel = p;
- }
-
- /* Only parse model, if static labelling, or a base
- * label is set, or doing active XML
- */
- if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
- def->baselabel ||
- !(flags & VIR_DOMAIN_XML_INACTIVE)) {
- p = virXPathStringLimit("string(./seclabel/@model)",
- VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
- if (p == NULL) {
- virDomainReportError(VIR_ERR_XML_ERROR,
- "%s", _("missing security model"));
- goto error;
- }
- def->model = p;
- }
-
- return 0;
-
-error:
- virSecurityLabelDefClear(def);
- return -1;
-}
-
virDomainDeviceDefPtr virDomainDeviceDefParse(virCapsPtr caps,
const virDomainDefPtr def,
const char *xmlStr,
@@ -7030,6 +7030,11 @@ static virDomainDefPtr virDomainDefParseXML(virCapsPtr caps,
/* Extract documentation if present */
def->description = virXPathString("string(./description[1])", ctxt);
+ /* analysis of security label, done early even though we format it
+ * late, so devices can refer to this for defaults */
+ if (virSecurityLabelDefParseXML(&def->seclabel, ctxt, flags) == -1)
+ goto error;
+
/* Extract domain memory */
if (virXPathULong("string(./memory[1])", ctxt,
&def->mem.max_balloon) < 0) {
@@ -7937,10 +7942,7 @@ static virDomainDefPtr virDomainDefParseXML(virCapsPtr caps,
}
VIR_FREE(nodes);
- /* analysis of security label */
- if (virSecurityLabelDefParseXML(&def->seclabel, ctxt, flags) == -1)
- goto error;
-
+ /* analysis of cpu handling */
if ((node = virXPathNode("./cpu[1]", ctxt)) != NULL) {
xmlNodePtr oldnode = ctxt->node;
ctxt->node = node;
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 1f6e442..7c5946f 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -161,6 +161,25 @@ struct _virDomainDeviceInfo {
} master;
};
+enum virDomainSeclabelType {
+ VIR_DOMAIN_SECLABEL_DYNAMIC,
+ VIR_DOMAIN_SECLABEL_STATIC,
+
+ VIR_DOMAIN_SECLABEL_LAST,
+};
+
+/* Security configuration for domain */
+typedef struct _virSecurityLabelDef virSecurityLabelDef;
+typedef virSecurityLabelDef *virSecurityLabelDefPtr;
+struct _virSecurityLabelDef {
+ char *model; /* name of security model */
+ char *label; /* security label string */
+ char *imagelabel; /* security image label string */
+ char *baselabel; /* base name of label string */
+ int type; /* virDomainSeclabelType */
+ bool norelabel;
+};
+
typedef struct _virDomainHostdevOrigStates virDomainHostdevOrigStates;
typedef virDomainHostdevOrigStates *virDomainHostdevOrigStatesPtr;
struct _virDomainHostdevOrigStates {
@@ -1238,25 +1257,6 @@ struct _virDomainOSDef {
virDomainBIOSDef bios;
};
-enum virDomainSeclabelType {
- VIR_DOMAIN_SECLABEL_DYNAMIC,
- VIR_DOMAIN_SECLABEL_STATIC,
-
- VIR_DOMAIN_SECLABEL_LAST,
-};
-
-/* Security configuration for domain */
-typedef struct _virSecurityLabelDef virSecurityLabelDef;
-typedef virSecurityLabelDef *virSecurityLabelDefPtr;
-struct _virSecurityLabelDef {
- char *model; /* name of security model */
- char *label; /* security label string */
- char *imagelabel; /* security image label string */
- char *baselabel; /* base name of label string */
- int type; /* virDomainSeclabelType */
- bool norelabel;
-};
-
enum virDomainTimerNameType {
VIR_DOMAIN_TIMER_NAME_PLATFORM = 0,
VIR_DOMAIN_TIMER_NAME_PIT,
--
1.7.7.4
9:52 a.m.
New subject: [libvirt] [PATCHv2 3/6] seclabel: move seclabel stuff earlier
On 2011年12月23日 08:47, Eric Blake wrote:
Pure code motion; no semantic change.
* src/conf/domain_conf.h (virDomainSeclabelType)
(virSecurityLabelDefPtr): Declare earlier.
* src/conf/domain_conf.c (virSecurityLabelDefClear)
(virSecurityLabelDefParseXML): Move earlier.
(virDomainDefParseXML): Move seclabel parsing earlier.
---
src/conf/domain_conf.c | 250 ++++++++++++++++++++++++------------------------
src/conf/domain_conf.h | 38 ++++----
2 files changed, 145 insertions(+), 143 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 2379c81..41db117 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -788,6 +788,15 @@ virDomainGraphicsListenDefClear(virDomainGraphicsListenDefPtr def)
return;
}
+static void
+virSecurityLabelDefClear(virSecurityLabelDefPtr def)
+{
+ VIR_FREE(def->model);
+ VIR_FREE(def->label);
+ VIR_FREE(def->imagelabel);
+ VIR_FREE(def->baselabel);
+}
+
void virDomainGraphicsDefFree(virDomainGraphicsDefPtr def)
{
int ii;
@@ -1327,15 +1336,6 @@ void virDomainDeviceDefFree(virDomainDeviceDefPtr def)
}
static void
-virSecurityLabelDefClear(virSecurityLabelDefPtr def)
-{
- VIR_FREE(def->model);
- VIR_FREE(def->label);
- VIR_FREE(def->imagelabel);
- VIR_FREE(def->baselabel);
-}
-
-static void
virDomainClockDefClear(virDomainClockDefPtr def)
{
if (def->offset == VIR_DOMAIN_CLOCK_OFFSET_TIMEZONE)
@@ -2517,6 +2517,117 @@ virDomainDiskDefAssignAddress(virCapsPtr caps,
virDomainDiskDefPtr def)
return 0;
}
+static int
+virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
+ xmlXPathContextPtr ctxt,
+ unsigned int flags)
+{
+ char *p;
+
+ if (virXPathNode("./seclabel", ctxt) == NULL)
+ return 0;
+
+ p = virXPathStringLimit("string(./seclabel/@type)",
+ VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
+ if (p == NULL) {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ "%s", _("missing security type"));
+ goto error;
+ }
+ def->type = virDomainSeclabelTypeFromString(p);
+ VIR_FREE(p);
+ if (def->type< 0) {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ "%s", _("invalid security type"));
+ goto error;
+ }
+ p = virXPathStringLimit("string(./seclabel/@relabel)",
+ VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
+ if (p != NULL) {
+ if (STREQ(p, "yes")) {
+ def->norelabel = false;
+ } else if (STREQ(p, "no")) {
+ def->norelabel = true;
+ } else {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ _("invalid security relabel value %s"), p);
+ VIR_FREE(p);
+ goto error;
+ }
+ VIR_FREE(p);
+ if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC&&
+ def->norelabel) {
+ virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ "%s", _("dynamic label type must use
resource relabeling"));
+ goto error;
+ }
+ } else {
+ if (def->type == VIR_DOMAIN_SECLABEL_STATIC)
+ def->norelabel = true;
+ else
+ def->norelabel = false;
+ }
+
+ /* Only parse label, if using static labels, or
+ * if the 'live' VM XML is requested
+ */
+ if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
+ !(flags& VIR_DOMAIN_XML_INACTIVE)) {
+ p = virXPathStringLimit("string(./seclabel/label[1])",
+ VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
+ if (p == NULL) {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ "%s", _("security label is
missing"));
+ goto error;
+ }
+
+ def->label = p;
+ }
+
+ /* Only parse imagelabel, if requested live XML with relabeling */
+ if (!def->norelabel&&
+ !(flags& VIR_DOMAIN_XML_INACTIVE)) {
+ p = virXPathStringLimit("string(./seclabel/imagelabel[1])",
+ VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
+ if (p == NULL) {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ "%s", _("security imagelabel is
missing"));
+ goto error;
+ }
+ def->imagelabel = p;
+ }
+
+ /* Only parse baselabel, for dynamic label */
+ if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
+ p = virXPathStringLimit("string(./seclabel/baselabel[1])",
+ VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
+ if (p != NULL)
+ def->baselabel = p;
+ }
+
+ /* Only parse model, if static labelling, or a base
+ * label is set, or doing active XML
+ */
+ if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
+ def->baselabel ||
+ !(flags& VIR_DOMAIN_XML_INACTIVE)) {
+ p = virXPathStringLimit("string(./seclabel/@model)",
+ VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
+ if (p == NULL) {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ "%s", _("missing security
model"));
+ goto error;
+ }
+ def->model = p;
+ }
+
+ return 0;
+
+error:
+ virSecurityLabelDefClear(def);
+ return -1;
+}
+
/* Parse the XML definition for a lease
*/
static virDomainLeaseDefPtr
@@ -6210,117 +6321,6 @@ static int virDomainLifecycleParseXML(xmlXPathContextPtr ctxt,
return 0;
}
-static int
-virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
- xmlXPathContextPtr ctxt,
- unsigned int flags)
-{
- char *p;
-
- if (virXPathNode("./seclabel", ctxt) == NULL)
- return 0;
-
- p = virXPathStringLimit("string(./seclabel/@type)",
- VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
- if (p == NULL) {
- virDomainReportError(VIR_ERR_XML_ERROR,
- "%s", _("missing security type"));
- goto error;
- }
- def->type = virDomainSeclabelTypeFromString(p);
- VIR_FREE(p);
- if (def->type< 0) {
- virDomainReportError(VIR_ERR_XML_ERROR,
- "%s", _("invalid security type"));
- goto error;
- }
- p = virXPathStringLimit("string(./seclabel/@relabel)",
- VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
- if (p != NULL) {
- if (STREQ(p, "yes")) {
- def->norelabel = false;
- } else if (STREQ(p, "no")) {
- def->norelabel = true;
- } else {
- virDomainReportError(VIR_ERR_XML_ERROR,
- _("invalid security relabel value %s"), p);
- VIR_FREE(p);
- goto error;
- }
- VIR_FREE(p);
- if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC&&
- def->norelabel) {
- virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED,
- "%s", _("dynamic label type must use
resource relabeling"));
- goto error;
- }
- } else {
- if (def->type == VIR_DOMAIN_SECLABEL_STATIC)
- def->norelabel = true;
- else
- def->norelabel = false;
- }
-
- /* Only parse label, if using static labels, or
- * if the 'live' VM XML is requested
- */
- if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
- !(flags& VIR_DOMAIN_XML_INACTIVE)) {
- p = virXPathStringLimit("string(./seclabel/label[1])",
- VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
- if (p == NULL) {
- virDomainReportError(VIR_ERR_XML_ERROR,
- "%s", _("security label is
missing"));
- goto error;
- }
-
- def->label = p;
- }
-
- /* Only parse imagelabel, if requested live XML with relabeling */
- if (!def->norelabel&&
- !(flags& VIR_DOMAIN_XML_INACTIVE)) {
- p = virXPathStringLimit("string(./seclabel/imagelabel[1])",
- VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
- if (p == NULL) {
- virDomainReportError(VIR_ERR_XML_ERROR,
- "%s", _("security imagelabel is
missing"));
- goto error;
- }
- def->imagelabel = p;
- }
-
- /* Only parse baselabel, for dynamic label */
- if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
- p = virXPathStringLimit("string(./seclabel/baselabel[1])",
- VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
- if (p != NULL)
- def->baselabel = p;
- }
-
- /* Only parse model, if static labelling, or a base
- * label is set, or doing active XML
- */
- if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
- def->baselabel ||
- !(flags& VIR_DOMAIN_XML_INACTIVE)) {
- p = virXPathStringLimit("string(./seclabel/@model)",
- VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
- if (p == NULL) {
- virDomainReportError(VIR_ERR_XML_ERROR,
- "%s", _("missing security
model"));
- goto error;
- }
- def->model = p;
- }
-
- return 0;
-
-error:
- virSecurityLabelDefClear(def);
- return -1;
-}
-
virDomainDeviceDefPtr virDomainDeviceDefParse(virCapsPtr caps,
const virDomainDefPtr def,
const char *xmlStr,
@@ -7030,6 +7030,11 @@ static virDomainDefPtr virDomainDefParseXML(virCapsPtr caps,
/* Extract documentation if present */
def->description = virXPathString("string(./description[1])", ctxt);
+ /* analysis of security label, done early even though we format it
+ * late, so devices can refer to this for defaults */
+ if (virSecurityLabelDefParseXML(&def->seclabel, ctxt, flags) == -1)
+ goto error;
+
/* Extract domain memory */
if (virXPathULong("string(./memory[1])", ctxt,
&def->mem.max_balloon)< 0) {
@@ -7937,10 +7942,7 @@ static virDomainDefPtr virDomainDefParseXML(virCapsPtr caps,
}
VIR_FREE(nodes);
- /* analysis of security label */
- if (virSecurityLabelDefParseXML(&def->seclabel, ctxt, flags) == -1)
- goto error;
-
+ /* analysis of cpu handling */
if ((node = virXPathNode("./cpu[1]", ctxt)) != NULL) {
xmlNodePtr oldnode = ctxt->node;
ctxt->node = node;
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 1f6e442..7c5946f 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -161,6 +161,25 @@ struct _virDomainDeviceInfo {
} master;
};
+enum virDomainSeclabelType {
+ VIR_DOMAIN_SECLABEL_DYNAMIC,
+ VIR_DOMAIN_SECLABEL_STATIC,
+
+ VIR_DOMAIN_SECLABEL_LAST,
+};
+
+/* Security configuration for domain */
+typedef struct _virSecurityLabelDef virSecurityLabelDef;
+typedef virSecurityLabelDef *virSecurityLabelDefPtr;
+struct _virSecurityLabelDef {
+ char *model; /* name of security model */
+ char *label; /* security label string */
+ char *imagelabel; /* security image label string */
+ char *baselabel; /* base name of label string */
+ int type; /* virDomainSeclabelType */
+ bool norelabel;
+};
+
typedef struct _virDomainHostdevOrigStates virDomainHostdevOrigStates;
typedef virDomainHostdevOrigStates *virDomainHostdevOrigStatesPtr;
struct _virDomainHostdevOrigStates {
@@ -1238,25 +1257,6 @@ struct _virDomainOSDef {
virDomainBIOSDef bios;
};
-enum virDomainSeclabelType {
- VIR_DOMAIN_SECLABEL_DYNAMIC,
- VIR_DOMAIN_SECLABEL_STATIC,
-
- VIR_DOMAIN_SECLABEL_LAST,
-};
-
-/* Security configuration for domain */
-typedef struct _virSecurityLabelDef virSecurityLabelDef;
-typedef virSecurityLabelDef *virSecurityLabelDefPtr;
-struct _virSecurityLabelDef {
- char *model; /* name of security model */
- char *label; /* security label string */
- char *imagelabel; /* security image label string */
- char *baselabel; /* base name of label string */
- int type; /* virDomainSeclabelType */
- bool norelabel;
-};
-
enum virDomainTimerNameType {
VIR_DOMAIN_TIMER_NAME_PLATFORM = 0,
VIR_DOMAIN_TIMER_NAME_PIT,
ACK.
6:47 p.m.
New subject: [libvirt] [PATCHv2 4/6] seclabel: extend XML to allow per-disk label overrides
When doing security relabeling, there are cases where a per-file
override might be appropriate. For example, with a static label
and relabeling, it might be appropriate to skip relabeling on a
particular disk, where the backing file lives on NFS that lacks
the ability to track labeling. Or with dynamic labeling, it might
be appropriate to use a custom (non-dynamic) label for a disk
specifically intended to be shared across domains.
The new XML resembles the top-level <seclabel>, but with fewer
options (basically relabel='no', or <label>text</label>):
<domain ...>
...
<devices>
<disk type='file' device='disk'>
<source file='/path/to/image1'>
<seclabel relabel='no'/> <!-- override for just this disk -->
</source>
...
</disk>
<disk type='file' device='disk'>
<source file='/path/to/image1'>
<seclabel relabel='yes'> <!-- override for just this disk -->
<label>system_u:object_r:shared_content_t:s0</label>
</seclabel>
</source>
...
</disk>
...
</devices>
<seclabel type='dynamic' model='selinux'>
<baselabel>text</baselabel> <!-- used for all devices without override
-->
</seclabel>
</domain>
This patch only introduces the XML and documentation; future patches
will actually parse and make use of it. The intent is that we can
further extend things as needed, adding a per-device <seclabel> in
more places (such as the source of a console device), and possibly
allowing a <baselabel> instead of <label> for labeling where we want
to reuse the cNNN,cNNN pair of a dynamically labeled domain but a
different base label.
First suggested by Daniel P. Berrange here:
https://www.redhat.com/archives/libvir-list/2011-December/msg00258.html
* docs/schemas/domaincommon.rng (devSeclabel): New define.
(disk): Use it.
* docs/formatdomain.html.in (elementsDisks, seclabel): Document
the new XML.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml:
New test, to validate RNG.
---
docs/formatdomain.html.in | 29 ++++++++++++--
docs/schemas/domaincommon.rng | 29 +++++++++++++-
.../qemuxml2argv-seclabel-dynamic-override.xml | 40 ++++++++++++++++++++
3 files changed, 91 insertions(+), 7 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 06181b1..d468299 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -947,7 +947,9 @@
<devices>
<disk type='file' snapshot='external'>
<driver name="tap" type="aio"
cache="default"/>
- <source file='/var/lib/xen/images/fv0'/
startupPolicy='optional'/>
+ <source file='/var/lib/xen/images/fv0'/
startupPolicy='optional'>
+ <seclabel relabel='no'/>
+ </source>
<target dev='hda' bus='ide'/>
<iotune>
<total_bytes_sec>10000000</total_bytes_sec>
@@ -1023,7 +1025,11 @@
path to the file holding the disk. If the disk
<code>type</code> is "block", then the
<code>dev</code>
attribute specifies the path to the host device to serve as
- the disk. If the disk <code>type</code> is "dir", then the
+ the disk. With both "file" and "block", an optional
+ sub-element <code>seclabel</code>, <a
href="#seclabel">described
+ below</a> (and <span class="since">since
0.9.9</span>), can be
+ used to override the domain security labeling policy for just
+ that source file. If the disk <code>type</code> is "dir",
then the
<code>dir</code> attribute specifies the fully-qualified path
to the directory to use as the disk. If the disk <code>type</code>
is "network", then the <code>protocol</code> attribute
specifies
@@ -1031,7 +1037,7 @@
are "nbd", "rbd", and "sheepdog". If the
<code>protocol</code>
attribute is "rbd" or "sheepdog", an additional
attribute <code>name</code> is mandatory to specify which
- image to be used. When the disk <code>type</code> is
+ image will be used. When the disk <code>type</code> is
"network", the <code>source</code> may have zero or
more <code>host</code> sub-elements used to specify the hosts
to connect.
@@ -3372,11 +3378,11 @@ qemu-kvm -net nic,model=? /dev/null
With static label assignment, by default, the administrator
or application must ensure labels are set correctly on any
resources, however, automatic relabeling can be enabled
- if desired
+ if desired.
</p>
<p>
- Valid input XML configurations for the security label
+ Valid input XML configurations for the top-level security label
are:
</p>
@@ -3435,6 +3441,19 @@ qemu-kvm -net nic,model=? /dev/null
</dd>
</dl>
+ <p>When relabeling is in effect, it is also possible to fine-tune
+ the labeling done for specific source file names, by either
+ disabling the labeling (useful if the file lives on NFS or other
+ file system that lacks security labeling) or requesting an
+ alternate label (useful when a management application creates a
+ special label to allow sharing of some, but not all, resources
+ between domains), <span class="since">since 0.9.9</span>.
When
+ a <code>seclabel</code> element is attached to a specific path
+ rather than the top-level domain assignment, only the
+ attribute <code>relabel</code> or the
+ sub-element <code>label</code> are supported.
+ </p>
+
<h2><a name="examples">Example configs</a></h2>
<p>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index dd76f91..7a8f7f4 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -116,6 +116,27 @@
</choice>
</element>
</define>
+ <define name="devSeclabel">
+ <element name="seclabel">
+ <!-- A per-device seclabel override is more limited, either
+ relabel=no or a <label> must be present. -->
+ <choice>
+ <attribute name='relabel'>
+ <value>no</value>
+ </attribute>
+ <group>
+ <optional>
+ <attribute name='relabel'>
+ <value>yes</value>
+ </attribute>
+ </optional>
+ <element name='label'>
+ <text/>
+ </element>
+ </group>
+ </choice>
+ </element>
+ </define>
<define name="hvs">
<attribute name="type">
<choice>
@@ -795,7 +816,9 @@
<optional>
<ref name="startupPolicy"/>
</optional>
- <empty/>
+ <optional>
+ <ref name='devSeclabel'/>
+ </optional>
</element>
</optional>
<ref name="diskspec"/>
@@ -811,7 +834,9 @@
<attribute name="dev">
<ref name="absFilePath"/>
</attribute>
- <empty/>
+ <optional>
+ <ref name='devSeclabel'/>
+ </optional>
</element>
</optional>
<ref name="diskspec"/>
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml
new file mode 100644
index 0000000..19b1cbb
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.xml
@@ -0,0 +1,40 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory>219100</memory>
+ <currentMemory>219100</currentMemory>
+ <vcpu cpuset='1-4,8-20,525'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest1'>
+ <seclabel relabel='no'/>
+ </source>
+ <target dev='hda' bus='ide'/>
+ <address type='drive' controller='0' bus='0'
unit='0'/>
+ </disk>
+ <disk type='block' device='disk'>
+ <source dev='/dev/HostVG/QEMUGuest2'>
+ <seclabel relabel='yes'>
+ <label>system_u:system_r:public_content_t:s0</label>
+ </seclabel>
+ </source>
+ <target dev='hdb' bus='ide'/>
+ <readonly/>
+ <address type='drive' controller='0' bus='0'
unit='0'/>
+ </disk>
+ <controller type='ide' index='0'/>
+ <memballoon model='virtio'/>
+ </devices>
+ <seclabel type='dynamic' model='selinux' relabel='yes'>
+ <baselabel>system_u:system_r:svirt_custom_t:s0</baselabel>
+ </seclabel>
+</domain>
--
1.7.7.4
6:47 p.m.
New subject: [libvirt] [PATCHv2 5/6] seclabel: allow a seclabel override on a disk src
Implement the parsing and formatting of the XML addition of
the previous commit. The new XML doesn't affect qemu command
line, so we can now test round-trip XML->memory->XML handling.
I chose to reuse the existing structure, even though per-device
override doesn't use all of those fields, rather than create a
new structure, in order to reuse more code.
* src/conf/domain_conf.h (_virDomainDiskDef): Add seclabel member.
* src/conf/domain_conf.c (virDomainDiskDefFree): Free it.
(virSecurityLabelDefFree): New function.
(virDomainDiskDefFormat): Print it.
(virSecurityLabelDefFormat): Reduce output if model not present.
(virDomainDiskDefParseXML): Alter signature, and parse seclabel.
(virSecurityLabelDefParseXML): Split...
(virSecurityLabelDefParseXMLHelper): ...into new helper.
(virDomainDeviceDefParse, virDomainDefParseXML): Update callers.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.args:
New file.
* tests/qemuxml2xmltest.c (mymain): Enhance test.
* tests/qemuxml2argvtest.c (mymain): Likewise.
---
src/conf/domain_conf.c | 178 +++++++++++++++-----
src/conf/domain_conf.h | 1 +
.../qemuxml2argv-seclabel-dynamic-override.args | 5 +
tests/qemuxml2argvtest.c | 1 +
tests/qemuxml2xmltest.c | 1 +
5 files changed, 142 insertions(+), 44 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.args
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 41db117..dcead7f 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -797,6 +797,15 @@ virSecurityLabelDefClear(virSecurityLabelDefPtr def)
VIR_FREE(def->baselabel);
}
+static void
+virSecurityLabelDefFree(virSecurityLabelDefPtr def)
+{
+ if (!def)
+ return;
+ virSecurityLabelDefClear(def);
+ VIR_FREE(def);
+}
+
void virDomainGraphicsDefFree(virDomainGraphicsDefPtr def)
{
int ii;
@@ -866,6 +875,7 @@ void virDomainDiskDefFree(virDomainDiskDefPtr def)
VIR_FREE(def->serial);
VIR_FREE(def->src);
+ virSecurityLabelDefFree(def->seclabel);
VIR_FREE(def->dst);
VIR_FREE(def->driverName);
VIR_FREE(def->driverType);
@@ -2517,31 +2527,32 @@ virDomainDiskDefAssignAddress(virCapsPtr caps, virDomainDiskDefPtr
def)
return 0;
}
+/* Parse the portion of a SecurityLabel that is common to both the
+ * top-level <seclabel> and to a per-device override.
+ * default_seclabel is NULL for top-level, or points to the top-level
+ * when parsing an override. */
static int
-virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
- xmlXPathContextPtr ctxt,
- unsigned int flags)
+virSecurityLabelDefParseXMLHelper(virSecurityLabelDefPtr def,
+ xmlNodePtr node,
+ xmlXPathContextPtr ctxt,
+ virSecurityLabelDefPtr default_seclabel,
+ unsigned int flags)
{
char *p;
+ xmlNodePtr save_ctxt = ctxt->node;
+ int ret = -1;
- if (virXPathNode("./seclabel", ctxt) == NULL)
- return 0;
+ ctxt->node = node;
- p = virXPathStringLimit("string(./seclabel/@type)",
- VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
- if (p == NULL) {
- virDomainReportError(VIR_ERR_XML_ERROR,
- "%s", _("missing security type"));
- goto error;
- }
- def->type = virDomainSeclabelTypeFromString(p);
- VIR_FREE(p);
- if (def->type < 0) {
- virDomainReportError(VIR_ERR_XML_ERROR,
- "%s", _("invalid security type"));
- goto error;
+ /* Can't use overrides if top-level doesn't allow relabeling. */
+ if (default_seclabel && default_seclabel->norelabel) {
+ virDomainReportError(VIR_ERR_XML_ERROR, "%s",
+ _("label overrides require relabeling to be "
+ "enabled at the domain level"));
+ goto cleanup;
}
- p = virXPathStringLimit("string(./seclabel/@relabel)",
+
+ p = virXPathStringLimit("string(./@relabel)",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
if (p != NULL) {
if (STREQ(p, "yes")) {
@@ -2552,38 +2563,76 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
virDomainReportError(VIR_ERR_XML_ERROR,
_("invalid security relabel value %s"), p);
VIR_FREE(p);
- goto error;
+ goto cleanup;
}
VIR_FREE(p);
- if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+ if (!default_seclabel &&
+ def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
def->norelabel) {
virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED,
"%s", _("dynamic label type must use
resource relabeling"));
- goto error;
+ goto cleanup;
}
} else {
- if (def->type == VIR_DOMAIN_SECLABEL_STATIC)
+ if (!default_seclabel && def->type == VIR_DOMAIN_SECLABEL_STATIC)
def->norelabel = true;
else
def->norelabel = false;
}
/* Only parse label, if using static labels, or
- * if the 'live' VM XML is requested
+ * if the 'live' VM XML is requested, or if this is a device override
*/
if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
- !(flags & VIR_DOMAIN_XML_INACTIVE)) {
- p = virXPathStringLimit("string(./seclabel/label[1])",
+ !(flags & VIR_DOMAIN_XML_INACTIVE) ||
+ (default_seclabel && !def->norelabel)) {
+ p = virXPathStringLimit("string(./label[1])",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
if (p == NULL) {
virDomainReportError(VIR_ERR_XML_ERROR,
"%s", _("security label is
missing"));
- goto error;
+ goto cleanup;
}
def->label = p;
}
+ ret = 0;
+cleanup:
+ ctxt->node = save_ctxt;
+ return ret;
+}
+
+/* Parse the top-level <seclabel>, if present. */
+static int
+virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
+ xmlXPathContextPtr ctxt,
+ unsigned int flags)
+{
+ char *p;
+ xmlNodePtr node = virXPathNode("./seclabel", ctxt);
+
+ if (node == NULL)
+ return 0;
+
+ p = virXPathStringLimit("string(./seclabel/@type)",
+ VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
+ if (p == NULL) {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ "%s", _("missing security type"));
+ goto error;
+ }
+ def->type = virDomainSeclabelTypeFromString(p);
+ VIR_FREE(p);
+ if (def->type < 0) {
+ virDomainReportError(VIR_ERR_XML_ERROR,
+ "%s", _("invalid security type"));
+ goto error;
+ }
+
+ if (virSecurityLabelDefParseXMLHelper(def, node, ctxt, NULL, flags) < 0)
+ goto error;
+
/* Only parse imagelabel, if requested live XML with relabeling */
if (!def->norelabel &&
!(flags & VIR_DOMAIN_XML_INACTIVE)) {
@@ -2709,6 +2758,7 @@ virDomainDiskDefParseXML(virCapsPtr caps,
xmlNodePtr node,
xmlXPathContextPtr ctxt,
virBitmapPtr bootMap,
+ virSecurityLabelDefPtr default_seclabel,
unsigned int flags)
{
virDomainDiskDefPtr def;
@@ -3016,6 +3066,16 @@ virDomainDiskDefParseXML(virCapsPtr caps,
goto error;
}
+ /* If source is present, check for an optional seclabel override. */
+ if (source) {
+ xmlNodePtr seclabel = virXPathNode("./source/seclabel", ctxt);
+ if (seclabel &&
+ (VIR_ALLOC(def->seclabel) < 0 ||
+ virSecurityLabelDefParseXMLHelper(def->seclabel, seclabel, ctxt,
+ default_seclabel, flags) < 0))
+ goto error;
+ }
+
if (target == NULL) {
virDomainReportError(VIR_ERR_NO_TARGET,
source ? "%s" : NULL, source);
@@ -6344,7 +6404,8 @@ virDomainDeviceDefPtr virDomainDeviceDefParse(virCapsPtr caps,
if (xmlStrEqual(node->name, BAD_CAST "disk")) {
dev->type = VIR_DOMAIN_DEVICE_DISK;
if (!(dev->data.disk = virDomainDiskDefParseXML(caps, node, ctxt,
- NULL, flags)))
+ NULL, &def->seclabel,
+ flags)))
goto error;
} else if (xmlStrEqual(node->name, BAD_CAST "lease")) {
dev->type = VIR_DOMAIN_DEVICE_LEASE;
@@ -7446,6 +7507,7 @@ static virDomainDefPtr virDomainDefParseXML(virCapsPtr caps,
nodes[i],
ctxt,
bootMap,
+ &def->seclabel,
flags);
if (!disk)
goto error;
@@ -9749,23 +9811,32 @@ virSecurityLabelDefFormat(virBufferPtr buf, virSecurityLabelDefPtr
def,
if (!sectype)
goto cleanup;
- if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+ if (def->model &&
+ def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
!def->baselabel &&
(flags & VIR_DOMAIN_XML_INACTIVE)) {
/* This is the default for inactive xml, so nothing to output. */
} else {
- virBufferAsprintf(buf, "<seclabel type='%s' model='%s'
relabel='%s'>\n",
- sectype, def->model,
+ virBufferAddLit(buf, "<seclabel");
+ if (def->model)
+ virBufferAsprintf(buf, " type='%s' model='%s'",
+ sectype, def->model);
+ virBufferAsprintf(buf, " relabel='%s'",
def->norelabel ? "no" : "yes");
- virBufferEscapeString(buf, " <label>%s</label>\n",
- def->label);
- if (!def->norelabel)
- virBufferEscapeString(buf, "
<imagelabel>%s</imagelabel>\n",
- def->imagelabel);
- if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
- virBufferEscapeString(buf, "
<baselabel>%s</baselabel>\n",
- def->baselabel);
- virBufferAddLit(buf, "</seclabel>\n");
+ if (def->label || def->baselabel) {
+ virBufferAddLit(buf, ">\n");
+ virBufferEscapeString(buf, " <label>%s</label>\n",
+ def->label);
+ if (!def->norelabel)
+ virBufferEscapeString(buf, "
<imagelabel>%s</imagelabel>\n",
+ def->imagelabel);
+ if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
+ virBufferEscapeString(buf, "
<baselabel>%s</baselabel>\n",
+ def->baselabel);
+ virBufferAddLit(buf, "</seclabel>\n");
+ } else {
+ virBufferAddLit(buf, "/>\n");
+ }
}
ret = 0;
cleanup:
@@ -9885,17 +9956,36 @@ virDomainDiskDefFormat(virBufferPtr buf,
def->startupPolicy) {
switch (def->type) {
case VIR_DOMAIN_DISK_TYPE_FILE:
- virBufferAsprintf(buf," <source");
+ virBufferAddLit(buf, " <source");
if (def->src)
virBufferEscapeString(buf, " file='%s'", def->src);
if (def->startupPolicy)
virBufferEscapeString(buf, " startupPolicy='%s'",
startupPolicy);
- virBufferAsprintf(buf, "/>\n");
+ if (def->seclabel) {
+ virBufferAddLit(buf, ">\n");
+ virBufferAdjustIndent(buf, 8);
+ if (virSecurityLabelDefFormat(buf, def->seclabel, flags) < 0)
+ return -1;
+ virBufferAdjustIndent(buf, -8);
+ virBufferAddLit(buf, " </source>\n");
+ } else {
+ virBufferAddLit(buf, "/>\n");
+ }
break;
case VIR_DOMAIN_DISK_TYPE_BLOCK:
- virBufferEscapeString(buf, " <source
dev='%s'/>\n",
- def->src);
+ if (def->src && def->seclabel) {
+ virBufferEscapeString(buf, " <source
dev='%s'>\n",
+ def->src);
+ virBufferAdjustIndent(buf, 8);
+ if (virSecurityLabelDefFormat(buf, def->seclabel, flags) < 0)
+ return -1;
+ virBufferAdjustIndent(buf, -8);
+ virBufferAddLit(buf, " </source>\n");
+ } else {
+ virBufferEscapeString(buf, " <source
dev='%s'/>\n",
+ def->src);
+ }
break;
case VIR_DOMAIN_DISK_TYPE_DIR:
virBufferEscapeString(buf, " <source
dir='%s'/>\n",
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 7c5946f..d894288 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -357,6 +357,7 @@ struct _virDomainDiskDef {
int device;
int bus;
char *src;
+ virSecurityLabelDefPtr seclabel;
char *dst;
int protocol;
int nhosts;
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.args
b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.args
new file mode 100644
index 0000000..8f78dcf
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-seclabel-dynamic-override.args
@@ -0,0 +1,5 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
+pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
+server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 \
+-hdb /dev/HostVG/QEMUGuest2 -net none -serial \
+none -parallel none -usb
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 18e8941..69e2612 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -662,6 +662,7 @@ mymain(void)
DO_TEST("seclabel-dynamic", false, QEMU_CAPS_NAME);
DO_TEST("seclabel-dynamic-baselabel", false, QEMU_CAPS_NAME);
+ DO_TEST("seclabel-dynamic-override", false, QEMU_CAPS_NAME);
DO_TEST("seclabel-static", false, QEMU_CAPS_NAME);
DO_TEST("seclabel-static-relabel", false, QEMU_CAPS_NAME);
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index e4b99c4..0a8a28e 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -195,6 +195,7 @@ mymain(void)
DO_TEST("blkdeviotune");
DO_TEST("seclabel-dynamic-baselabel");
+ DO_TEST("seclabel-dynamic-override");
DO_TEST("seclabel-static");
/* These tests generate different XML */
--
1.7.7.4
9:31 a.m.
New subject: [libvirt] [PATCHv2 6/6] seclabel: honor device override in selinux
This wires up the XML changes in the previous patch to let SELinux
labeling honor user overrides, as well as affecting the live XML
configuration in one case where the user didn't specify anything
in the offline XML.
I noticed that the logs contained messages like this:
2011-12-05 23:32:40.382+0000: 26569: warning : SELinuxRestoreSecurityFileLabel:533 :
cannot lookup default selinux label for /nfs/libvirt/images/dom.img
for all my domain images living on NFS. But if we would just remember
that on domain creation that we were unable to set a SELinux label (due to
NFSv3 lacking labels, or NFSv4 not being configured to expose attributes),
then we could avoid wasting the time trying to clear the label on
domain shutdown. This in turn is one less point of NFS failure,
especially since there have been documented cases of virDomainDestroy
hanging during an attempted operation on a failed NFS connection.
* src/security/security_selinux.c (SELinuxSetFilecon): Move guts...
(SELinuxSetFileconHelper): ...to new function.
(SELinuxSetFileconOptional): New function.
(SELinuxSetSecurityFileLabel): Honor override label, and remember
if labeling failed.
(SELinuxRestoreSecurityImageLabelInt): Skip relabeling based on
override.
---
Tested on a system with NFS, and /etc/libvirt/qemu.conf having
dynamic_ownership=0; without this patch, killing NFS via
'iptables -I INPUT -s $server -j DROP' while a guest was running,
then trying 'virsh destroy guest', would hang, and lock out
attempts to use virsh from other terminals. After this patch,
'virsh destroy guest' succeeded without hanging.
Also tested that custom labels are honored.
src/security/security_selinux.c | 53 ++++++++++++++++++++++++++++++---------
1 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 6ef61c7..cdc28ad 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -394,8 +394,11 @@ SELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
return 0;
}
+/* Attempt to change the label of PATH to TCON. If OPTIONAL is true,
+ * return 1 if labelling was not possible. Otherwise, require a label
+ * change, and return 0 for success, -1 for failure. */
static int
-SELinuxSetFilecon(const char *path, char *tcon)
+SELinuxSetFileconHelper(const char *path, char *tcon, bool optional)
{
security_context_t econ;
@@ -408,7 +411,7 @@ SELinuxSetFilecon(const char *path, char *tcon)
if (STREQ(tcon, econ)) {
freecon(econ);
/* It's alright, there's nothing to change anyway. */
- return 0;
+ return optional ? 1 : 0;
}
freecon(econ);
}
@@ -440,12 +443,26 @@ SELinuxSetFilecon(const char *path, char *tcon)
VIR_INFO("Setting security context '%s' on '%s' not
supported",
tcon, path);
}
+ if (optional)
+ return 1;
}
}
return 0;
}
static int
+SELinuxSetFileconOptional(const char *path, char *tcon)
+{
+ return SELinuxSetFileconHelper(path, tcon, true);
+}
+
+static int
+SELinuxSetFilecon(const char *path, char *tcon)
+{
+ return SELinuxSetFileconHelper(path, tcon, false);
+}
+
+static int
SELinuxFSetFilecon(int fd, char *tcon)
{
security_context_t econ;
@@ -549,7 +566,7 @@ SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
{
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
- if (secdef->norelabel)
+ if (secdef->norelabel || (disk->seclabel &&
disk->seclabel->norelabel))
return 0;
/* Don't restore labels on readoly/shared disks, because
@@ -604,23 +621,35 @@ SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
const virSecurityLabelDefPtr secdef = opaque;
int ret;
- if (depth == 0) {
+ if (disk->seclabel && disk->seclabel->norelabel)
+ return 0;
+
+ if (disk->seclabel && !disk->seclabel->norelabel &&
+ disk->seclabel->label) {
+ ret = SELinuxSetFilecon(path, disk->seclabel->label);
+ } else if (depth == 0) {
if (disk->shared) {
- ret = SELinuxSetFilecon(path, default_image_context);
+ ret = SELinuxSetFileconOptional(path, default_image_context);
} else if (disk->readonly) {
- ret = SELinuxSetFilecon(path, default_content_context);
+ ret = SELinuxSetFileconOptional(path, default_content_context);
} else if (secdef->imagelabel) {
- ret = SELinuxSetFilecon(path, secdef->imagelabel);
+ ret = SELinuxSetFileconOptional(path, secdef->imagelabel);
} else {
ret = 0;
}
} else {
- ret = SELinuxSetFilecon(path, default_content_context);
+ ret = SELinuxSetFileconOptional(path, default_content_context);
+ }
+ if (ret == 1 && !disk->seclabel) {
+ /* If we failed to set a label, but virt_use_nfs let us
+ * proceed anyway, then we don't need to relabel later. */
+ if (VIR_ALLOC(disk->seclabel) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+ disk->seclabel->norelabel = true;
+ ret = 0;
}
- if (ret < 0 &&
- virStorageFileIsSharedFSType(path,
- VIR_STORAGE_FILE_SHFS_NFS) == 1)
- ret = 0;
return ret;
}
--
1.7.7.4
9:04 p.m.
On Thu, Dec 22, 2011 at 05:47:45PM -0700, Eric Blake wrote:
In a system that uses dynamic_ownership=0 and NFS disks, the _only_
path in the virDomainDestroy path where libvirt itself performs a
syscall on the NFS file system was on attempting to relabel a disk
back to its default label. If an NFS server hosting a domain's
disk image hangs, then this renders libvirtd stuck in an lstat()
call, with the driver lock held, effectively blocking out _all_
other attempts to connect to libvirtd for any remaining domains not
tied to the hung NFS server. (Verification that the SELinux relabel
was the only point where libvirtd, rather than not qemu, could hang,
was done by Red Hat VDSM folks in https://bugzilla.redhat.com/746666;
with a hack to avoid the relabel, the destroy no longer hangs.)
But without bleeding edge NFS servers, you can't put a SELinux
label on the file in the first place; libvirt was happily ignoring
the failure to change the label on domain start (thanks to the
selinux virt_use_nfs bool), only to hang on the stuck server on
domain destroy that it would have again ignored had the server not
been stuck. If we allow the users to modify the XML to mark that
a file does not need to be labeled in the first place, then we can
avoid both attempts to label at startup and relabel at destroy, thus
preventing libvirtd from getting stuck on a virDomainDestroy()
called on a guest whose NFS server went down.
This patch series is based on an earlier attempt (the hack which
got tested in the above-mentioned bz 746666), incorporating feedback
from Dan Berrange suggesting that the ability for the user to
override labeling on a per-disk basis is smarter than marking
ignored failure to label in internal XML used only by libvirtd:
v1: https://www.redhat.com/archives/libvir-list/2011-December/msg00246.html
I'm still working on patch 6/6 (actually hooking up the security
manager to honor the relabel='no' request), and hope to post that
tomorrow as part of this thread; that's really the only patch that
resembles anything from v1 (the first 5 patches are basically brand
new to this series), but I'm posting the first 5 patches now to get
review started and make sure the proposed XML makes sense.
I envision that this can be further expanded (sticking <seclabel>
elements on more XML items that get labeled in the host), but for
now I focused just on disk devices, as those are the most likely
to reside over NFS.
Ultimately, this patch series is only a bandaid; the underlying
problem (making a syscall that can block indefinitely on a hung
NFS server while holding the driver lock) is still present, and
triggered if you have dynamic_ownership=1 (where we also attempt
a chown of the disk image, regardless of the SELinux labels).
Later down the road, I also plan to work on Dan's proposal to
break the driver lock into smaller, more manageable sections, so
we can get back to our documented goal of never blocking while
holding lock, but instead using the job condition variables to
detect when a single domain is stuck on a blocked call:
https://www.redhat.com/archives/libvir-list/2011-November/msg00267.html
Okay, I have reviewed the patch set, it looks sane to me.
The devil of course lies in the details, and for this kind of changes
I tend to think only serious testing can really validate the approach.
That's why I'm inclined to push this as part of the release candidate
to try to augment testing.
So ACK, I'm pushing this, I just had to slightly rebase patch #4
because the context in one of the documentation example XML changed
slightly.
Pushed to git head,
thanks !
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
7:45 a.m.
New subject: [libvirt] [PATCH] docs: re-fix stray /
Commit 6cb4acc reintroduced the bug fixed in commit d145fe3.
* docs/formatdomain.html.in (elementsDisks): Fix again.
---
So ACK, I'm pushing this, I just had to slightly rebase patch #4
because the context in one of the documentation example XML changed
slightly.
Except that you resolved the conflict in the wrong direction. Oh well.
Pushing this under the trivial rule.
docs/formatdomain.html.in | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index d468299..18b7e22 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -947,7 +947,7 @@
<devices>
<disk type='file' snapshot='external'>
<driver name="tap" type="aio"
cache="default"/>
- <source file='/var/lib/xen/images/fv0'/
startupPolicy='optional'>
+ <source file='/var/lib/xen/images/fv0'
startupPolicy='optional'>
<seclabel relabel='no'/>
</source>
<target dev='hda' bus='ide'/>
--
1.7.7.4
4713
days inactive
4721
days old
11 comments
3 participants
participants (3)
-
Daniel Veillard -
Eric Blake -
Osier Yang