[libvirt] [PATCH 1/2] security: Add DAC to security_drivers

Currently, if users set 'security_driver="dac"' in qemu.conf libvirtd fails to initialize as DAC driver is not found because it is missing in our security drivers array.
---
 src/security/security_driver.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/src/security/security_driver.c b/src/security/security_driver.c
index f450a94..e6da220 100644
--- a/src/security/security_driver.c
+++ b/src/security/security_driver.c
@@ -35,6 +35,7 @@
 # include "security_apparmor.h"
 #endif
+#include "security_dac.h"
 #include "security_nop.h"
 #define VIR_FROM_THIS VIR_FROM_SECURITY
@@ -46,6 +47,7 @@ static virSecurityDriverPtr security_drivers[] = {
 #ifdef WITH_SECDRIVER_APPARMOR
 &virAppArmorSecurityDriver,
 #endif
+ &virSecurityDriverDAC,
 &virSecurityDriverNop, /* Must always be last, since it will always probe */
 };
--
1.7.8.6
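Review bot: The new `&virSecurityDriverDAC` entry in `security_drivers[]` sits ahead of `&virSecurityDriverNop`, and the existing comment on the Nop entry says that position in this array matters for probing. The lookup code is outside this hunk, so it cannot be seen here whether a lookup with no configured name walks the array and takes the first driver whose probe succeeds; if it does, hosts without SELinux or AppArmor may start getting DAC rather than Nop as the default driver. That should be confirmed, and the intent recorded on the new line, for example `&virSecurityDriverDAC, /* Probed before Nop: TODO confirm DAC should win auto-probe when no driver is named */`.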

Only parse model, if static labelling, or a base label is set, or doing active XML.
---
 src/conf/domain_conf.c | 39 ++++++++++++++++++++++++---------------
 1 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 419088c..0f7bf78 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -3121,14 +3121,22 @@ virSecurityLabelDefParseXML(xmlXPathContextPtr ctxt,
 def->baselabel = p;
 }
- /* Always parse model */
- p = virXPathStringLimit("string(./@model)",
- VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
- if (p == NULL && def->type != VIR_DOMAIN_SECLABEL_NONE) {
- virReportError(VIR_ERR_XML_ERROR,
- "%s", _("missing security model"));
+ /* Only parse model, if static labelling, or a base
+ * label is set, or doing active XML
+ */
+ if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
+ def->baselabel ||
+ (!(flags & VIR_DOMAIN_XML_INACTIVE) &&
+ def->type != VIR_DOMAIN_SECLABEL_NONE)) {
+
+ p = virXPathStringLimit("string(./@model)",
+ VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
+ if (p == NULL && def->type != VIR_DOMAIN_SECLABEL_NONE) {
+ virReportError(VIR_ERR_XML_ERROR,
+ "%s", _("missing security model"));
+ }
+ def->model = p;
 }
- def->model = p;
 return def;
@@ -3225,11 +3233,7 @@ virSecurityDeviceLabelDefParseXML(virDomainDiskDefPtr def,
 for (i = 0; i < n; i++) {
 /* get model associated to this override */
 model = virXMLPropString(list[i], "model");
- if (model == NULL) {
- virReportError(VIR_ERR_XML_ERROR, "%s",
- _("invalid security model"));
- goto error;
- } else {
+ if (model) {
 /* find the security label that it's being overriden */
 for (j = 0; j < nvmSeclabels; j++) {
 if (STREQ(vmSeclabels[j]->model, model)) {
@@ -3275,7 +3279,7 @@ virSecurityDeviceLabelDefParseXML(virDomainDiskDefPtr def,
 virReportError(VIR_ERR_XML_ERROR,
 _("Cannot specify a label if relabelling is "
 "turned off. model=%s"),
- def->seclabels[i]->model);
+ NULLSTR(def->seclabels[i]->model));
 goto error;
 }
 }
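Review bot: In the new block of virSecurityLabelDefParseXML, the `p == NULL` branch calls `virReportError(... _("missing security model"))` but then falls through to `def->model = p;` and `return def;`, so the caller receives a successful result with a NULL model and an error already raised. The removed code behaved the same way, so this is inherited rather than introduced, but the narrowed condition is the natural place to make the parser fail closed. Add `goto error;` right after the virReportError call, assuming this function has the same `error:` cleanup label that virSecurityDeviceLabelDefParseXML uses; the end of the function is outside this hunk.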
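Review bot: `STREQ(vmSeclabels[j]->model, model)` in the context lines of the second hunk can now be handed a NULL `vmSeclabels[j]->model`, because the first hunk of this patch leaves `def->model` unset for labels that are neither static, nor carry a base label, nor come from active XML. If STREQ is a plain strcmp wrapper (its definition is not shown here), a disk seclabel override that names a model would dereference NULL while parsing domain XML. Guard the comparison: `if (vmSeclabels[j]->model && STREQ(vmSeclabels[j]->model, model)) {`. The loop body continues past the end of the hunk, so any later use of the VM-level model there needs the same check.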
@@ -11271,8 +11275,13 @@ static void
 virSecurityDeviceLabelDefFormat(virBufferPtr buf,
 virSecurityDeviceLabelDefPtr def)
 {
- virBufferAsprintf(buf, "<seclabel model='%s' relabel='%s'",
- def->model, def->norelabel ? "no" : "yes");
+ virBufferAsprintf(buf, "<seclabel");
+
+ if (def->model)
+ virBufferAsprintf(buf, " model='%s'", def->model);
+
+ virBufferAsprintf(buf, " relabel='%s'", def->norelabel ? "no" : "yes");
+
 if (def->label) {
 virBufferAddLit(buf, ">\n");
 virBufferEscapeString(buf, " <label>%s</label>\n",
--
1.7.8.6
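Review bot: `def->model` is written into the attribute with `virBufferAsprintf(buf, " model='%s'", def->model);`, i.e. without XML escaping, although the value is read from the `model` attribute of the domain XML in virSecurityDeviceLabelDefParseXML and the label a few lines below goes through virBufferEscapeString. A model string containing a quote or `<` would yield malformed or altered XML on output, unless it is validated somewhere not visible here. Keep the `if (def->model)` guard and use the escaping formatter instead: `virBufferEscapeString(buf, " model='%s'", def->model);`. The function body continues past the end of this hunk.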

On 08/24/2012 07:15 AM, Michal Privoznik wrote:
Only parse model, if static labelling, or a base label is set, or doing active XML. --- src/conf/domain_conf.c | 39 ++++++++++++++++++++++++--------------- 1 files changed, 24 insertions(+), 15 deletions(-)
I can confirm that this solves a regression where a running domain under rc0 fails to list when reloading rc1.
@@ -3225,11 +3233,7 @@ virSecurityDeviceLabelDefParseXML(virDomainDiskDefPtr def,
 for (i = 0; i < n; i++) {
 /* get model associated to this override */
 model = virXMLPropString(list[i], "model");
- if (model == NULL) {
- virReportError(VIR_ERR_XML_ERROR, "%s",
- _("invalid security model"));
- goto error;
- } else {
+ if (model) {
 /* find the security label that it's being overriden */
As long as you're here, s/overriden/overridden/ ACK. -- Eric Blake eblake@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org

On 24.08.2012 16:07, Eric Blake wrote:
On 08/24/2012 07:15 AM, Michal Privoznik wrote:
Only parse model, if static labelling, or a base label is set, or doing active XML. --- src/conf/domain_conf.c | 39 ++++++++++++++++++++++++--------------- 1 files changed, 24 insertions(+), 15 deletions(-)
I can confirm that this solves a regression where a running domain under rc0 fails to list when reloading rc1.
@@ -3225,11 +3233,7 @@ virSecurityDeviceLabelDefParseXML(virDomainDiskDefPtr def,
 for (i = 0; i < n; i++) {
 /* get model associated to this override */
 model = virXMLPropString(list[i], "model");
- if (model == NULL) {
- virReportError(VIR_ERR_XML_ERROR, "%s",
- _("invalid security model"));
- goto error;
- } else {
+ if (model) {
 /* find the security label that it's being overriden */
As long as you're here, s/overriden/overridden/
ACK.
Yep. Fixed and pushed. Thanks! Michal

On 08/24/2012 07:15 AM, Michal Privoznik wrote:
Currently, if users set 'security_driver="dac"' in qemu.conf libvirtd fails to initialize as DAC driver is not found because it is missing in our security drivers array. --- src/security/security_driver.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-)
ACK. -- Eric Blake eblake@redhat.com +1-919-301-3266 Libvirt virtualization library http://libvirt.org