[libvirt] [PATCH 0/2] WIP: additional fixes to the security driver

Hi,

these patches are a work in progress and apply on top of the two recent patches from Marcelo.

Jiri Denemark (2):
  Fix seclabels parsing
  Format seclabels in a compatible way

 src/conf/domain_conf.c | 41 +++++++++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 16 deletions(-)

--
1.7.12

--- src/conf/domain_conf.c | 39 ++++++++++++++++++++++++--------------- 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 3819ed9..1394297 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -3161,27 +3161,36 @@ virSecurityLabelDefsParseXML(virDomainDefPtr def, * defined in host's capabilities is used as model for the seclabel. */ if (def->nseclabels == 1 && - def->seclabels[0]->model == NULL && - def->seclabels[0]->type != VIR_DOMAIN_SECLABEL_STATIC && - def->seclabels[0]->baselabel == NULL && - (flags & VIR_DOMAIN_XML_INACTIVE) && + !def->seclabels[0]->model && host->nsecModels > 0) { - - /* Copy model from host. */ - def->seclabels[0]->model = strdup(host->secModels[0].model); - if (def->seclabels[0]->model == NULL) { - virReportOOMError(); + if (def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_NONE || + (def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC && + !def->seclabels[0]->baselabel && + (flags & VIR_DOMAIN_XML_INACTIVE))) { + /* Copy model from host. */ + VIR_DEBUG("Found seclabel without a model, using '%s'", + host->secModels[0].model); + def->seclabels[0]->model = strdup(host->secModels[0].model); + if (!def->seclabels[0]->model) { + virReportOOMError(); + goto error; + } + } else { + virReportError(VIR_ERR_XML_ERROR, "%s", + _("missing security model in domain seclabel")); goto error; } } /* Checking missing model information */ - for(; n; n--) { - if (def->seclabels[n - 1]->model == NULL) { - virReportError(VIR_ERR_XML_ERROR, "%s", - _("missing security model " - "when using multiple labels")); - goto error; + if (def->nseclabels > 1) { + for(; n; n--) { + if (def->seclabels[n - 1]->model == NULL) { + virReportError(VIR_ERR_XML_ERROR, "%s", + _("missing security model " + "when using multiple labels")); + goto error; + } } } -- 1.7.12
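Review bot: the new `if (def->nseclabels > 1)` guard around the model check, together with `host->nsecModels > 0` in the outer condition, leaves a gap: a single seclabel with no model, parsed on a host that reports no security models, now matches neither the outer `if` nor the guarded loop and is accepted with `model == NULL`, whereas the old unconditional `for(; n; n--)` loop rejected it. If that is intended (no driver on the host, so the label will be ignored), a comment at the guard saying so would help; otherwise extend the guard, e.g. `if (def->nseclabels > 1 || host->nsecModels == 0)`. Minor: the moved loop keeps `for(; n; n--)` without a space after `for`, worth fixing while the line is touched. The new `else` branch is an improvement: a single label without a model now gets `missing security model in domain seclabel` instead of the misleading "when using multiple labels" text.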

--- src/conf/domain_conf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 1394297..49327df 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -11253,7 +11253,7 @@ virSecurityLabelDefFormat(virBufferPtr buf, virSecurityLabelDefPtr def) virBufferAsprintf(buf, "<seclabel type='%s'", sectype); - if (def->model) + if (def->model && STRNEQ(def->model, "none")) virBufferEscapeString(buf, " model='%s'", def->model); if (def->type == VIR_DOMAIN_SECLABEL_NONE) { -- 1.7.12
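Review bot: `STRNEQ(def->model, "none")` keys the formatter on a magic string rather than on the label type, while the very next line already tests `def->type == VIR_DOMAIN_SECLABEL_NONE`; omitting `model=` based on the type (or at least checking both) keeps the two in sync and avoids silently dropping a model that happens to be spelled "none" on a label of another type. A one-line comment saying why the attribute is left out (the cover letter mentions migration to older libvirtd, but nothing in the hunk does) would also help the next reader.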

On Fri, Aug 31, 2012 at 09:49:40 +0200, Jiri Denemark wrote:
Hi,
these patches are a work in progress and apply on top of the two recent patches from Marcelo.
Jiri Denemark (2):
  Fix seclabels parsing
  Format seclabels in a compatible way

 src/conf/domain_conf.c | 41 +++++++++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 16 deletions(-)
Looks like testing confirms that basic functionality works, libvirtd can be restarted without losing domains, and a domain can be migrated to an older libvirtd. There are still some issues with the new security driver, e.g., adding <seclabel type='none'/> does not really disable selinux labeling if the selinux driver is enabled, but these additional issues can be fixed for the next release after additional testing. I'll repost Marcelo's patches with these additional fixes squashed in.

Jirka