security: Allow 'remember' to be set for HostdevLabelHelper

There is a case in which we do not want 'remember' to be
set to true in SetOwnership() calls inside the
HostdevLabelHelper() functions of both DAC and SELinux drivers.
Next patch will explain and handle that scenario.

For now, let's make virSecurityDACSetOwnership() and
virSecuritySELinuxSetHostdevLabelHelper() accept a 'remember'
flag, which will be used to set the 'remember' parameter
of their respective SetOwnership() calls. No functional
change is made.

Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Daniel Henrique Barboza 2020-01-27 15:23:20 -03:00 committed by Michal Privoznik
parent 5b971b0f76
commit 09804edd0a
2 changed files with 15 additions and 12 deletions

View File

@ -1144,6 +1144,7 @@ virSecurityDACMoveImageMetadata(virSecurityManagerPtr mgr,
static int static int
virSecurityDACSetHostdevLabelHelper(const char *file, virSecurityDACSetHostdevLabelHelper(const char *file,
bool remember,
void *opaque) void *opaque)
{ {
virSecurityDACCallbackDataPtr cbdata = opaque; virSecurityDACCallbackDataPtr cbdata = opaque;
@ -1156,7 +1157,7 @@ virSecurityDACSetHostdevLabelHelper(const char *file,
if (virSecurityDACGetIds(secdef, priv, &user, &group, NULL, NULL) < 0) if (virSecurityDACGetIds(secdef, priv, &user, &group, NULL, NULL) < 0)
return -1; return -1;
return virSecurityDACSetOwnership(mgr, NULL, file, user, group, true); return virSecurityDACSetOwnership(mgr, NULL, file, user, group, remember);
} }
@ -1165,7 +1166,7 @@ virSecurityDACSetPCILabel(virPCIDevicePtr dev G_GNUC_UNUSED,
const char *file, const char *file,
void *opaque) void *opaque)
{ {
return virSecurityDACSetHostdevLabelHelper(file, opaque); return virSecurityDACSetHostdevLabelHelper(file, true, opaque);
} }
@ -1174,7 +1175,7 @@ virSecurityDACSetUSBLabel(virUSBDevicePtr dev G_GNUC_UNUSED,
const char *file, const char *file,
void *opaque) void *opaque)
{ {
return virSecurityDACSetHostdevLabelHelper(file, opaque); return virSecurityDACSetHostdevLabelHelper(file, true, opaque);
} }
@ -1183,7 +1184,7 @@ virSecurityDACSetSCSILabel(virSCSIDevicePtr dev G_GNUC_UNUSED,
const char *file, const char *file,
void *opaque) void *opaque)
{ {
return virSecurityDACSetHostdevLabelHelper(file, opaque); return virSecurityDACSetHostdevLabelHelper(file, true, opaque);
} }
@ -1192,7 +1193,7 @@ virSecurityDACSetHostLabel(virSCSIVHostDevicePtr dev G_GNUC_UNUSED,
const char *file, const char *file,
void *opaque) void *opaque)
{ {
return virSecurityDACSetHostdevLabelHelper(file, opaque); return virSecurityDACSetHostdevLabelHelper(file, true, opaque);
} }
@ -1312,7 +1313,7 @@ virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr,
if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr))) if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
return -1; return -1;
ret = virSecurityDACSetHostdevLabelHelper(vfiodev, &cbdata); ret = virSecurityDACSetHostdevLabelHelper(vfiodev, true, &cbdata);
VIR_FREE(vfiodev); VIR_FREE(vfiodev);
break; break;

View File

@ -2001,7 +2001,9 @@ virSecuritySELinuxMoveImageMetadata(virSecurityManagerPtr mgr,
static int static int
virSecuritySELinuxSetHostdevLabelHelper(const char *file, void *opaque) virSecuritySELinuxSetHostdevLabelHelper(const char *file,
bool remember,
void *opaque)
{ {
virSecurityLabelDefPtr secdef; virSecurityLabelDefPtr secdef;
virSecuritySELinuxCallbackDataPtr data = opaque; virSecuritySELinuxCallbackDataPtr data = opaque;
@ -2011,21 +2013,21 @@ virSecuritySELinuxSetHostdevLabelHelper(const char *file, void *opaque)
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (secdef == NULL)
return 0; return 0;
return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel, true); return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel, remember);
} }
static int static int
virSecuritySELinuxSetPCILabel(virPCIDevicePtr dev G_GNUC_UNUSED, virSecuritySELinuxSetPCILabel(virPCIDevicePtr dev G_GNUC_UNUSED,
const char *file, void *opaque) const char *file, void *opaque)
{ {
return virSecuritySELinuxSetHostdevLabelHelper(file, opaque); return virSecuritySELinuxSetHostdevLabelHelper(file, true, opaque);
} }
static int static int
virSecuritySELinuxSetUSBLabel(virUSBDevicePtr dev G_GNUC_UNUSED, virSecuritySELinuxSetUSBLabel(virUSBDevicePtr dev G_GNUC_UNUSED,
const char *file, void *opaque) const char *file, void *opaque)
{ {
return virSecuritySELinuxSetHostdevLabelHelper(file, opaque); return virSecuritySELinuxSetHostdevLabelHelper(file, true, opaque);
} }
static int static int
@ -2056,7 +2058,7 @@ static int
virSecuritySELinuxSetHostLabel(virSCSIVHostDevicePtr dev G_GNUC_UNUSED, virSecuritySELinuxSetHostLabel(virSCSIVHostDevicePtr dev G_GNUC_UNUSED,
const char *file, void *opaque) const char *file, void *opaque)
{ {
return virSecuritySELinuxSetHostdevLabelHelper(file, opaque); return virSecuritySELinuxSetHostdevLabelHelper(file, true, opaque);
} }
@ -2164,7 +2166,7 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr mgr,
if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr))) if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
return ret; return ret;
ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, &data); ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, true, &data);
VIR_FREE(vfiodev); VIR_FREE(vfiodev);
break; break;