diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 53057aa82e..de4ec4d442 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1276,6 +1276,7 @@ virSecurityManagerPreFork;
 virSecurityManagerReleaseLabel;
 virSecurityManagerReserveLabel;
 virSecurityManagerRestoreAllLabel;
+virSecurityManagerRestoreChardevLabel;
 virSecurityManagerRestoreDiskLabel;
 virSecurityManagerRestoreHostdevLabel;
 virSecurityManagerRestoreImageLabel;
@@ -1283,6 +1284,7 @@ virSecurityManagerRestoreInputLabel;
 virSecurityManagerRestoreMemoryLabel;
 virSecurityManagerRestoreSavedStateLabel;
 virSecurityManagerSetAllLabel;
+virSecurityManagerSetChardevLabel;
 virSecurityManagerSetChildProcessLabel;
 virSecurityManagerSetDaemonSocketLabel;
 virSecurityManagerSetDiskLabel;
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 52ca07a10f..609d2595b2 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -2155,4 +2155,7 @@ virSecurityDriver virSecurityDriverDAC = {
 .getBaseLabel = virSecurityDACGetBaseLabel,
 
 .domainSetPathLabel = virSecurityDACDomainSetPathLabel,
+
+ .domainSetSecurityChardevLabel = virSecurityDACSetChardevLabel,
+ .domainRestoreSecurityChardevLabel = virSecurityDACRestoreChardevLabel,
 };
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 1b3070d06d..47dad8ba20 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -140,6 +140,14 @@ typedef int (*virSecurityDomainRestoreInputLabel) (virSecurityManagerPtr mgr,
 typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr,
 virDomainDefPtr def,
 const char *path);
+typedef int (*virSecurityDomainSetChardevLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd);
+typedef int (*virSecurityDomainRestoreChardevLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd);
 
 
 struct _virSecurityDriver {
@@ -201,6 +209,9 @@ struct _virSecurityDriver {
 virSecurityDriverGetBaseLabel getBaseLabel;
 
 virSecurityDomainSetPathLabel domainSetPathLabel;
+
+ virSecurityDomainSetChardevLabel domainSetSecurityChardevLabel;
+ virSecurityDomainRestoreChardevLabel domainRestoreSecurityChardevLabel;
 };
 
 virSecurityDriverPtr virSecurityDriverLookup(const char *name,
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 3cf12188a0..9249aba1fa 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
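Review bot: The new `virSecurityDomainSetChardevLabel` / `virSecurityDomainRestoreChardevLabel` typedefs introduce a `bool chardevStdioLogd` parameter whose meaning is documented nowhere in the patch, yet four drivers (dac, nop, selinux, stack) are wired to honour it and the manager wrappers pass it straight through. A comment above the typedefs stating what the flag selects, and that Set and Restore must interpret it identically so that Restore undoes exactly what Set applied, would spare each implementer from guessing; something like `/* chardevStdioLogd: <document what this flag selects>. Set and Restore must treat it identically. */` with the placeholder filled in by the author. The same undocumented flag appears on the prototypes in security_manager.h and the wrappers in security_manager.c; one comment here is enough.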
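Review bot: The new struct members `domainSetSecurityChardevLabel` / `domainRestoreSecurityChardevLabel` use the older `domainSetSecurity*` spelling, while the adjacent `domainSetPathLabel`, the typedefs (`virSecurityDomainSetChardevLabel`) and the public wrappers (`virSecurityManagerSetChardevLabel`) all drop the `Security` infix. Both spellings already exist in this struct (compare `domainGetSecurityMountOptions` in the security_nop.c hunk), so this is only a consistency point, but `domainSetChardevLabel` / `domainRestoreChardevLabel` would line up with the typedef and wrapper names. Renaming is cheap now and touches only the four driver tables in this patch (security_dac.c, security_nop.c, security_selinux.c, security_stack.c).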
@@ -1152,3 +1152,43 @@ virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
 virReportUnsupportedError();
 return -1;
 }
+
+
+ int
+virSecurityManagerSetChardevLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd)
+{
+ if (mgr->drv->domainSetSecurityChardevLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainSetSecurityChardevLabel(mgr, def, dev_source,
+ chardevStdioLogd);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ virReportUnsupportedError();
+ return -1;
+}
+
+
+int
+virSecurityManagerRestoreChardevLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd)
+{
+ if (mgr->drv->domainRestoreSecurityChardevLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainRestoreSecurityChardevLabel(mgr, def, dev_source,
+ chardevStdioLogd);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ virReportUnsupportedError();
+ return -1;
+}
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 834c7f1593..013e3b9b18 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -184,4 +184,14 @@ int virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr vm,
 const char *path);
 
+int virSecurityManagerSetChardevLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd);
+
+int virSecurityManagerRestoreChardevLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd);
+
 #endif /* VIR_SECURITY_MANAGER_H__ */
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index cfb032c686..ff739f8199 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
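Review bot: A driver that does not register `domainSetSecurityChardevLabel` makes `virSecurityManagerSetChardevLabel` return -1 via `virReportUnsupportedError()`, which is the right fail-closed default for labelling a hot-plugged device, but it also means that any in-tree driver not wired in this patch (only dac, nop, selinux and stack appear here) will turn every such call into a hard error rather than a device that silently keeps its old label. Please confirm that is the intended outcome for every remaining driver, or give them at least the no-op implementation the Nop driver receives in security_nop.c. A one-line comment above the wrapper would make the policy explicit for callers: `/* Fails closed: a driver without a chardev callback rejects the request instead of leaving the device unlabelled. */`. The Restore wrapper in the same hunk behaves the same way and is covered by the same comment.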
@@ -262,6 +262,23 @@ virSecurityDomainInputLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 return 0;
 }
 
+static int
+virSecurityDomainSetChardevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainChrSourceDefPtr dev_source ATTRIBUTE_UNUSED,
+ bool chardevStdioLogd ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
+static int
+virSecurityDomainRestoreChardevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainChrSourceDefPtr dev_source ATTRIBUTE_UNUSED,
+ bool chardevStdioLogd ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
 
 virSecurityDriver virSecurityDriverNop = {
 .privateDataLen = 0,
@@ -314,4 +331,7 @@ virSecurityDriver virSecurityDriverNop = {
 .domainGetSecurityMountOptions = virSecurityDomainGetMountOptionsNop,
 
 .getBaseLabel = virSecurityGetBaseLabel,
+
+ .domainSetSecurityChardevLabel = virSecurityDomainSetChardevLabelNop,
+ .domainRestoreSecurityChardevLabel = virSecurityDomainRestoreChardevLabelNop,
 };
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index b677fbcda7..0815a02d18 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3095,4 +3095,7 @@ virSecurityDriver virSecurityDriverSELinux = {
 .getBaseLabel = virSecuritySELinuxGetBaseLabel,
 
 .domainSetPathLabel = virSecuritySELinuxDomainSetPathLabel,
+
+ .domainSetSecurityChardevLabel = virSecuritySELinuxSetChardevLabel,
+ .domainRestoreSecurityChardevLabel = virSecuritySELinuxRestoreChardevLabel,
 };
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index cd916382b2..0375e7d89d 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -719,6 +719,46 @@ virSecurityStackDomainSetPathLabel(virSecurityManagerPtr mgr,
 return rc;
 }
 
+static int
+virSecurityStackDomainSetChardevLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+ int rc = 0;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerSetChardevLabel(item->securityManager,
+ def, dev_source,
+ chardevStdioLogd) < 0)
+ rc = -1;
+ }
+
+ return rc;
+}
+
+static int
+virSecurityStackDomainRestoreChardevLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+ int rc = 0;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerRestoreChardevLabel(item->securityManager,
+ def, dev_source,
+ chardevStdioLogd) < 0)
+ rc = -1;
+ }
+
+ return rc;
+}
+
 virSecurityDriver virSecurityDriverStack = {
 .privateDataLen = sizeof(virSecurityStackData),
 .name = "stack",
@@ -778,4 +818,7 @@ virSecurityDriver virSecurityDriverStack = {
 .getBaseLabel = virSecurityStackGetBaseLabel,
 
 .domainSetPathLabel = virSecurityStackDomainSetPathLabel,
+
+ .domainSetSecurityChardevLabel = virSecurityStackDomainSetChardevLabel,
+ .domainRestoreSecurityChardevLabel = virSecurityStackDomainRestoreChardevLabel,
 };
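Review bot: `virSecurityStackDomainSetChardevLabel` keeps walking the stack after a nested manager fails and only records `rc = -1`, so on a partial failure the managers earlier in `priv->itemsHead` have already applied their labels and nothing in this function undoes them. That matches the visible `return rc;` tail of `virSecurityStackDomainSetPathLabel`, so it is the established stack semantics rather than a new defect, but it deserves a comment above the function because the caller is the one who has to invoke the Restore counterpart to roll back the managers that succeeded: `/* Every nested manager is attempted; one failure does not stop the rest. On -1 the caller must call the Restore counterpart to undo the managers that succeeded. */`. The Restore function below walks the list in the same forward order as Set, which is fine only if the nested drivers' labels are independent of each other; that appears to be the assumption elsewhere in this file but is not visible in the hunk. `priv` is dereferenced without a NULL check, presumably consistent with the rest of the file (not visible here).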