External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

security_selinux: Track if transaction is restore

Browse Source 
It is going to be important to know if the current transaction we
are running is a restore operation or set label operation so that
we know whether to call virSecurityGetRememberedLabel() or
virSecuritySetRememberedLabel(). That is, whether we are in a
restore and therefore have to fetch the remembered label, or we
are in set operation and therefore have to store the original
label.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
Michal Privoznik 2018-09-25 16:32:47 +02:00
parent d7420430ce
commit 1e9c472452
1 changed files with 25 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
src/security/security_selinux.c
View File

@ -81,6 +81,7 @@ struct _virSecuritySELinuxContextItem {
char *path; char *path;
char *tcon; char *tcon;
bool optional; bool optional;
bool restore;
}; };
typedef struct _virSecuritySELinuxContextList virSecuritySELinuxContextList; typedef struct _virSecuritySELinuxContextList virSecuritySELinuxContextList;
@ -119,7 +120,8 @@ static int
virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list, virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
const char *path, const char *path,
const char *tcon, const char *tcon,
bool optional) bool optional,
bool restore)
{ {
int ret = -1; int ret = -1;
virSecuritySELinuxContextItemPtr item = NULL; virSecuritySELinuxContextItemPtr item = NULL;
@ -131,6 +133,7 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
goto cleanup; goto cleanup;
item->optional = optional; item->optional = optional;
item->restore = restore;
if (VIR_APPEND_ELEMENT(list->items, list->nItems, item) < 0) if (VIR_APPEND_ELEMENT(list->items, list->nItems, item) < 0)
goto cleanup; goto cleanup;
@ -174,7 +177,8 @@ virSecuritySELinuxContextListFree(void *opaque)
static int static int
virSecuritySELinuxTransactionAppend(const char *path, virSecuritySELinuxTransactionAppend(const char *path,
const char *tcon, const char *tcon,
bool optional) bool optional,
bool restore)
{ {
virSecuritySELinuxContextListPtr list; virSecuritySELinuxContextListPtr list;
@ -182,7 +186,7 @@ virSecuritySELinuxTransactionAppend(const char *path,
if (!list) if (!list)
return 0; return 0;
if (virSecuritySELinuxContextListAppend(list, path, tcon, optional) < 0) if (virSecuritySELinuxContextListAppend(list, path, tcon, optional, restore) < 0)
return -1; return -1;
return 1; return 1;
@ -194,6 +198,11 @@ static int virSecuritySELinuxSetFileconHelper(const char *path,
bool optional, bool optional,
bool privileged); bool privileged);
static int virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
const char *path);
/** /**
* virSecuritySELinuxTransactionRun: * virSecuritySELinuxTransactionRun:
* @pid: process pid * @pid: process pid
@ -238,13 +247,18 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
virSecuritySELinuxContextItemPtr item = list->items[i]; virSecuritySELinuxContextItemPtr item = list->items[i];
/* TODO Implement rollback */ /* TODO Implement rollback */
if (virSecuritySELinuxSetFileconHelper(item->path, if (!item->restore) {
item->tcon, rv = virSecuritySELinuxSetFileconHelper(item->path,
item->optional, item->tcon,
privileged) < 0) { item->optional,
rv = -1; privileged);
break; } else {
rv = virSecuritySELinuxRestoreFileLabel(list->manager,
item->path);
} }
if (rv < 0)
break;
} }
if (list->lock) if (list->lock)
@ -1261,7 +1275,7 @@ virSecuritySELinuxSetFileconHelper(const char *path, const char *tcon,
{ {
int rc; int rc;
if ((rc = virSecuritySELinuxTransactionAppend(path, tcon, optional)) < 0) if ((rc = virSecuritySELinuxTransactionAppend(path, tcon, optional, false)) < 0)
return -1; return -1;
else if (rc > 0) else if (rc > 0)
return 0; return 0;
@ -1383,7 +1397,7 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
goto cleanup; goto cleanup;
} }
if ((rc = virSecuritySELinuxTransactionAppend(path, fcon, false)) < 0) if ((rc = virSecuritySELinuxTransactionAppend(path, fcon, false, true)) < 0)
return -1; return -1;
else if (rc > 0) else if (rc > 0)
return 0; return 0;