External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-22 19:32:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: Manage the security label for scsi host device

Browse Source 
To not introduce more redundant code, helpers are added for
both "selinux", "dac", and "apparmor" backends.

Signed-off-by: Han Cheng <hanc.fnst@cn.fujitsu.com>
Signed-off-by: Osier Yang <jyang@redhat>

v2.5 - v3:
  * Splitted from 8/10 of v2.5
  * Don't forget the other backends (DAC, and apparmor)
This commit is contained in:
Osier Yang 2013-05-04 02:07:28 +08:00
parent 6eb42e38e8
commit 2691cd5fe8
3 changed files with 156 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
src/security/security_apparmor.c
View File

@ -306,8 +306,7 @@ reload_profile(virSecurityManagerPtr mgr,
}
static int
AppArmorSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
AppArmorSetSecurityHostdevLabelHelper(const char *file, void *opaque)
{
struct SDPDOP *ptr = opaque;
virDomainDefPtr def = ptr->def;
@ -327,26 +326,25 @@ AppArmorSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
return 0;
}
static int
AppArmorSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
}
static int
AppArmorSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
struct SDPDOP *ptr = opaque;
virDomainDefPtr def = ptr->def;
return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
}
if (reload_profile(ptr->mgr, def, file, true) < 0) {
const virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(
def, SECURITY_APPARMOR_NAME);
if (!secdef) {
virReportOOMError();
return -1;
}
virReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile \'%s\'"),
secdef->imagelabel);
return -1;
}
return 0;
static int
AppArmorSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
}
/* Called on libvirtd startup to see if AppArmor is available */
@ -848,6 +846,23 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
break;
}
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
virSCSIDevicePtr scsi =
virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
dev->source.subsys.u.scsi.bus,
dev->source.subsys.u.scsi.target,
dev->source.subsys.u.scsi.unit,
dev->readonly);
if (!scsi)
goto done;
ret = virSCSIDeviceFileIterate(scsi, AppArmorSetSecuritySCSILabel, ptr);
virSCSIDeviceFree(scsi);
break;
}
default:
ret = 0;
break;

76
src/security/security_dac.c
View File

@ -30,6 +30,7 @@
#include "virlog.h"
#include "virpci.h"
#include "virusb.h"
#include "virscsi.h"
#include "virstoragefile.h"
#include "virstring.h"
@ -435,9 +436,8 @@ virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
static int
virSecurityDACSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file,
void *opaque)
virSecurityDACSetSecurityHostdevLabelHelper(const char *file,
void *opaque)
{
void **params = opaque;
virSecurityManagerPtr mgr = params[0];
@ -453,22 +453,30 @@ virSecurityDACSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
}
static int
virSecurityDACSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file,
void *opaque)
{
return virSecurityDACSetSecurityHostdevLabelHelper(file, opaque);
}
static int
virSecurityDACSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
const char *file,
void *opaque)
{
void **params = opaque;
virSecurityManagerPtr mgr = params[0];
virDomainDefPtr def = params[1];
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
uid_t user;
gid_t group;
return virSecurityDACSetSecurityHostdevLabelHelper(file, opaque);
}
if (virSecurityDACGetIds(def, priv, &user, &group))
return -1;
return virSecurityDACSetOwnership(file, user, group);
static int
virSecurityDACSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file,
void *opaque)
{
return virSecurityDACSetSecurityHostdevLabelHelper(file, opaque);
}
@ -536,6 +544,24 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
break;
}
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
virSCSIDevicePtr scsi =
virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
dev->source.subsys.u.scsi.bus,
dev->source.subsys.u.scsi.target,
dev->source.subsys.u.scsi.unit,
dev->readonly);
if (!scsi)
goto done;
ret = virSCSIDeviceFileIterate(scsi, virSecurityDACSetSecuritySCSILabel,
params);
virSCSIDeviceFree(scsi);
break;
}
default:
ret = 0;
break;
@ -564,6 +590,15 @@ virSecurityDACRestoreSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
}
static int
virSecurityDACRestoreSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file,
void *opaque ATTRIBUTE_UNUSED)
{
return virSecurityDACRestoreSecurityFileLabel(file);
}
static int
virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def ATTRIBUTE_UNUSED,
@ -626,6 +661,23 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
break;
}
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
virSCSIDevicePtr scsi =
virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
dev->source.subsys.u.scsi.bus,
dev->source.subsys.u.scsi.target,
dev->source.subsys.u.scsi.unit,
dev->readonly);
if (!scsi)
goto done;
ret = virSCSIDeviceFileIterate(scsi, virSecurityDACRestoreSecuritySCSILabel, mgr);
virSCSIDeviceFree(scsi);
break;
}
default:
ret = 0;
break;

72
src/security/security_selinux.c
View File

@ -38,6 +38,7 @@
#include "virlog.h"
#include "virpci.h"
#include "virusb.h"
#include "virscsi.h"
#include "virstoragefile.h"
#include "virfile.h"
#include "virhash.h"
@ -1277,10 +1278,8 @@ virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
&cbdata);
}
static int
virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
virSecuritySELinuxSetSecurityHostdevLabelHelper(const char *file, void *opaque)
{
virSecurityLabelDefPtr secdef;
virDomainDefPtr def = opaque;
@ -1291,20 +1290,26 @@ virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
}
static int
virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
}
static int
virSecuritySELinuxSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
virSecurityLabelDefPtr secdef;
virDomainDefPtr def = opaque;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL)
return -1;
return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
}
static int
virSecuritySELinuxSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
}
static int
virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
@ -1359,6 +1364,23 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
break;
}
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
virSCSIDevicePtr scsi =
virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
dev->source.subsys.u.scsi.bus,
dev->source.subsys.u.scsi.target,
dev->source.subsys.u.scsi.unit,
dev->readonly);
if (!scsi)
goto done;
ret = virSCSIDeviceFileIterate(scsi, virSecuritySELinuxSetSecuritySCSILabel, def);
virSCSIDeviceFree(scsi);
break;
}
default:
ret = 0;
break;
@ -1456,7 +1478,6 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
}
}
static int
virSecuritySELinuxRestoreSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file,
@ -1478,6 +1499,16 @@ virSecuritySELinuxRestoreSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
}
static int
virSecuritySELinuxRestoreSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
const char *file,
void *opaque)
{
virSecurityManagerPtr mgr = opaque;
return virSecuritySELinuxRestoreSecurityFileLabel(mgr, file);
}
static int
virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
virDomainHostdevDefPtr dev,
@ -1532,6 +1563,23 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
break;
}
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
virSCSIDevicePtr scsi =
virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
dev->source.subsys.u.scsi.bus,
dev->source.subsys.u.scsi.target,
dev->source.subsys.u.scsi.unit,
dev->readonly);
if (!scsi)
goto done;
ret = virSCSIDeviceFileIterate(scsi, virSecuritySELinuxRestoreSecuritySCSILabel, mgr);
virSCSIDeviceFree(scsi);
break;
}
default:
ret = 0;
break;