security: Manage the security label for scsi host device

To not introduce more redundant code, helpers are added for
both "selinux", "dac", and "apparmor" backends.

Signed-off-by: Han Cheng <hanc.fnst@cn.fujitsu.com>
Signed-off-by: Osier Yang <jyang@redhat>

v2.5 - v3:
  * Splitted from 8/10 of v2.5
  * Don't forget the other backends (DAC, and apparmor)

src/security/security_apparmor.c

@@ -306,8 +306,7 @@ reload_profile(virSecurityManagerPtr mgr,
 }
 
 static int
-AppArmorSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
+AppArmorSetSecurityHostdevLabelHelper(const char *file, void *opaque)
-                           const char *file, void *opaque)
 {
     struct SDPDOP *ptr = opaque;
     virDomainDefPtr def = ptr->def;
@@ -327,26 +326,25 @@ AppArmorSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
     return 0;
 }
 
+static int
+AppArmorSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
+                            const char *file, void *opaque)
+{
+    return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
+}
+
 static int
 AppArmorSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
                             const char *file, void *opaque)
 {
-    struct SDPDOP *ptr = opaque;
+    return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
-    virDomainDefPtr def = ptr->def;
+}
 
-    if (reload_profile(ptr->mgr, def, file, true) < 0) {
+static int
-        const virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(
+AppArmorSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
-                                                def, SECURITY_APPARMOR_NAME);
+                             const char *file, void *opaque)
-        if (!secdef) {
+{
-            virReportOOMError();
+    return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
-            return -1;
-        }
-        virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("cannot update AppArmor profile \'%s\'"),
-                       secdef->imagelabel);
-        return -1;
-    }
-    return 0;
 }
 
 /* Called on libvirtd startup to see if AppArmor is available */
@@ -848,6 +846,23 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
         break;
     }
 
+    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+        virSCSIDevicePtr scsi =
+            virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+                             dev->source.subsys.u.scsi.bus,
+                             dev->source.subsys.u.scsi.target,
+                             dev->source.subsys.u.scsi.unit,
+                             dev->readonly);
+
+         if (!scsi)
+             goto done;
+
+        ret = virSCSIDeviceFileIterate(scsi, AppArmorSetSecuritySCSILabel, ptr);
+        virSCSIDeviceFree(scsi);
+
+        break;
+    }
+
     default:
         ret = 0;
         break;

src/security/security_dac.c

@@ -30,6 +30,7 @@
 #include "virlog.h"
 #include "virpci.h"
 #include "virusb.h"
+#include "virscsi.h"
 #include "virstoragefile.h"
 #include "virstring.h"
 
@@ -435,9 +436,8 @@ virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
 
 
 static int
-virSecurityDACSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
+virSecurityDACSetSecurityHostdevLabelHelper(const char *file,
-                                  const char *file,
+                                            void *opaque)
-                                  void *opaque)
 {
     void **params = opaque;
     virSecurityManagerPtr mgr = params[0];
@@ -453,22 +453,30 @@ virSecurityDACSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
 }
 
 
+static int
+virSecurityDACSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
+                                  const char *file,
+                                  void *opaque)
+{
+    return virSecurityDACSetSecurityHostdevLabelHelper(file, opaque);
+}
+
+
 static int
 virSecurityDACSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
                                   const char *file,
                                   void *opaque)
 {
-    void **params = opaque;
+    return virSecurityDACSetSecurityHostdevLabelHelper(file, opaque);
-    virSecurityManagerPtr mgr = params[0];
+}
-    virDomainDefPtr def = params[1];
-    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
-    uid_t user;
-    gid_t group;
 
-    if (virSecurityDACGetIds(def, priv, &user, &group))
-        return -1;
 
-    return virSecurityDACSetOwnership(file, user, group);
+static int
+virSecurityDACSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+                                   const char *file,
+                                   void *opaque)
+{
+    return virSecurityDACSetSecurityHostdevLabelHelper(file, opaque);
 }
 
 
@@ -536,6 +544,24 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
         break;
     }
 
+    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+        virSCSIDevicePtr scsi =
+            virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+                             dev->source.subsys.u.scsi.bus,
+                             dev->source.subsys.u.scsi.target,
+                             dev->source.subsys.u.scsi.unit,
+                             dev->readonly);
+
+        if (!scsi)
+            goto done;
+
+        ret = virSCSIDeviceFileIterate(scsi, virSecurityDACSetSecuritySCSILabel,
+                                       params);
+        virSCSIDeviceFree(scsi);
+
+        break;
+    }
+
     default:
         ret = 0;
         break;
@@ -564,6 +590,15 @@ virSecurityDACRestoreSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
 }
 
 
+static int
+virSecurityDACRestoreSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+                                       const char *file,
+                                       void *opaque ATTRIBUTE_UNUSED)
+{
+    return virSecurityDACRestoreSecurityFileLabel(file);
+}
+
+
 static int
 virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
                                           virDomainDefPtr def ATTRIBUTE_UNUSED,
@@ -626,6 +661,23 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
         break;
     }
 
+    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+        virSCSIDevicePtr scsi =
+            virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+                             dev->source.subsys.u.scsi.bus,
+                             dev->source.subsys.u.scsi.target,
+                             dev->source.subsys.u.scsi.unit,
+                             dev->readonly);
+
+        if (!scsi)
+            goto done;
+
+        ret = virSCSIDeviceFileIterate(scsi, virSecurityDACRestoreSecuritySCSILabel, mgr);
+        virSCSIDeviceFree(scsi);
+
+        break;
+    }
+
     default:
         ret = 0;
         break;

src/security/security_selinux.c

@@ -38,6 +38,7 @@
 #include "virlog.h"
 #include "virpci.h"
 #include "virusb.h"
+#include "virscsi.h"
 #include "virstoragefile.h"
 #include "virfile.h"
 #include "virhash.h"
@@ -1277,10 +1278,8 @@ virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
                                        &cbdata);
 }
 
-
 static int
-virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
+virSecuritySELinuxSetSecurityHostdevLabelHelper(const char *file, void *opaque)
-                                      const char *file, void *opaque)
 {
     virSecurityLabelDefPtr secdef;
     virDomainDefPtr def = opaque;
@@ -1291,20 +1290,26 @@ virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
     return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
 }
 
+static int
+virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
+                                      const char *file, void *opaque)
+{
+    return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
+}
+
 static int
 virSecuritySELinuxSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
                                       const char *file, void *opaque)
 {
-    virSecurityLabelDefPtr secdef;
+    return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
-    virDomainDefPtr def = opaque;
-
-    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (secdef == NULL)
-        return -1;
-
-    return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
 }
 
+static int
+virSecuritySELinuxSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+                                       const char *file, void *opaque)
+{
+    return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
+}
 
 static int
 virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
@@ -1359,6 +1364,23 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
         break;
     }
 
+    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+        virSCSIDevicePtr scsi =
+            virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+                             dev->source.subsys.u.scsi.bus,
+                             dev->source.subsys.u.scsi.target,
+                             dev->source.subsys.u.scsi.unit,
+                             dev->readonly);
+
+        if (!scsi)
+            goto done;
+
+        ret = virSCSIDeviceFileIterate(scsi, virSecuritySELinuxSetSecuritySCSILabel, def);
+        virSCSIDeviceFree(scsi);
+
+        break;
+    }
+
     default:
         ret = 0;
         break;
@@ -1456,7 +1478,6 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
     }
 }
 
-
 static int
 virSecuritySELinuxRestoreSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
                                           const char *file,
@@ -1478,6 +1499,16 @@ virSecuritySELinuxRestoreSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
 }
 
 
+static int
+virSecuritySELinuxRestoreSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+                                           const char *file,
+                                           void *opaque)
+{
+    virSecurityManagerPtr mgr = opaque;
+
+    return virSecuritySELinuxRestoreSecurityFileLabel(mgr, file);
+}
+
 static int
 virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
                                                     virDomainHostdevDefPtr dev,
@@ -1532,6 +1563,23 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
         break;
     }
 
+    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+        virSCSIDevicePtr scsi =
+            virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+                             dev->source.subsys.u.scsi.bus,
+                             dev->source.subsys.u.scsi.target,
+                             dev->source.subsys.u.scsi.unit,
+                             dev->readonly);
+
+            if (!scsi)
+                goto done;
+
+            ret = virSCSIDeviceFileIterate(scsi, virSecuritySELinuxRestoreSecuritySCSILabel, mgr);
+            virSCSIDeviceFree(scsi);
+
+            break;
+       }
+
     default:
         ret = 0;
         break;