mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-12 07:42:56 +00:00
security: add MANAGER_MOUNT_NAMESPACE flag
The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver if mount namespaces are in use for the VM. Will be used for future changes. Wire it up in the qemu driver
This commit is contained in:
parent
239781e03a
commit
321031e482
@ -419,6 +419,8 @@ qemuSecurityInit(virQEMUDriverPtr driver)
|
|||||||
if (virQEMUDriverIsPrivileged(driver)) {
|
if (virQEMUDriverIsPrivileged(driver)) {
|
||||||
if (cfg->dynamicOwnership)
|
if (cfg->dynamicOwnership)
|
||||||
flags |= VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP;
|
flags |= VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP;
|
||||||
|
if (virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT))
|
||||||
|
flags |= VIR_SECURITY_MANAGER_MOUNT_NAMESPACE;
|
||||||
if (!(mgr = qemuSecurityNewDAC(QEMU_DRIVER_NAME,
|
if (!(mgr = qemuSecurityNewDAC(QEMU_DRIVER_NAME,
|
||||||
cfg->user,
|
cfg->user,
|
||||||
cfg->group,
|
cfg->group,
|
||||||
|
@ -57,6 +57,7 @@ struct _virSecurityDACData {
|
|||||||
gid_t *groups;
|
gid_t *groups;
|
||||||
int ngroups;
|
int ngroups;
|
||||||
bool dynamicOwnership;
|
bool dynamicOwnership;
|
||||||
|
bool mountNamespace;
|
||||||
char *baselabel;
|
char *baselabel;
|
||||||
virSecurityManagerDACChownCallback chownCallback;
|
virSecurityManagerDACChownCallback chownCallback;
|
||||||
};
|
};
|
||||||
@ -237,6 +238,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
|
|||||||
priv->dynamicOwnership = dynamicOwnership;
|
priv->dynamicOwnership = dynamicOwnership;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
|
||||||
|
bool mountNamespace)
|
||||||
|
{
|
||||||
|
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||||
|
priv->mountNamespace = mountNamespace;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
void
|
void
|
||||||
virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
|
virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
|
||||||
virSecurityManagerDACChownCallback chownCallback)
|
virSecurityManagerDACChownCallback chownCallback)
|
||||||
|
@ -32,6 +32,9 @@ int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
|
|||||||
void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
|
void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
|
||||||
bool dynamic);
|
bool dynamic);
|
||||||
|
|
||||||
|
void virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
|
||||||
|
bool mountNamespace);
|
||||||
|
|
||||||
void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
|
void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
|
||||||
virSecurityManagerDACChownCallback chownCallback);
|
virSecurityManagerDACChownCallback chownCallback);
|
||||||
|
|
||||||
|
@ -146,7 +146,8 @@ virSecurityManagerNewDAC(const char *virtDriver,
|
|||||||
virSecurityManagerPtr mgr;
|
virSecurityManagerPtr mgr;
|
||||||
|
|
||||||
virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK |
|
virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK |
|
||||||
VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP, NULL);
|
VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP |
|
||||||
|
VIR_SECURITY_MANAGER_MOUNT_NAMESPACE, NULL);
|
||||||
|
|
||||||
mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC,
|
mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC,
|
||||||
virtDriver,
|
virtDriver,
|
||||||
@ -161,6 +162,7 @@ virSecurityManagerNewDAC(const char *virtDriver,
|
|||||||
}
|
}
|
||||||
|
|
||||||
virSecurityDACSetDynamicOwnership(mgr, flags & VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP);
|
virSecurityDACSetDynamicOwnership(mgr, flags & VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP);
|
||||||
|
virSecurityDACSetMountNamespace(mgr, flags & VIR_SECURITY_MANAGER_MOUNT_NAMESPACE);
|
||||||
virSecurityDACSetChownCallback(mgr, chownCallback);
|
virSecurityDACSetChownCallback(mgr, chownCallback);
|
||||||
|
|
||||||
return mgr;
|
return mgr;
|
||||||
|
@ -36,6 +36,7 @@ typedef enum {
|
|||||||
VIR_SECURITY_MANAGER_REQUIRE_CONFINED = 1 << 2,
|
VIR_SECURITY_MANAGER_REQUIRE_CONFINED = 1 << 2,
|
||||||
VIR_SECURITY_MANAGER_PRIVILEGED = 1 << 3,
|
VIR_SECURITY_MANAGER_PRIVILEGED = 1 << 3,
|
||||||
VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP = 1 << 4,
|
VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP = 1 << 4,
|
||||||
|
VIR_SECURITY_MANAGER_MOUNT_NAMESPACE = 1 << 5,
|
||||||
} virSecurityManagerNewFlags;
|
} virSecurityManagerNewFlags;
|
||||||
|
|
||||||
# define VIR_SECURITY_MANAGER_NEW_MASK \
|
# define VIR_SECURITY_MANAGER_NEW_MASK \
|
||||||
|
Loading…
x
Reference in New Issue
Block a user