From 3e92938656953c0f33c811fa3846f81243c4059c Mon Sep 17 00:00:00 2001
From: Eric Blake
Date: Wed, 26 Mar 2014 14:09:46 -0600
Subject: [PATCH] conf: split security label structs to util/

In order to reuse the newly-created host-side disk struct in the virstoragefile backing chain code, I first have to move it to util/. This starts the process, by first moving the security label structures.

* src/conf/domain_conf.h (virDomainDefGenSecurityLabelDef) (virDomainDiskDefGenSecurityLabelDef, virSecurityLabelDefFree) (virSecurityDeviceLabelDefFree, virSecurityLabelDef) (virSecurityDeviceLabelDef): Move...
* src/util/virseclabel.h: ...to new file. (virSecurityLabelDefNew, virSecurityDeviceLabelDefNew): Rename the GenSecurity functions.
* src/qemu/qemu_process.c (qemuProcessAttach): Adjust callers.
* src/security/security_manager.c (virSecurityManagerGenLabel): Likewise.
* src/security/security_selinux.c (virSecuritySELinuxSetSecurityFileLabel): Likewise.
* src/util/virseclabel.c: New file.
* src/conf/domain_conf.c: Move security code, and fix fallout.
* src/Makefile.am (UTIL_SOURCES): Build new file.
* src/libvirt_private.syms (domain_conf.h): Move symbols... (virseclabel.h): ...to new section.

Signed-off-by: Eric Blake
---
 src/Makefile.am | 1 +
 src/conf/domain_conf.c | 51 --------------------------------
 src/conf/domain_conf.h | 43 +----------------------------------
 src/libvirt_private.syms | 11 +++--
 src/qemu/qemu_process.c | 2 +-
 src/security/security_manager.c | 2 +-
 src/security/security_selinux.c | 2 +-
 src/util/virseclabel.c | 82 +++++++++++++++++++++++++++++++++
 src/util/virseclabel.h | 67 +++++++++++++++++++++++++++
 9 files changed, 161 insertions(+), 100 deletions(-)
 create mode 100644 src/util/virseclabel.c
 create mode 100644 src/util/virseclabel.h

diff --git a/src/Makefile.am b/src/Makefile.am
index 55427eda0b..54206e4131 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -142,6 +142,7 @@ UTIL_SOURCES = \ util/virprocess.c util/virprocess.h \ util/virrandom.h util/virrandom.c \ util/virscsi.c util/virscsi.h \ + util/virseclabel.c util/virseclabel.h \ util/virsexpr.c util/virsexpr.h \ util/virsocketaddr.h util/virsocketaddr.c \ util/virstatslinux.c util/virstatslinux.h \ diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 6fb216e782..66eeaa972c 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -1149,29 +1149,6 @@ virDomainGraphicsListenDefClear(virDomainGraphicsListenDefPtr def) return; } -void -virSecurityLabelDefFree(virSecurityLabelDefPtr def) -{ - if (!def) - return; - VIR_FREE(def->model); - VIR_FREE(def->label); - VIR_FREE(def->imagelabel); - VIR_FREE(def->baselabel); - VIR_FREE(def); -} - - -void -virSecurityDeviceLabelDefFree(virSecurityDeviceLabelDefPtr def) -{ - if (!def) - return; - VIR_FREE(def->model); - VIR_FREE(def->label); - VIR_FREE(def); -} - void virDomainGraphicsDefFree(virDomainGraphicsDefPtr def) { @@ -19422,34 +19399,6 @@ virDomainChrDefGetSecurityLabelDef(virDomainChrDefPtr def, const char *model) return NULL; } -virSecurityLabelDefPtr -virDomainDefGenSecurityLabelDef(const char *model) -{ - virSecurityLabelDefPtr seclabel = NULL; - - if (VIR_ALLOC(seclabel) < 0 || - VIR_STRDUP(seclabel->model, model) < 0) { - virSecurityLabelDefFree(seclabel); - seclabel = NULL; - } - - return seclabel; -} - -virSecurityDeviceLabelDefPtr -virDomainDiskDefGenSecurityLabelDef(const char *model) -{ - virSecurityDeviceLabelDefPtr seclabel = NULL; - - if (VIR_ALLOC(seclabel) < 0 || - VIR_STRDUP(seclabel->model, model) < 0) { - virSecurityDeviceLabelDefFree(seclabel); - seclabel = NULL; - } - - return seclabel; -} - typedef struct { const char *devAlias; diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index f3f24c4777..a249208326 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h 
@@ -47,6 +47,7 @@ # include "virbitmap.h" # include "virstoragefile.h" # include "virnuma.h" +# include "virseclabel.h" /* forward declarations of all device types, required by * virDomainDeviceDef @@ -328,39 +329,6 @@ struct _virDomainDeviceInfo { int bootIndex; }; -enum virDomainSeclabelType { - VIR_DOMAIN_SECLABEL_DEFAULT, - VIR_DOMAIN_SECLABEL_NONE, - VIR_DOMAIN_SECLABEL_DYNAMIC, - VIR_DOMAIN_SECLABEL_STATIC, - - VIR_DOMAIN_SECLABEL_LAST -}; - -/* Security configuration for domain */ -typedef struct _virSecurityLabelDef virSecurityLabelDef; -typedef virSecurityLabelDef *virSecurityLabelDefPtr; -struct _virSecurityLabelDef { - char *model; /* name of security model */ - char *label; /* security label string */ - char *imagelabel; /* security image label string */ - char *baselabel; /* base name of label string */ - int type; /* virDomainSeclabelType */ - bool norelabel; - bool implicit; /* true if seclabel is auto-added */ -}; - - -/* Security configuration for domain */ -typedef struct _virSecurityDeviceLabelDef virSecurityDeviceLabelDef; -typedef virSecurityDeviceLabelDef *virSecurityDeviceLabelDefPtr; -struct _virSecurityDeviceLabelDef { - char *model; - char *label; /* image label string */ - bool norelabel; /* true to skip label attempts */ - bool labelskip; /* live-only; true if skipping failed label attempt */ -}; - typedef struct _virDomainHostdevOrigStates virDomainHostdevOrigStates; typedef virDomainHostdevOrigStates *virDomainHostdevOrigStatesPtr; 
@@ -2674,15 +2642,6 @@ virDomainDiskDefGetSecurityLabelDef(virDomainDiskDefPtr def, const char *model); virSecurityDeviceLabelDefPtr virDomainChrDefGetSecurityLabelDef(virDomainChrDefPtr def, const char *model); -virSecurityLabelDefPtr -virDomainDefGenSecurityLabelDef(const char *model); - -virSecurityDeviceLabelDefPtr -virDomainDiskDefGenSecurityLabelDef(const char *model); - -void virSecurityLabelDefFree(virSecurityLabelDefPtr def); -void virSecurityDeviceLabelDefFree(virSecurityDeviceLabelDefPtr def); - typedef const char* (*virEventActionToStringFunc)(int type); typedef int (*virEventActionFromStringFunc)(const char *type); diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 38fbf63da8..12d47e16a3 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -161,7 +161,6 @@ virDomainDefFindDevice; virDomainDefFormat; virDomainDefFormatInternal; virDomainDefFree; -virDomainDefGenSecurityLabelDef; virDomainDefGetDefaultEmulator; virDomainDefGetSecurityLabelDef; virDomainDefMaybeAddController; @@ -191,7 +190,6 @@ virDomainDiskCopyOnReadTypeToString; virDomainDiskDefAssignAddress; virDomainDiskDefForeachPath; virDomainDiskDefFree; -virDomainDiskDefGenSecurityLabelDef; virDomainDiskDefGetSecurityLabelDef; virDomainDiskDeviceTypeToString; virDomainDiskDiscardTypeToString; @@ -425,8 +423,6 @@ virDomainWatchdogModelTypeFromString; virDomainWatchdogModelTypeToString; virDomainXMLOptionGetNamespace; virDomainXMLOptionNew; -virSecurityDeviceLabelDefFree; -virSecurityLabelDefFree; # conf/domain_event.h @@ -1778,6 +1774,13 @@ virSCSIDeviceNew; virSCSIDeviceSetUsedBy; +# util/virseclabel.h +virSecurityDeviceLabelDefFree; +virSecurityDeviceLabelDefNew; +virSecurityLabelDefFree; +virSecurityLabelDefNew; + + # util/virsexpr.h sexpr2string; sexpr_append; diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 583ff76be7..ca9e15cb03 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c 
@@ -4582,7 +4582,7 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED,
 model = virSecurityManagerGetModel(sec_managers[i]);
 seclabeldef = virDomainDefGetSecurityLabelDef(vm->def, model);
 if (seclabeldef == NULL) {
- if (!(seclabeldef = virDomainDefGenSecurityLabelDef(model)))
+ if (!(seclabeldef = virSecurityLabelDefNew(model)))
 goto error;
 seclabelgen = true;
 }
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index a308dfcbc3..d68c7e949e 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -485,7 +485,7 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
 generated = false;
 seclabel = virDomainDefGetSecurityLabelDef(vm, sec_managers[i]->drv->name);
 if (!seclabel) {
- if (!(seclabel = virDomainDefGenSecurityLabelDef(sec_managers[i]->drv->name)))
+ if (!(seclabel = virSecurityLabelDefNew(sec_managers[i]->drv->name)))
 goto cleanup;
 generated = seclabel->implicit = true;
 }
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index f9d112286a..b55ae386e0 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1233,7 +1233,7 @@ virSecuritySELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
 if (ret == 1 && !disk_seclabel) {
 /* If we failed to set a label, but virt_use_nfs let us
 * proceed anyway, then we don't need to relabel later. */
- disk_seclabel = virDomainDiskDefGenSecurityLabelDef(SECURITY_SELINUX_NAME);
+ disk_seclabel = virSecurityDeviceLabelDefNew(SECURITY_SELINUX_NAME);
 if (!disk_seclabel)
 return -1;
 disk_seclabel->labelskip = true;
diff --git a/src/util/virseclabel.c b/src/util/virseclabel.c
new file mode 100644
index 0000000000..5a4d78e3da
--- /dev/null
+++ b/src/util/virseclabel.c
@@ -0,0 +1,82 @@
+/*
+ * virseclabel.c: security label utility functions
+ *
+ * Copyright (C) 2006-2014 Red Hat, Inc.
+ * Copyright (C) 2006-2008 Daniel P. Berrange
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * .
+ */
+
+#include
+
+#include "internal.h"
+#include "viralloc.h"
+#include "virseclabel.h"
+#include "virstring.h"
+
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+
+void
+virSecurityLabelDefFree(virSecurityLabelDefPtr def)
+{
+ if (!def)
+ return;
+ VIR_FREE(def->model);
+ VIR_FREE(def->label);
+ VIR_FREE(def->imagelabel);
+ VIR_FREE(def->baselabel);
+ VIR_FREE(def);
+}
+
+
+void
+virSecurityDeviceLabelDefFree(virSecurityDeviceLabelDefPtr def)
+{
+ if (!def)
+ return;
+ VIR_FREE(def->model);
+ VIR_FREE(def->label);
+ VIR_FREE(def);
+}
+
+
+virSecurityLabelDefPtr
+virSecurityLabelDefNew(const char *model)
+{
+ virSecurityLabelDefPtr seclabel = NULL;
+
+ if (VIR_ALLOC(seclabel) < 0 ||
+ VIR_STRDUP(seclabel->model, model) < 0) {
+ virSecurityLabelDefFree(seclabel);
+ seclabel = NULL;
+ }
+
+ return seclabel;
+}
+
+virSecurityDeviceLabelDefPtr
+virSecurityDeviceLabelDefNew(const char *model)
+{
+ virSecurityDeviceLabelDefPtr seclabel = NULL;
+
+ if (VIR_ALLOC(seclabel) < 0 ||
+ VIR_STRDUP(seclabel->model, model) < 0) {
+ virSecurityDeviceLabelDefFree(seclabel);
+ seclabel = NULL;
+ }
+
+ return seclabel;
+}
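Review bot: None of the four exported functions in the new virseclabel.c carries a doc comment, so a caller has to read the bodies to learn that `virSecurityLabelDefNew` and `virSecurityDeviceLabelDefNew` return NULL on allocation failure (the partially built object is released first) and that both `*Free` functions accept NULL. A one-line header on each would do, e.g. above `virSecurityLabelDefNew`: `/* Allocate a label definition for security model @model, owned by the caller and released with virSecurityLabelDefFree(); returns NULL on OOM. */`, and above the free helpers `/* NULL-safe; releases the strings owned by @def and then @def itself. */`. A fresh definition presumably comes back zero-filled by VIR_ALLOC, i.e. `type` == VIR_DOMAIN_SECLABEL_DEFAULT and `norelabel`/`implicit` false, which matters because security_manager.c sets `implicit` itself after the call; if that is the intended contract it is worth stating in the same comment. Style: the file separates functions with two blank lines except before `virSecurityDeviceLabelDefNew`, which has one.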
diff --git a/src/util/virseclabel.h b/src/util/virseclabel.h
new file mode 100644
index 0000000000..41b90bc517
--- /dev/null
+++ b/src/util/virseclabel.h
@@ -0,0 +1,67 @@
+/*
+ * virseclabel.h: security label utility functions
+ *
+ * Copyright (C) 2006-2014 Red Hat, Inc.
+ * Copyright (C) 2006-2008 Daniel P. Berrange
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * .
+ */
+
+#ifndef __SECLABEL_H
+# define __SECLABEL_H
+
+enum virDomainSeclabelType {
+ VIR_DOMAIN_SECLABEL_DEFAULT,
+ VIR_DOMAIN_SECLABEL_NONE,
+ VIR_DOMAIN_SECLABEL_DYNAMIC,
+ VIR_DOMAIN_SECLABEL_STATIC,
+
+ VIR_DOMAIN_SECLABEL_LAST
+};
+
+/* Security configuration for domain */
+typedef struct _virSecurityLabelDef virSecurityLabelDef;
+typedef virSecurityLabelDef *virSecurityLabelDefPtr;
+struct _virSecurityLabelDef {
+ char *model; /* name of security model */
+ char *label; /* security label string */
+ char *imagelabel; /* security image label string */
+ char *baselabel; /* base name of label string */
+ int type; /* virDomainSeclabelType */
+ bool norelabel;
+ bool implicit; /* true if seclabel is auto-added */
+};
+
+
+/* Security configuration for domain */
+typedef struct _virSecurityDeviceLabelDef virSecurityDeviceLabelDef;
+typedef virSecurityDeviceLabelDef *virSecurityDeviceLabelDefPtr;
+struct _virSecurityDeviceLabelDef {
+ char *model;
+ char *label; /* image label string */
+ bool norelabel; /* true to skip label attempts */
+ bool labelskip; /* live-only; true if skipping failed label attempt */
+};
+
+virSecurityLabelDefPtr
+virSecurityLabelDefNew(const char *model);
+
+virSecurityDeviceLabelDefPtr
+virSecurityDeviceLabelDefNew(const char *model);
+
+void virSecurityLabelDefFree(virSecurityLabelDefPtr def);
+void virSecurityDeviceLabelDefFree(virSecurityDeviceLabelDefPtr def);
+
+#endif /* __SECLABEL_H */
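Review bot: The new header is not self-contained: `struct _virSecurityLabelDef` and `struct _virSecurityDeviceLabelDef` use `bool`, yet nothing is included after the guard, so the file only compiles because domain_conf.h and virseclabel.c include `internal.h` (which, as far as I recall, pulls in <stdbool.h>) before it. Adding `# include "internal.h"` right after `# define __SECLABEL_H` removes that ordering dependency for the next user of the header. The guard name `__SECLABEL_H` also looks out of line with the sibling util headers, which appear to carry a `VIR_` prefix; `__VIR_SECLABEL_H__` would match them (the leading double underscore is a reserved-identifier form, but that is the project-wide convention rather than something to fix here). The moved declarations say nothing about ownership or the failure mode; a comment such as `/* Allocate a definition for security model @model; caller owns it and frees it with virSecurityLabelDefFree(). Returns NULL on OOM. */` above `virSecurityLabelDefNew`, and a matching one above `virSecurityDeviceLabelDefNew`, would close that gap.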