mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-07-11 04:15:49 +00:00
security: Remove security driver internals for disk labeling
Security labeling of disks consists of labeling of the disk image itself and it's backing chain. Modify virSecurityManager[Set|Restore]ImageLabel to take a boolean flag that will label the full chain rather than the top image itself. This allows to delete/unify some parts of the code and will also simplify callers in some cases. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
This commit is contained in:
parent
e7d14bf965
commit
43479005ee
1
cfg.mk
1
cfg.mk
@ -309,6 +309,7 @@ sc_flags_usage:
|
|||||||
{ echo '$(ME): new API should use "unsigned int flags"' 1>&2; \
|
{ echo '$(ME): new API should use "unsigned int flags"' 1>&2; \
|
||||||
exit 1; } || :
|
exit 1; } || :
|
||||||
@prohibit=' flags ATTRIBUTE_UNUSED' \
|
@prohibit=' flags ATTRIBUTE_UNUSED' \
|
||||||
|
exclude='virSecurityDomainImageLabelFlags' \
|
||||||
halt='flags should be checked with virCheckFlags' \
|
halt='flags should be checked with virCheckFlags' \
|
||||||
$(_sc_search_regexp)
|
$(_sc_search_regexp)
|
||||||
@prohibit='^[^@]*([^d] (int|long long)|[^dg] long) flags[;,)]' \
|
@prohibit='^[^@]*([^d] (int|long long)|[^dg] long) flags[;,)]' \
|
||||||
|
@ -170,8 +170,7 @@ qemuSecuritySetImageLabel(virQEMUDriverPtr driver,
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (virSecurityManagerSetImageLabel(driver->securityManager,
|
if (virSecurityManagerSetImageLabel(driver->securityManager,
|
||||||
vm->def,
|
vm->def, src, 0) < 0)
|
||||||
src) < 0)
|
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (virSecurityManagerTransactionCommit(driver->securityManager,
|
if (virSecurityManagerTransactionCommit(driver->securityManager,
|
||||||
@ -201,8 +200,7 @@ qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver,
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
|
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
|
||||||
vm->def,
|
vm->def, src, 0) < 0)
|
||||||
src) < 0)
|
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (virSecurityManagerTransactionCommit(driver->securityManager,
|
if (virSecurityManagerTransactionCommit(driver->securityManager,
|
||||||
|
@ -691,7 +691,8 @@ AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|||||||
static int
|
static int
|
||||||
AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
|
AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virStorageSourcePtr src)
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
if (!virStorageSourceIsLocalStorage(src))
|
if (!virStorageSourceIsLocalStorage(src))
|
||||||
return 0;
|
return 0;
|
||||||
@ -699,13 +700,6 @@ AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
|
|||||||
return reload_profile(mgr, def, NULL, false);
|
return reload_profile(mgr, def, NULL, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
|
||||||
AppArmorRestoreSecurityDiskLabel(virSecurityManagerPtr mgr,
|
|
||||||
virDomainDefPtr def,
|
|
||||||
virDomainDiskDefPtr disk)
|
|
||||||
{
|
|
||||||
return AppArmorRestoreSecurityImageLabel(mgr, def, disk->src);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Called when hotplugging */
|
/* Called when hotplugging */
|
||||||
static int
|
static int
|
||||||
@ -799,7 +793,8 @@ AppArmorRestoreInputLabel(virSecurityManagerPtr mgr,
|
|||||||
static int
|
static int
|
||||||
AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
|
AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virStorageSourcePtr src)
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
int rc = -1;
|
int rc = -1;
|
||||||
char *profile_name = NULL;
|
char *profile_name = NULL;
|
||||||
@ -844,14 +839,6 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
|
|||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
|
||||||
AppArmorSetSecurityDiskLabel(virSecurityManagerPtr mgr,
|
|
||||||
virDomainDefPtr def,
|
|
||||||
virDomainDiskDefPtr disk)
|
|
||||||
{
|
|
||||||
return AppArmorSetSecurityImageLabel(mgr, def, disk->src);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||||
virDomainDefPtr def)
|
virDomainDefPtr def)
|
||||||
@ -1188,9 +1175,6 @@ virSecurityDriver virAppArmorSecurityDriver = {
|
|||||||
|
|
||||||
.domainSecurityVerify = AppArmorSecurityVerify,
|
.domainSecurityVerify = AppArmorSecurityVerify,
|
||||||
|
|
||||||
.domainSetSecurityDiskLabel = AppArmorSetSecurityDiskLabel,
|
|
||||||
.domainRestoreSecurityDiskLabel = AppArmorRestoreSecurityDiskLabel,
|
|
||||||
|
|
||||||
.domainSetSecurityImageLabel = AppArmorSetSecurityImageLabel,
|
.domainSetSecurityImageLabel = AppArmorSetSecurityImageLabel,
|
||||||
.domainRestoreSecurityImageLabel = AppArmorRestoreSecurityImageLabel,
|
.domainRestoreSecurityImageLabel = AppArmorRestoreSecurityImageLabel,
|
||||||
|
|
||||||
|
@ -897,22 +897,17 @@ virSecurityDACSetImageLabelInternal(virSecurityManagerPtr mgr,
|
|||||||
static int
|
static int
|
||||||
virSecurityDACSetImageLabel(virSecurityManagerPtr mgr,
|
virSecurityDACSetImageLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virStorageSourcePtr src)
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags)
|
||||||
{
|
{
|
||||||
return virSecurityDACSetImageLabelInternal(mgr, def, src, NULL);
|
virStorageSourcePtr n;
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
|
||||||
virSecurityDACSetDiskLabel(virSecurityManagerPtr mgr,
|
if (virSecurityDACSetImageLabelInternal(mgr, def, n, src) < 0)
|
||||||
virDomainDefPtr def,
|
|
||||||
virDomainDiskDefPtr disk)
|
|
||||||
|
|
||||||
{
|
|
||||||
virStorageSourcePtr next;
|
|
||||||
|
|
||||||
for (next = disk->src; virStorageSourceIsBacking(next); next = next->backingStore) {
|
|
||||||
if (virSecurityDACSetImageLabelInternal(mgr, def, next, disk->src) < 0)
|
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
@ -969,21 +964,13 @@ virSecurityDACRestoreImageLabelInt(virSecurityManagerPtr mgr,
|
|||||||
static int
|
static int
|
||||||
virSecurityDACRestoreImageLabel(virSecurityManagerPtr mgr,
|
virSecurityDACRestoreImageLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virStorageSourcePtr src)
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
return virSecurityDACRestoreImageLabelInt(mgr, def, src, false);
|
return virSecurityDACRestoreImageLabelInt(mgr, def, src, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static int
|
|
||||||
virSecurityDACRestoreDiskLabel(virSecurityManagerPtr mgr,
|
|
||||||
virDomainDefPtr def,
|
|
||||||
virDomainDiskDefPtr disk)
|
|
||||||
{
|
|
||||||
return virSecurityDACRestoreImageLabelInt(mgr, def, disk->src, false);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecurityDACSetHostdevLabelHelper(const char *file,
|
virSecurityDACSetHostdevLabelHelper(const char *file,
|
||||||
void *opaque)
|
void *opaque)
|
||||||
@ -1853,9 +1840,8 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
|
|||||||
/* XXX fixme - we need to recursively label the entire tree :-( */
|
/* XXX fixme - we need to recursively label the entire tree :-( */
|
||||||
if (virDomainDiskGetType(def->disks[i]) == VIR_STORAGE_TYPE_DIR)
|
if (virDomainDiskGetType(def->disks[i]) == VIR_STORAGE_TYPE_DIR)
|
||||||
continue;
|
continue;
|
||||||
if (virSecurityDACSetDiskLabel(mgr,
|
if (virSecurityDACSetImageLabel(mgr, def, def->disks[i]->src,
|
||||||
def,
|
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN) < 0)
|
||||||
def->disks[i]) < 0)
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2295,9 +2281,6 @@ virSecurityDriver virSecurityDriverDAC = {
|
|||||||
|
|
||||||
.domainSecurityVerify = virSecurityDACVerify,
|
.domainSecurityVerify = virSecurityDACVerify,
|
||||||
|
|
||||||
.domainSetSecurityDiskLabel = virSecurityDACSetDiskLabel,
|
|
||||||
.domainRestoreSecurityDiskLabel = virSecurityDACRestoreDiskLabel,
|
|
||||||
|
|
||||||
.domainSetSecurityImageLabel = virSecurityDACSetImageLabel,
|
.domainSetSecurityImageLabel = virSecurityDACSetImageLabel,
|
||||||
.domainRestoreSecurityImageLabel = virSecurityDACRestoreImageLabel,
|
.domainRestoreSecurityImageLabel = virSecurityDACRestoreImageLabel,
|
||||||
|
|
||||||
|
@ -54,18 +54,12 @@ typedef int (*virSecurityDriverTransactionCommit) (virSecurityManagerPtr mgr,
|
|||||||
bool lock);
|
bool lock);
|
||||||
typedef void (*virSecurityDriverTransactionAbort) (virSecurityManagerPtr mgr);
|
typedef void (*virSecurityDriverTransactionAbort) (virSecurityManagerPtr mgr);
|
||||||
|
|
||||||
typedef int (*virSecurityDomainRestoreDiskLabel) (virSecurityManagerPtr mgr,
|
|
||||||
virDomainDefPtr def,
|
|
||||||
virDomainDiskDefPtr disk);
|
|
||||||
typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm);
|
virDomainDefPtr vm);
|
||||||
typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def);
|
virDomainDefPtr def);
|
||||||
typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def);
|
virDomainDefPtr def);
|
||||||
typedef int (*virSecurityDomainSetDiskLabel) (virSecurityManagerPtr mgr,
|
|
||||||
virDomainDefPtr def,
|
|
||||||
virDomainDiskDefPtr disk);
|
|
||||||
typedef int (*virSecurityDomainRestoreHostdevLabel) (virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainRestoreHostdevLabel) (virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virDomainHostdevDefPtr dev,
|
virDomainHostdevDefPtr dev,
|
||||||
@ -117,12 +111,15 @@ typedef char *(*virSecurityDomainGetMountOptions) (virSecurityManagerPtr mgr,
|
|||||||
typedef int (*virSecurityDomainSetHugepages) (virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainSetHugepages) (virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
const char *path);
|
const char *path);
|
||||||
|
|
||||||
typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virStorageSourcePtr src);
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags);
|
||||||
typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virStorageSourcePtr src);
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags);
|
||||||
typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virDomainMemoryDefPtr mem);
|
virDomainMemoryDefPtr mem);
|
||||||
@ -171,9 +168,6 @@ struct _virSecurityDriver {
|
|||||||
|
|
||||||
virSecurityDomainSecurityVerify domainSecurityVerify;
|
virSecurityDomainSecurityVerify domainSecurityVerify;
|
||||||
|
|
||||||
virSecurityDomainSetDiskLabel domainSetSecurityDiskLabel;
|
|
||||||
virSecurityDomainRestoreDiskLabel domainRestoreSecurityDiskLabel;
|
|
||||||
|
|
||||||
virSecurityDomainSetImageLabel domainSetSecurityImageLabel;
|
virSecurityDomainSetImageLabel domainSetSecurityImageLabel;
|
||||||
virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
|
virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
|
||||||
|
|
||||||
|
@ -418,10 +418,11 @@ virSecurityManagerRestoreDiskLabel(virSecurityManagerPtr mgr,
|
|||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
virDomainDiskDefPtr disk)
|
virDomainDiskDefPtr disk)
|
||||||
{
|
{
|
||||||
if (mgr->drv->domainRestoreSecurityDiskLabel) {
|
if (mgr->drv->domainRestoreSecurityImageLabel) {
|
||||||
int ret;
|
int ret;
|
||||||
virObjectLock(mgr);
|
virObjectLock(mgr);
|
||||||
ret = mgr->drv->domainRestoreSecurityDiskLabel(mgr, vm, disk);
|
ret = mgr->drv->domainRestoreSecurityImageLabel(mgr, vm, disk->src,
|
||||||
|
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN);
|
||||||
virObjectUnlock(mgr);
|
virObjectUnlock(mgr);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@ -436,20 +437,22 @@ virSecurityManagerRestoreDiskLabel(virSecurityManagerPtr mgr,
|
|||||||
* @mgr: security manager object
|
* @mgr: security manager object
|
||||||
* @vm: domain definition object
|
* @vm: domain definition object
|
||||||
* @src: disk source definition to operate on
|
* @src: disk source definition to operate on
|
||||||
|
* @flags: bitwise or of 'virSecurityDomainImageLabelFlags'
|
||||||
*
|
*
|
||||||
* Removes security label from a single storage image.
|
* Removes security label from @src according to @flags.
|
||||||
*
|
*
|
||||||
* Returns: 0 on success, -1 on error.
|
* Returns: 0 on success, -1 on error.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
|
virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
virStorageSourcePtr src)
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags)
|
||||||
{
|
{
|
||||||
if (mgr->drv->domainRestoreSecurityImageLabel) {
|
if (mgr->drv->domainRestoreSecurityImageLabel) {
|
||||||
int ret;
|
int ret;
|
||||||
virObjectLock(mgr);
|
virObjectLock(mgr);
|
||||||
ret = mgr->drv->domainRestoreSecurityImageLabel(mgr, vm, src);
|
ret = mgr->drv->domainRestoreSecurityImageLabel(mgr, vm, src, flags);
|
||||||
virObjectUnlock(mgr);
|
virObjectUnlock(mgr);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@ -526,10 +529,11 @@ virSecurityManagerSetDiskLabel(virSecurityManagerPtr mgr,
|
|||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
virDomainDiskDefPtr disk)
|
virDomainDiskDefPtr disk)
|
||||||
{
|
{
|
||||||
if (mgr->drv->domainSetSecurityDiskLabel) {
|
if (mgr->drv->domainSetSecurityImageLabel) {
|
||||||
int ret;
|
int ret;
|
||||||
virObjectLock(mgr);
|
virObjectLock(mgr);
|
||||||
ret = mgr->drv->domainSetSecurityDiskLabel(mgr, vm, disk);
|
ret = mgr->drv->domainSetSecurityImageLabel(mgr, vm, disk->src,
|
||||||
|
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN);
|
||||||
virObjectUnlock(mgr);
|
virObjectUnlock(mgr);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@ -544,20 +548,22 @@ virSecurityManagerSetDiskLabel(virSecurityManagerPtr mgr,
|
|||||||
* @mgr: security manager object
|
* @mgr: security manager object
|
||||||
* @vm: domain definition object
|
* @vm: domain definition object
|
||||||
* @src: disk source definition to operate on
|
* @src: disk source definition to operate on
|
||||||
|
* @flags: bitwise or of 'virSecurityDomainImageLabelFlags'
|
||||||
*
|
*
|
||||||
* Labels a single storage image with the configured security label.
|
* Labels a storage image with the configured security label according to @flags.
|
||||||
*
|
*
|
||||||
* Returns: 0 on success, -1 on error.
|
* Returns: 0 on success, -1 on error.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
|
virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
virStorageSourcePtr src)
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags)
|
||||||
{
|
{
|
||||||
if (mgr->drv->domainSetSecurityImageLabel) {
|
if (mgr->drv->domainSetSecurityImageLabel) {
|
||||||
int ret;
|
int ret;
|
||||||
virObjectLock(mgr);
|
virObjectLock(mgr);
|
||||||
ret = mgr->drv->domainSetSecurityImageLabel(mgr, vm, src);
|
ret = mgr->drv->domainSetSecurityImageLabel(mgr, vm, src, flags);
|
||||||
virObjectUnlock(mgr);
|
virObjectUnlock(mgr);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
@ -154,12 +154,18 @@ char *virSecurityManagerGetMountOptions(virSecurityManagerPtr mgr,
|
|||||||
virDomainDefPtr vm);
|
virDomainDefPtr vm);
|
||||||
virSecurityManagerPtr* virSecurityManagerGetNested(virSecurityManagerPtr mgr);
|
virSecurityManagerPtr* virSecurityManagerGetNested(virSecurityManagerPtr mgr);
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN = 1 << 0,
|
||||||
|
} virSecurityDomainImageLabelFlags;
|
||||||
|
|
||||||
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
|
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
virStorageSourcePtr src);
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags);
|
||||||
int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
|
int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
virStorageSourcePtr src);
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags);
|
||||||
|
|
||||||
int virSecurityManagerSetMemoryLabel(virSecurityManagerPtr mgr,
|
int virSecurityManagerSetMemoryLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
|
@ -55,14 +55,6 @@ virSecurityDriverGetDOINop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
|
|||||||
return "0";
|
return "0";
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
|
||||||
virSecurityDomainRestoreDiskLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|
||||||
virDomainDefPtr vm ATTRIBUTE_UNUSED,
|
|
||||||
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
|
|
||||||
{
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||||
virDomainDefPtr vm ATTRIBUTE_UNUSED)
|
virDomainDefPtr vm ATTRIBUTE_UNUSED)
|
||||||
@ -84,14 +76,6 @@ virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
|
||||||
virSecurityDomainSetDiskLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|
||||||
virDomainDefPtr vm ATTRIBUTE_UNUSED,
|
|
||||||
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
|
|
||||||
{
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecurityDomainRestoreHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
virSecurityDomainRestoreHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||||
virDomainDefPtr vm ATTRIBUTE_UNUSED,
|
virDomainDefPtr vm ATTRIBUTE_UNUSED,
|
||||||
@ -225,7 +209,8 @@ virSecurityGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|||||||
static int
|
static int
|
||||||
virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||||
virDomainDefPtr def ATTRIBUTE_UNUSED,
|
virDomainDefPtr def ATTRIBUTE_UNUSED,
|
||||||
virStorageSourcePtr src ATTRIBUTE_UNUSED)
|
virStorageSourcePtr src ATTRIBUTE_UNUSED,
|
||||||
|
virSecurityDomainImageLabelFlags flags ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -233,7 +218,8 @@ virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED
|
|||||||
static int
|
static int
|
||||||
virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||||
virDomainDefPtr def ATTRIBUTE_UNUSED,
|
virDomainDefPtr def ATTRIBUTE_UNUSED,
|
||||||
virStorageSourcePtr src ATTRIBUTE_UNUSED)
|
virStorageSourcePtr src ATTRIBUTE_UNUSED,
|
||||||
|
virSecurityDomainImageLabelFlags flags ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -292,9 +278,6 @@ virSecurityDriver virSecurityDriverNop = {
|
|||||||
|
|
||||||
.domainSecurityVerify = virSecurityDomainVerifyNop,
|
.domainSecurityVerify = virSecurityDomainVerifyNop,
|
||||||
|
|
||||||
.domainSetSecurityDiskLabel = virSecurityDomainSetDiskLabelNop,
|
|
||||||
.domainRestoreSecurityDiskLabel = virSecurityDomainRestoreDiskLabelNop,
|
|
||||||
|
|
||||||
.domainSetSecurityImageLabel = virSecurityDomainSetImageLabelNop,
|
.domainSetSecurityImageLabel = virSecurityDomainSetImageLabelNop,
|
||||||
.domainRestoreSecurityImageLabel = virSecurityDomainRestoreImageLabelNop,
|
.domainRestoreSecurityImageLabel = virSecurityDomainRestoreImageLabelNop,
|
||||||
|
|
||||||
|
@ -1771,20 +1771,11 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManagerPtr mgr,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static int
|
|
||||||
virSecuritySELinuxRestoreDiskLabel(virSecurityManagerPtr mgr,
|
|
||||||
virDomainDefPtr def,
|
|
||||||
virDomainDiskDefPtr disk)
|
|
||||||
{
|
|
||||||
return virSecuritySELinuxRestoreImageLabelInt(mgr, def, disk->src,
|
|
||||||
false);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecuritySELinuxRestoreImageLabel(virSecurityManagerPtr mgr,
|
virSecuritySELinuxRestoreImageLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virStorageSourcePtr src)
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
return virSecuritySELinuxRestoreImageLabelInt(mgr, def, src, false);
|
return virSecuritySELinuxRestoreImageLabelInt(mgr, def, src, false);
|
||||||
}
|
}
|
||||||
@ -1869,28 +1860,23 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
|
|||||||
static int
|
static int
|
||||||
virSecuritySELinuxSetImageLabel(virSecurityManagerPtr mgr,
|
virSecuritySELinuxSetImageLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virStorageSourcePtr src)
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags)
|
||||||
{
|
{
|
||||||
return virSecuritySELinuxSetImageLabelInternal(mgr, def, src, NULL);
|
virStorageSourcePtr n;
|
||||||
}
|
|
||||||
|
|
||||||
|
for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
|
||||||
static int
|
if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, src) < 0)
|
||||||
virSecuritySELinuxSetDiskLabel(virSecurityManagerPtr mgr,
|
|
||||||
virDomainDefPtr def,
|
|
||||||
virDomainDiskDefPtr disk)
|
|
||||||
|
|
||||||
{
|
|
||||||
virStorageSourcePtr next;
|
|
||||||
|
|
||||||
for (next = disk->src; virStorageSourceIsBacking(next); next = next->backingStore) {
|
|
||||||
if (virSecuritySELinuxSetImageLabelInternal(mgr, def, next, disk->src) < 0)
|
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecuritySELinuxSetHostdevLabelHelper(const char *file, void *opaque)
|
virSecuritySELinuxSetHostdevLabelHelper(const char *file, void *opaque)
|
||||||
{
|
{
|
||||||
@ -3026,8 +3012,8 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
|
|||||||
def->disks[i]->dst);
|
def->disks[i]->dst);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if (virSecuritySELinuxSetDiskLabel(mgr,
|
if (virSecuritySELinuxSetImageLabel(mgr, def, def->disks[i]->src,
|
||||||
def, def->disks[i]) < 0)
|
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
/* XXX fixme process def->fss if relabel == true */
|
/* XXX fixme process def->fss if relabel == true */
|
||||||
@ -3441,9 +3427,6 @@ virSecurityDriver virSecurityDriverSELinux = {
|
|||||||
|
|
||||||
.domainSecurityVerify = virSecuritySELinuxVerify,
|
.domainSecurityVerify = virSecuritySELinuxVerify,
|
||||||
|
|
||||||
.domainSetSecurityDiskLabel = virSecuritySELinuxSetDiskLabel,
|
|
||||||
.domainRestoreSecurityDiskLabel = virSecuritySELinuxRestoreDiskLabel,
|
|
||||||
|
|
||||||
.domainSetSecurityImageLabel = virSecuritySELinuxSetImageLabel,
|
.domainSetSecurityImageLabel = virSecuritySELinuxSetImageLabel,
|
||||||
.domainRestoreSecurityImageLabel = virSecuritySELinuxRestoreImageLabel,
|
.domainRestoreSecurityImageLabel = virSecuritySELinuxRestoreImageLabel,
|
||||||
|
|
||||||
|
@ -267,42 +267,6 @@ virSecurityStackReserveLabel(virSecurityManagerPtr mgr,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static int
|
|
||||||
virSecurityStackSetDiskLabel(virSecurityManagerPtr mgr,
|
|
||||||
virDomainDefPtr vm,
|
|
||||||
virDomainDiskDefPtr disk)
|
|
||||||
{
|
|
||||||
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
|
||||||
virSecurityStackItemPtr item = priv->itemsHead;
|
|
||||||
int rc = 0;
|
|
||||||
|
|
||||||
for (; item; item = item->next) {
|
|
||||||
if (virSecurityManagerSetDiskLabel(item->securityManager, vm, disk) < 0)
|
|
||||||
rc = -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
static int
|
|
||||||
virSecurityStackRestoreDiskLabel(virSecurityManagerPtr mgr,
|
|
||||||
virDomainDefPtr vm,
|
|
||||||
virDomainDiskDefPtr disk)
|
|
||||||
{
|
|
||||||
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
|
||||||
virSecurityStackItemPtr item = priv->itemsHead;
|
|
||||||
int rc = 0;
|
|
||||||
|
|
||||||
for (; item; item = item->next) {
|
|
||||||
if (virSecurityManagerRestoreDiskLabel(item->securityManager, vm, disk) < 0)
|
|
||||||
rc = -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
return rc;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecurityStackSetHostdevLabel(virSecurityManagerPtr mgr,
|
virSecurityStackSetHostdevLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
@ -600,14 +564,16 @@ virSecurityStackGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
|
|||||||
static int
|
static int
|
||||||
virSecurityStackSetImageLabel(virSecurityManagerPtr mgr,
|
virSecurityStackSetImageLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
virStorageSourcePtr src)
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags)
|
||||||
{
|
{
|
||||||
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||||
virSecurityStackItemPtr item = priv->itemsHead;
|
virSecurityStackItemPtr item = priv->itemsHead;
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
|
||||||
for (; item; item = item->next) {
|
for (; item; item = item->next) {
|
||||||
if (virSecurityManagerSetImageLabel(item->securityManager, vm, src) < 0)
|
if (virSecurityManagerSetImageLabel(item->securityManager, vm, src,
|
||||||
|
flags) < 0)
|
||||||
rc = -1;
|
rc = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -617,7 +583,8 @@ virSecurityStackSetImageLabel(virSecurityManagerPtr mgr,
|
|||||||
static int
|
static int
|
||||||
virSecurityStackRestoreImageLabel(virSecurityManagerPtr mgr,
|
virSecurityStackRestoreImageLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
virStorageSourcePtr src)
|
virStorageSourcePtr src,
|
||||||
|
virSecurityDomainImageLabelFlags flags)
|
||||||
{
|
{
|
||||||
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||||
virSecurityStackItemPtr item = priv->itemsHead;
|
virSecurityStackItemPtr item = priv->itemsHead;
|
||||||
@ -625,7 +592,7 @@ virSecurityStackRestoreImageLabel(virSecurityManagerPtr mgr,
|
|||||||
|
|
||||||
for (; item; item = item->next) {
|
for (; item; item = item->next) {
|
||||||
if (virSecurityManagerRestoreImageLabel(item->securityManager,
|
if (virSecurityManagerRestoreImageLabel(item->securityManager,
|
||||||
vm, src) < 0)
|
vm, src, flags) < 0)
|
||||||
rc = -1;
|
rc = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -816,9 +783,6 @@ virSecurityDriver virSecurityDriverStack = {
|
|||||||
|
|
||||||
.domainSecurityVerify = virSecurityStackVerify,
|
.domainSecurityVerify = virSecurityStackVerify,
|
||||||
|
|
||||||
.domainSetSecurityDiskLabel = virSecurityStackSetDiskLabel,
|
|
||||||
.domainRestoreSecurityDiskLabel = virSecurityStackRestoreDiskLabel,
|
|
||||||
|
|
||||||
.domainSetSecurityImageLabel = virSecurityStackSetImageLabel,
|
.domainSetSecurityImageLabel = virSecurityStackSetImageLabel,
|
||||||
.domainRestoreSecurityImageLabel = virSecurityStackRestoreImageLabel,
|
.domainRestoreSecurityImageLabel = virSecurityStackRestoreImageLabel,
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user