Skip bulk relabelling of resources in SELinux driver when used with LXC
The virSecurityManager{Set,Restore}AllLabel methods are invoked
at domain startup/shutdown to relabel resources associated with
a domain. This works fine with QEMU, but with LXC they are in
fact both currently no-ops since LXC does not support disks,
hostdevs, or kernel/initrd files. Worse, when LXC gains support
for disks/hostdevs, they will do the wrong thing, since they
run in host context, not container context. Thus this patch
turns them into a formal no-op when used with LXC. The LXC
controller will call out to specific security manager labelling
APIs as required during startup.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 89c5a9d0e8
)
parent
8cdeb0f85e
commit
460e481647
@ -61,6 +61,7 @@ struct _virSecuritySELinuxData {
|
|||||||
char *file_context;
|
char *file_context;
|
||||||
char *content_context;
|
char *content_context;
|
||||||
virHashTablePtr mcs;
|
virHashTablePtr mcs;
|
||||||
|
bool skipAllLabel;
|
||||||
};
|
};
|
||||||
|
|
||||||
struct _virSecuritySELinuxCallbackData {
|
struct _virSecuritySELinuxCallbackData {
|
||||||
@ -363,6 +364,8 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
|
|||||||
virConfPtr selinux_conf;
|
virConfPtr selinux_conf;
|
||||||
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
||||||
|
|
||||||
|
data->skipAllLabel = true;
|
||||||
|
|
||||||
selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
|
selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
|
||||||
if (!selinux_conf) {
|
if (!selinux_conf) {
|
||||||
virReportSystemError(errno,
|
virReportSystemError(errno,
|
||||||
@ -438,6 +441,8 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
|
|||||||
char *ptr;
|
char *ptr;
|
||||||
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
||||||
|
|
||||||
|
data->skipAllLabel = false;
|
||||||
|
|
||||||
if (virFileReadAll(selinux_virtual_domain_context_path(), MAX_CONTEXT, &(data->domain_context)) < 0) {
|
if (virFileReadAll(selinux_virtual_domain_context_path(), MAX_CONTEXT, &(data->domain_context)) < 0) {
|
||||||
virReportSystemError(errno,
|
virReportSystemError(errno,
|
||||||
_("cannot read SELinux virtual domain context file '%s'"),
|
_("cannot read SELinux virtual domain context file '%s'"),
|
||||||
@ -1441,11 +1446,12 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
|
|||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
int migrated ATTRIBUTE_UNUSED)
|
int migrated ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
virSecurityLabelDefPtr secdef;
|
virSecurityLabelDefPtr secdef;
|
||||||
|
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
||||||
int i;
|
int i;
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
|
||||||
@ -1455,7 +1461,7 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
|
|||||||
if (secdef == NULL)
|
if (secdef == NULL)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
if (secdef->norelabel)
|
if (secdef->norelabel || data->skipAllLabel)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
for (i = 0 ; i < def->nhostdevs ; i++) {
|
for (i = 0 ; i < def->nhostdevs ; i++) {
|
||||||
@ -1813,7 +1819,7 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
|
|||||||
if (secdef == NULL)
|
if (secdef == NULL)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
if (secdef->norelabel)
|
if (secdef->norelabel || data->skipAllLabel)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
for (i = 0 ; i < def->ndisks ; i++) {
|
for (i = 0 ; i < def->ndisks ; i++) {
|
||||||
|