From 4ccbd207f213066c000f43eb544eb00ec745023b Mon Sep 17 00:00:00 2001
From: Michal Privoznik
Date: Wed, 17 Jun 2020 11:32:53 +0200
Subject: [PATCH] security: Rename virSecurityManagerRestoreSavedStateLabel()

The new name is virSecurityManagerDomainRestorePathLabel().

Signed-off-by: Michal Privoznik
Reviewed-by: Erik Skultety
---
 src/libvirt_private.syms | 2 +-
 src/qemu/qemu_security.c | 2 +-
 src/security/security_apparmor.c | 9 +++----
 src/security/security_dac.c | 26 +++++++-----------
 src/security/security_driver.h | 9 +++----
 src/security/security_manager.c | 46 +++++++++++++++++++-------------
 src/security/security_manager.h | 8 +++---
 src/security/security_nop.c | 10 -------
 src/security/security_selinux.c | 33 +++++++++++------------
 src/security/security_stack.c | 40 +++++++++++++--------------
 10 files changed, 89 insertions(+), 96 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index a591eac28f..284c6c3880 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1535,6 +1535,7 @@ virSecurityDriverLookup;
 # security/security_manager.h
 virSecurityManagerCheckAllLabel;
 virSecurityManagerClearSocketLabel;
+virSecurityManagerDomainRestorePathLabel;
 virSecurityManagerDomainSetPathLabel;
 virSecurityManagerDomainSetPathLabelRO;
 virSecurityManagerGenLabel;
@@ -1558,7 +1559,6 @@ virSecurityManagerRestoreHostdevLabel;
 virSecurityManagerRestoreImageLabel;
 virSecurityManagerRestoreInputLabel;
 virSecurityManagerRestoreMemoryLabel;
-virSecurityManagerRestoreSavedStateLabel;
 virSecurityManagerRestoreTPMLabels;
 virSecurityManagerSetAllLabel;
 virSecurityManagerSetChardevLabel;
diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
index d47f4cc3c0..de4df23847 100644
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@@ -629,7 +629,7 @@ qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver, if (virSecurityManagerTransactionStart(driver->securityManager) < 0) goto cleanup; - if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager, + if (virSecurityManagerDomainRestorePathLabel(driver->securityManager, vm->def, savefile) < 0) goto cleanup; diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 30f7701975..583e872614 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -1069,9 +1069,9 @@ AppArmorSetPathLabel(virSecurityManagerPtr mgr, } static int -AppArmorRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainDefPtr def, - const char *savefile G_GNUC_UNUSED) +AppArmorRestorePathLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + const char *path G_GNUC_UNUSED) { return reload_profile(mgr, def, NULL, false); } @@ -1157,9 +1157,8 @@ virSecurityDriver virAppArmorSecurityDriver = { .domainSetSecurityHostdevLabel = AppArmorSetSecurityHostdevLabel, .domainRestoreSecurityHostdevLabel = AppArmorRestoreSecurityHostdevLabel, - .domainRestoreSavedStateLabel = AppArmorRestoreSavedStateLabel, - .domainSetPathLabel = AppArmorSetPathLabel, + .domainRestorePathLabel = AppArmorRestorePathLabel, .domainSetSecurityChardevLabel = AppArmorSetChardevLabel, .domainRestoreSecurityChardevLabel = AppArmorRestoreChardevLabel, diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 2f531cb86b..afc0a9fcb9 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c 
@@ -2257,20 +2257,6 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, } -static int -virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainDefPtr def G_GNUC_UNUSED, - const char *savefile) -{ - virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); - - if (!priv->dynamicOwnership) - return 0; - - return virSecurityDACRestoreFileLabel(mgr, savefile); -} - - static int virSecurityDACSetProcessLabel(virSecurityManagerPtr mgr, virDomainDefPtr def) @@ -2570,6 +2556,15 @@ virSecurityDACDomainSetPathLabel(virSecurityManagerPtr mgr, return virSecurityDACSetOwnership(mgr, NULL, path, user, group, true); } +static int +virSecurityDACDomainRestorePathLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def G_GNUC_UNUSED, + const char *path) +{ + return virSecurityDACRestoreFileLabel(mgr, path); +} + + virSecurityDriver virSecurityDriverDAC = { .privateDataLen = sizeof(virSecurityDACData), .name = SECURITY_DAC_NAME, @@ -2616,8 +2611,6 @@ virSecurityDriver virSecurityDriverDAC = { .domainSetSecurityHostdevLabel = virSecurityDACSetHostdevLabel, .domainRestoreSecurityHostdevLabel = virSecurityDACRestoreHostdevLabel, - .domainRestoreSavedStateLabel = virSecurityDACRestoreSavedStateLabel, - .domainSetSecurityImageFDLabel = virSecurityDACSetImageFDLabel, .domainSetSecurityTapFDLabel = virSecurityDACSetTapFDLabel, @@ -2626,6 +2619,7 @@ virSecurityDriver virSecurityDriverDAC = { .getBaseLabel = virSecurityDACGetBaseLabel, .domainSetPathLabel = virSecurityDACDomainSetPathLabel, + .domainRestorePathLabel = virSecurityDACDomainRestorePathLabel, .domainSetSecurityChardevLabel = virSecurityDACSetChardevLabel, .domainRestoreSecurityChardevLabel = virSecurityDACRestoreChardevLabel, diff --git a/src/security/security_driver.h b/src/security/security_driver.h index 33887f4c16..bfff789552 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h 
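Review bot: virSecurityDACDomainRestorePathLabel() (hunk at -2570,6 +2556,15) calls virSecurityDACRestoreFileLabel() unconditionally, while the removed virSecurityDACRestoreSavedStateLabel() returned 0 first when `priv->dynamicOwnership` was unset, so for the DAC driver this is a behaviour change rather than the rename the subject line describes. On a host configured without dynamic ownership the restore path may now change the owner of a file the driver was told to leave alone, unless virSecurityDACRestoreFileLabel() checks the flag itself, which is not visible in this hunk. Either keep the guard, `virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);` followed by `if (!priv->dynamicOwnership) return 0;`, or state in the commit message why it is safe to drop. The body of virSecurityDACDomainSetPathLabel() starts outside the hunk, so whether the set side has a matching check cannot be confirmed from here.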
@@ -67,9 +67,6 @@ typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr, virDomainDefPtr def, virDomainHostdevDefPtr dev, const char *vroot); -typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityManagerPtr mgr, - virDomainDefPtr def, - const char *savefile); typedef int (*virSecurityDomainGenLabel) (virSecurityManagerPtr mgr, virDomainDefPtr sec); typedef int (*virSecurityDomainReserveLabel) (virSecurityManagerPtr mgr, @@ -140,6 +137,9 @@ typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetPathLabelRO) (virSecurityManagerPtr mgr, virDomainDefPtr def, const char *path); +typedef int (*virSecurityDomainRestorePathLabel) (virSecurityManagerPtr mgr, + virDomainDefPtr def, + const char *path); typedef int (*virSecurityDomainSetChardevLabel) (virSecurityManagerPtr mgr, virDomainDefPtr def, virDomainChrSourceDefPtr dev_source, @@ -200,8 +200,6 @@ struct _virSecurityDriver { virSecurityDomainSetHostdevLabel domainSetSecurityHostdevLabel; virSecurityDomainRestoreHostdevLabel domainRestoreSecurityHostdevLabel; - virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel; - virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel; virSecurityDomainSetTapFDLabel domainSetSecurityTapFDLabel; @@ -211,6 +209,7 @@ struct _virSecurityDriver { virSecurityDomainSetPathLabel domainSetPathLabel; virSecurityDomainSetPathLabelRO domainSetPathLabelRO; + virSecurityDomainRestorePathLabel domainRestorePathLabel; virSecurityDomainSetChardevLabel domainSetSecurityChardevLabel; virSecurityDomainRestoreChardevLabel domainRestoreSecurityChardevLabel; diff --git a/src/security/security_manager.c b/src/security/security_manager.c index b2f3f1a6bb..ad1938caeb 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c 
@@ -596,24 +596,6 @@ virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, } -int -virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainDefPtr vm, - const char *savefile) -{ - if (mgr->drv->domainRestoreSavedStateLabel) { - int ret; - virObjectLock(mgr); - ret = mgr->drv->domainRestoreSavedStateLabel(mgr, vm, savefile); - virObjectUnlock(mgr); - return ret; - } - - virReportUnsupportedError(); - return -1; -} - - int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, virDomainDefPtr vm) @@ -1087,6 +1069,34 @@ virSecurityManagerDomainSetPathLabelRO(virSecurityManagerPtr mgr, return 0; } +/** + * virSecurityManagerDomainRestorePathLabel: + * @mgr: security manager object + * @vm: domain definition object + * @path: path to restore labels one + * + * This function is a counterpart to virSecurityManagerDomainSetPathLabel() and + * virSecurityManagerDomainSetPathLabelRO() as it restores any labels set by them. + * + * Returns: 0 on success, -1 on error. + */ +int +virSecurityManagerDomainRestorePathLabel(virSecurityManagerPtr mgr, + virDomainDefPtr vm, + const char *path) +{ + if (mgr->drv->domainRestorePathLabel) { + int ret; + virObjectLock(mgr); + ret = mgr->drv->domainRestorePathLabel(mgr, vm, path); + virObjectUnlock(mgr); + return ret; + } + + return 0; +} + + /** * virSecurityManagerSetMemoryLabel: diff --git a/src/security/security_manager.h b/src/security/security_manager.h index ac50100f0f..999752ce09 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -104,9 +104,6 @@ int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, virDomainHostdevDefPtr dev, const char *vroot); -int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainDefPtr def, - const char *savefile); int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, virDomainDefPtr sec); int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr, 
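Review bot: virSecurityManagerDomainRestorePathLabel() (hunk at -1087,6 +1069,34) ends with `return 0;` when `mgr->drv->domainRestorePathLabel` is NULL, where the removed virSecurityManagerRestoreSavedStateLabel() called virReportUnsupportedError() and returned -1, and neither the commit message nor the new doc comment says so. A driver that sets a path label but has no restore callback would then leave that label in place while the caller sees success; the comment should say it, e.g. `* Returns: 0 on success or if the driver has no restore callback, -1 on error.` The `@path` line also has a typo, `path to restore labels one` should read `path to restore labels on`.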
@@ -190,6 +187,11 @@ int virSecurityManagerDomainSetPathLabelRO(virSecurityManagerPtr mgr, virDomainDefPtr vm, const char *path); +int virSecurityManagerDomainRestorePathLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + const char *path); + + int virSecurityManagerSetChardevLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, virDomainChrSourceDefPtr dev_source, diff --git a/src/security/security_nop.c b/src/security/security_nop.c index d5720ee495..de5da1ee1c 100644 --- a/src/security/security_nop.c +++ b/src/security/security_nop.c @@ -94,14 +94,6 @@ virSecurityDomainSetHostdevLabelNop(virSecurityManagerPtr mgr G_GNUC_UNUSED, return 0; } -static int -virSecurityDomainRestoreSavedStateLabelNop(virSecurityManagerPtr mgr G_GNUC_UNUSED, - virDomainDefPtr vm G_GNUC_UNUSED, - const char *savefile G_GNUC_UNUSED) -{ - return 0; -} - static int virSecurityDomainGenLabelNop(virSecurityManagerPtr mgr G_GNUC_UNUSED, virDomainDefPtr sec G_GNUC_UNUSED) @@ -308,8 +300,6 @@ virSecurityDriver virSecurityDriverNop = { .domainSetSecurityHostdevLabel = virSecurityDomainSetHostdevLabelNop, .domainRestoreSecurityHostdevLabel = virSecurityDomainRestoreHostdevLabelNop, - .domainRestoreSavedStateLabel = virSecurityDomainRestoreSavedStateLabelNop, - .domainSetSecurityImageFDLabel = virSecurityDomainSetFDLabelNop, .domainSetSecurityTapFDLabel = virSecurityDomainSetFDLabelNop, diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 02b1100420..4cc2707c3b 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -2858,21 +2858,6 @@ virSecuritySELinuxReleaseLabel(virSecurityManagerPtr mgr, } -static int -virSecuritySELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainDefPtr def, - const char *savefile) -{ - virSecurityLabelDefPtr secdef; - - secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); - if (!secdef || !secdef->relabel) - return 0; - - return virSecuritySELinuxRestoreFileLabel(mgr, savefile, true); -} - - static int virSecuritySELinuxVerify(virSecurityManagerPtr mgr G_GNUC_UNUSED, virDomainDefPtr def) @@ -3428,6 +3413,21 @@ virSecuritySELinuxDomainSetPathLabelRO(virSecurityManagerPtr mgr, return virSecuritySELinuxSetFilecon(mgr, path, data->content_context, false); } +static int +virSecuritySELinuxDomainRestorePathLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + const char *path) +{ + virSecurityLabelDefPtr secdef; + + secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); + if (!secdef || !secdef->relabel) + return 0; + + return virSecuritySELinuxRestoreFileLabel(mgr, path, true); +} + + /* * virSecuritySELinuxSetFileLabels: * @@ -3620,8 +3620,6 @@ virSecurityDriver virSecurityDriverSELinux = { .domainSetSecurityHostdevLabel = virSecuritySELinuxSetHostdevLabel, .domainRestoreSecurityHostdevLabel = virSecuritySELinuxRestoreHostdevLabel, - .domainRestoreSavedStateLabel = virSecuritySELinuxRestoreSavedStateLabel, - .domainSetSecurityImageFDLabel = virSecuritySELinuxSetImageFDLabel, .domainSetSecurityTapFDLabel = virSecuritySELinuxSetTapFDLabel, @@ -3630,6 +3628,7 @@ virSecurityDriver virSecurityDriverSELinux = { .domainSetPathLabel = virSecuritySELinuxDomainSetPathLabel, .domainSetPathLabelRO = virSecuritySELinuxDomainSetPathLabelRO, + .domainRestorePathLabel = virSecuritySELinuxDomainRestorePathLabel, .domainSetSecurityChardevLabel = virSecuritySELinuxSetChardevLabel, .domainRestoreSecurityChardevLabel = virSecuritySELinuxRestoreChardevLabel, 
diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 8e04b4fcfe..379c9302bc 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -394,24 +394,6 @@ virSecurityStackRestoreAllLabel(virSecurityManagerPtr mgr, } -static int -virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr, - virDomainDefPtr vm, - const char *savefile) -{ - virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); - virSecurityStackItemPtr item = priv->itemsHead; - int rc = 0; - - for (; item; item = item->next) { - if (virSecurityManagerRestoreSavedStateLabel(item->securityManager, vm, savefile) < 0) - rc = -1; - } - - return rc; -} - - static int virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr, virDomainDefPtr vm) @@ -814,6 +796,25 @@ virSecurityStackDomainSetPathLabelRO(virSecurityManagerPtr mgr, } +static int +virSecurityStackDomainRestorePathLabel(virSecurityManagerPtr mgr, + virDomainDefPtr vm, + const char *path) +{ + virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); + virSecurityStackItemPtr item = priv->itemsHead; + int rc = 0; + + for (; item; item = item->next) { + if (virSecurityManagerDomainRestorePathLabel(item->securityManager, + vm, path) < 0) + rc = -1; + } + + return rc; +} + + static int virSecurityStackDomainSetChardevLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, @@ -963,8 +964,6 @@ virSecurityDriver virSecurityDriverStack = { .domainSetSecurityHostdevLabel = virSecurityStackSetHostdevLabel, .domainRestoreSecurityHostdevLabel = virSecurityStackRestoreHostdevLabel, - .domainRestoreSavedStateLabel = virSecurityStackRestoreSavedStateLabel, - .domainSetSecurityImageFDLabel = virSecurityStackSetImageFDLabel, .domainSetSecurityTapFDLabel = virSecurityStackSetTapFDLabel, 
@@ -974,6 +973,7 @@ virSecurityDriver virSecurityDriverStack = { .domainSetPathLabel = virSecurityStackDomainSetPathLabel, .domainSetPathLabelRO = virSecurityStackDomainSetPathLabelRO, + .domainRestorePathLabel = virSecurityStackDomainRestorePathLabel, .domainSetSecurityChardevLabel = virSecurityStackDomainSetChardevLabel, .domainRestoreSecurityChardevLabel = virSecurityStackDomainRestoreChardevLabel,