Fix default value of security label 'relabel' attribute

When no <seclabel> is present in the XML, the virDomainSeclabelDef
struct is left as all zeros. Unfortunately, this means it gets set up
as type=dynamic with relabel=no, which is an illegal combination.

Change the 'bool relabel' attribute in virDomainSeclabelDef to
the inverse 'bool norelabel' so that the default initialization
is sensible

* src/conf/domain_conf.c, src/conf/domain_conf.h,
  src/security/security_apparmor.c, src/security/security_selinux.c:
  Replace 'relabel' with 'norelabel'
This commit is contained in:
Daniel P. Berrange 2011-07-05 10:49:51 +01:00
parent e123e1ee6b
commit 693eac388f
4 changed files with 24 additions and 24 deletions


@ -5076,25 +5076,25 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
VIR_SECURITY_LABEL_BUFLEN-1, ctxt); VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
if (p != NULL) { if (p != NULL) {
if (STREQ(p, "yes")) { if (STREQ(p, "yes")) {
def->seclabel.relabel = true; def->seclabel.norelabel = false;
} else if (STREQ(p, "no")) { } else if (STREQ(p, "no")) {
def->seclabel.relabel = false; def->seclabel.norelabel = true;
} else { } else {
virDomainReportError(VIR_ERR_XML_ERROR, virDomainReportError(VIR_ERR_XML_ERROR,
_("invalid security relabel value %s"), p); _("invalid security relabel value %s"), p);
goto error; goto error;
} }
if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
!def->seclabel.relabel) { def->seclabel.norelabel) {
virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED, virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED,
"%s", _("dynamic label type must use resource relabeling")); "%s", _("dynamic label type must use resource relabeling"));
goto error; goto error;
} }
} else { } else {
if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
def->seclabel.relabel = false; def->seclabel.norelabel = true;
else else
def->seclabel.relabel = true; def->seclabel.norelabel = false;
} }
/* Only parse label, if using static labels, or /* Only parse label, if using static labels, or
@ -5114,7 +5114,7 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
} }
/* Only parse imagelabel, if requested live XML with relabeling */ /* Only parse imagelabel, if requested live XML with relabeling */
if (def->seclabel.relabel && if (!def->seclabel.norelabel &&
!(flags & VIR_DOMAIN_XML_INACTIVE)) { !(flags & VIR_DOMAIN_XML_INACTIVE)) {
p = virXPathStringLimit("string(./seclabel/imagelabel[1])", p = virXPathStringLimit("string(./seclabel/imagelabel[1])",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt); VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
@ -9893,15 +9893,15 @@ char *virDomainDefFormat(virDomainDefPtr def,
(flags & VIR_DOMAIN_XML_INACTIVE)) { (flags & VIR_DOMAIN_XML_INACTIVE)) {
virBufferAsprintf(&buf, " <seclabel type='%s' model='%s' relabel='%s'/>\n", virBufferAsprintf(&buf, " <seclabel type='%s' model='%s' relabel='%s'/>\n",
sectype, def->seclabel.model, sectype, def->seclabel.model,
def->seclabel.relabel ? "yes" : "no"); def->seclabel.norelabel ? "no" : "yes");
} else { } else {
virBufferAsprintf(&buf, " <seclabel type='%s' model='%s' relabel='%s'>\n", virBufferAsprintf(&buf, " <seclabel type='%s' model='%s' relabel='%s'>\n",
sectype, def->seclabel.model, sectype, def->seclabel.model,
def->seclabel.relabel ? "yes" : "no"); def->seclabel.norelabel ? "no" : "yes");
if (def->seclabel.label) if (def->seclabel.label)
virBufferEscapeString(&buf, " <label>%s</label>\n", virBufferEscapeString(&buf, " <label>%s</label>\n",
def->seclabel.label); def->seclabel.label);
if (def->seclabel.relabel && def->seclabel.imagelabel) if (!def->seclabel.norelabel && def->seclabel.imagelabel)
virBufferEscapeString(&buf, " <imagelabel>%s</imagelabel>\n", virBufferEscapeString(&buf, " <imagelabel>%s</imagelabel>\n",
def->seclabel.imagelabel); def->seclabel.imagelabel);
if (def->seclabel.baselabel && if (def->seclabel.baselabel &&
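Review bot: The new field is only correct because a zero-initialised struct must mean "relabel", and nothing in the parser says so; the double negatives `!def->seclabel.norelabel` in the imagelabel parse and format paths will read as a mistake to the next maintainer. I would put a short comment above the relabel attribute handling: `/* norelabel is stored inverted so that an all-zero seclabel (no <seclabel> in the XML) defaults to relabeling, which the dynamic type requires */`. The fallback branch still sets `norelabel = true` for any static label that omits the relabel attribute, so a static label silently disables relabeling of disks and hostdevs unless the author wrote relabel='yes'; that is pre-existing, but worth a one-line comment there too. virSecurityLabelDefParseXML and virDomainDefFormat both start before these hunks.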


@ -960,7 +960,7 @@ struct _virSecurityLabelDef {
char *imagelabel; /* security image label string */ char *imagelabel; /* security image label string */
char *baselabel; /* base name of label string */ char *baselabel; /* base name of label string */
int type; /* virDomainSeclabelType */ int type; /* virDomainSeclabelType */
bool relabel; bool norelabel;
}; };
enum virDomainTimerNameType { enum virDomainTimerNameType {


@ -265,7 +265,7 @@ reload_profile(virSecurityManagerPtr mgr,
int rc = -1; int rc = -1;
char *profile_name = NULL; char *profile_name = NULL;
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
if ((profile_name = get_profile_name(vm)) == NULL) if ((profile_name = get_profile_name(vm)) == NULL)
@ -610,7 +610,7 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
int rc = -1; int rc = -1;
char *profile_name; char *profile_name;
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK) if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
@ -682,7 +682,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
struct SDPDOP *ptr; struct SDPDOP *ptr;
int ret = -1; int ret = -1;
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
@ -741,7 +741,7 @@ AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
return reload_profile(mgr, vm, NULL, false); return reload_profile(mgr, vm, NULL, false);


@ -537,7 +537,7 @@ SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
/* Don't restore labels on readoly/shared disks, because /* Don't restore labels on readoly/shared disks, because
@ -621,7 +621,7 @@ SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr); bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr);
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
return virDomainDiskDefForeachPath(disk, return virDomainDiskDefForeachPath(disk,
@ -661,7 +661,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int ret = -1; int ret = -1;
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
@ -730,7 +730,7 @@ SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int ret = -1; int ret = -1;
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
@ -784,7 +784,7 @@ SELinuxSetSecurityChardevLabel(virDomainObjPtr vm,
char *in = NULL, *out = NULL; char *in = NULL, *out = NULL;
int ret = -1; int ret = -1;
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
switch (dev->type) { switch (dev->type) {
@ -830,7 +830,7 @@ SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm,
char *in = NULL, *out = NULL; char *in = NULL, *out = NULL;
int ret = -1; int ret = -1;
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
switch (dev->type) { switch (dev->type) {
@ -918,7 +918,7 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
VIR_DEBUG("Restoring security label on %s", vm->def->name); VIR_DEBUG("Restoring security label on %s", vm->def->name);
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
for (i = 0 ; i < vm->def->nhostdevs ; i++) { for (i = 0 ; i < vm->def->nhostdevs ; i++) {
@ -989,7 +989,7 @@ SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
return SELinuxSetFilecon(savefile, secdef->imagelabel); return SELinuxSetFilecon(savefile, secdef->imagelabel);
@ -1003,7 +1003,7 @@ SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
return SELinuxRestoreSecurityFileLabel(savefile); return SELinuxRestoreSecurityFileLabel(savefile);
@ -1218,7 +1218,7 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int i; int i;
if (!secdef->relabel) if (secdef->norelabel)
return 0; return 0;
for (i = 0 ; i < vm->def->ndisks ; i++) { for (i = 0 ; i < vm->def->ndisks ; i++) {
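Review bot: In SELinuxSetSavedStateLabel the early return is the only thing standing between a zero-initialised seclabel and `SELinuxSetFilecon(savefile, secdef->imagelabel)`, and since the default for an all-zero struct has just flipped from "skip" to "relabel", a domain that never had an imagelabel generated would now reach that call with a NULL label where it previously returned 0. Whether that can happen depends on label generation running before every caller of this path, which is outside this diff, so please confirm; if it cannot be guaranteed, I would fail explicitly rather than hand NULL to setfilecon: `if (!secdef->imagelabel) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("no image label available to apply")); return -1; }`. The same question applies to the disk and chardev paths that pass `secdef->imagelabel` further down, outside the visible hunks.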