security: DAC: Implement per-image seclabel set

Refactor the code and reuse it to implement the functionality.
2025-01-08 22:15:21 +00:00 · 2014-06-24 17:04:21 +02:00 · 2014-06-24 17:04:21 +02:00 · 7077cfeff4
commit 7077cfeff4
parent 4f2170dc24
1 changed files with 25 additions and 27 deletions
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@ -289,22 +289,29 @@ virSecurityDACRestoreSecurityFileLabel(const char *path)


 static int
-virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk,
-                                   const char *path,
-                                   size_t depth ATTRIBUTE_UNUSED,
-                                   void *opaque)
+virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
+                                    virDomainDefPtr def,
+                                    virStorageSourcePtr src)
 {
-    virSecurityDACCallbackDataPtr cbdata = opaque;
-    virSecurityManagerPtr mgr = cbdata->manager;
-    virSecurityLabelDefPtr secdef = cbdata->secdef;
-    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityLabelDefPtr secdef;
    virSecurityDeviceLabelDefPtr disk_seclabel;
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    uid_t user;
    gid_t group;

-    disk_seclabel = virStorageSourceGetSecurityLabelDef(disk->src,
-                                                        SECURITY_DAC_NAME);
+    if (!priv->dynamicOwnership)
+        return 0;

+    /* XXX: Add support for gluster DAC permissions */
+    if (!src->path || !virStorageSourceIsLocalStorage(src))
+        return 0;
+
+    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+    if (secdef && secdef->norelabel)
+        return 0;
+
+    disk_seclabel = virStorageSourceGetSecurityLabelDef(src,
+                                                        SECURITY_DAC_NAME);
    if (disk_seclabel && disk_seclabel->norelabel)
        return 0;

@ -316,7 +323,7 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk,
            return -1;
    }

-    return virSecurityDACSetOwnership(path, user, group);
+    return virSecurityDACSetOwnership(src->path, user, group);
 }


@ -326,24 +333,14 @@ virSecurityDACSetSecurityDiskLabel(virSecurityManagerPtr mgr,
                                   virDomainDiskDefPtr disk)

 {
-    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
-    virSecurityDACCallbackData cbdata;
-    virSecurityLabelDefPtr secdef;
+    virStorageSourcePtr next;

-    if (!priv->dynamicOwnership)
-        return 0;
+    for (next = disk->src; next; next = next->backingStore) {
+        if (virSecurityDACSetSecurityImageLabel(mgr, def, next) < 0)
+            return -1;
+    }

-    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
-
-    if (secdef && secdef->norelabel)
-        return 0;
-
-    cbdata.manager = mgr;
-    cbdata.secdef = secdef;
-    return virDomainDiskDefForeachPath(disk,
-                                       false,
-                                       virSecurityDACSetSecurityFileLabel,
-                                       &cbdata);
+    return 0;
 }


@ -1274,6 +1271,7 @@ virSecurityDriver virSecurityDriverDAC = {
    .domainSetSecurityDiskLabel         = virSecurityDACSetSecurityDiskLabel,
    .domainRestoreSecurityDiskLabel     = virSecurityDACRestoreSecurityDiskLabel,

+    .domainSetSecurityImageLabel        = virSecurityDACSetSecurityImageLabel,
    .domainRestoreSecurityImageLabel    = virSecurityDACRestoreSecurityImageLabel,

    .domainSetSecurityDaemonSocketLabel = virSecurityDACSetDaemonSocketLabel,