mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 05:35:25 +00:00
Pass the virt driver name into security drivers
To allow the security drivers to apply different configuration information per hypervisor, pass the virtualization driver name into the security manager constructor. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
Daniel Walsh
Daniel P. Berrange
parent
6cfc3f8f4f
commit
73580c60d1
@ -36,6 +36,8 @@
|
||||
# include "security/security_manager.h"
|
||||
# include "configmake.h"
|
||||
|
||||
# define LXC_DRIVER_NAME "LXC"
|
||||
|
||||
# define LXC_CONFIG_DIR SYSCONFDIR "/libvirt/lxc"
|
||||
# define LXC_STATE_DIR LOCALSTATEDIR "/run/libvirt/lxc"
|
||||
# define LXC_LOG_DIR LOCALSTATEDIR "/log/libvirt/lxc"
|
||||
|
||||
@ -1723,7 +1723,9 @@ int main(int argc, char *argv[])
|
||||
break;
|
||||
|
||||
case 'S':
|
||||
if (!(securityDriver = virSecurityManagerNew(optarg, false, false, false))) {
|
||||
if (!(securityDriver = virSecurityManagerNew(optarg,
|
||||
LXC_DRIVER_NAME,
|
||||
false, false, false))) {
|
||||
fprintf(stderr, "Cannot create security manager '%s'",
|
||||
optarg);
|
||||
goto cleanup;
|
||||
@ -1750,7 +1752,9 @@ int main(int argc, char *argv[])
|
||||
}
|
||||
|
||||
if (securityDriver == NULL) {
|
||||
if (!(securityDriver = virSecurityManagerNew("none", false, false, false))) {
|
||||
if (!(securityDriver = virSecurityManagerNew("none",
|
||||
LXC_DRIVER_NAME,
|
||||
false, false, false))) {
|
||||
fprintf(stderr, "%s: cannot initialize nop security manager", argv[0]);
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
@ -2533,7 +2533,9 @@ error:
|
||||
static int
|
||||
lxcSecurityInit(lxc_driver_t *driver)
|
||||
{
|
||||
VIR_INFO("lxcSecurityInit %s", driver->securityDriverName);
|
||||
virSecurityManagerPtr mgr = virSecurityManagerNew(driver->securityDriverName,
|
||||
LXC_DRIVER_NAME,
|
||||
false,
|
||||
driver->securityDefaultConfined,
|
||||
driver->securityRequireConfined);
|
||||
@ -3851,7 +3853,7 @@ static virNWFilterCallbackDriver lxcCallbackDriver = {
|
||||
/* Function Tables */
|
||||
static virDriver lxcDriver = {
|
||||
.no = VIR_DRV_LXC,
|
||||
.name = "LXC",
|
||||
.name = LXC_DRIVER_NAME,
|
||||
.open = lxcOpen, /* 0.4.2 */
|
||||
.close = lxcClose, /* 0.4.2 */
|
||||
.version = lxcVersion, /* 0.4.6 */
|
||||
@ -3915,7 +3917,7 @@ static virDriver lxcDriver = {
|
||||
};
|
||||
|
||||
static virStateDriver lxcStateDriver = {
|
||||
.name = "LXC",
|
||||
.name = LXC_DRIVER_NAME,
|
||||
.initialize = lxcStartup,
|
||||
.cleanup = lxcShutdown,
|
||||
.active = lxcActive,
|
||||
|
||||
@ -95,6 +95,8 @@
|
||||
|
||||
#define VIR_FROM_THIS VIR_FROM_QEMU
|
||||
|
||||
#define QEMU_DRIVER_NAME "QEMU"
|
||||
|
||||
#define QEMU_NB_MEM_PARAM 3
|
||||
|
||||
#define QEMU_NB_BLOCK_IO_TUNE_PARAM 6
|
||||
@ -213,6 +215,7 @@ static int
|
||||
qemuSecurityInit(struct qemud_driver *driver)
|
||||
{
|
||||
virSecurityManagerPtr mgr = virSecurityManagerNew(driver->securityDriverName,
|
||||
QEMU_DRIVER_NAME,
|
||||
driver->allowDiskFormatProbing,
|
||||
driver->securityDefaultConfined,
|
||||
driver->securityRequireConfined);
|
||||
@ -221,7 +224,8 @@ qemuSecurityInit(struct qemud_driver *driver)
|
||||
goto error;
|
||||
|
||||
if (driver->privileged) {
|
||||
virSecurityManagerPtr dac = virSecurityManagerNewDAC(driver->user,
|
||||
virSecurityManagerPtr dac = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
|
||||
driver->user,
|
||||
driver->group,
|
||||
driver->allowDiskFormatProbing,
|
||||
driver->securityDefaultConfined,
|
||||
@ -12838,7 +12842,7 @@ cleanup:
|
||||
|
||||
static virDriver qemuDriver = {
|
||||
.no = VIR_DRV_QEMU,
|
||||
.name = "QEMU",
|
||||
.name = QEMU_DRIVER_NAME,
|
||||
.open = qemudOpen, /* 0.2.0 */
|
||||
.close = qemudClose, /* 0.2.0 */
|
||||
.supports_feature = qemudSupportsFeature, /* 0.5.0 */
|
||||
@ -13029,7 +13033,7 @@ qemuVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED,
|
||||
}
|
||||
|
||||
static virNWFilterCallbackDriver qemuCallbackDriver = {
|
||||
.name = "QEMU",
|
||||
.name = QEMU_DRIVER_NAME,
|
||||
.vmFilterRebuild = qemuVMFilterRebuild,
|
||||
.vmDriverLock = qemuVMDriverLock,
|
||||
.vmDriverUnlock = qemuVMDriverUnlock,
|
||||
|
||||
@ -328,7 +328,7 @@ AppArmorSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
|
||||
|
||||
/* Called on libvirtd startup to see if AppArmor is available */
|
||||
static int
|
||||
AppArmorSecurityManagerProbe(void)
|
||||
AppArmorSecurityManagerProbe(const char *virtDriver ATTRIBUTE_UNUSED)
|
||||
{
|
||||
char *template = NULL;
|
||||
int rc = SECURITY_DRIVER_DISABLE;
|
||||
|
||||
@ -65,7 +65,7 @@ void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
|
||||
}
|
||||
|
||||
static virSecurityDriverStatus
|
||||
virSecurityDACProbe(void)
|
||||
virSecurityDACProbe(const char *virtDriver ATTRIBUTE_UNUSED)
|
||||
{
|
||||
return SECURITY_DRIVER_ENABLE;
|
||||
}
|
||||
|
||||
@ -37,7 +37,8 @@ static virSecurityDriverPtr security_drivers[] = {
|
||||
&virSecurityDriverNop, /* Must always be last, since it will always probe */
|
||||
};
|
||||
|
||||
virSecurityDriverPtr virSecurityDriverLookup(const char *name)
|
||||
virSecurityDriverPtr virSecurityDriverLookup(const char *name,
|
||||
const char *virtDriver)
|
||||
{
|
||||
virSecurityDriverPtr drv = NULL;
|
||||
int i;
|
||||
@ -51,7 +52,7 @@ virSecurityDriverPtr virSecurityDriverLookup(const char *name)
|
||||
STRNEQ(tmp->name, name))
|
||||
continue;
|
||||
|
||||
switch (tmp->probe()) {
|
||||
switch (tmp->probe(virtDriver)) {
|
||||
case SECURITY_DRIVER_ENABLE:
|
||||
VIR_DEBUG("Probed name=%s", tmp->name);
|
||||
drv = tmp;
|
||||
|
||||
@ -31,7 +31,7 @@ typedef enum {
|
||||
typedef struct _virSecurityDriver virSecurityDriver;
|
||||
typedef virSecurityDriver *virSecurityDriverPtr;
|
||||
|
||||
typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void);
|
||||
typedef virSecurityDriverStatus (*virSecurityDriverProbe) (const char *virtDriver);
|
||||
typedef int (*virSecurityDriverOpen) (virSecurityManagerPtr mgr);
|
||||
typedef int (*virSecurityDriverClose) (virSecurityManagerPtr mgr);
|
||||
|
||||
@ -125,6 +125,7 @@ struct _virSecurityDriver {
|
||||
virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
|
||||
};
|
||||
|
||||
virSecurityDriverPtr virSecurityDriverLookup(const char *name);
|
||||
virSecurityDriverPtr virSecurityDriverLookup(const char *name,
|
||||
const char *virtDriver);
|
||||
|
||||
#endif /* __VIR_SECURITY_H__ */
|
||||
|
||||
@ -38,9 +38,11 @@ struct _virSecurityManager {
|
||||
bool allowDiskFormatProbing;
|
||||
bool defaultConfined;
|
||||
bool requireConfined;
|
||||
const char *virtDriver;
|
||||
};
|
||||
|
||||
static virSecurityManagerPtr virSecurityManagerNewDriver(virSecurityDriverPtr drv,
|
||||
const char *virtDriver,
|
||||
bool allowDiskFormatProbing,
|
||||
bool defaultConfined,
|
||||
bool requireConfined)
|
||||
@ -56,6 +58,7 @@ static virSecurityManagerPtr virSecurityManagerNewDriver(virSecurityDriverPtr dr
|
||||
mgr->allowDiskFormatProbing = allowDiskFormatProbing;
|
||||
mgr->defaultConfined = defaultConfined;
|
||||
mgr->requireConfined = requireConfined;
|
||||
mgr->virtDriver = virtDriver;
|
||||
|
||||
if (drv->open(mgr) < 0) {
|
||||
virSecurityManagerFree(mgr);
|
||||
@ -70,6 +73,7 @@ virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary,
|
||||
{
|
||||
virSecurityManagerPtr mgr =
|
||||
virSecurityManagerNewDriver(&virSecurityDriverStack,
|
||||
virSecurityManagerGetDriver(primary),
|
||||
virSecurityManagerGetAllowDiskFormatProbing(primary),
|
||||
virSecurityManagerGetDefaultConfined(primary),
|
||||
virSecurityManagerGetRequireConfined(primary));
|
||||
@ -83,7 +87,8 @@ virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary,
|
||||
return mgr;
|
||||
}
|
||||
|
||||
virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user,
|
||||
virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
|
||||
uid_t user,
|
||||
gid_t group,
|
||||
bool allowDiskFormatProbing,
|
||||
bool defaultConfined,
|
||||
@ -92,6 +97,7 @@ virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user,
|
||||
{
|
||||
virSecurityManagerPtr mgr =
|
||||
virSecurityManagerNewDriver(&virSecurityDriverDAC,
|
||||
virtDriver,
|
||||
allowDiskFormatProbing,
|
||||
defaultConfined,
|
||||
requireConfined);
|
||||
@ -107,11 +113,12 @@ virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user,
|
||||
}
|
||||
|
||||
virSecurityManagerPtr virSecurityManagerNew(const char *name,
|
||||
const char *virtDriver,
|
||||
bool allowDiskFormatProbing,
|
||||
bool defaultConfined,
|
||||
bool requireConfined)
|
||||
{
|
||||
virSecurityDriverPtr drv = virSecurityDriverLookup(name);
|
||||
virSecurityDriverPtr drv = virSecurityDriverLookup(name, virtDriver);
|
||||
if (!drv)
|
||||
return NULL;
|
||||
|
||||
@ -136,6 +143,7 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
|
||||
}
|
||||
|
||||
return virSecurityManagerNewDriver(drv,
|
||||
virtDriver,
|
||||
allowDiskFormatProbing,
|
||||
defaultConfined,
|
||||
requireConfined);
|
||||
@ -161,6 +169,12 @@ void virSecurityManagerFree(virSecurityManagerPtr mgr)
|
||||
VIR_FREE(mgr);
|
||||
}
|
||||
|
||||
const char *
|
||||
virSecurityManagerGetDriver(virSecurityManagerPtr mgr)
|
||||
{
|
||||
return mgr->virtDriver;
|
||||
}
|
||||
|
||||
const char *
|
||||
virSecurityManagerGetDOI(virSecurityManagerPtr mgr)
|
||||
{
|
||||
|
||||
@ -32,6 +32,7 @@ typedef struct _virSecurityManager virSecurityManager;
|
||||
typedef virSecurityManager *virSecurityManagerPtr;
|
||||
|
||||
virSecurityManagerPtr virSecurityManagerNew(const char *name,
|
||||
const char *virtDriver,
|
||||
bool allowDiskFormatProbing,
|
||||
bool defaultConfined,
|
||||
bool requireConfined);
|
||||
@ -39,7 +40,8 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
|
||||
virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary,
|
||||
virSecurityManagerPtr secondary);
|
||||
|
||||
virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user,
|
||||
virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
|
||||
uid_t user,
|
||||
gid_t group,
|
||||
bool allowDiskFormatProbing,
|
||||
bool defaultConfined,
|
||||
@ -50,6 +52,7 @@ void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr);
|
||||
|
||||
void virSecurityManagerFree(virSecurityManagerPtr mgr);
|
||||
|
||||
const char *virSecurityManagerGetDriver(virSecurityManagerPtr mgr);
|
||||
const char *virSecurityManagerGetDOI(virSecurityManagerPtr mgr);
|
||||
const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
|
||||
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
|
||||
|
||||
@ -21,7 +21,7 @@
|
||||
|
||||
#include "security_nop.h"
|
||||
|
||||
static virSecurityDriverStatus virSecurityDriverProbeNop(void)
|
||||
static virSecurityDriverStatus virSecurityDriverProbeNop(const char *virtDriver ATTRIBUTE_UNUSED)
|
||||
{
|
||||
return SECURITY_DRIVER_ENABLE;
|
||||
}
|
||||
|
||||
@ -346,7 +346,7 @@ err:
|
||||
|
||||
|
||||
static int
|
||||
SELinuxSecurityDriverProbe(void)
|
||||
SELinuxSecurityDriverProbe(const char *virtDriver ATTRIBUTE_UNUSED)
|
||||
{
|
||||
return is_selinux_enabled() ? SECURITY_DRIVER_ENABLE : SECURITY_DRIVER_DISABLE;
|
||||
}
|
||||
|
||||
@ -49,7 +49,7 @@ void virSecurityStackSetSecondary(virSecurityManagerPtr mgr,
|
||||
}
|
||||
|
||||
static virSecurityDriverStatus
|
||||
virSecurityStackProbe(void)
|
||||
virSecurityStackProbe(const char *virtDriver ATTRIBUTE_UNUSED)
|
||||
{
|
||||
return SECURITY_DRIVER_ENABLE;
|
||||
}
|
||||
|
||||
@ -13,7 +13,7 @@ main (int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED)
|
||||
virSecurityManagerPtr mgr;
|
||||
const char *doi, *model;
|
||||
|
||||
mgr = virSecurityManagerNew(NULL, false, true, false);
|
||||
mgr = virSecurityManagerNew(NULL, "QEMU", false, true, false);
|
||||
if (mgr == NULL) {
|
||||
fprintf (stderr, "Failed to start security driver");
|
||||
exit (-1);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user