From 73580c60d1003c7d93125a0f62b673818a5da9c9 Mon Sep 17 00:00:00 2001 From: Daniel Walsh Date: Thu, 10 May 2012 17:49:29 +0100 Subject: [PATCH] Pass the virt driver name into security drivers To allow the security drivers to apply different configuration information per hypervisor, pass the virtualization driver name into the security manager constructor. Signed-off-by: Daniel P. Berrange --- src/lxc/lxc_conf.h | 2 ++ src/lxc/lxc_controller.c | 8 ++++++-- src/lxc/lxc_driver.c | 6 ++++-- src/qemu/qemu_driver.c | 10 +++++++--- src/security/security_apparmor.c | 2 +- src/security/security_dac.c | 2 +- src/security/security_driver.c | 5 +++-- src/security/security_driver.h | 5 +++-- src/security/security_manager.c | 18 ++++++++++++++++-- src/security/security_manager.h | 5 ++++- src/security/security_nop.c | 2 +- src/security/security_selinux.c | 2 +- src/security/security_stack.c | 2 +- tests/seclabeltest.c | 2 +- 14 files changed, 51 insertions(+), 20 deletions(-) diff --git a/src/lxc/lxc_conf.h b/src/lxc/lxc_conf.h index ebdc173b22..cc279b279d 100644 --- a/src/lxc/lxc_conf.h +++ b/src/lxc/lxc_conf.h @@ -36,6 +36,8 @@ # include "security/security_manager.h" # include "configmake.h" +# define LXC_DRIVER_NAME "LXC" + # define LXC_CONFIG_DIR SYSCONFDIR "/libvirt/lxc" # define LXC_STATE_DIR LOCALSTATEDIR "/run/libvirt/lxc" # define LXC_LOG_DIR LOCALSTATEDIR "/log/libvirt/lxc" diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index 26b3115b9d..1292751bf6 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -1723,7 +1723,9 @@ int main(int argc, char *argv[]) break; case 'S': - if (!(securityDriver = virSecurityManagerNew(optarg, false, false, false))) { + if (!(securityDriver = virSecurityManagerNew(optarg, + LXC_DRIVER_NAME, + false, false, false))) { fprintf(stderr, "Cannot create security manager '%s'", optarg); goto cleanup; @@ -1750,7 +1752,9 @@ int main(int argc, char *argv[]) } if (securityDriver == NULL) { - if (!(securityDriver = virSecurityManagerNew("none", false, false, false))) { + if (!(securityDriver = virSecurityManagerNew("none", + LXC_DRIVER_NAME, + false, false, false))) { fprintf(stderr, "%s: cannot initialize nop security manager", argv[0]); goto cleanup; } diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c index 03783ffbf8..4cccd532c0 100644 --- a/src/lxc/lxc_driver.c +++ b/src/lxc/lxc_driver.c @@ -2533,7 +2533,9 @@ error: static int lxcSecurityInit(lxc_driver_t *driver) { + VIR_INFO("lxcSecurityInit %s", driver->securityDriverName); virSecurityManagerPtr mgr = virSecurityManagerNew(driver->securityDriverName, + LXC_DRIVER_NAME, false, driver->securityDefaultConfined, driver->securityRequireConfined); @@ -3851,7 +3853,7 @@ static virNWFilterCallbackDriver lxcCallbackDriver = { /* Function Tables */ static virDriver lxcDriver = { .no = VIR_DRV_LXC, - .name = "LXC", + .name = LXC_DRIVER_NAME, .open = lxcOpen, /* 0.4.2 */ .close = lxcClose, /* 0.4.2 */ .version = lxcVersion, /* 0.4.6 */ @@ -3915,7 +3917,7 @@ static virDriver lxcDriver = { }; static virStateDriver lxcStateDriver = { - .name = "LXC", + .name = LXC_DRIVER_NAME, .initialize = lxcStartup, .cleanup = lxcShutdown, .active = lxcActive, diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 981c4fdc66..0fd7de1cdf 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -95,6 +95,8 @@ #define VIR_FROM_THIS VIR_FROM_QEMU +#define QEMU_DRIVER_NAME "QEMU" + #define QEMU_NB_MEM_PARAM 3 #define QEMU_NB_BLOCK_IO_TUNE_PARAM 6 @@ -213,6 +215,7 @@ static int qemuSecurityInit(struct qemud_driver *driver) { virSecurityManagerPtr mgr = virSecurityManagerNew(driver->securityDriverName, + QEMU_DRIVER_NAME, driver->allowDiskFormatProbing, driver->securityDefaultConfined, driver->securityRequireConfined); @@ -221,7 +224,8 @@ qemuSecurityInit(struct qemud_driver *driver) goto error; if (driver->privileged) { - virSecurityManagerPtr dac = virSecurityManagerNewDAC(driver->user, + virSecurityManagerPtr dac = virSecurityManagerNewDAC(QEMU_DRIVER_NAME, + driver->user, driver->group, driver->allowDiskFormatProbing, driver->securityDefaultConfined, @@ -12838,7 +12842,7 @@ cleanup: static virDriver qemuDriver = { .no = VIR_DRV_QEMU, - .name = "QEMU", + .name = QEMU_DRIVER_NAME, .open = qemudOpen, /* 0.2.0 */ .close = qemudClose, /* 0.2.0 */ .supports_feature = qemudSupportsFeature, /* 0.5.0 */ @@ -13029,7 +13033,7 @@ qemuVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED, } static virNWFilterCallbackDriver qemuCallbackDriver = { - .name = "QEMU", + .name = QEMU_DRIVER_NAME, .vmFilterRebuild = qemuVMFilterRebuild, .vmDriverLock = qemuVMDriverLock, .vmDriverUnlock = qemuVMDriverUnlock, diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 8f8b2003b3..d638d1f167 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -328,7 +328,7 @@ AppArmorSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED, /* Called on libvirtd startup to see if AppArmor is available */ static int -AppArmorSecurityManagerProbe(void) +AppArmorSecurityManagerProbe(const char *virtDriver ATTRIBUTE_UNUSED) { char *template = NULL; int rc = SECURITY_DRIVER_DISABLE; diff --git a/src/security/security_dac.c b/src/security/security_dac.c index e71dc20d60..8201022261 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -65,7 +65,7 @@ void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr, } static virSecurityDriverStatus -virSecurityDACProbe(void) +virSecurityDACProbe(const char *virtDriver ATTRIBUTE_UNUSED) { return SECURITY_DRIVER_ENABLE; } diff --git a/src/security/security_driver.c b/src/security/security_driver.c index fd2c01ad60..39736cf3fe 100644 --- a/src/security/security_driver.c +++ b/src/security/security_driver.c @@ -37,7 +37,8 @@ static virSecurityDriverPtr security_drivers[] = { &virSecurityDriverNop, /* Must always be last, since it will always probe */ }; -virSecurityDriverPtr virSecurityDriverLookup(const char *name) +virSecurityDriverPtr virSecurityDriverLookup(const char *name, + const char *virtDriver) { virSecurityDriverPtr drv = NULL; int i; @@ -51,7 +52,7 @@ virSecurityDriverPtr virSecurityDriverLookup(const char *name) STRNEQ(tmp->name, name)) continue; - switch (tmp->probe()) { + switch (tmp->probe(virtDriver)) { case SECURITY_DRIVER_ENABLE: VIR_DEBUG("Probed name=%s", tmp->name); drv = tmp; diff --git a/src/security/security_driver.h b/src/security/security_driver.h index f0ace1c78d..d24304cdbd 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -31,7 +31,7 @@ typedef enum { typedef struct _virSecurityDriver virSecurityDriver; typedef virSecurityDriver *virSecurityDriverPtr; -typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void); +typedef virSecurityDriverStatus (*virSecurityDriverProbe) (const char *virtDriver); typedef int (*virSecurityDriverOpen) (virSecurityManagerPtr mgr); typedef int (*virSecurityDriverClose) (virSecurityManagerPtr mgr); @@ -125,6 +125,7 @@ struct _virSecurityDriver { virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel; }; -virSecurityDriverPtr virSecurityDriverLookup(const char *name); +virSecurityDriverPtr virSecurityDriverLookup(const char *name, + const char *virtDriver); #endif /* __VIR_SECURITY_H__ */ diff --git a/src/security/security_manager.c b/src/security/security_manager.c index 0a43458d78..e0dd1655b9 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -38,9 +38,11 @@ struct _virSecurityManager { bool allowDiskFormatProbing; bool defaultConfined; bool requireConfined; + const char *virtDriver; }; static virSecurityManagerPtr virSecurityManagerNewDriver(virSecurityDriverPtr drv, + const char *virtDriver, bool allowDiskFormatProbing, bool defaultConfined, bool requireConfined) @@ -56,6 +58,7 @@ static virSecurityManagerPtr virSecurityManagerNewDriver(virSecurityDriverPtr dr mgr->allowDiskFormatProbing = allowDiskFormatProbing; mgr->defaultConfined = defaultConfined; mgr->requireConfined = requireConfined; + mgr->virtDriver = virtDriver; if (drv->open(mgr) < 0) { virSecurityManagerFree(mgr); @@ -70,6 +73,7 @@ virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary, { virSecurityManagerPtr mgr = virSecurityManagerNewDriver(&virSecurityDriverStack, + virSecurityManagerGetDriver(primary), virSecurityManagerGetAllowDiskFormatProbing(primary), virSecurityManagerGetDefaultConfined(primary), virSecurityManagerGetRequireConfined(primary)); @@ -83,7 +87,8 @@ virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary, return mgr; } -virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user, +virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver, + uid_t user, gid_t group, bool allowDiskFormatProbing, bool defaultConfined, @@ -92,6 +97,7 @@ virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user, { virSecurityManagerPtr mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC, + virtDriver, allowDiskFormatProbing, defaultConfined, requireConfined); @@ -107,11 +113,12 @@ virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user, } virSecurityManagerPtr virSecurityManagerNew(const char *name, + const char *virtDriver, bool allowDiskFormatProbing, bool defaultConfined, bool requireConfined) { - virSecurityDriverPtr drv = virSecurityDriverLookup(name); + virSecurityDriverPtr drv = virSecurityDriverLookup(name, virtDriver); if (!drv) return NULL; @@ -136,6 +143,7 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name, } return virSecurityManagerNewDriver(drv, + virtDriver, allowDiskFormatProbing, defaultConfined, requireConfined); @@ -161,6 +169,12 @@ void virSecurityManagerFree(virSecurityManagerPtr mgr) VIR_FREE(mgr); } +const char * +virSecurityManagerGetDriver(virSecurityManagerPtr mgr) +{ + return mgr->virtDriver; +} + const char * virSecurityManagerGetDOI(virSecurityManagerPtr mgr) { diff --git a/src/security/security_manager.h b/src/security/security_manager.h index 32c8c3bf41..ca27bc6259 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -32,6 +32,7 @@ typedef struct _virSecurityManager virSecurityManager; typedef virSecurityManager *virSecurityManagerPtr; virSecurityManagerPtr virSecurityManagerNew(const char *name, + const char *virtDriver, bool allowDiskFormatProbing, bool defaultConfined, bool requireConfined); @@ -39,7 +40,8 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name, virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary, virSecurityManagerPtr secondary); -virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user, +virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver, + uid_t user, gid_t group, bool allowDiskFormatProbing, bool defaultConfined, @@ -50,6 +52,7 @@ void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr); void virSecurityManagerFree(virSecurityManagerPtr mgr); +const char *virSecurityManagerGetDriver(virSecurityManagerPtr mgr); const char *virSecurityManagerGetDOI(virSecurityManagerPtr mgr); const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr); bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr); diff --git a/src/security/security_nop.c b/src/security/security_nop.c index c3bd426d18..e979b544f6 100644 --- a/src/security/security_nop.c +++ b/src/security/security_nop.c @@ -21,7 +21,7 @@ #include "security_nop.h" -static virSecurityDriverStatus virSecurityDriverProbeNop(void) +static virSecurityDriverStatus virSecurityDriverProbeNop(const char *virtDriver ATTRIBUTE_UNUSED) { return SECURITY_DRIVER_ENABLE; } diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 1e27e10f55..4bd33a5eff 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -346,7 +346,7 @@ err: static int -SELinuxSecurityDriverProbe(void) +SELinuxSecurityDriverProbe(const char *virtDriver ATTRIBUTE_UNUSED) { return is_selinux_enabled() ? SECURITY_DRIVER_ENABLE : SECURITY_DRIVER_DISABLE; } diff --git a/src/security/security_stack.c b/src/security/security_stack.c index c82865facf..2eab38cdce 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -49,7 +49,7 @@ void virSecurityStackSetSecondary(virSecurityManagerPtr mgr, } static virSecurityDriverStatus -virSecurityStackProbe(void) +virSecurityStackProbe(const char *virtDriver ATTRIBUTE_UNUSED) { return SECURITY_DRIVER_ENABLE; } diff --git a/tests/seclabeltest.c b/tests/seclabeltest.c index fca76b9851..2f65ec1005 100644 --- a/tests/seclabeltest.c +++ b/tests/seclabeltest.c @@ -13,7 +13,7 @@ main (int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) virSecurityManagerPtr mgr; const char *doi, *model; - mgr = virSecurityManagerNew(NULL, false, true, false); + mgr = virSecurityManagerNew(NULL, "QEMU", false, true, false); if (mgr == NULL) { fprintf (stderr, "Failed to start security driver"); exit (-1);