mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-18 10:35:20 +00:00
Pass the virt driver name into security drivers
To allow the security drivers to apply different configuration information per hypervisor, pass the virtualization driver name into the security manager constructor. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
Daniel Walsh
Daniel P. Berrange
parent
6cfc3f8f4f
commit
73580c60d1
@ -36,6 +36,8 @@
|
|||||||
# include "security/security_manager.h"
|
# include "security/security_manager.h"
|
||||||
# include "configmake.h"
|
# include "configmake.h"
|
||||||
|
|
||||||
|
# define LXC_DRIVER_NAME "LXC"
|
||||||
|
|
||||||
# define LXC_CONFIG_DIR SYSCONFDIR "/libvirt/lxc"
|
# define LXC_CONFIG_DIR SYSCONFDIR "/libvirt/lxc"
|
||||||
# define LXC_STATE_DIR LOCALSTATEDIR "/run/libvirt/lxc"
|
# define LXC_STATE_DIR LOCALSTATEDIR "/run/libvirt/lxc"
|
||||||
# define LXC_LOG_DIR LOCALSTATEDIR "/log/libvirt/lxc"
|
# define LXC_LOG_DIR LOCALSTATEDIR "/log/libvirt/lxc"
|
||||||
|
|||||||
@ -1723,7 +1723,9 @@ int main(int argc, char *argv[])
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 'S':
|
case 'S':
|
||||||
if (!(securityDriver = virSecurityManagerNew(optarg, false, false, false))) {
|
if (!(securityDriver = virSecurityManagerNew(optarg,
|
||||||
|
LXC_DRIVER_NAME,
|
||||||
|
false, false, false))) {
|
||||||
fprintf(stderr, "Cannot create security manager '%s'",
|
fprintf(stderr, "Cannot create security manager '%s'",
|
||||||
optarg);
|
optarg);
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
@ -1750,7 +1752,9 @@ int main(int argc, char *argv[])
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (securityDriver == NULL) {
|
if (securityDriver == NULL) {
|
||||||
if (!(securityDriver = virSecurityManagerNew("none", false, false, false))) {
|
if (!(securityDriver = virSecurityManagerNew("none",
|
||||||
|
LXC_DRIVER_NAME,
|
||||||
|
false, false, false))) {
|
||||||
fprintf(stderr, "%s: cannot initialize nop security manager", argv[0]);
|
fprintf(stderr, "%s: cannot initialize nop security manager", argv[0]);
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -2533,7 +2533,9 @@ error:
|
|||||||
static int
|
static int
|
||||||
lxcSecurityInit(lxc_driver_t *driver)
|
lxcSecurityInit(lxc_driver_t *driver)
|
||||||
{
|
{
|
||||||
|
VIR_INFO("lxcSecurityInit %s", driver->securityDriverName);
|
||||||
virSecurityManagerPtr mgr = virSecurityManagerNew(driver->securityDriverName,
|
virSecurityManagerPtr mgr = virSecurityManagerNew(driver->securityDriverName,
|
||||||
|
LXC_DRIVER_NAME,
|
||||||
false,
|
false,
|
||||||
driver->securityDefaultConfined,
|
driver->securityDefaultConfined,
|
||||||
driver->securityRequireConfined);
|
driver->securityRequireConfined);
|
||||||
@ -3851,7 +3853,7 @@ static virNWFilterCallbackDriver lxcCallbackDriver = {
|
|||||||
/* Function Tables */
|
/* Function Tables */
|
||||||
static virDriver lxcDriver = {
|
static virDriver lxcDriver = {
|
||||||
.no = VIR_DRV_LXC,
|
.no = VIR_DRV_LXC,
|
||||||
.name = "LXC",
|
.name = LXC_DRIVER_NAME,
|
||||||
.open = lxcOpen, /* 0.4.2 */
|
.open = lxcOpen, /* 0.4.2 */
|
||||||
.close = lxcClose, /* 0.4.2 */
|
.close = lxcClose, /* 0.4.2 */
|
||||||
.version = lxcVersion, /* 0.4.6 */
|
.version = lxcVersion, /* 0.4.6 */
|
||||||
@ -3915,7 +3917,7 @@ static virDriver lxcDriver = {
|
|||||||
};
|
};
|
||||||
|
|
||||||
static virStateDriver lxcStateDriver = {
|
static virStateDriver lxcStateDriver = {
|
||||||
.name = "LXC",
|
.name = LXC_DRIVER_NAME,
|
||||||
.initialize = lxcStartup,
|
.initialize = lxcStartup,
|
||||||
.cleanup = lxcShutdown,
|
.cleanup = lxcShutdown,
|
||||||
.active = lxcActive,
|
.active = lxcActive,
|
||||||
|
|||||||
@ -95,6 +95,8 @@
|
|||||||
|
|
||||||
#define VIR_FROM_THIS VIR_FROM_QEMU
|
#define VIR_FROM_THIS VIR_FROM_QEMU
|
||||||
|
|
||||||
|
#define QEMU_DRIVER_NAME "QEMU"
|
||||||
|
|
||||||
#define QEMU_NB_MEM_PARAM 3
|
#define QEMU_NB_MEM_PARAM 3
|
||||||
|
|
||||||
#define QEMU_NB_BLOCK_IO_TUNE_PARAM 6
|
#define QEMU_NB_BLOCK_IO_TUNE_PARAM 6
|
||||||
@ -213,6 +215,7 @@ static int
|
|||||||
qemuSecurityInit(struct qemud_driver *driver)
|
qemuSecurityInit(struct qemud_driver *driver)
|
||||||
{
|
{
|
||||||
virSecurityManagerPtr mgr = virSecurityManagerNew(driver->securityDriverName,
|
virSecurityManagerPtr mgr = virSecurityManagerNew(driver->securityDriverName,
|
||||||
|
QEMU_DRIVER_NAME,
|
||||||
driver->allowDiskFormatProbing,
|
driver->allowDiskFormatProbing,
|
||||||
driver->securityDefaultConfined,
|
driver->securityDefaultConfined,
|
||||||
driver->securityRequireConfined);
|
driver->securityRequireConfined);
|
||||||
@ -221,7 +224,8 @@ qemuSecurityInit(struct qemud_driver *driver)
|
|||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
if (driver->privileged) {
|
if (driver->privileged) {
|
||||||
virSecurityManagerPtr dac = virSecurityManagerNewDAC(driver->user,
|
virSecurityManagerPtr dac = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
|
||||||
|
driver->user,
|
||||||
driver->group,
|
driver->group,
|
||||||
driver->allowDiskFormatProbing,
|
driver->allowDiskFormatProbing,
|
||||||
driver->securityDefaultConfined,
|
driver->securityDefaultConfined,
|
||||||
@ -12838,7 +12842,7 @@ cleanup:
|
|||||||
|
|
||||||
static virDriver qemuDriver = {
|
static virDriver qemuDriver = {
|
||||||
.no = VIR_DRV_QEMU,
|
.no = VIR_DRV_QEMU,
|
||||||
.name = "QEMU",
|
.name = QEMU_DRIVER_NAME,
|
||||||
.open = qemudOpen, /* 0.2.0 */
|
.open = qemudOpen, /* 0.2.0 */
|
||||||
.close = qemudClose, /* 0.2.0 */
|
.close = qemudClose, /* 0.2.0 */
|
||||||
.supports_feature = qemudSupportsFeature, /* 0.5.0 */
|
.supports_feature = qemudSupportsFeature, /* 0.5.0 */
|
||||||
@ -13029,7 +13033,7 @@ qemuVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED,
|
|||||||
}
|
}
|
||||||
|
|
||||||
static virNWFilterCallbackDriver qemuCallbackDriver = {
|
static virNWFilterCallbackDriver qemuCallbackDriver = {
|
||||||
.name = "QEMU",
|
.name = QEMU_DRIVER_NAME,
|
||||||
.vmFilterRebuild = qemuVMFilterRebuild,
|
.vmFilterRebuild = qemuVMFilterRebuild,
|
||||||
.vmDriverLock = qemuVMDriverLock,
|
.vmDriverLock = qemuVMDriverLock,
|
||||||
.vmDriverUnlock = qemuVMDriverUnlock,
|
.vmDriverUnlock = qemuVMDriverUnlock,
|
||||||
|
|||||||
@ -328,7 +328,7 @@ AppArmorSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
|
|||||||
|
|
||||||
/* Called on libvirtd startup to see if AppArmor is available */
|
/* Called on libvirtd startup to see if AppArmor is available */
|
||||||
static int
|
static int
|
||||||
AppArmorSecurityManagerProbe(void)
|
AppArmorSecurityManagerProbe(const char *virtDriver ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
char *template = NULL;
|
char *template = NULL;
|
||||||
int rc = SECURITY_DRIVER_DISABLE;
|
int rc = SECURITY_DRIVER_DISABLE;
|
||||||
|
|||||||
@ -65,7 +65,7 @@ void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
|
|||||||
}
|
}
|
||||||
|
|
||||||
static virSecurityDriverStatus
|
static virSecurityDriverStatus
|
||||||
virSecurityDACProbe(void)
|
virSecurityDACProbe(const char *virtDriver ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
return SECURITY_DRIVER_ENABLE;
|
return SECURITY_DRIVER_ENABLE;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -37,7 +37,8 @@ static virSecurityDriverPtr security_drivers[] = {
|
|||||||
&virSecurityDriverNop, /* Must always be last, since it will always probe */
|
&virSecurityDriverNop, /* Must always be last, since it will always probe */
|
||||||
};
|
};
|
||||||
|
|
||||||
virSecurityDriverPtr virSecurityDriverLookup(const char *name)
|
virSecurityDriverPtr virSecurityDriverLookup(const char *name,
|
||||||
|
const char *virtDriver)
|
||||||
{
|
{
|
||||||
virSecurityDriverPtr drv = NULL;
|
virSecurityDriverPtr drv = NULL;
|
||||||
int i;
|
int i;
|
||||||
@ -51,7 +52,7 @@ virSecurityDriverPtr virSecurityDriverLookup(const char *name)
|
|||||||
STRNEQ(tmp->name, name))
|
STRNEQ(tmp->name, name))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
switch (tmp->probe()) {
|
switch (tmp->probe(virtDriver)) {
|
||||||
case SECURITY_DRIVER_ENABLE:
|
case SECURITY_DRIVER_ENABLE:
|
||||||
VIR_DEBUG("Probed name=%s", tmp->name);
|
VIR_DEBUG("Probed name=%s", tmp->name);
|
||||||
drv = tmp;
|
drv = tmp;
|
||||||
|
|||||||
@ -31,7 +31,7 @@ typedef enum {
|
|||||||
typedef struct _virSecurityDriver virSecurityDriver;
|
typedef struct _virSecurityDriver virSecurityDriver;
|
||||||
typedef virSecurityDriver *virSecurityDriverPtr;
|
typedef virSecurityDriver *virSecurityDriverPtr;
|
||||||
|
|
||||||
typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void);
|
typedef virSecurityDriverStatus (*virSecurityDriverProbe) (const char *virtDriver);
|
||||||
typedef int (*virSecurityDriverOpen) (virSecurityManagerPtr mgr);
|
typedef int (*virSecurityDriverOpen) (virSecurityManagerPtr mgr);
|
||||||
typedef int (*virSecurityDriverClose) (virSecurityManagerPtr mgr);
|
typedef int (*virSecurityDriverClose) (virSecurityManagerPtr mgr);
|
||||||
|
|
||||||
@ -125,6 +125,7 @@ struct _virSecurityDriver {
|
|||||||
virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
|
virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
|
||||||
};
|
};
|
||||||
|
|
||||||
virSecurityDriverPtr virSecurityDriverLookup(const char *name);
|
virSecurityDriverPtr virSecurityDriverLookup(const char *name,
|
||||||
|
const char *virtDriver);
|
||||||
|
|
||||||
#endif /* __VIR_SECURITY_H__ */
|
#endif /* __VIR_SECURITY_H__ */
|
||||||
|
|||||||
@ -38,9 +38,11 @@ struct _virSecurityManager {
|
|||||||
bool allowDiskFormatProbing;
|
bool allowDiskFormatProbing;
|
||||||
bool defaultConfined;
|
bool defaultConfined;
|
||||||
bool requireConfined;
|
bool requireConfined;
|
||||||
|
const char *virtDriver;
|
||||||
};
|
};
|
||||||
|
|
||||||
static virSecurityManagerPtr virSecurityManagerNewDriver(virSecurityDriverPtr drv,
|
static virSecurityManagerPtr virSecurityManagerNewDriver(virSecurityDriverPtr drv,
|
||||||
|
const char *virtDriver,
|
||||||
bool allowDiskFormatProbing,
|
bool allowDiskFormatProbing,
|
||||||
bool defaultConfined,
|
bool defaultConfined,
|
||||||
bool requireConfined)
|
bool requireConfined)
|
||||||
@ -56,6 +58,7 @@ static virSecurityManagerPtr virSecurityManagerNewDriver(virSecurityDriverPtr dr
|
|||||||
mgr->allowDiskFormatProbing = allowDiskFormatProbing;
|
mgr->allowDiskFormatProbing = allowDiskFormatProbing;
|
||||||
mgr->defaultConfined = defaultConfined;
|
mgr->defaultConfined = defaultConfined;
|
||||||
mgr->requireConfined = requireConfined;
|
mgr->requireConfined = requireConfined;
|
||||||
|
mgr->virtDriver = virtDriver;
|
||||||
|
|
||||||
if (drv->open(mgr) < 0) {
|
if (drv->open(mgr) < 0) {
|
||||||
virSecurityManagerFree(mgr);
|
virSecurityManagerFree(mgr);
|
||||||
@ -70,6 +73,7 @@ virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary,
|
|||||||
{
|
{
|
||||||
virSecurityManagerPtr mgr =
|
virSecurityManagerPtr mgr =
|
||||||
virSecurityManagerNewDriver(&virSecurityDriverStack,
|
virSecurityManagerNewDriver(&virSecurityDriverStack,
|
||||||
|
virSecurityManagerGetDriver(primary),
|
||||||
virSecurityManagerGetAllowDiskFormatProbing(primary),
|
virSecurityManagerGetAllowDiskFormatProbing(primary),
|
||||||
virSecurityManagerGetDefaultConfined(primary),
|
virSecurityManagerGetDefaultConfined(primary),
|
||||||
virSecurityManagerGetRequireConfined(primary));
|
virSecurityManagerGetRequireConfined(primary));
|
||||||
@ -83,7 +87,8 @@ virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary,
|
|||||||
return mgr;
|
return mgr;
|
||||||
}
|
}
|
||||||
|
|
||||||
virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user,
|
virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
|
||||||
|
uid_t user,
|
||||||
gid_t group,
|
gid_t group,
|
||||||
bool allowDiskFormatProbing,
|
bool allowDiskFormatProbing,
|
||||||
bool defaultConfined,
|
bool defaultConfined,
|
||||||
@ -92,6 +97,7 @@ virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user,
|
|||||||
{
|
{
|
||||||
virSecurityManagerPtr mgr =
|
virSecurityManagerPtr mgr =
|
||||||
virSecurityManagerNewDriver(&virSecurityDriverDAC,
|
virSecurityManagerNewDriver(&virSecurityDriverDAC,
|
||||||
|
virtDriver,
|
||||||
allowDiskFormatProbing,
|
allowDiskFormatProbing,
|
||||||
defaultConfined,
|
defaultConfined,
|
||||||
requireConfined);
|
requireConfined);
|
||||||
@ -107,11 +113,12 @@ virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user,
|
|||||||
}
|
}
|
||||||
|
|
||||||
virSecurityManagerPtr virSecurityManagerNew(const char *name,
|
virSecurityManagerPtr virSecurityManagerNew(const char *name,
|
||||||
|
const char *virtDriver,
|
||||||
bool allowDiskFormatProbing,
|
bool allowDiskFormatProbing,
|
||||||
bool defaultConfined,
|
bool defaultConfined,
|
||||||
bool requireConfined)
|
bool requireConfined)
|
||||||
{
|
{
|
||||||
virSecurityDriverPtr drv = virSecurityDriverLookup(name);
|
virSecurityDriverPtr drv = virSecurityDriverLookup(name, virtDriver);
|
||||||
if (!drv)
|
if (!drv)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
@ -136,6 +143,7 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
|
|||||||
}
|
}
|
||||||
|
|
||||||
return virSecurityManagerNewDriver(drv,
|
return virSecurityManagerNewDriver(drv,
|
||||||
|
virtDriver,
|
||||||
allowDiskFormatProbing,
|
allowDiskFormatProbing,
|
||||||
defaultConfined,
|
defaultConfined,
|
||||||
requireConfined);
|
requireConfined);
|
||||||
@ -161,6 +169,12 @@ void virSecurityManagerFree(virSecurityManagerPtr mgr)
|
|||||||
VIR_FREE(mgr);
|
VIR_FREE(mgr);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const char *
|
||||||
|
virSecurityManagerGetDriver(virSecurityManagerPtr mgr)
|
||||||
|
{
|
||||||
|
return mgr->virtDriver;
|
||||||
|
}
|
||||||
|
|
||||||
const char *
|
const char *
|
||||||
virSecurityManagerGetDOI(virSecurityManagerPtr mgr)
|
virSecurityManagerGetDOI(virSecurityManagerPtr mgr)
|
||||||
{
|
{
|
||||||
|
|||||||
@ -32,6 +32,7 @@ typedef struct _virSecurityManager virSecurityManager;
|
|||||||
typedef virSecurityManager *virSecurityManagerPtr;
|
typedef virSecurityManager *virSecurityManagerPtr;
|
||||||
|
|
||||||
virSecurityManagerPtr virSecurityManagerNew(const char *name,
|
virSecurityManagerPtr virSecurityManagerNew(const char *name,
|
||||||
|
const char *virtDriver,
|
||||||
bool allowDiskFormatProbing,
|
bool allowDiskFormatProbing,
|
||||||
bool defaultConfined,
|
bool defaultConfined,
|
||||||
bool requireConfined);
|
bool requireConfined);
|
||||||
@ -39,7 +40,8 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
|
|||||||
virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary,
|
virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary,
|
||||||
virSecurityManagerPtr secondary);
|
virSecurityManagerPtr secondary);
|
||||||
|
|
||||||
virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user,
|
virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
|
||||||
|
uid_t user,
|
||||||
gid_t group,
|
gid_t group,
|
||||||
bool allowDiskFormatProbing,
|
bool allowDiskFormatProbing,
|
||||||
bool defaultConfined,
|
bool defaultConfined,
|
||||||
@ -50,6 +52,7 @@ void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr);
|
|||||||
|
|
||||||
void virSecurityManagerFree(virSecurityManagerPtr mgr);
|
void virSecurityManagerFree(virSecurityManagerPtr mgr);
|
||||||
|
|
||||||
|
const char *virSecurityManagerGetDriver(virSecurityManagerPtr mgr);
|
||||||
const char *virSecurityManagerGetDOI(virSecurityManagerPtr mgr);
|
const char *virSecurityManagerGetDOI(virSecurityManagerPtr mgr);
|
||||||
const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
|
const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
|
||||||
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
|
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
|
||||||
|
|||||||
@ -21,7 +21,7 @@
|
|||||||
|
|
||||||
#include "security_nop.h"
|
#include "security_nop.h"
|
||||||
|
|
||||||
static virSecurityDriverStatus virSecurityDriverProbeNop(void)
|
static virSecurityDriverStatus virSecurityDriverProbeNop(const char *virtDriver ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
return SECURITY_DRIVER_ENABLE;
|
return SECURITY_DRIVER_ENABLE;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -346,7 +346,7 @@ err:
|
|||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
SELinuxSecurityDriverProbe(void)
|
SELinuxSecurityDriverProbe(const char *virtDriver ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
return is_selinux_enabled() ? SECURITY_DRIVER_ENABLE : SECURITY_DRIVER_DISABLE;
|
return is_selinux_enabled() ? SECURITY_DRIVER_ENABLE : SECURITY_DRIVER_DISABLE;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -49,7 +49,7 @@ void virSecurityStackSetSecondary(virSecurityManagerPtr mgr,
|
|||||||
}
|
}
|
||||||
|
|
||||||
static virSecurityDriverStatus
|
static virSecurityDriverStatus
|
||||||
virSecurityStackProbe(void)
|
virSecurityStackProbe(const char *virtDriver ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
return SECURITY_DRIVER_ENABLE;
|
return SECURITY_DRIVER_ENABLE;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -13,7 +13,7 @@ main (int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED)
|
|||||||
virSecurityManagerPtr mgr;
|
virSecurityManagerPtr mgr;
|
||||||
const char *doi, *model;
|
const char *doi, *model;
|
||||||
|
|
||||||
mgr = virSecurityManagerNew(NULL, false, true, false);
|
mgr = virSecurityManagerNew(NULL, "QEMU", false, true, false);
|
||||||
if (mgr == NULL) {
|
if (mgr == NULL) {
|
||||||
fprintf (stderr, "Failed to start security driver");
|
fprintf (stderr, "Failed to start security driver");
|
||||||
exit (-1);
|
exit (-1);
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user