security: Introduce virSecurityManagerMoveImageMetadata
The purpose of this API is to allow the caller to move XATTRs (or remove them) from one file to another. This will be needed when moving the top level of a disk chain (either by introducing a new HEAD or removing it). Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
parent
8b1660e530
commit
8b74cecbdf
@ -1409,6 +1409,7 @@ virSecurityManagerGetModel;
|
|||||||
virSecurityManagerGetMountOptions;
|
virSecurityManagerGetMountOptions;
|
||||||
virSecurityManagerGetNested;
|
virSecurityManagerGetNested;
|
||||||
virSecurityManagerGetProcessLabel;
|
virSecurityManagerGetProcessLabel;
|
||||||
|
virSecurityManagerMoveImageMetadata;
|
||||||
virSecurityManagerNew;
|
virSecurityManagerNew;
|
||||||
virSecurityManagerNewDAC;
|
virSecurityManagerNewDAC;
|
||||||
virSecurityManagerNewStack;
|
virSecurityManagerNewStack;
|
||||||
|
@ -119,6 +119,10 @@ typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
|
|||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virStorageSourcePtr src,
|
virStorageSourcePtr src,
|
||||||
virSecurityDomainImageLabelFlags flags);
|
virSecurityDomainImageLabelFlags flags);
|
||||||
|
typedef int (*virSecurityDomainMoveImageMetadata) (virSecurityManagerPtr mgr,
|
||||||
|
pid_t pid,
|
||||||
|
virStorageSourcePtr src,
|
||||||
|
virStorageSourcePtr dst);
|
||||||
typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virDomainMemoryDefPtr mem);
|
virDomainMemoryDefPtr mem);
|
||||||
@ -169,6 +173,7 @@ struct _virSecurityDriver {
|
|||||||
|
|
||||||
virSecurityDomainSetImageLabel domainSetSecurityImageLabel;
|
virSecurityDomainSetImageLabel domainSetSecurityImageLabel;
|
||||||
virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
|
virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
|
||||||
|
virSecurityDomainMoveImageMetadata domainMoveImageMetadata;
|
||||||
|
|
||||||
virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel;
|
virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel;
|
||||||
virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel;
|
virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel;
|
||||||
|
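Review bot: The new virSecurityDomainMoveImageMetadata typedef carries no comment, so the contract a driver has to honour — that @dst may be NULL meaning "remove the metadata from @src", and that @pid == -1 means "operate from the caller's namespace" — is only discoverable from the wrapper's doc comment in the security manager source. A short block comment above the typedef would let driver authors implement the callback without reading the manager, e.g. `/* Move (or, when @dst is NULL, remove) XATTR metadata from @src to @dst; when @pid != -1 the driver does so from within that process's mount namespace. */`. The struct _virSecurityDriver member added in the second hunk needs no change.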
@ -432,6 +432,45 @@ virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* virSecurityManagerMoveImageMetadata:
|
||||||
|
* @mgr: security manager
|
||||||
|
* @pid: domain's PID
|
||||||
|
* @src: source of metadata
|
||||||
|
* @dst: destination to move metadata to
|
||||||
|
*
|
||||||
|
* For given source @src, metadata is moved to destination @dst.
|
||||||
|
*
|
||||||
|
* If @dst is NULL then metadata is removed from @src and not
|
||||||
|
* stored anywhere.
|
||||||
|
*
|
||||||
|
* If @pid is not -1 enther the @pid mount namespace (usually
|
||||||
|
* @pid refers to a domain) and perform the move from there. If
|
||||||
|
* @pid is -1 then the move is performed from the caller's
|
||||||
|
* namespace.
|
||||||
|
*
|
||||||
|
* Returns: 0 on success,
|
||||||
|
* -1 otherwise.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
virSecurityManagerMoveImageMetadata(virSecurityManagerPtr mgr,
|
||||||
|
pid_t pid,
|
||||||
|
virStorageSourcePtr src,
|
||||||
|
virStorageSourcePtr dst)
|
||||||
|
{
|
||||||
|
if (mgr->drv->domainMoveImageMetadata) {
|
||||||
|
int ret;
|
||||||
|
virObjectLock(mgr);
|
||||||
|
ret = mgr->drv->domainMoveImageMetadata(mgr, pid, src, dst);
|
||||||
|
virObjectUnlock(mgr);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
virReportUnsupportedError();
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
int
|
int
|
||||||
virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
|
virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm)
|
virDomainDefPtr vm)
|
||||||
|
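Review bot: The doc comment has a typo in `* If @pid is not -1 enther the @pid mount namespace` — `enther` should be `enter`. The same paragraph reads as if this function performs the namespace switch itself, but the wrapper only locks @mgr and delegates to drv->domainMoveImageMetadata, so entering the namespace is the driver's responsibility; rewording to `* If @pid is not -1 the driver enters the @pid mount namespace` makes that explicit. It would also help the Returns paragraph to say that a driver without the callback yields -1 with an unsupported error, since the Nop driver's implementation returns 0 and callers may want to tell the two cases apart.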
@ -159,6 +159,10 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
|
|||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
virStorageSourcePtr src,
|
virStorageSourcePtr src,
|
||||||
virSecurityDomainImageLabelFlags flags);
|
virSecurityDomainImageLabelFlags flags);
|
||||||
|
int virSecurityManagerMoveImageMetadata(virSecurityManagerPtr mgr,
|
||||||
|
pid_t pid,
|
||||||
|
virStorageSourcePtr src,
|
||||||
|
virStorageSourcePtr dst);
|
||||||
|
|
||||||
int virSecurityManagerSetMemoryLabel(virSecurityManagerPtr mgr,
|
int virSecurityManagerSetMemoryLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
|
@ -224,6 +224,15 @@ virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
virSecurityDomainMoveImageMetadataNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||||
|
pid_t pid ATTRIBUTE_UNUSED,
|
||||||
|
virStorageSourcePtr src ATTRIBUTE_UNUSED,
|
||||||
|
virStorageSourcePtr dst ATTRIBUTE_UNUSED)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecurityDomainSetMemoryLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
virSecurityDomainSetMemoryLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||||
virDomainDefPtr def ATTRIBUTE_UNUSED,
|
virDomainDefPtr def ATTRIBUTE_UNUSED,
|
||||||
@ -280,6 +289,7 @@ virSecurityDriver virSecurityDriverNop = {
|
|||||||
|
|
||||||
.domainSetSecurityImageLabel = virSecurityDomainSetImageLabelNop,
|
.domainSetSecurityImageLabel = virSecurityDomainSetImageLabelNop,
|
||||||
.domainRestoreSecurityImageLabel = virSecurityDomainRestoreImageLabelNop,
|
.domainRestoreSecurityImageLabel = virSecurityDomainRestoreImageLabelNop,
|
||||||
|
.domainMoveImageMetadata = virSecurityDomainMoveImageMetadataNop,
|
||||||
|
|
||||||
.domainSetSecurityMemoryLabel = virSecurityDomainSetMemoryLabelNop,
|
.domainSetSecurityMemoryLabel = virSecurityDomainSetMemoryLabelNop,
|
||||||
.domainRestoreSecurityMemoryLabel = virSecurityDomainRestoreMemoryLabelNop,
|
.domainRestoreSecurityMemoryLabel = virSecurityDomainRestoreMemoryLabelNop,
|
||||||
|
@ -599,6 +599,25 @@ virSecurityStackRestoreImageLabel(virSecurityManagerPtr mgr,
|
|||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
virSecurityStackMoveImageMetadata(virSecurityManagerPtr mgr,
|
||||||
|
pid_t pid,
|
||||||
|
virStorageSourcePtr src,
|
||||||
|
virStorageSourcePtr dst)
|
||||||
|
{
|
||||||
|
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||||
|
virSecurityStackItemPtr item = priv->itemsHead;
|
||||||
|
int rc = 0;
|
||||||
|
|
||||||
|
for (; item; item = item->next) {
|
||||||
|
if (virSecurityManagerMoveImageMetadata(item->securityManager,
|
||||||
|
pid, src, dst) < 0)
|
||||||
|
rc = -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecurityStackSetMemoryLabel(virSecurityManagerPtr mgr,
|
virSecurityStackSetMemoryLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
@ -785,6 +804,7 @@ virSecurityDriver virSecurityDriverStack = {
|
|||||||
|
|
||||||
.domainSetSecurityImageLabel = virSecurityStackSetImageLabel,
|
.domainSetSecurityImageLabel = virSecurityStackSetImageLabel,
|
||||||
.domainRestoreSecurityImageLabel = virSecurityStackRestoreImageLabel,
|
.domainRestoreSecurityImageLabel = virSecurityStackRestoreImageLabel,
|
||||||
|
.domainMoveImageMetadata = virSecurityStackMoveImageMetadata,
|
||||||
|
|
||||||
.domainSetSecurityMemoryLabel = virSecurityStackSetMemoryLabel,
|
.domainSetSecurityMemoryLabel = virSecurityStackSetMemoryLabel,
|
||||||
.domainRestoreSecurityMemoryLabel = virSecurityStackRestoreMemoryLabel,
|
.domainRestoreSecurityMemoryLabel = virSecurityStackRestoreMemoryLabel,
|
||||||
|
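Review bot: In virSecurityStackMoveImageMetadata the loop keeps going after a nested manager fails, so a partial move — XATTRs moved by one nested driver but not another — is reported as a single -1 with no indication of which manager failed or which side of the move was left behind. This mirrors the surrounding Stack callbacks (virSecurityStackRestoreImageLabel just above returns rc the same way), so it looks intentional, but the partial-state outcome is worth stating so callers do not assume the move is atomic across drivers: `/* Keep going so every nested driver gets a chance; the last error wins and the caller may be left with a partially moved state. */` above the for loop. The driver-table entry added in the second hunk needs no change.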