External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-22 19:32:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add a virSecurityManagerSetProcessFDLabel

Browse Source 
Add a new security driver method for labelling an FD with
the process label, rather than the image label

* src/libvirt_private.syms, src/security/security_apparmor.c,
  src/security/security_dac.c, src/security/security_driver.h,
  src/security/security_manager.c, src/security/security_manager.h,
  src/security/security_selinux.c, src/security/security_stack.c:
  Add virSecurityManagerSetProcessFDLabel & impl
This commit is contained in:
Daniel P. Berrange 2011-06-24 14:50:36 +01:00
parent 4438c63e71
commit 8e3c6fbbe6
8 changed files with 89 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/libvirt_private.syms
View File

@ -851,6 +851,7 @@ virSecurityManagerSetAllLabel;
virSecurityManagerSetImageFDLabel;
virSecurityManagerSetImageLabel;
virSecurityManagerSetHostdevLabel;
virSecurityManagerSetProcessFDLabel;
virSecurityManagerSetProcessLabel;
virSecurityManagerSetSavedStateLabel;
virSecurityManagerSetSocketLabel;

29
src/security/security_apparmor.c
View File

@ -786,6 +786,34 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
return reload_profile(mgr, vm, fd_path, true);
}
static int
AppArmorSetProcessFDLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
int fd)
{
int rc = -1;
char *proc = NULL;
char *fd_path = NULL;
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
if (secdef->imagelabel == NULL)
return 0;
if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1) {
virReportOOMError();
return rc;
}
if (virFileResolveLink(proc, &fd_path) < 0) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("could not find path for descriptor"));
return rc;
}
return reload_profile(mgr, vm, fd_path, true);
}
virSecurityDriver virAppArmorSecurityDriver = {
0,
SECURITY_APPARMOR_NAME,
@ -821,4 +849,5 @@ virSecurityDriver virAppArmorSecurityDriver = {
AppArmorRestoreSavedStateLabel,
AppArmorSetImageFDLabel,
AppArmorSetProcessFDLabel,
};

9
src/security/security_dac.c
View File

@ -689,6 +689,14 @@ virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return 0;
}
static int
virSecurityDACSetProcessFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED,
int fd ATTRIBUTE_UNUSED)
{
return 0;
}
virSecurityDriver virSecurityDriverDAC = {
sizeof(virSecurityDACData),
@ -726,4 +734,5 @@ virSecurityDriver virSecurityDriverDAC = {
virSecurityDACRestoreSavedStateLabel,
virSecurityDACSetImageFDLabel,
virSecurityDACSetProcessFDLabel,
};

4
src/security/security_driver.h
View File

@ -82,6 +82,9 @@ typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr,
typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm,
int fd);
typedef int (*virSecurityDomainSetProcessFDLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm,
int fd);
struct _virSecurityDriver {
size_t privateDataLen;
@ -118,6 +121,7 @@ struct _virSecurityDriver {
virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;
virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
virSecurityDomainSetProcessFDLabel domainSetSecurityProcessFDLabel;
};
virSecurityDriverPtr virSecurityDriverLookup(const char *name);

11
src/security/security_manager.c
View File

@ -336,3 +336,14 @@ int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
}
int virSecurityManagerSetProcessFDLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
int fd)
{
if (mgr->drv->domainSetSecurityProcessFDLabel)
return mgr->drv->domainSetSecurityProcessFDLabel(mgr, vm, fd);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
}

3
src/security/security_manager.h
View File

@ -94,5 +94,8 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr,
int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
int fd);
int virSecurityManagerSetProcessFDLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
int fd);
#endif /* VIR_SECURITY_MANAGER_H__ */

14
src/security/security_selinux.c
View File

@ -1221,6 +1221,19 @@ SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return SELinuxFSetFilecon(fd, secdef->imagelabel);
}
static int
SELinuxSetProcessFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm,
int fd)
{
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
if (secdef->label == NULL)
return 0;
return SELinuxFSetFilecon(fd, secdef->label);
}
virSecurityDriver virSecurityDriverSELinux = {
0,
SECURITY_SELINUX_NAME,
@ -1256,4 +1269,5 @@ virSecurityDriver virSecurityDriverSELinux = {
SELinuxRestoreSavedStateLabel,
SELinuxSetImageFDLabel,
SELinuxSetProcessFDLabel,
};

18
src/security/security_stack.c
View File

@ -386,6 +386,23 @@ virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
}
static int
virSecurityStackSetProcessFDLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
int fd)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
if (virSecurityManagerSetProcessFDLabel(priv->secondary, vm, fd) < 0)
rc = -1;
if (virSecurityManagerSetProcessFDLabel(priv->primary, vm, fd) < 0)
rc = -1;
return rc;
}
virSecurityDriver virSecurityDriverStack = {
sizeof(virSecurityStackData),
"stack",
@ -421,4 +438,5 @@ virSecurityDriver virSecurityDriverStack = {
virSecurityStackRestoreSavedStateLabel,
virSecurityStackSetImageFDLabel,
virSecurityStackSetProcessFDLabel,
};