Change security driver APIs to use virDomainDefPtr instead of virDomainObjPtr

When sVirt is integrated with the LXC driver, it will be necessary
to invoke the security driver APIs using only a virDomainDefPtr
since the lxc_container.c code has no virDomainObjPtr available.
Aside from two functions which want obj->pid, every bit of the
security driver code only touches obj->def. So we don't need to
pass a virDomainObjPtr into the security drivers, a virDomainDefPtr
is sufficient. Two functions also gain a 'pid_t pid' argument.

* src/qemu/qemu_driver.c, src/qemu/qemu_hotplug.c,
  src/qemu/qemu_migration.c, src/qemu/qemu_process.c,
  src/security/security_apparmor.c,
  src/security/security_dac.c,
  src/security/security_driver.h,
  src/security/security_manager.c,
  src/security/security_manager.h,
  src/security/security_nop.c,
  src/security/security_selinux.c,
  src/security/security_stack.c: Change all security APIs to use a
  virDomainDefPtr instead of virDomainObjPtr
Daniel P. Berrange 2011-07-14 14:32:06 +01:00
parent 4e9953a426
commit 99be754ada
12 changed files with 382 additions and 373 deletions


@ -3087,7 +3087,7 @@ qemuDomainScreenshot(virDomainPtr dom,
} }
unlink_tmp = true; unlink_tmp = true;
virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp); virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp);
qemuDomainObjEnterMonitor(driver, vm); qemuDomainObjEnterMonitor(driver, vm);
if (qemuMonitorScreendump(priv->mon, tmp) < 0) { if (qemuMonitorScreendump(priv->mon, tmp) < 0) {
@ -3766,7 +3766,7 @@ static int qemudDomainGetSecurityLabel(virDomainPtr dom, virSecurityLabelPtr sec
*/ */
if (virDomainObjIsActive(vm)) { if (virDomainObjIsActive(vm)) {
if (virSecurityManagerGetProcessLabel(driver->securityManager, if (virSecurityManagerGetProcessLabel(driver->securityManager,
vm, seclabel) < 0) { vm->def, vm->pid, seclabel) < 0) {
qemuReportError(VIR_ERR_INTERNAL_ERROR, qemuReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("Failed to get security label")); "%s", _("Failed to get security label"));
goto cleanup; goto cleanup;
@ -4074,7 +4074,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
out: out:
virCommandFree(cmd); virCommandFree(cmd);
if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager, if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager,
vm, path) < 0) vm->def, path) < 0)
VIR_WARN("failed to restore save state label on %s", path); VIR_WARN("failed to restore save state label on %s", path);
return ret; return ret;
@ -8352,7 +8352,7 @@ qemudDomainMemoryPeek (virDomainPtr dom,
goto endjob; goto endjob;
} }
virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp); virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp);
priv = vm->privateData; priv = vm->privateData;
qemuDomainObjEnterMonitor(driver, vm); qemuDomainObjEnterMonitor(driver, vm);
@ -9834,7 +9834,7 @@ qemuDomainSnapshotCreateSingleDiskActive(struct qemud_driver *driver,
if (virDomainLockDiskAttach(driver->lockManager, vm, disk) < 0) if (virDomainLockDiskAttach(driver->lockManager, vm, disk) < 0)
goto cleanup; goto cleanup;
if (virSecurityManagerSetImageLabel(driver->securityManager, vm, if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def,
disk) < 0) { disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", source); VIR_WARN("Unable to release lock on %s", source);
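Review bot: The result of `virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp)` is discarded in both the qemuDomainScreenshot and qemudDomainMemoryPeek hunks, so a failed relabel of the temporary file is silent and would presumably only show up later as a monitor command error. Checking it keeps the security driver's own error visible, e.g. in qemudDomainMemoryPeek `if (virSecurityManagerSetSavedStateLabel(driver->securityManager, vm->def, tmp) < 0) goto endjob;`; the matching exit label for qemuDomainScreenshot is outside the hunk. Both calls also use the global `qemu_driver` although the following line uses the local `driver`, and `driver->securityManager` would match the other call sites in this file. Both function bodies start and end outside the hunks shown.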


@ -88,7 +88,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver,
return -1; return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager, if (virSecurityManagerSetImageLabel(driver->securityManager,
vm, disk) < 0) { vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src); VIR_WARN("Unable to release lock on %s", disk->src);
return -1; return -1;
@ -120,7 +120,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver,
goto error; goto error;
if (virSecurityManagerRestoreImageLabel(driver->securityManager, if (virSecurityManagerRestoreImageLabel(driver->securityManager,
vm, origdisk) < 0) vm->def, origdisk) < 0)
VIR_WARN("Unable to restore security label on ejected image %s", origdisk->src); VIR_WARN("Unable to restore security label on ejected image %s", origdisk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, origdisk) < 0) if (virDomainLockDiskDetach(driver->lockManager, vm, origdisk) < 0)
@ -141,7 +141,7 @@ error:
VIR_FREE(driveAlias); VIR_FREE(driveAlias);
if (virSecurityManagerRestoreImageLabel(driver->securityManager, if (virSecurityManagerRestoreImageLabel(driver->securityManager,
vm, disk) < 0) vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on new media %s", disk->src); VIR_WARN("Unable to restore security label on new media %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@ -211,7 +211,7 @@ int qemuDomainAttachPciDiskDevice(virConnectPtr conn,
return -1; return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager, if (virSecurityManagerSetImageLabel(driver->securityManager,
vm, disk) < 0) { vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src); VIR_WARN("Unable to release lock on %s", disk->src);
return -1; return -1;
@ -285,7 +285,7 @@ error:
VIR_WARN("Unable to release PCI address on %s", disk->src); VIR_WARN("Unable to release PCI address on %s", disk->src);
if (virSecurityManagerRestoreImageLabel(driver->securityManager, if (virSecurityManagerRestoreImageLabel(driver->securityManager,
vm, disk) < 0) vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src); VIR_WARN("Unable to restore security label on %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@ -441,7 +441,7 @@ int qemuDomainAttachSCSIDisk(virConnectPtr conn,
return -1; return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager, if (virSecurityManagerSetImageLabel(driver->securityManager,
vm, disk) < 0) { vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src); VIR_WARN("Unable to release lock on %s", disk->src);
return -1; return -1;
@ -532,7 +532,7 @@ error:
VIR_FREE(drivestr); VIR_FREE(drivestr);
if (virSecurityManagerRestoreImageLabel(driver->securityManager, if (virSecurityManagerRestoreImageLabel(driver->securityManager,
vm, disk) < 0) vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src); VIR_WARN("Unable to restore security label on %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@ -564,7 +564,7 @@ int qemuDomainAttachUsbMassstorageDevice(virConnectPtr conn,
return -1; return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager, if (virSecurityManagerSetImageLabel(driver->securityManager,
vm, disk) < 0) { vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src); VIR_WARN("Unable to release lock on %s", disk->src);
return -1; return -1;
@ -625,7 +625,7 @@ error:
VIR_FREE(drivestr); VIR_FREE(drivestr);
if (virSecurityManagerRestoreImageLabel(driver->securityManager, if (virSecurityManagerRestoreImageLabel(driver->securityManager,
vm, disk) < 0) vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src); VIR_WARN("Unable to restore security label on %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0) if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@ -1117,7 +1117,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver,
if (virSecurityManagerSetHostdevLabel(driver->securityManager, if (virSecurityManagerSetHostdevLabel(driver->securityManager,
vm, hostdev) < 0) vm->def, hostdev) < 0)
return -1; return -1;
switch (hostdev->source.subsys.type) { switch (hostdev->source.subsys.type) {
@ -1144,7 +1144,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver,
error: error:
if (virSecurityManagerRestoreHostdevLabel(driver->securityManager, if (virSecurityManagerRestoreHostdevLabel(driver->securityManager,
vm, hostdev) < 0) vm->def, hostdev) < 0)
VIR_WARN("Unable to restore host device labelling on hotplug fail"); VIR_WARN("Unable to restore host device labelling on hotplug fail");
return -1; return -1;
@ -1577,7 +1577,7 @@ int qemuDomainDetachPciDiskDevice(struct qemud_driver *driver,
virDomainDiskDefFree(detach); virDomainDiskDefFree(detach);
if (virSecurityManagerRestoreImageLabel(driver->securityManager, if (virSecurityManagerRestoreImageLabel(driver->securityManager,
vm, dev->data.disk) < 0) vm->def, dev->data.disk) < 0)
VIR_WARN("Unable to restore security label on %s", dev->data.disk->src); VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
if (cgroup != NULL) { if (cgroup != NULL) {
@ -1659,7 +1659,7 @@ int qemuDomainDetachDiskDevice(struct qemud_driver *driver,
virDomainDiskDefFree(detach); virDomainDiskDefFree(detach);
if (virSecurityManagerRestoreImageLabel(driver->securityManager, if (virSecurityManagerRestoreImageLabel(driver->securityManager,
vm, dev->data.disk) < 0) vm->def, dev->data.disk) < 0)
VIR_WARN("Unable to restore security label on %s", dev->data.disk->src); VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
if (cgroup != NULL) { if (cgroup != NULL) {
@ -2192,7 +2192,7 @@ int qemuDomainDetachHostDevice(struct qemud_driver *driver,
if (ret == 0 && if (ret == 0 &&
virSecurityManagerRestoreHostdevLabel(driver->securityManager, virSecurityManagerRestoreHostdevLabel(driver->securityManager,
vm, detach) < 0) vm->def, detach) < 0)
VIR_WARN("Failed to restore host device labelling"); VIR_WARN("Failed to restore host device labelling");
virDomainHostdevDefFree(detach); virDomainHostdevDefFree(detach);
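Review bot: In the detach paths (qemuDomainDetachPciDiskDevice, qemuDomainDetachDiskDevice, qemuDomainDetachHostDevice) a failed `virSecurityManagerRestoreImageLabel` or `virSecurityManagerRestoreHostdevLabel` is only logged, and the warning names the path but not the guest, so a host file or device whose label was not restored is hard to trace back to a domain. Adding the domain name makes the log line actionable, e.g. `VIR_WARN("Unable to restore security label on %s for domain %s", dev->data.disk->src, vm->def->name);`. The same applies to the restore calls under the `error:` labels of the attach functions. All of these functions extend beyond the hunks shown.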


@ -1750,13 +1750,13 @@ static int doNativeMigrate(struct qemud_driver *driver,
virReportOOMError(); virReportOOMError();
goto cleanup; goto cleanup;
} }
if (virSecurityManagerSetSocketLabel(driver->securityManager, vm) < 0) if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0)
goto cleanup; goto cleanup;
if (virNetSocketNewConnectTCP(uribits->server, tmp, &sock) == 0) { if (virNetSocketNewConnectTCP(uribits->server, tmp, &sock) == 0) {
spec.dest.fd.qemu = virNetSocketDupFD(sock, true); spec.dest.fd.qemu = virNetSocketDupFD(sock, true);
virNetSocketFree(sock); virNetSocketFree(sock);
} }
if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0 || if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0 ||
spec.dest.fd.qemu == -1) spec.dest.fd.qemu == -1)
goto cleanup; goto cleanup;
} else { } else {
@ -1823,7 +1823,7 @@ static int doTunnelMigrate(struct qemud_driver *driver,
spec.dest.fd.local = fds[0]; spec.dest.fd.local = fds[0];
} }
if (spec.dest.fd.qemu == -1 || if (spec.dest.fd.qemu == -1 ||
virSecurityManagerSetImageFDLabel(driver->securityManager, vm, virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
spec.dest.fd.qemu) < 0) { spec.dest.fd.qemu) < 0) {
virReportSystemError(errno, "%s", virReportSystemError(errno, "%s",
_("cannot create pipe for tunnelled migration")); _("cannot create pipe for tunnelled migration"));
@ -2843,7 +2843,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
* doesn't have to open() the file, so while we still have to * doesn't have to open() the file, so while we still have to
* grant SELinux access, we can do it on fd and avoid cleanup * grant SELinux access, we can do it on fd and avoid cleanup
* later, as well as skip futzing with cgroup. */ * later, as well as skip futzing with cgroup. */
if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm, if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
compressor ? pipeFD[1] : fd) < 0) compressor ? pipeFD[1] : fd) < 0)
goto cleanup; goto cleanup;
bypassSecurityDriver = true; bypassSecurityDriver = true;
@ -2877,7 +2877,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
} }
if ((!bypassSecurityDriver) && if ((!bypassSecurityDriver) &&
virSecurityManagerSetSavedStateLabel(driver->securityManager, virSecurityManagerSetSavedStateLabel(driver->securityManager,
vm, path) < 0) vm->def, path) < 0)
goto cleanup; goto cleanup;
restoreLabel = true; restoreLabel = true;
} }
@ -2952,7 +2952,7 @@ cleanup:
virCommandFree(cmd); virCommandFree(cmd);
if (restoreLabel && (!bypassSecurityDriver) && if (restoreLabel && (!bypassSecurityDriver) &&
virSecurityManagerRestoreSavedStateLabel(driver->securityManager, virSecurityManagerRestoreSavedStateLabel(driver->securityManager,
vm, path) < 0) vm->def, path) < 0)
VIR_WARN("failed to restore save state label on %s", path); VIR_WARN("failed to restore save state label on %s", path);
if (cgroup != NULL) { if (cgroup != NULL) {
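Review bot: In doTunnelMigrate the combined condition reports `cannot create pipe for tunnelled migration` with `errno` even when the descriptor is valid and it is `virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, spec.dest.fd.qemu)` that failed, which hides the labelling failure and may print an unrelated errno value. Splitting the test so that `virReportSystemError` runs only for `spec.dest.fd.qemu == -1`, while a label failure takes the error exit with whatever the security driver presumably reported, keeps the real cause visible. The rest of the branch is outside the hunk, so the exact exit label is not shown here.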


@ -881,7 +881,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm)
qemuMonitorPtr mon = NULL; qemuMonitorPtr mon = NULL;
if (virSecurityManagerSetDaemonSocketLabel(driver->securityManager, if (virSecurityManagerSetDaemonSocketLabel(driver->securityManager,
vm) < 0) { vm->def) < 0) {
VIR_ERROR(_("Failed to set security context for monitor for %s"), VIR_ERROR(_("Failed to set security context for monitor for %s"),
vm->def->name); vm->def->name);
goto error; goto error;
@ -914,7 +914,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm)
} }
priv->mon = mon; priv->mon = mon;
if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0) { if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) {
VIR_ERROR(_("Failed to clear security context for monitor for %s"), VIR_ERROR(_("Failed to clear security context for monitor for %s"),
vm->def->name); vm->def->name);
goto error; goto error;
@ -2217,7 +2217,7 @@ static int qemuProcessHook(void *data)
* sockets the lock driver opens that we don't want * sockets the lock driver opens that we don't want
* labelled. So far we're ok though. * labelled. So far we're ok though.
*/ */
if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm) < 0) if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup; goto cleanup;
if (virDomainLockProcessStart(h->driver->lockManager, if (virDomainLockProcessStart(h->driver->lockManager,
h->vm, h->vm,
@ -2225,7 +2225,7 @@ static int qemuProcessHook(void *data)
true, true,
&fd) < 0) &fd) < 0)
goto cleanup; goto cleanup;
if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm) < 0) if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup; goto cleanup;
if (qemuProcessLimits(h->driver) < 0) if (qemuProcessLimits(h->driver) < 0)
@ -2248,7 +2248,7 @@ static int qemuProcessHook(void *data)
return -1; return -1;
VIR_DEBUG("Setting up security labelling"); VIR_DEBUG("Setting up security labelling");
if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm) < 0) if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup; goto cleanup;
ret = 0; ret = 0;
@ -2735,7 +2735,7 @@ qemuProcessReconnect(void *opaque)
goto error; goto error;
} }
if (virSecurityManagerReserveLabel(driver->securityManager, obj) < 0) if (virSecurityManagerReserveLabel(driver->securityManager, obj->def, obj->pid) < 0)
goto error; goto error;
if (qemuProcessNotifyNets(obj->def) < 0) if (qemuProcessNotifyNets(obj->def) < 0)
@ -2973,7 +2973,7 @@ int qemuProcessStart(virConnectPtr conn,
/* If you are using a SecurityDriver with dynamic labelling, /* If you are using a SecurityDriver with dynamic labelling,
then generate a security label for isolation */ then generate a security label for isolation */
VIR_DEBUG("Generating domain security label (if required)"); VIR_DEBUG("Generating domain security label (if required)");
if (virSecurityManagerGenLabel(driver->securityManager, vm) < 0) { if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) {
virDomainAuditSecurityLabel(vm, false); virDomainAuditSecurityLabel(vm, false);
goto cleanup; goto cleanup;
} }
@ -3218,7 +3218,7 @@ int qemuProcessStart(virConnectPtr conn,
VIR_DEBUG("Setting domain security labels"); VIR_DEBUG("Setting domain security labels");
if (virSecurityManagerSetAllLabel(driver->securityManager, if (virSecurityManagerSetAllLabel(driver->securityManager,
vm, stdin_path) < 0) vm->def, stdin_path) < 0)
goto cleanup; goto cleanup;
if (stdin_fd != -1) { if (stdin_fd != -1) {
@ -3235,7 +3235,7 @@ int qemuProcessStart(virConnectPtr conn,
goto cleanup; goto cleanup;
} }
if (S_ISFIFO(stdin_sb.st_mode) && if (S_ISFIFO(stdin_sb.st_mode) &&
virSecurityManagerSetImageFDLabel(driver->securityManager, vm, stdin_fd) < 0) virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, stdin_fd) < 0)
goto cleanup; goto cleanup;
} }
@ -3488,8 +3488,8 @@ void qemuProcessStop(struct qemud_driver *driver,
/* Reset Security Labels */ /* Reset Security Labels */
virSecurityManagerRestoreAllLabel(driver->securityManager, virSecurityManagerRestoreAllLabel(driver->securityManager,
vm, migrated); vm->def, migrated);
virSecurityManagerReleaseLabel(driver->securityManager, vm); virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
/* Clear out dynamically assigned labels */ /* Clear out dynamically assigned labels */
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) { if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
@ -3638,7 +3638,7 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED,
if (VIR_ALLOC(seclabel) < 0) if (VIR_ALLOC(seclabel) < 0)
goto no_memory; goto no_memory;
if (virSecurityManagerGetProcessLabel(driver->securityManager, if (virSecurityManagerGetProcessLabel(driver->securityManager,
vm, seclabel) < 0) vm->def, vm->pid, seclabel) < 0)
goto cleanup; goto cleanup;
if (driver->caps->host.secModel.model && if (driver->caps->host.secModel.model &&
!(vm->def->seclabel.model = strdup(driver->caps->host.secModel.model))) !(vm->def->seclabel.model = strdup(driver->caps->host.secModel.model)))
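Review bot: In qemuConnectMonitor the label set by `virSecurityManagerSetDaemonSocketLabel(driver->securityManager, vm->def)` is cleared only by the `virSecurityManagerClearSocketLabel` call in the second hunk, after `priv->mon = mon`. The lines between the two hunks are not shown, but if any of them can `goto error`, the socket label would appear to stay set for whatever the daemon opens next. Clearing it immediately after the monitor has been opened, or again under `error:`, would close that window. A failed clear also jumps to `error` after `priv->mon` has been assigned, so that path needs to release the monitor; it is outside the hunk.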


@ -48,7 +48,7 @@
/* Data structure to pass to *FileIterate so we have everything we need */ /* Data structure to pass to *FileIterate so we have everything we need */
struct SDPDOP { struct SDPDOP {
virSecurityManagerPtr mgr; virSecurityManagerPtr mgr;
virDomainObjPtr vm; virDomainDefPtr def;
}; };
/* /*
@ -160,7 +160,7 @@ profile_status_file(const char *str)
static int static int
load_profile(virSecurityManagerPtr mgr, load_profile(virSecurityManagerPtr mgr,
const char *profile, const char *profile,
virDomainObjPtr vm, virDomainDefPtr def,
const char *fn, const char *fn,
bool append) bool append)
{ {
@ -171,7 +171,7 @@ load_profile(virSecurityManagerPtr mgr,
const char *probe = virSecurityManagerGetAllowDiskFormatProbing(mgr) const char *probe = virSecurityManagerGetAllowDiskFormatProbing(mgr)
? "1" : "0"; ? "1" : "0";
xml = virDomainDefFormat(vm->def, VIR_DOMAIN_XML_SECURE); xml = virDomainDefFormat(def, VIR_DOMAIN_XML_SECURE);
if (!xml) if (!xml)
goto clean; goto clean;
@ -213,12 +213,12 @@ remove_profile(const char *profile)
} }
static char * static char *
get_profile_name(virDomainObjPtr vm) get_profile_name(virDomainDefPtr def)
{ {
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
char *name = NULL; char *name = NULL;
virUUIDFormat(vm->def->uuid, uuidstr); virUUIDFormat(def->uuid, uuidstr);
if (virAsprintf(&name, "%s%s", AA_PREFIX, uuidstr) < 0) { if (virAsprintf(&name, "%s%s", AA_PREFIX, uuidstr) < 0) {
virReportOOMError(); virReportOOMError();
return NULL; return NULL;
@ -258,23 +258,23 @@ cleanup:
*/ */
static int static int
reload_profile(virSecurityManagerPtr mgr, reload_profile(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
const char *fn, const char *fn,
bool append) bool append)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = -1; int rc = -1;
char *profile_name = NULL; char *profile_name = NULL;
if (secdef->norelabel) if (secdef->norelabel)
return 0; return 0;
if ((profile_name = get_profile_name(vm)) == NULL) if ((profile_name = get_profile_name(def)) == NULL)
return rc; return rc;
/* Update the profile only if it is loaded */ /* Update the profile only if it is loaded */
if (profile_loaded(secdef->imagelabel) >= 0) { if (profile_loaded(secdef->imagelabel) >= 0) {
if (load_profile(mgr, secdef->imagelabel, vm, fn, append) < 0) { if (load_profile(mgr, secdef->imagelabel, def, fn, append) < 0) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile " _("cannot update AppArmor profile "
"\'%s\'"), "\'%s\'"),
@ -295,10 +295,10 @@ AppArmorSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque) const char *file, void *opaque)
{ {
struct SDPDOP *ptr = opaque; struct SDPDOP *ptr = opaque;
virDomainObjPtr vm = ptr->vm; virDomainDefPtr def = ptr->def;
if (reload_profile(ptr->mgr, vm, file, true) < 0) { if (reload_profile(ptr->mgr, def, file, true) < 0) {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile " _("cannot update AppArmor profile "
"\'%s\'"), "\'%s\'"),
@ -313,10 +313,10 @@ AppArmorSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque) const char *file, void *opaque)
{ {
struct SDPDOP *ptr = opaque; struct SDPDOP *ptr = opaque;
virDomainObjPtr vm = ptr->vm; virDomainDefPtr def = ptr->def;
if (reload_profile(ptr->mgr, vm, file, true) < 0) { if (reload_profile(ptr->mgr, def, file, true) < 0) {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile " _("cannot update AppArmor profile "
"\'%s\'"), "\'%s\'"),
@ -391,56 +391,56 @@ AppArmorSecurityManagerGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
*/ */
static int static int
AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm) virDomainDefPtr def)
{ {
int rc = -1; int rc = -1;
char *profile_name = NULL; char *profile_name = NULL;
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
return 0; return 0;
if (vm->def->seclabel.baselabel) { if (def->seclabel.baselabel) {
virSecurityReportError(VIR_ERR_CONFIG_UNSUPPORTED, virSecurityReportError(VIR_ERR_CONFIG_UNSUPPORTED,
"%s", _("Cannot set a base label with AppArmour")); "%s", _("Cannot set a base label with AppArmour"));
return rc; return rc;
} }
if ((vm->def->seclabel.label) || if ((def->seclabel.label) ||
(vm->def->seclabel.model) || (vm->def->seclabel.imagelabel)) { (def->seclabel.model) || (def->seclabel.imagelabel)) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", "%s",
_("security label already defined for VM")); _("security label already defined for VM"));
return rc; return rc;
} }
if ((profile_name = get_profile_name(vm)) == NULL) if ((profile_name = get_profile_name(def)) == NULL)
return rc; return rc;
vm->def->seclabel.label = strndup(profile_name, strlen(profile_name)); def->seclabel.label = strndup(profile_name, strlen(profile_name));
if (!vm->def->seclabel.label) { if (!def->seclabel.label) {
virReportOOMError(); virReportOOMError();
goto clean; goto clean;
} }
/* set imagelabel the same as label (but we won't use it) */ /* set imagelabel the same as label (but we won't use it) */
vm->def->seclabel.imagelabel = strndup(profile_name, def->seclabel.imagelabel = strndup(profile_name,
strlen(profile_name)); strlen(profile_name));
if (!vm->def->seclabel.imagelabel) { if (!def->seclabel.imagelabel) {
virReportOOMError(); virReportOOMError();
goto err; goto err;
} }
vm->def->seclabel.model = strdup(SECURITY_APPARMOR_NAME); def->seclabel.model = strdup(SECURITY_APPARMOR_NAME);
if (!vm->def->seclabel.model) { if (!def->seclabel.model) {
virReportOOMError(); virReportOOMError();
goto err; goto err;
} }
/* Now that we have a label, load the profile into the kernel. */ /* Now that we have a label, load the profile into the kernel. */
if (load_profile(mgr, vm->def->seclabel.label, vm, NULL, false) < 0) { if (load_profile(mgr, def->seclabel.label, def, NULL, false) < 0) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot load AppArmor profile " _("cannot load AppArmor profile "
"\'%s\'"), vm->def->seclabel.label); "\'%s\'"), def->seclabel.label);
goto err; goto err;
} }
@ -448,9 +448,9 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
goto clean; goto clean;
err: err:
VIR_FREE(vm->def->seclabel.label); VIR_FREE(def->seclabel.label);
VIR_FREE(vm->def->seclabel.imagelabel); VIR_FREE(def->seclabel.imagelabel);
VIR_FREE(vm->def->seclabel.model); VIR_FREE(def->seclabel.model);
clean: clean:
VIR_FREE(profile_name); VIR_FREE(profile_name);
@ -460,15 +460,15 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr, AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, const char *stdin_path) virDomainDefPtr def, const char *stdin_path)
{ {
if (vm->def->seclabel.norelabel) if (def->seclabel.norelabel)
return 0; return 0;
/* Reload the profile if stdin_path is specified. Note that /* Reload the profile if stdin_path is specified. Note that
GenSecurityLabel() will have already been run. */ GenSecurityLabel() will have already been run. */
if (stdin_path) if (stdin_path)
return reload_profile(mgr, vm, stdin_path, true); return reload_profile(mgr, def, stdin_path, true);
return 0; return 0;
} }
@ -478,13 +478,14 @@ AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
*/ */
static int static int
AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm, virDomainDefPtr def,
pid_t pid,
virSecurityLabelPtr sec) virSecurityLabelPtr sec)
{ {
int rc = -1; int rc = -1;
char *profile_name = NULL; char *profile_name = NULL;
if ((profile_name = get_profile_name(vm)) == NULL) if ((profile_name = get_profile_name(def)) == NULL)
return rc; return rc;
if (virStrcpy(sec->label, profile_name, if (virStrcpy(sec->label, profile_name,
@ -512,9 +513,9 @@ AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
*/ */
static int static int
AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm) virDomainDefPtr def)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
VIR_FREE(secdef->model); VIR_FREE(secdef->model);
VIR_FREE(secdef->label); VIR_FREE(secdef->label);
@ -526,10 +527,10 @@ AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm, virDomainDefPtr def,
int migrated ATTRIBUTE_UNUSED) int migrated ATTRIBUTE_UNUSED)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = 0; int rc = 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) { if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
@ -546,13 +547,13 @@ AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
* LOCALSTATEDIR/log/libvirt/qemu/<vm name>.log * LOCALSTATEDIR/log/libvirt/qemu/<vm name>.log
*/ */
static int static int
AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainDefPtr def)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = -1; int rc = -1;
char *profile_name = NULL; char *profile_name = NULL;
if ((profile_name = get_profile_name(vm)) == NULL) if ((profile_name = get_profile_name(def)) == NULL)
return rc; return rc;
if (STRNEQ(virSecurityManagerGetModel(mgr), secdef->model)) { if (STRNEQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@ -580,21 +581,21 @@ AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm)
static int static int
AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr vm ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int static int
AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr def ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int static int
AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr def ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
@ -603,21 +604,21 @@ AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
/* Called when hotplugging */ /* Called when hotplugging */
static int static int
AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr, AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) virDomainDiskDefPtr disk)
{ {
if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK) if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
return 0; return 0;
return reload_profile(mgr, vm, NULL, false); return reload_profile(mgr, def, NULL, false);
} }
/* Called when hotplugging */ /* Called when hotplugging */
static int static int
AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDiskDefPtr disk) virDomainDefPtr def, virDomainDiskDefPtr disk)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = -1; int rc = -1;
char *profile_name; char *profile_name;
@ -635,12 +636,12 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
return rc; return rc;
} }
if ((profile_name = get_profile_name(vm)) == NULL) if ((profile_name = get_profile_name(def)) == NULL)
return rc; return rc;
/* update the profile only if it is loaded */ /* update the profile only if it is loaded */
if (profile_loaded(secdef->imagelabel) >= 0) { if (profile_loaded(secdef->imagelabel) >= 0) {
if (load_profile(mgr, secdef->imagelabel, vm, disk->src, if (load_profile(mgr, secdef->imagelabel, def, disk->src,
false) < 0) { false) < 0) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile " _("cannot update AppArmor profile "
@ -677,7 +678,8 @@ AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr def ATTRIBUTE_UNUSED,
pid_t pid ATTRIBUTE_UNUSED)
{ {
/* NOOP. Nothing to reserve with AppArmor */ /* NOOP. Nothing to reserve with AppArmor */
return 0; return 0;
@ -685,11 +687,11 @@ AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr, AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
struct SDPDOP *ptr; struct SDPDOP *ptr;
int ret = -1; int ret = -1;
@ -705,7 +707,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (VIR_ALLOC(ptr) < 0) if (VIR_ALLOC(ptr) < 0)
return -1; return -1;
ptr->mgr = mgr; ptr->mgr = mgr;
ptr->vm = vm; ptr->def = def;
switch (dev->source.subsys.type) { switch (dev->source.subsys.type) {
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: { case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
@ -747,44 +749,44 @@ done:
static int static int
AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel) if (secdef->norelabel)
return 0; return 0;
return reload_profile(mgr, vm, NULL, false); return reload_profile(mgr, def, NULL, false);
} }
static int static int
AppArmorSetSavedStateLabel(virSecurityManagerPtr mgr, AppArmorSetSavedStateLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
const char *savefile) const char *savefile)
{ {
return reload_profile(mgr, vm, savefile, true); return reload_profile(mgr, def, savefile, true);
} }
static int static int
AppArmorRestoreSavedStateLabel(virSecurityManagerPtr mgr, AppArmorRestoreSavedStateLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
const char *savefile ATTRIBUTE_UNUSED) const char *savefile ATTRIBUTE_UNUSED)
{ {
return reload_profile(mgr, vm, NULL, false); return reload_profile(mgr, def, NULL, false);
} }
static int static int
AppArmorSetImageFDLabel(virSecurityManagerPtr mgr, AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
int fd) int fd)
{ {
int rc = -1; int rc = -1;
char *proc = NULL; char *proc = NULL;
char *fd_path = NULL; char *fd_path = NULL;
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->imagelabel == NULL) if (secdef->imagelabel == NULL)
return 0; return 0;
@ -800,7 +802,7 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
return 0; return 0;
} }
return reload_profile(mgr, vm, fd_path, true); return reload_profile(mgr, def, fd_path, true);
} }
virSecurityDriver virAppArmorSecurityDriver = { virSecurityDriver virAppArmorSecurityDriver = {


@ -171,7 +171,7 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
static int static int
virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr, virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
@ -193,7 +193,7 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr, virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk, virDomainDiskDefPtr disk,
int migrated) int migrated)
{ {
@ -241,10 +241,10 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
static int static int
virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr, virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
return virSecurityDACRestoreSecurityImageLabelInt(mgr, vm, disk, 0); return virSecurityDACRestoreSecurityImageLabelInt(mgr, def, disk, 0);
} }
@ -274,7 +274,7 @@ virSecurityDACSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
static int static int
virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr, virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@ -344,7 +344,7 @@ virSecurityDACRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
static int static int
virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
@ -495,7 +495,7 @@ virSecurityDACRestoreChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
static int static int
virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr, virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
int migrated) int migrated)
{ {
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@ -507,34 +507,34 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
VIR_DEBUG("Restoring security label on %s migrated=%d", VIR_DEBUG("Restoring security label on %s migrated=%d",
vm->def->name, migrated); def->name, migrated);
for (i = 0 ; i < vm->def->nhostdevs ; i++) { for (i = 0 ; i < def->nhostdevs ; i++) {
if (virSecurityDACRestoreSecurityHostdevLabel(mgr, if (virSecurityDACRestoreSecurityHostdevLabel(mgr,
vm, def,
vm->def->hostdevs[i]) < 0) def->hostdevs[i]) < 0)
rc = -1; rc = -1;
} }
for (i = 0 ; i < vm->def->ndisks ; i++) { for (i = 0 ; i < def->ndisks ; i++) {
if (virSecurityDACRestoreSecurityImageLabelInt(mgr, if (virSecurityDACRestoreSecurityImageLabelInt(mgr,
vm, def,
vm->def->disks[i], def->disks[i],
migrated) < 0) migrated) < 0)
rc = -1; rc = -1;
} }
if (virDomainChrDefForeach(vm->def, if (virDomainChrDefForeach(def,
false, false,
virSecurityDACRestoreChardevCallback, virSecurityDACRestoreChardevCallback,
mgr) < 0) mgr) < 0)
rc = -1; rc = -1;
if (vm->def->os.kernel && if (def->os.kernel &&
virSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0) virSecurityDACRestoreSecurityFileLabel(def->os.kernel) < 0)
rc = -1; rc = -1;
if (vm->def->os.initrd && if (def->os.initrd &&
virSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0) virSecurityDACRestoreSecurityFileLabel(def->os.initrd) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -554,7 +554,7 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
static int static int
virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr, virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
const char *stdin_path ATTRIBUTE_UNUSED) const char *stdin_path ATTRIBUTE_UNUSED)
{ {
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@ -563,36 +563,36 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
if (!priv->dynamicOwnership) if (!priv->dynamicOwnership)
return 0; return 0;
for (i = 0 ; i < vm->def->ndisks ; i++) { for (i = 0 ; i < def->ndisks ; i++) {
/* XXX fixme - we need to recursively label the entire tree :-( */ /* XXX fixme - we need to recursively label the entire tree :-( */
if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR)
continue; continue;
if (virSecurityDACSetSecurityImageLabel(mgr, if (virSecurityDACSetSecurityImageLabel(mgr,
vm, def,
vm->def->disks[i]) < 0) def->disks[i]) < 0)
return -1; return -1;
} }
for (i = 0 ; i < vm->def->nhostdevs ; i++) { for (i = 0 ; i < def->nhostdevs ; i++) {
if (virSecurityDACSetSecurityHostdevLabel(mgr, if (virSecurityDACSetSecurityHostdevLabel(mgr,
vm, def,
vm->def->hostdevs[i]) < 0) def->hostdevs[i]) < 0)
return -1; return -1;
} }
if (virDomainChrDefForeach(vm->def, if (virDomainChrDefForeach(def,
true, true,
virSecurityDACSetChardevCallback, virSecurityDACSetChardevCallback,
mgr) < 0) mgr) < 0)
return -1; return -1;
if (vm->def->os.kernel && if (def->os.kernel &&
virSecurityDACSetOwnership(vm->def->os.kernel, virSecurityDACSetOwnership(def->os.kernel,
priv->user, priv->user,
priv->group) < 0) priv->group) < 0)
return -1; return -1;
if (vm->def->os.initrd && if (def->os.initrd &&
virSecurityDACSetOwnership(vm->def->os.initrd, virSecurityDACSetOwnership(def->os.initrd,
priv->user, priv->user,
priv->group) < 0) priv->group) < 0)
return -1; return -1;
@ -603,7 +603,7 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr, virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr def ATTRIBUTE_UNUSED,
const char *savefile) const char *savefile)
{ {
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@ -614,7 +614,7 @@ virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr, virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr def ATTRIBUTE_UNUSED,
const char *savefile) const char *savefile)
{ {
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@ -628,11 +628,11 @@ virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityDACSetProcessLabel(virSecurityManagerPtr mgr, virSecurityDACSetProcessLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr def ATTRIBUTE_UNUSED)
{ {
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
VIR_DEBUG("Dropping privileges of VM to %u:%u", VIR_DEBUG("Dropping privileges of DEF to %u:%u",
(unsigned int) priv->user, (unsigned int) priv->group); (unsigned int) priv->user, (unsigned int) priv->group);
if (virSetUIDGID(priv->user, priv->group) < 0) if (virSetUIDGID(priv->user, priv->group) < 0)
@ -651,28 +651,30 @@ virSecurityDACVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
virSecurityDACGenLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virSecurityDACGenLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr def ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int static int
virSecurityDACReleaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virSecurityDACReleaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr def ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int static int
virSecurityDACReserveLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virSecurityDACReserveLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr def ATTRIBUTE_UNUSED,
pid_t pid ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int static int
virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr def ATTRIBUTE_UNUSED,
pid_t pid ATTRIBUTE_UNUSED,
virSecurityLabelPtr seclabel ATTRIBUTE_UNUSED) virSecurityLabelPtr seclabel ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
@ -680,7 +682,7 @@ virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr vm ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
@ -688,7 +690,7 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr def ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
@ -696,20 +698,19 @@ virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr def ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int static int
virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr def ATTRIBUTE_UNUSED,
int fd ATTRIBUTE_UNUSED) int fd ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
virSecurityDriver virSecurityDriverDAC = { virSecurityDriver virSecurityDriverDAC = {
sizeof(virSecurityDACData), sizeof(virSecurityDACData),
"virDAC", "virDAC",
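Review bot: The debug message in virSecurityDACSetProcessLabel now reads "Dropping privileges of DEF", which looks like a side effect of the mechanical vm-to-def rename rather than an intended wording change. This line records the uid/gid drop for the guest process, so I would keep the original text, `VIR_DEBUG("Dropping privileges of VM to %u:%u",`. The rename also missed virSecurityDACSetDaemonSocketLabel, whose parameter is still `virDomainDefPtr vm ATTRIBUTE_UNUSED`; `def` would match the rest of this file. The same leftover `vm` name appears in the virSecurityDomainSetDaemonSocketLabel typedef in the security_driver.h section and in the wrappers in the security_manager.c section.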


@ -39,50 +39,52 @@ typedef const char *(*virSecurityDriverGetModel) (virSecurityManagerPtr mgr);
typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr); typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr);
typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainDiskDefPtr disk); virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
virDomainObjPtr vm); virDomainDefPtr vm);
typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm); virDomainDefPtr def);
typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr, typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
virDomainObjPtr vm); virDomainDefPtr def);
typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainDiskDefPtr disk); virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainRestoreHostdevLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainRestoreHostdevLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainHostdevDefPtr dev); virDomainHostdevDefPtr dev);
typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainHostdevDefPtr dev); virDomainHostdevDefPtr dev);
typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
const char *savefile); const char *savefile);
typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
const char *savefile); const char *savefile);
typedef int (*virSecurityDomainGenLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainGenLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr sec); virDomainDefPtr sec);
typedef int (*virSecurityDomainReserveLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainReserveLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr sec); virDomainDefPtr sec,
pid_t pid);
typedef int (*virSecurityDomainReleaseLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainReleaseLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr sec); virDomainDefPtr sec);
typedef int (*virSecurityDomainSetAllLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetAllLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr sec, virDomainDefPtr sec,
const char *stdin_path); const char *stdin_path);
typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
int migrated); int migrated);
typedef int (*virSecurityDomainGetProcessLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainGetProcessLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
pid_t pid,
virSecurityLabelPtr sec); virSecurityLabelPtr sec);
typedef int (*virSecurityDomainSetProcessLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetProcessLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm); virDomainDefPtr def);
typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr,
virDomainDefPtr def); virDomainDefPtr def);
typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
int fd); int fd);
struct _virSecurityDriver { struct _virSecurityDriver {
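Review bot: The new `pid_t pid` parameter on virSecurityDomainReserveLabel and virSecurityDomainGetProcessLabel has no comment saying which process it identifies or what a driver may assume about it. Before this change the value came from the domain object; now it is whatever the caller passes, so the contract belongs next to the typedefs, for example `/* pid: PID of the running domain process; only valid while the domain is active */`. The matching prototypes in the security_manager.h section would benefit from the same comment. Several typedefs here also name the definition argument `sec`, which reads as a label rather than a domain definition; `def` would be consistent with the others.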


@ -150,7 +150,7 @@ bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr)
} }
int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
if (mgr->drv->domainRestoreSecurityImageLabel) if (mgr->drv->domainRestoreSecurityImageLabel)
@ -161,7 +161,7 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
} }
int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm)
{ {
if (mgr->drv->domainSetSecurityDaemonSocketLabel) if (mgr->drv->domainSetSecurityDaemonSocketLabel)
return mgr->drv->domainSetSecurityDaemonSocketLabel(mgr, vm); return mgr->drv->domainSetSecurityDaemonSocketLabel(mgr, vm);
@ -171,7 +171,7 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
} }
int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm)
{ {
if (mgr->drv->domainSetSecuritySocketLabel) if (mgr->drv->domainSetSecuritySocketLabel)
return mgr->drv->domainSetSecuritySocketLabel(mgr, vm); return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
@ -181,7 +181,7 @@ int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
} }
int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm)
{ {
if (mgr->drv->domainClearSecuritySocketLabel) if (mgr->drv->domainClearSecuritySocketLabel)
return mgr->drv->domainClearSecuritySocketLabel(mgr, vm); return mgr->drv->domainClearSecuritySocketLabel(mgr, vm);
@ -191,7 +191,7 @@ int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
} }
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
if (mgr->drv->domainSetSecurityImageLabel) if (mgr->drv->domainSetSecurityImageLabel)
@ -202,7 +202,7 @@ int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
} }
int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr, int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
if (mgr->drv->domainRestoreSecurityHostdevLabel) if (mgr->drv->domainRestoreSecurityHostdevLabel)
@ -213,7 +213,7 @@ int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
} }
int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
if (mgr->drv->domainSetSecurityHostdevLabel) if (mgr->drv->domainSetSecurityHostdevLabel)
@ -224,7 +224,7 @@ int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
} }
int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
const char *savefile) const char *savefile)
{ {
if (mgr->drv->domainSetSavedStateLabel) if (mgr->drv->domainSetSavedStateLabel)
@ -235,7 +235,7 @@ int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
} }
int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
const char *savefile) const char *savefile)
{ {
if (mgr->drv->domainRestoreSavedStateLabel) if (mgr->drv->domainRestoreSavedStateLabel)
@ -246,7 +246,7 @@ int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
} }
int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm)
{ {
if (mgr->drv->domainGenSecurityLabel) if (mgr->drv->domainGenSecurityLabel)
return mgr->drv->domainGenSecurityLabel(mgr, vm); return mgr->drv->domainGenSecurityLabel(mgr, vm);
@ -256,17 +256,18 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
} }
int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr, int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm,
pid_t pid)
{ {
if (mgr->drv->domainReserveSecurityLabel) if (mgr->drv->domainReserveSecurityLabel)
return mgr->drv->domainReserveSecurityLabel(mgr, vm); return mgr->drv->domainReserveSecurityLabel(mgr, vm, pid);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1; return -1;
} }
int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr, int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm)
{ {
if (mgr->drv->domainReleaseSecurityLabel) if (mgr->drv->domainReleaseSecurityLabel)
return mgr->drv->domainReleaseSecurityLabel(mgr, vm); return mgr->drv->domainReleaseSecurityLabel(mgr, vm);
@ -276,7 +277,7 @@ int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
} }
int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
const char *stdin_path) const char *stdin_path)
{ {
if (mgr->drv->domainSetSecurityAllLabel) if (mgr->drv->domainSetSecurityAllLabel)
@ -287,7 +288,7 @@ int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
} }
int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
int migrated) int migrated)
{ {
if (mgr->drv->domainRestoreSecurityAllLabel) if (mgr->drv->domainRestoreSecurityAllLabel)
@ -298,18 +299,19 @@ int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
} }
int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr, int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
pid_t pid,
virSecurityLabelPtr sec) virSecurityLabelPtr sec)
{ {
if (mgr->drv->domainGetSecurityProcessLabel) if (mgr->drv->domainGetSecurityProcessLabel)
return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, sec); return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, pid, sec);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1; return -1;
} }
int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm)
{ {
if (mgr->drv->domainSetSecurityProcessLabel) if (mgr->drv->domainSetSecurityProcessLabel)
return mgr->drv->domainSetSecurityProcessLabel(mgr, vm); return mgr->drv->domainSetSecurityProcessLabel(mgr, vm);
@ -337,7 +339,7 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr,
} }
int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
int fd) int fd)
{ {
if (mgr->drv->domainSetSecurityImageFDLabel) if (mgr->drv->domainSetSecurityImageFDLabel)
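Review bot: virSecurityManagerReserveLabel and virSecurityManagerGetProcessLabel forward the caller-supplied `pid` to the driver without any check. The drivers that use it are outside this section, but if one looks up the label of that process, a zero or stale PID could return the label of a different process instead of an error, and the wrapper no longer has the domain object to take the value from. A guard before the dispatch would make the contract explicit: `if (pid <= 0) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("invalid domain pid")); return -1; }`. It is also worth confirming that every caller passes only the PID of an active domain.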


@ -51,50 +51,52 @@ const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr); bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainDiskDefPtr disk); virDomainDiskDefPtr disk);
int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm); virDomainDefPtr vm);
int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm); virDomainDefPtr def);
int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm); virDomainDefPtr def);
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainDiskDefPtr disk); virDomainDiskDefPtr disk);
int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr, int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainHostdevDefPtr dev); virDomainHostdevDefPtr dev);
int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainHostdevDefPtr dev); virDomainHostdevDefPtr dev);
int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
const char *savefile); const char *savefile);
int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
const char *savefile); const char *savefile);
int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
virDomainObjPtr sec); virDomainDefPtr sec);
int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr, int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
virDomainObjPtr sec); virDomainDefPtr sec,
pid_t pid);
int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr, int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
virDomainObjPtr sec); virDomainDefPtr sec);
int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
virDomainObjPtr sec, virDomainDefPtr sec,
const char *stdin_path); const char *stdin_path);
int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
int migrated); int migrated);
int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr, int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
pid_t pid,
virSecurityLabelPtr sec); virSecurityLabelPtr sec);
int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm); virDomainDefPtr def);
int virSecurityManagerVerify(virSecurityManagerPtr mgr, int virSecurityManagerVerify(virSecurityManagerPtr mgr,
virDomainDefPtr def); virDomainDefPtr def);
int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
int fd); int fd);
#endif /* VIR_SECURITY_MANAGER_H__ */ #endif /* VIR_SECURITY_MANAGER_H__ */


@ -47,104 +47,106 @@ static const char * virSecurityDriverGetDOINop(virSecurityManagerPtr mgr ATTRIBU
} }
static int virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr vm ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr vm ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr vm ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainRestoreHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainRestoreHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainSetHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainSetHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainSetSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainSetSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr vm ATTRIBUTE_UNUSED,
const char *savefile ATTRIBUTE_UNUSED) const char *savefile ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainRestoreSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainRestoreSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr vm ATTRIBUTE_UNUSED,
const char *savefile ATTRIBUTE_UNUSED) const char *savefile ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainGenLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainGenLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr sec ATTRIBUTE_UNUSED) virDomainDefPtr sec ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainReserveLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainReserveLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr sec ATTRIBUTE_UNUSED) virDomainDefPtr sec ATTRIBUTE_UNUSED,
pid_t pid ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainReleaseLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainReleaseLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr sec ATTRIBUTE_UNUSED) virDomainDefPtr sec ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr sec ATTRIBUTE_UNUSED, virDomainDefPtr sec ATTRIBUTE_UNUSED,
const char *stdin_path ATTRIBUTE_UNUSED) const char *stdin_path ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainRestoreAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainRestoreAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr vm ATTRIBUTE_UNUSED,
int migrated ATTRIBUTE_UNUSED) int migrated ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainGetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainGetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDefPtr vm ATTRIBUTE_UNUSED,
pid_t pid ATTRIBUTE_UNUSED,
virSecurityLabelPtr sec ATTRIBUTE_UNUSED) virSecurityLabelPtr sec ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
static int virSecurityDomainSetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainSetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainDefPtr vm ATTRIBUTE_UNUSED)
{ {
return 0; return 0;
} }
@ -156,7 +158,7 @@ static int virSecurityDomainVerifyNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED
} }
static int virSecurityDomainSetFDLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, static int virSecurityDomainSetFDLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr sec ATTRIBUTE_UNUSED, virDomainDefPtr sec ATTRIBUTE_UNUSED,
int fd ATTRIBUTE_UNUSED) int fd ATTRIBUTE_UNUSED)
{ {
return 0; return 0;


@ -162,7 +162,7 @@ SELinuxInitialize(void)
static int static int
SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm) virDomainDefPtr def)
{ {
int rc = -1; int rc = -1;
char *mcs = NULL; char *mcs = NULL;
@ -171,40 +171,40 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
int c2 = 0; int c2 = 0;
context_t ctx = NULL; context_t ctx = NULL;
if ((vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) && if ((def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
!vm->def->seclabel.baselabel && !def->seclabel.baselabel &&
vm->def->seclabel.model) { def->seclabel.model) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security model already defined for VM")); "%s", _("security model already defined for VM"));
return rc; return rc;
} }
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
vm->def->seclabel.label) { def->seclabel.label) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security label already defined for VM")); "%s", _("security label already defined for VM"));
return rc; return rc;
} }
if (vm->def->seclabel.imagelabel) { if (def->seclabel.imagelabel) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security image label already defined for VM")); "%s", _("security image label already defined for VM"));
return rc; return rc;
} }
if (vm->def->seclabel.model && if (def->seclabel.model &&
STRNEQ(vm->def->seclabel.model, SECURITY_SELINUX_NAME)) { STRNEQ(def->seclabel.model, SECURITY_SELINUX_NAME)) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("security label model %s is not supported with selinux"), _("security label model %s is not supported with selinux"),
vm->def->seclabel.model); def->seclabel.model);
return rc; return rc;
} }
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) { if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) {
if (!(ctx = context_new(vm->def->seclabel.label)) ) { if (!(ctx = context_new(def->seclabel.label)) ) {
virReportSystemError(errno, virReportSystemError(errno,
_("unable to allocate socket security context '%s'"), _("unable to allocate socket security context '%s'"),
vm->def->seclabel.label); def->seclabel.label);
return rc; return rc;
} }
@ -237,25 +237,25 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
} }
} while (mcsAdd(mcs) == -1); } while (mcsAdd(mcs) == -1);
vm->def->seclabel.label = def->seclabel.label =
SELinuxGenNewContext(vm->def->seclabel.baselabel ? SELinuxGenNewContext(def->seclabel.baselabel ?
vm->def->seclabel.baselabel : def->seclabel.baselabel :
default_domain_context, mcs); default_domain_context, mcs);
if (! vm->def->seclabel.label) { if (! def->seclabel.label) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate selinux context for %s"), mcs); _("cannot generate selinux context for %s"), mcs);
goto cleanup; goto cleanup;
} }
} }
vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs); def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
if (!vm->def->seclabel.imagelabel) { if (!def->seclabel.imagelabel) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate selinux context for %s"), mcs); _("cannot generate selinux context for %s"), mcs);
goto cleanup; goto cleanup;
} }
if (!vm->def->seclabel.model && if (!def->seclabel.model &&
!(vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) { !(def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
virReportOOMError(); virReportOOMError();
goto cleanup; goto cleanup;
} }
@ -264,12 +264,12 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
cleanup: cleanup:
if (rc != 0) { if (rc != 0) {
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
VIR_FREE(vm->def->seclabel.label); VIR_FREE(def->seclabel.label);
VIR_FREE(vm->def->seclabel.imagelabel); VIR_FREE(def->seclabel.imagelabel);
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
!vm->def->seclabel.baselabel) !def->seclabel.baselabel)
VIR_FREE(vm->def->seclabel.model); VIR_FREE(def->seclabel.model);
} }
if (ctx) if (ctx)
@ -278,28 +278,29 @@ cleanup:
VIR_FREE(mcs); VIR_FREE(mcs);
VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s", VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
NULLSTR(vm->def->seclabel.model), NULLSTR(def->seclabel.model),
NULLSTR(vm->def->seclabel.label), NULLSTR(def->seclabel.label),
NULLSTR(vm->def->seclabel.imagelabel), NULLSTR(def->seclabel.imagelabel),
NULLSTR(vm->def->seclabel.baselabel)); NULLSTR(def->seclabel.baselabel));
return rc; return rc;
} }
static int static int
SELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, SELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm) virDomainDefPtr def,
pid_t pid)
{ {
security_context_t pctx; security_context_t pctx;
context_t ctx = NULL; context_t ctx = NULL;
const char *mcs; const char *mcs;
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
return 0; return 0;
if (getpidcon(vm->pid, &pctx) == -1) { if (getpidcon(pid, &pctx) == -1) {
virReportSystemError(errno, virReportSystemError(errno,
_("unable to get PID %d security context"), vm->pid); _("unable to get PID %d security context"), pid);
return -1; return -1;
} }
@ -360,15 +361,16 @@ static const char *SELinuxSecurityGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNU
static int static int
SELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, SELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm, virDomainDefPtr def ATTRIBUTE_UNUSED,
pid_t pid,
virSecurityLabelPtr sec) virSecurityLabelPtr sec)
{ {
security_context_t ctx; security_context_t ctx;
if (getpidcon(vm->pid, &ctx) == -1) { if (getpidcon(pid, &ctx) == -1) {
virReportSystemError(errno, virReportSystemError(errno,
_("unable to get PID %d security context"), _("unable to get PID %d security context"),
vm->pid); pid);
return -1; return -1;
} }
@ -560,11 +562,11 @@ err:
static int static int
SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainDiskDefPtr disk, virDomainDiskDefPtr disk,
int migrated) int migrated)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel || (disk->seclabel && disk->seclabel->norelabel)) if (secdef->norelabel || (disk->seclabel && disk->seclabel->norelabel))
return 0; return 0;
@ -605,10 +607,10 @@ SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
SELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr, SELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
return SELinuxRestoreSecurityImageLabelInt(mgr, vm, disk, 0); return SELinuxRestoreSecurityImageLabelInt(mgr, def, disk, 0);
} }
@ -655,11 +657,11 @@ SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
static int static int
SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr, SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr); bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr);
if (secdef->norelabel) if (secdef->norelabel)
@ -680,8 +682,8 @@ static int
SELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED, SELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque) const char *file, void *opaque)
{ {
virDomainObjPtr vm = opaque; virDomainDefPtr def = opaque;
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
return SELinuxSetFilecon(file, secdef->imagelabel); return SELinuxSetFilecon(file, secdef->imagelabel);
} }
@ -690,19 +692,19 @@ static int
SELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED, SELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque) const char *file, void *opaque)
{ {
virDomainObjPtr vm = opaque; virDomainDefPtr def = opaque;
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
return SELinuxSetFilecon(file, secdef->imagelabel); return SELinuxSetFilecon(file, secdef->imagelabel);
} }
static int static int
SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
int ret = -1; int ret = -1;
if (secdef->norelabel) if (secdef->norelabel)
@ -719,7 +721,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
if (!usb) if (!usb)
goto done; goto done;
ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, vm); ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, def);
usbFreeDevice(usb); usbFreeDevice(usb);
break; break;
} }
@ -733,7 +735,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
if (!pci) if (!pci)
goto done; goto done;
ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, vm); ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, def);
pciFreeDevice(pci); pciFreeDevice(pci);
break; break;
@ -767,11 +769,11 @@ SELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
static int static int
SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm, virDomainDefPtr def,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
int ret = -1; int ret = -1;
if (secdef->norelabel) if (secdef->norelabel)
@ -820,11 +822,11 @@ done:
static int static int
SELinuxSetSecurityChardevLabel(virDomainObjPtr vm, SELinuxSetSecurityChardevLabel(virDomainDefPtr def,
virDomainChrSourceDefPtr dev) virDomainChrSourceDefPtr dev)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
char *in = NULL, *out = NULL; char *in = NULL, *out = NULL;
int ret = -1; int ret = -1;
@ -866,11 +868,11 @@ done:
} }
static int static int
SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm, SELinuxRestoreSecurityChardevLabel(virDomainDefPtr def,
virDomainChrSourceDefPtr dev) virDomainChrSourceDefPtr dev)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
char *in = NULL, *out = NULL; char *in = NULL, *out = NULL;
int ret = -1; int ret = -1;
@ -914,27 +916,24 @@ done:
static int static int
SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def,
virDomainChrDefPtr dev, virDomainChrDefPtr dev,
void *opaque) void *opaque ATTRIBUTE_UNUSED)
{ {
virDomainObjPtr vm = opaque;
/* This is taken care of by processing of def->serials */ /* This is taken care of by processing of def->serials */
if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE && if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL) dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
return 0; return 0;
return SELinuxRestoreSecurityChardevLabel(vm, &dev->source); return SELinuxRestoreSecurityChardevLabel(def, &dev->source);
} }
static int static int
SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
virDomainSmartcardDefPtr dev, virDomainSmartcardDefPtr dev,
void *opaque) void *opaque ATTRIBUTE_UNUSED)
{ {
virDomainObjPtr vm = opaque;
const char *database; const char *database;
switch (dev->type) { switch (dev->type) {
@ -948,7 +947,7 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
return SELinuxRestoreSecurityFileLabel(database); return SELinuxRestoreSecurityFileLabel(database);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru); return SELinuxRestoreSecurityChardevLabel(def, &dev->data.passthru);
default: default:
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
@ -963,50 +962,50 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
static int static int
SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm, virDomainDefPtr def,
int migrated ATTRIBUTE_UNUSED) int migrated ATTRIBUTE_UNUSED)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
int i; int i;
int rc = 0; int rc = 0;
VIR_DEBUG("Restoring security label on %s", vm->def->name); VIR_DEBUG("Restoring security label on %s", def->name);
if (secdef->norelabel) if (secdef->norelabel)
return 0; return 0;
for (i = 0 ; i < vm->def->nhostdevs ; i++) { for (i = 0 ; i < def->nhostdevs ; i++) {
if (SELinuxRestoreSecurityHostdevLabel(mgr, if (SELinuxRestoreSecurityHostdevLabel(mgr,
vm, def,
vm->def->hostdevs[i]) < 0) def->hostdevs[i]) < 0)
rc = -1; rc = -1;
} }
for (i = 0 ; i < vm->def->ndisks ; i++) { for (i = 0 ; i < def->ndisks ; i++) {
if (SELinuxRestoreSecurityImageLabelInt(mgr, if (SELinuxRestoreSecurityImageLabelInt(mgr,
vm, def,
vm->def->disks[i], def->disks[i],
migrated) < 0) migrated) < 0)
rc = -1; rc = -1;
} }
if (virDomainChrDefForeach(vm->def, if (virDomainChrDefForeach(def,
false, false,
SELinuxRestoreSecurityChardevCallback, SELinuxRestoreSecurityChardevCallback,
vm) < 0) NULL) < 0)
rc = -1; rc = -1;
if (virDomainSmartcardDefForeach(vm->def, if (virDomainSmartcardDefForeach(def,
false, false,
SELinuxRestoreSecuritySmartcardCallback, SELinuxRestoreSecuritySmartcardCallback,
vm) < 0) NULL) < 0)
rc = -1; rc = -1;
if (vm->def->os.kernel && if (def->os.kernel &&
SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0) SELinuxRestoreSecurityFileLabel(def->os.kernel) < 0)
rc = -1; rc = -1;
if (vm->def->os.initrd && if (def->os.initrd &&
SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0) SELinuxRestoreSecurityFileLabel(def->os.initrd) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -1014,9 +1013,9 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm) virDomainDefPtr def)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) { if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
if (secdef->label != NULL) { if (secdef->label != NULL) {
@ -1038,10 +1037,10 @@ SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm, virDomainDefPtr def,
const char *savefile) const char *savefile)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel) if (secdef->norelabel)
return 0; return 0;
@ -1052,10 +1051,10 @@ SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm, virDomainDefPtr def,
const char *savefile) const char *savefile)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel) if (secdef->norelabel)
return 0; return 0;
@ -1090,12 +1089,12 @@ SELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr, SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr def)
{ {
/* TODO: verify DOI */ /* TODO: verify DOI */
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
if (vm->def->seclabel.label == NULL) if (def->seclabel.label == NULL)
return 0; return 0;
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@ -1121,16 +1120,16 @@ SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
static int static int
SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr, SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr def)
{ {
/* TODO: verify DOI */ /* TODO: verify DOI */
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
context_t execcon = NULL; context_t execcon = NULL;
context_t proccon = NULL; context_t proccon = NULL;
security_context_t scon = NULL; security_context_t scon = NULL;
int rc = -1; int rc = -1;
if (vm->def->seclabel.label == NULL) if (def->seclabel.label == NULL)
return 0; return 0;
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@ -1171,7 +1170,7 @@ SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
} }
VIR_DEBUG("Setting VM %s socket context %s", VIR_DEBUG("Setting VM %s socket context %s",
vm->def->name, context_str(proccon)); def->name, context_str(proccon));
if (setsockcreatecon(context_str(proccon)) == -1) { if (setsockcreatecon(context_str(proccon)) == -1) {
virReportSystemError(errno, virReportSystemError(errno,
_("unable to set socket security context '%s'"), _("unable to set socket security context '%s'"),
@ -1192,9 +1191,9 @@ done:
static int static int
SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr, SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->seclabel;
int rc = -1; int rc = -1;
if (secdef->label == NULL) if (secdef->label == NULL)
@ -1210,7 +1209,7 @@ SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
} }
VIR_DEBUG("Setting VM %s socket context %s", VIR_DEBUG("Setting VM %s socket context %s",
vm->def->name, secdef->label); vm->name, secdef->label);
if (setsockcreatecon(secdef->label) == -1) { if (setsockcreatecon(secdef->label) == -1) {
virReportSystemError(errno, virReportSystemError(errno,
_("unable to set socket security context '%s'"), _("unable to set socket security context '%s'"),
@ -1229,12 +1228,12 @@ done:
static int static int
SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr, SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr def)
{ {
/* TODO: verify DOI */ /* TODO: verify DOI */
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
if (vm->def->seclabel.label == NULL) if (def->seclabel.label == NULL)
return 0; return 0;
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@ -1259,27 +1258,24 @@ SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
static int static int
SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, SELinuxSetSecurityChardevCallback(virDomainDefPtr def,
virDomainChrDefPtr dev, virDomainChrDefPtr dev,
void *opaque) void *opaque ATTRIBUTE_UNUSED)
{ {
virDomainObjPtr vm = opaque;
/* This is taken care of by processing of def->serials */ /* This is taken care of by processing of def->serials */
if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE && if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL) dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
return 0; return 0;
return SELinuxSetSecurityChardevLabel(vm, &dev->source); return SELinuxSetSecurityChardevLabel(def, &dev->source);
} }
static int static int
SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
virDomainSmartcardDefPtr dev, virDomainSmartcardDefPtr dev,
void *opaque) void *opaque ATTRIBUTE_UNUSED)
{ {
virDomainObjPtr vm = opaque;
const char *database; const char *database;
switch (dev->type) { switch (dev->type) {
@ -1293,7 +1289,7 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
return SELinuxSetFilecon(database, default_content_context); return SELinuxSetFilecon(database, default_content_context);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru); return SELinuxSetSecurityChardevLabel(def, &dev->data.passthru);
default: default:
virSecurityReportError(VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
@ -1308,53 +1304,53 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
static int static int
SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr, SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr def,
const char *stdin_path) const char *stdin_path)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
int i; int i;
if (secdef->norelabel) if (secdef->norelabel)
return 0; return 0;
for (i = 0 ; i < vm->def->ndisks ; i++) { for (i = 0 ; i < def->ndisks ; i++) {
/* XXX fixme - we need to recursively label the entire tree :-( */ /* XXX fixme - we need to recursively label the entire tree :-( */
if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) { if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
VIR_WARN("Unable to relabel directory tree %s for disk %s", VIR_WARN("Unable to relabel directory tree %s for disk %s",
vm->def->disks[i]->src, vm->def->disks[i]->dst); def->disks[i]->src, def->disks[i]->dst);
continue; continue;
} }
if (SELinuxSetSecurityImageLabel(mgr, if (SELinuxSetSecurityImageLabel(mgr,
vm, vm->def->disks[i]) < 0) def, def->disks[i]) < 0)
return -1; return -1;
} }
/* XXX fixme process vm->def->fss if relabel == true */ /* XXX fixme process def->fss if relabel == true */
for (i = 0 ; i < vm->def->nhostdevs ; i++) { for (i = 0 ; i < def->nhostdevs ; i++) {
if (SELinuxSetSecurityHostdevLabel(mgr, if (SELinuxSetSecurityHostdevLabel(mgr,
vm, def,
vm->def->hostdevs[i]) < 0) def->hostdevs[i]) < 0)
return -1; return -1;
} }
if (virDomainChrDefForeach(vm->def, if (virDomainChrDefForeach(def,
true, true,
SELinuxSetSecurityChardevCallback, SELinuxSetSecurityChardevCallback,
vm) < 0) NULL) < 0)
return -1; return -1;
if (virDomainSmartcardDefForeach(vm->def, if (virDomainSmartcardDefForeach(def,
true, true,
SELinuxSetSecuritySmartcardCallback, SELinuxSetSecuritySmartcardCallback,
vm) < 0) NULL) < 0)
return -1; return -1;
if (vm->def->os.kernel && if (def->os.kernel &&
SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0) SELinuxSetFilecon(def->os.kernel, default_content_context) < 0)
return -1; return -1;
if (vm->def->os.initrd && if (def->os.initrd &&
SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0) SELinuxSetFilecon(def->os.initrd, default_content_context) < 0)
return -1; return -1;
if (stdin_path) { if (stdin_path) {
@ -1369,10 +1365,10 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
static int static int
SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm, virDomainDefPtr def,
int fd) int fd)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->imagelabel == NULL) if (secdef->imagelabel == NULL)
return 0; return 0;
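Review bot: SELinuxReserveSecurityLabel and SELinuxGetSecurityProcessLabel now take the pid as a bare argument and pass it straight to getpidcon(), with no range check and nothing tying it to `def` (which the second function marks ATTRIBUTE_UNUSED). As far as I know libselinux resolves a pid of 0 to the calling process, so a caller passing the pid of an inactive domain could get the daemon's own context back instead of an error; this is an inference, because the callers are outside this section. I would add a guard at the top of both functions, for example `if (pid <= 0) { virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("invalid PID for security context lookup")); return -1; }` (the message text is only a suggestion). The two error paths also print a pid_t with `%d`; passing `(int)pid` keeps the format well-defined on platforms where pid_t is not int. Both function bodies continue outside the hunks shown.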


@ -106,7 +106,7 @@ virSecurityStackVerify(virSecurityManagerPtr mgr,
static int static int
virSecurityStackGenLabel(virSecurityManagerPtr mgr, virSecurityStackGenLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0; int rc = 0;
@ -131,7 +131,7 @@ virSecurityStackGenLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackReleaseLabel(virSecurityManagerPtr mgr, virSecurityStackReleaseLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0; int rc = 0;
@ -150,16 +150,17 @@ virSecurityStackReleaseLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackReserveLabel(virSecurityManagerPtr mgr, virSecurityStackReserveLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm,
pid_t pid)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0; int rc = 0;
if (virSecurityManagerReserveLabel(priv->primary, vm) < 0) if (virSecurityManagerReserveLabel(priv->primary, vm, pid) < 0)
rc = -1; rc = -1;
#if 0 #if 0
/* XXX See note in GenLabel */ /* XXX See note in GenLabel */
if (virSecurityManagerReserveLabel(priv->secondary, vm) < 0) if (virSecurityManagerReserveLabel(priv->secondary, vm, pid) < 0)
rc = -1; rc = -1;
#endif #endif
@ -169,7 +170,7 @@ virSecurityStackReserveLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr, virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@ -186,7 +187,7 @@ virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr, virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@ -203,7 +204,7 @@ virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr, virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
@ -221,7 +222,7 @@ virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@ -238,7 +239,7 @@ virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr, virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
const char *stdin_path) const char *stdin_path)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@ -255,7 +256,7 @@ virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr, virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
int migrated) int migrated)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@ -272,7 +273,7 @@ virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr, virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
const char *savefile) const char *savefile)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@ -289,7 +290,7 @@ virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr, virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
const char *savefile) const char *savefile)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@ -306,7 +307,7 @@ virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr, virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0; int rc = 0;
@ -321,17 +322,18 @@ virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr, virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
pid_t pid,
virSecurityLabelPtr seclabel) virSecurityLabelPtr seclabel)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0; int rc = 0;
#if 0 #if 0
if (virSecurityManagerGetProcessLabel(priv->secondary, vm, seclabel) < 0) if (virSecurityManagerGetProcessLabel(priv->secondary, vm, pid, seclabel) < 0)
rc = -1; rc = -1;
#endif #endif
if (virSecurityManagerGetProcessLabel(priv->primary, vm, seclabel) < 0) if (virSecurityManagerGetProcessLabel(priv->primary, vm, pid, seclabel) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -340,7 +342,7 @@ virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr, virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0; int rc = 0;
@ -356,7 +358,7 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr, virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0; int rc = 0;
@ -372,7 +374,7 @@ virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr, virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainDefPtr vm)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0; int rc = 0;
@ -387,7 +389,7 @@ virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr, virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm, virDomainDefPtr vm,
int fd) int fd)
{ {
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);