External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

Add support for SELinux labelling of hostdev storage/misc devices

Browse Source 
The SELinux security driver needs to learn to label storage/misc
hostdev devices for LXC

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrange 2012-11-28 16:07:27 +00:00
parent 570ad09ef9
commit a6cbdd7b81
1 changed files with 118 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

118
src/security/security_selinux.c
View File

@ -1210,6 +1210,65 @@ done:
} }
static int
virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
virDomainHostdevDefPtr dev,
const char *vroot)
{
int ret = -1;
virSecurityLabelDefPtr secdef;
char *path;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL)
return -1;
switch (dev->source.caps.type) {
case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
if (vroot) {
if (virAsprintf(&path, "%s/%s", vroot,
dev->source.caps.u.storage.block) < 0) {
virReportOOMError();
return -1;
}
} else {
if (!(path = strdup(dev->source.caps.u.storage.block))) {
virReportOOMError();
return -1;
}
}
ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
VIR_FREE(path);
break;
}
case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
if (vroot) {
if (virAsprintf(&path, "%s/%s", vroot,
dev->source.caps.u.misc.chardev) < 0) {
virReportOOMError();
return -1;
}
} else {
if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
virReportOOMError();
return -1;
}
}
ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
VIR_FREE(path);
break;
}
default:
ret = 0;
break;
}
return ret;
}
static int static int
virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def, virDomainDefPtr def,
@ -1230,6 +1289,9 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS: case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot); return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot);
case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot);
default: default:
return 0; return 0;
} }
@ -1304,6 +1366,59 @@ done:
} }
static int
virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virDomainHostdevDefPtr dev,
const char *vroot)
{
int ret = -1;
char *path;
switch (dev->source.caps.type) {
case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
if (vroot) {
if (virAsprintf(&path, "%s/%s", vroot,
dev->source.caps.u.storage.block) < 0) {
virReportOOMError();
return -1;
}
} else {
if (!(path = strdup(dev->source.caps.u.storage.block))) {
virReportOOMError();
return -1;
}
}
ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
VIR_FREE(path);
break;
}
case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
if (vroot) {
if (virAsprintf(&path, "%s/%s", vroot,
dev->source.caps.u.misc.chardev) < 0) {
virReportOOMError();
return -1;
}
} else {
if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
virReportOOMError();
return -1;
}
}
ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
VIR_FREE(path);
break;
}
default:
ret = 0;
break;
}
return ret;
}
static int static int
virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def, virDomainDefPtr def,
@ -1324,6 +1439,9 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUT
case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS: case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
return virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(dev, vroot); return virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(dev, vroot);
case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
return virSecuritySELinuxRestoreSecurityHostdevCapsLabel(dev, vroot);
default: default:
return 0; return 0;
} }