mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-23 22:25:25 +00:00
Revert changes to sec label parsing
Revert parsing changes: commit302fe95ffa
Author: Eric Blake <eblake@redhat.com> Date: Wed Jan 4 16:01:24 2012 -0700 seclabel: fix regression in libvirtd restart commitb43432931a
Author: Eric Blake <eblake@redhat.com> Date: Thu Dec 22 17:47:50 2011 -0700 seclabel: allow a seclabel override on a disk src These two commits changed the sec label parsing code so that the same code dealt with both the VM level sec label, and the per device label. Unfortunately, as we add more options to the VM level sec label, the logic required to use the same parsing code for the per device label becomes unintelligible. * src/conf/domain_conf.c: Remove support for parsing per device sec labels
This commit is contained in:
parent
e68f22ae65
commit
ae6135bf05
@ -812,15 +812,6 @@ virSecurityLabelDefClear(virSecurityLabelDefPtr def)
|
||||
VIR_FREE(def->baselabel);
|
||||
}
|
||||
|
||||
static void
|
||||
virSecurityLabelDefFree(virSecurityLabelDefPtr def)
|
||||
{
|
||||
if (!def)
|
||||
return;
|
||||
virSecurityLabelDefClear(def);
|
||||
VIR_FREE(def);
|
||||
}
|
||||
|
||||
void virDomainGraphicsDefFree(virDomainGraphicsDefPtr def)
|
||||
{
|
||||
int ii;
|
||||
@ -890,7 +881,6 @@ void virDomainDiskDefFree(virDomainDiskDefPtr def)
|
||||
|
||||
VIR_FREE(def->serial);
|
||||
VIR_FREE(def->src);
|
||||
virSecurityLabelDefFree(def->seclabel);
|
||||
VIR_FREE(def->dst);
|
||||
VIR_FREE(def->driverName);
|
||||
VIR_FREE(def->driverType);
|
||||
@ -2565,94 +2555,14 @@ virDomainDiskDefAssignAddress(virCapsPtr caps, virDomainDiskDefPtr def)
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Parse the portion of a SecurityLabel that is common to both the
|
||||
* top-level <seclabel> and to a per-device override.
|
||||
* default_seclabel is NULL for top-level, or points to the top-level
|
||||
* when parsing an override. */
|
||||
static int
|
||||
virSecurityLabelDefParseXMLHelper(virSecurityLabelDefPtr def,
|
||||
xmlNodePtr node,
|
||||
xmlXPathContextPtr ctxt,
|
||||
virSecurityLabelDefPtr default_seclabel,
|
||||
unsigned int flags)
|
||||
{
|
||||
char *p;
|
||||
xmlNodePtr save_ctxt = ctxt->node;
|
||||
int ret = -1;
|
||||
int type = default_seclabel ? default_seclabel->type : def->type;
|
||||
|
||||
ctxt->node = node;
|
||||
|
||||
/* Can't use overrides if top-level doesn't allow relabeling. */
|
||||
if (default_seclabel && default_seclabel->norelabel) {
|
||||
virDomainReportError(VIR_ERR_XML_ERROR, "%s",
|
||||
_("label overrides require relabeling to be "
|
||||
"enabled at the domain level"));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
p = virXPathStringLimit("string(./@relabel)",
|
||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||
if (p != NULL) {
|
||||
if (STREQ(p, "yes")) {
|
||||
def->norelabel = false;
|
||||
} else if (STREQ(p, "no")) {
|
||||
def->norelabel = true;
|
||||
} else {
|
||||
virDomainReportError(VIR_ERR_XML_ERROR,
|
||||
_("invalid security relabel value %s"), p);
|
||||
VIR_FREE(p);
|
||||
goto cleanup;
|
||||
}
|
||||
VIR_FREE(p);
|
||||
if (!default_seclabel &&
|
||||
type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
|
||||
def->norelabel) {
|
||||
virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||
_("dynamic label type must use resource "
|
||||
"relabeling"));
|
||||
goto cleanup;
|
||||
}
|
||||
} else {
|
||||
if (!default_seclabel && type == VIR_DOMAIN_SECLABEL_STATIC)
|
||||
def->norelabel = true;
|
||||
else
|
||||
def->norelabel = false;
|
||||
}
|
||||
|
||||
/* Only parse label, if using static labels, or
|
||||
* if the 'live' VM XML is requested, or if this is a device override
|
||||
*/
|
||||
if (type == VIR_DOMAIN_SECLABEL_STATIC ||
|
||||
!(flags & VIR_DOMAIN_XML_INACTIVE) ||
|
||||
(default_seclabel && !def->norelabel)) {
|
||||
p = virXPathStringLimit("string(./label[1])",
|
||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||
if (p == NULL && !(default_seclabel && def->norelabel)) {
|
||||
virDomainReportError(VIR_ERR_XML_ERROR,
|
||||
"%s", _("security label is missing"));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
def->label = p;
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
cleanup:
|
||||
ctxt->node = save_ctxt;
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Parse the top-level <seclabel>, if present. */
|
||||
static int
|
||||
virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
||||
xmlXPathContextPtr ctxt,
|
||||
unsigned int flags)
|
||||
{
|
||||
char *p;
|
||||
xmlNodePtr node = virXPathNode("./seclabel", ctxt);
|
||||
|
||||
if (node == NULL)
|
||||
if (virXPathNode("./seclabel", ctxt) == NULL)
|
||||
return 0;
|
||||
|
||||
p = virXPathStringLimit("string(./seclabel/@type)",
|
||||
@ -2669,9 +2579,48 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
||||
"%s", _("invalid security type"));
|
||||
goto error;
|
||||
}
|
||||
p = virXPathStringLimit("string(./seclabel/@relabel)",
|
||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||
if (p != NULL) {
|
||||
if (STREQ(p, "yes")) {
|
||||
def->norelabel = false;
|
||||
} else if (STREQ(p, "no")) {
|
||||
def->norelabel = true;
|
||||
} else {
|
||||
virDomainReportError(VIR_ERR_XML_ERROR,
|
||||
_("invalid security relabel value %s"), p);
|
||||
VIR_FREE(p);
|
||||
goto error;
|
||||
}
|
||||
VIR_FREE(p);
|
||||
if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
|
||||
def->norelabel) {
|
||||
virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED,
|
||||
"%s", _("dynamic label type must use resource relabeling"));
|
||||
goto error;
|
||||
}
|
||||
} else {
|
||||
if (def->type == VIR_DOMAIN_SECLABEL_STATIC)
|
||||
def->norelabel = true;
|
||||
else
|
||||
def->norelabel = false;
|
||||
}
|
||||
|
||||
if (virSecurityLabelDefParseXMLHelper(def, node, ctxt, NULL, flags) < 0)
|
||||
goto error;
|
||||
/* Only parse label, if using static labels, or
|
||||
* if the 'live' VM XML is requested
|
||||
*/
|
||||
if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
|
||||
!(flags & VIR_DOMAIN_XML_INACTIVE)) {
|
||||
p = virXPathStringLimit("string(./seclabel/label[1])",
|
||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||
if (p == NULL) {
|
||||
virDomainReportError(VIR_ERR_XML_ERROR,
|
||||
"%s", _("security label is missing"));
|
||||
goto error;
|
||||
}
|
||||
|
||||
def->label = p;
|
||||
}
|
||||
|
||||
/* Only parse imagelabel, if requested live XML with relabeling */
|
||||
if (!def->norelabel &&
|
||||
@ -2798,7 +2747,6 @@ virDomainDiskDefParseXML(virCapsPtr caps,
|
||||
xmlNodePtr node,
|
||||
xmlXPathContextPtr ctxt,
|
||||
virBitmapPtr bootMap,
|
||||
virSecurityLabelDefPtr default_seclabel,
|
||||
unsigned int flags)
|
||||
{
|
||||
virDomainDiskDefPtr def;
|
||||
@ -3109,16 +3057,6 @@ virDomainDiskDefParseXML(virCapsPtr caps,
|
||||
goto error;
|
||||
}
|
||||
|
||||
/* If source is present, check for an optional seclabel override. */
|
||||
if (source) {
|
||||
xmlNodePtr seclabel = virXPathNode("./source/seclabel", ctxt);
|
||||
if (seclabel &&
|
||||
(VIR_ALLOC(def->seclabel) < 0 ||
|
||||
virSecurityLabelDefParseXMLHelper(def->seclabel, seclabel, ctxt,
|
||||
default_seclabel, flags) < 0))
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (target == NULL) {
|
||||
virDomainReportError(VIR_ERR_NO_TARGET,
|
||||
source ? "%s" : NULL, source);
|
||||
@ -6475,8 +6413,7 @@ virDomainDeviceDefPtr virDomainDeviceDefParse(virCapsPtr caps,
|
||||
if (xmlStrEqual(node->name, BAD_CAST "disk")) {
|
||||
dev->type = VIR_DOMAIN_DEVICE_DISK;
|
||||
if (!(dev->data.disk = virDomainDiskDefParseXML(caps, node, ctxt,
|
||||
NULL, &def->seclabel,
|
||||
flags)))
|
||||
NULL, flags)))
|
||||
goto error;
|
||||
} else if (xmlStrEqual(node->name, BAD_CAST "lease")) {
|
||||
dev->type = VIR_DOMAIN_DEVICE_LEASE;
|
||||
@ -7586,7 +7523,6 @@ static virDomainDefPtr virDomainDefParseXML(virCapsPtr caps,
|
||||
nodes[i],
|
||||
ctxt,
|
||||
bootMap,
|
||||
&def->seclabel,
|
||||
flags);
|
||||
if (!disk)
|
||||
goto error;
|
||||
@ -9907,32 +9843,23 @@ virSecurityLabelDefFormat(virBufferPtr buf, virSecurityLabelDefPtr def,
|
||||
if (!sectype)
|
||||
goto cleanup;
|
||||
|
||||
if (def->model &&
|
||||
def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
|
||||
if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
|
||||
!def->baselabel &&
|
||||
(flags & VIR_DOMAIN_XML_INACTIVE)) {
|
||||
/* This is the default for inactive xml, so nothing to output. */
|
||||
} else {
|
||||
virBufferAddLit(buf, "<seclabel");
|
||||
if (def->model)
|
||||
virBufferAsprintf(buf, " type='%s' model='%s'",
|
||||
sectype, def->model);
|
||||
virBufferAsprintf(buf, " relabel='%s'",
|
||||
virBufferAsprintf(buf, "<seclabel type='%s' model='%s' relabel='%s'>\n",
|
||||
sectype, def->model,
|
||||
def->norelabel ? "no" : "yes");
|
||||
if (def->label || def->baselabel) {
|
||||
virBufferAddLit(buf, ">\n");
|
||||
virBufferEscapeString(buf, " <label>%s</label>\n",
|
||||
def->label);
|
||||
if (!def->norelabel)
|
||||
virBufferEscapeString(buf, " <imagelabel>%s</imagelabel>\n",
|
||||
def->imagelabel);
|
||||
if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
|
||||
virBufferEscapeString(buf, " <baselabel>%s</baselabel>\n",
|
||||
def->baselabel);
|
||||
virBufferAddLit(buf, "</seclabel>\n");
|
||||
} else {
|
||||
virBufferAddLit(buf, "/>\n");
|
||||
}
|
||||
virBufferEscapeString(buf, " <label>%s</label>\n",
|
||||
def->label);
|
||||
if (!def->norelabel)
|
||||
virBufferEscapeString(buf, " <imagelabel>%s</imagelabel>\n",
|
||||
def->imagelabel);
|
||||
if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
|
||||
virBufferEscapeString(buf, " <baselabel>%s</baselabel>\n",
|
||||
def->baselabel);
|
||||
virBufferAddLit(buf, "</seclabel>\n");
|
||||
}
|
||||
ret = 0;
|
||||
cleanup:
|
||||
@ -10062,36 +9989,17 @@ virDomainDiskDefFormat(virBufferPtr buf,
|
||||
def->startupPolicy) {
|
||||
switch (def->type) {
|
||||
case VIR_DOMAIN_DISK_TYPE_FILE:
|
||||
virBufferAddLit(buf, " <source");
|
||||
virBufferAsprintf(buf," <source");
|
||||
if (def->src)
|
||||
virBufferEscapeString(buf, " file='%s'", def->src);
|
||||
if (def->startupPolicy)
|
||||
virBufferEscapeString(buf, " startupPolicy='%s'",
|
||||
startupPolicy);
|
||||
if (def->seclabel) {
|
||||
virBufferAddLit(buf, ">\n");
|
||||
virBufferAdjustIndent(buf, 8);
|
||||
if (virSecurityLabelDefFormat(buf, def->seclabel, flags) < 0)
|
||||
return -1;
|
||||
virBufferAdjustIndent(buf, -8);
|
||||
virBufferAddLit(buf, " </source>\n");
|
||||
} else {
|
||||
virBufferAddLit(buf, "/>\n");
|
||||
}
|
||||
virBufferAsprintf(buf, "/>\n");
|
||||
break;
|
||||
case VIR_DOMAIN_DISK_TYPE_BLOCK:
|
||||
if (def->src && def->seclabel) {
|
||||
virBufferEscapeString(buf, " <source dev='%s'>\n",
|
||||
def->src);
|
||||
virBufferAdjustIndent(buf, 8);
|
||||
if (virSecurityLabelDefFormat(buf, def->seclabel, flags) < 0)
|
||||
return -1;
|
||||
virBufferAdjustIndent(buf, -8);
|
||||
virBufferAddLit(buf, " </source>\n");
|
||||
} else {
|
||||
virBufferEscapeString(buf, " <source dev='%s'/>\n",
|
||||
def->src);
|
||||
}
|
||||
virBufferEscapeString(buf, " <source dev='%s'/>\n",
|
||||
def->src);
|
||||
break;
|
||||
case VIR_DOMAIN_DISK_TYPE_DIR:
|
||||
virBufferEscapeString(buf, " <source dir='%s'/>\n",
|
||||
|
Loading…
Reference in New Issue
Block a user