External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-07-30 21:47:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Revert changes to sec label parsing

Browse Source 
Revert parsing changes:

  commit 302fe95ffa
  Author: Eric Blake <eblake@redhat.com>
  Date:   Wed Jan 4 16:01:24 2012 -0700

    seclabel: fix regression in libvirtd restart

  commit b43432931a
  Author: Eric Blake <eblake@redhat.com>
  Date:   Thu Dec 22 17:47:50 2011 -0700

    seclabel: allow a seclabel override on a disk src

These two commits changed the sec label parsing code so that
the same code dealt with both the VM level sec label, and the
per device label. Unfortunately, as we add more options to the
VM level sec label, the logic required to use the same parsing
code for the per device label becomes unintelligible.

* src/conf/domain_conf.c: Remove support for parsing per
  device sec labels
This commit is contained in:
Daniel P. Berrange 2012-01-25 14:12:50 +00:00 committed by Eric Blake
parent e68f22ae65
commit ae6135bf05
1 changed files with 59 additions and 151 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

210
src/conf/domain_conf.c
View File

@ -812,15 +812,6 @@ virSecurityLabelDefClear(virSecurityLabelDefPtr def)
VIR_FREE(def->baselabel);
}
static void
virSecurityLabelDefFree(virSecurityLabelDefPtr def)
{
if (!def)
return;
virSecurityLabelDefClear(def);
VIR_FREE(def);
}
void virDomainGraphicsDefFree(virDomainGraphicsDefPtr def)
{
int ii;
@ -890,7 +881,6 @@ void virDomainDiskDefFree(virDomainDiskDefPtr def)
VIR_FREE(def->serial);
VIR_FREE(def->src);
virSecurityLabelDefFree(def->seclabel);
VIR_FREE(def->dst);
VIR_FREE(def->driverName);
VIR_FREE(def->driverType);
@ -2565,94 +2555,14 @@ virDomainDiskDefAssignAddress(virCapsPtr caps, virDomainDiskDefPtr def)
return 0;
}
/* Parse the portion of a SecurityLabel that is common to both the
* top-level <seclabel> and to a per-device override.
* default_seclabel is NULL for top-level, or points to the top-level
* when parsing an override. */
static int
virSecurityLabelDefParseXMLHelper(virSecurityLabelDefPtr def,
xmlNodePtr node,
xmlXPathContextPtr ctxt,
virSecurityLabelDefPtr default_seclabel,
unsigned int flags)
{
char *p;
xmlNodePtr save_ctxt = ctxt->node;
int ret = -1;
int type = default_seclabel ? default_seclabel->type : def->type;
ctxt->node = node;
/* Can't use overrides if top-level doesn't allow relabeling. */
if (default_seclabel && default_seclabel->norelabel) {
virDomainReportError(VIR_ERR_XML_ERROR, "%s",
_("label overrides require relabeling to be "
"enabled at the domain level"));
goto cleanup;
}
p = virXPathStringLimit("string(./@relabel)",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
if (p != NULL) {
if (STREQ(p, "yes")) {
def->norelabel = false;
} else if (STREQ(p, "no")) {
def->norelabel = true;
} else {
virDomainReportError(VIR_ERR_XML_ERROR,
_("invalid security relabel value %s"), p);
VIR_FREE(p);
goto cleanup;
}
VIR_FREE(p);
if (!default_seclabel &&
type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
def->norelabel) {
virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("dynamic label type must use resource "
"relabeling"));
goto cleanup;
}
} else {
if (!default_seclabel && type == VIR_DOMAIN_SECLABEL_STATIC)
def->norelabel = true;
else
def->norelabel = false;
}
/* Only parse label, if using static labels, or
* if the 'live' VM XML is requested, or if this is a device override
*/
if (type == VIR_DOMAIN_SECLABEL_STATIC ||
!(flags & VIR_DOMAIN_XML_INACTIVE) ||
(default_seclabel && !def->norelabel)) {
p = virXPathStringLimit("string(./label[1])",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
if (p == NULL && !(default_seclabel && def->norelabel)) {
virDomainReportError(VIR_ERR_XML_ERROR,
"%s", _("security label is missing"));
goto cleanup;
}
def->label = p;
}
ret = 0;
cleanup:
ctxt->node = save_ctxt;
return ret;
}
/* Parse the top-level <seclabel>, if present. */
static int
virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
xmlXPathContextPtr ctxt,
unsigned int flags)
{
char *p;
xmlNodePtr node = virXPathNode("./seclabel", ctxt);
if (node == NULL)
if (virXPathNode("./seclabel", ctxt) == NULL)
return 0;
p = virXPathStringLimit("string(./seclabel/@type)",
@ -2669,9 +2579,48 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
"%s", _("invalid security type"));
goto error;
}
p = virXPathStringLimit("string(./seclabel/@relabel)",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
if (p != NULL) {
if (STREQ(p, "yes")) {
def->norelabel = false;
} else if (STREQ(p, "no")) {
def->norelabel = true;
} else {
virDomainReportError(VIR_ERR_XML_ERROR,
_("invalid security relabel value %s"), p);
VIR_FREE(p);
goto error;
}
VIR_FREE(p);
if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
def->norelabel) {
virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED,
"%s", _("dynamic label type must use resource relabeling"));
goto error;
}
} else {
if (def->type == VIR_DOMAIN_SECLABEL_STATIC)
def->norelabel = true;
else
def->norelabel = false;
}
if (virSecurityLabelDefParseXMLHelper(def, node, ctxt, NULL, flags) < 0)
goto error;
/* Only parse label, if using static labels, or
* if the 'live' VM XML is requested
*/
if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
!(flags & VIR_DOMAIN_XML_INACTIVE)) {
p = virXPathStringLimit("string(./seclabel/label[1])",
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
if (p == NULL) {
virDomainReportError(VIR_ERR_XML_ERROR,
"%s", _("security label is missing"));
goto error;
}
def->label = p;
}
/* Only parse imagelabel, if requested live XML with relabeling */
if (!def->norelabel &&
@ -2798,7 +2747,6 @@ virDomainDiskDefParseXML(virCapsPtr caps,
xmlNodePtr node,
xmlXPathContextPtr ctxt,
virBitmapPtr bootMap,
virSecurityLabelDefPtr default_seclabel,
unsigned int flags)
{
virDomainDiskDefPtr def;
@ -3109,16 +3057,6 @@ virDomainDiskDefParseXML(virCapsPtr caps,
goto error;
}
/* If source is present, check for an optional seclabel override. */
if (source) {
xmlNodePtr seclabel = virXPathNode("./source/seclabel", ctxt);
if (seclabel &&
(VIR_ALLOC(def->seclabel) < 0 ||
virSecurityLabelDefParseXMLHelper(def->seclabel, seclabel, ctxt,
default_seclabel, flags) < 0))
goto error;
}
if (target == NULL) {
virDomainReportError(VIR_ERR_NO_TARGET,
source ? "%s" : NULL, source);
@ -6475,8 +6413,7 @@ virDomainDeviceDefPtr virDomainDeviceDefParse(virCapsPtr caps,
if (xmlStrEqual(node->name, BAD_CAST "disk")) {
dev->type = VIR_DOMAIN_DEVICE_DISK;
if (!(dev->data.disk = virDomainDiskDefParseXML(caps, node, ctxt,
NULL, &def->seclabel,
flags)))
NULL, flags)))
goto error;
} else if (xmlStrEqual(node->name, BAD_CAST "lease")) {
dev->type = VIR_DOMAIN_DEVICE_LEASE;
@ -7586,7 +7523,6 @@ static virDomainDefPtr virDomainDefParseXML(virCapsPtr caps,
nodes[i],
ctxt,
bootMap,
&def->seclabel,
flags);
if (!disk)
goto error;
@ -9907,32 +9843,23 @@ virSecurityLabelDefFormat(virBufferPtr buf, virSecurityLabelDefPtr def,
if (!sectype)
goto cleanup;
if (def->model &&
def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
!def->baselabel &&
(flags & VIR_DOMAIN_XML_INACTIVE)) {
/* This is the default for inactive xml, so nothing to output. */
} else {
virBufferAddLit(buf, "<seclabel");
if (def->model)
virBufferAsprintf(buf, " type='%s' model='%s'",
sectype, def->model);
virBufferAsprintf(buf, " relabel='%s'",
virBufferAsprintf(buf, "<seclabel type='%s' model='%s' relabel='%s'>\n",
sectype, def->model,
def->norelabel ? "no" : "yes");
if (def->label || def->baselabel) {
virBufferAddLit(buf, ">\n");
virBufferEscapeString(buf, " <label>%s</label>\n",
def->label);
if (!def->norelabel)
virBufferEscapeString(buf, " <imagelabel>%s</imagelabel>\n",
def->imagelabel);
if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
virBufferEscapeString(buf, " <baselabel>%s</baselabel>\n",
def->baselabel);
virBufferAddLit(buf, "</seclabel>\n");
} else {
virBufferAddLit(buf, "/>\n");
}
virBufferEscapeString(buf, " <label>%s</label>\n",
def->label);
if (!def->norelabel)
virBufferEscapeString(buf, " <imagelabel>%s</imagelabel>\n",
def->imagelabel);
if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
virBufferEscapeString(buf, " <baselabel>%s</baselabel>\n",
def->baselabel);
virBufferAddLit(buf, "</seclabel>\n");
}
ret = 0;
cleanup:
@ -10062,36 +9989,17 @@ virDomainDiskDefFormat(virBufferPtr buf,
def->startupPolicy) {
switch (def->type) {
case VIR_DOMAIN_DISK_TYPE_FILE:
virBufferAddLit(buf, " <source");
virBufferAsprintf(buf," <source");
if (def->src)
virBufferEscapeString(buf, " file='%s'", def->src);
if (def->startupPolicy)
virBufferEscapeString(buf, " startupPolicy='%s'",
startupPolicy);
if (def->seclabel) {
virBufferAddLit(buf, ">\n");
virBufferAdjustIndent(buf, 8);
if (virSecurityLabelDefFormat(buf, def->seclabel, flags) < 0)
return -1;
virBufferAdjustIndent(buf, -8);
virBufferAddLit(buf, " </source>\n");
} else {
virBufferAddLit(buf, "/>\n");
}
virBufferAsprintf(buf, "/>\n");
break;
case VIR_DOMAIN_DISK_TYPE_BLOCK:
if (def->src && def->seclabel) {
virBufferEscapeString(buf, " <source dev='%s'>\n",
def->src);
virBufferAdjustIndent(buf, 8);
if (virSecurityLabelDefFormat(buf, def->seclabel, flags) < 0)
return -1;
virBufferAdjustIndent(buf, -8);
virBufferAddLit(buf, " </source>\n");
} else {
virBufferEscapeString(buf, " <source dev='%s'/>\n",
def->src);
}
virBufferEscapeString(buf, " <source dev='%s'/>\n",
def->src);
break;
case VIR_DOMAIN_DISK_TYPE_DIR:
virBufferEscapeString(buf, " <source dir='%s'/>\n",