mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-30 17:45:23 +00:00
Separate MCS range parsing from MCS range checking
Pull the code which parses the current process MCS range
out of virSecuritySELinuxMCSFind and into a new method
virSecuritySELinuxMCSGetProcessRange.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 4a92fe4413
)
Conflicts:
src/security/security_selinux.c
This commit is contained in:
parent
d4e0e86c49
commit
afb32d4a2b
@ -105,16 +105,69 @@ virSecuritySELinuxMCSRemove(virSecurityManagerPtr mgr,
|
|||||||
|
|
||||||
|
|
||||||
static char *
|
static char *
|
||||||
virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr)
|
virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr,
|
||||||
|
const char *sens,
|
||||||
|
int catMin,
|
||||||
|
int catMax)
|
||||||
{
|
{
|
||||||
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
||||||
int c1 = 0;
|
int catRange;
|
||||||
int c2 = 0;
|
|
||||||
char *mcs = NULL;
|
char *mcs = NULL;
|
||||||
|
|
||||||
|
/* +1 since virRandomInt range is exclusive of the upper bound */
|
||||||
|
catRange = (catMax - catMin) + 1;
|
||||||
|
|
||||||
|
if (catRange < 8) {
|
||||||
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
|
_("Category range c%d-c%d too small"),
|
||||||
|
catMin, catMax);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
VIR_DEBUG("Using sensitivity level '%s' cat min %d max %d range %d",
|
||||||
|
sens, catMin, catMax, catRange);
|
||||||
|
|
||||||
|
for (;;) {
|
||||||
|
int c1 = virRandomInt(catRange);
|
||||||
|
int c2 = virRandomInt(catRange);
|
||||||
|
|
||||||
|
VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
|
||||||
|
|
||||||
|
if (c1 == c2) {
|
||||||
|
if (virAsprintf(&mcs, "%s:c%d", sens, catMin + c1) < 0) {
|
||||||
|
virReportOOMError();
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if (c1 > c2) {
|
||||||
|
int t = c1;
|
||||||
|
c1 = c2;
|
||||||
|
c2 = t;
|
||||||
|
}
|
||||||
|
if (virAsprintf(&mcs, "%s:c%d,c%d", sens, catMin + c1, catMin + c2) < 0) {
|
||||||
|
virReportOOMError();
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (virHashLookup(data->mcs, mcs) == NULL)
|
||||||
|
break;
|
||||||
|
|
||||||
|
VIR_FREE(mcs);
|
||||||
|
}
|
||||||
|
|
||||||
|
return mcs;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
virSecuritySELinuxMCSGetProcessRange(char **sens,
|
||||||
|
int *catMin,
|
||||||
|
int *catMax)
|
||||||
|
{
|
||||||
security_context_t ourSecContext = NULL;
|
security_context_t ourSecContext = NULL;
|
||||||
context_t ourContext = NULL;
|
context_t ourContext = NULL;
|
||||||
char *sens, *cat, *tmp;
|
char *cat, *tmp;
|
||||||
int catMin, catMax, catRange;
|
int ret = -1;
|
||||||
|
|
||||||
if (getcon_raw(&ourSecContext) < 0) {
|
if (getcon_raw(&ourSecContext) < 0) {
|
||||||
virReportSystemError(errno, "%s",
|
virReportSystemError(errno, "%s",
|
||||||
@ -128,22 +181,22 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr)
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!(sens = strdup(context_range_get(ourContext)))) {
|
if (!(*sens = strdup(context_range_get(ourContext)))) {
|
||||||
virReportOOMError();
|
virReportOOMError();
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Find and blank out the category part */
|
/* Find and blank out the category part */
|
||||||
if (!(tmp = strchr(sens, ':'))) {
|
if (!(tmp = strchr(*sens, ':'))) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
_("Cannot parse sensitivity level in %s"),
|
_("Cannot parse sensitivity level in %s"),
|
||||||
sens);
|
*sens);
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
*tmp = '\0';
|
*tmp = '\0';
|
||||||
cat = tmp + 1;
|
cat = tmp + 1;
|
||||||
/* Find and blank out the sensitivity upper bound */
|
/* Find and blank out the sensitivity upper bound */
|
||||||
if ((tmp = strchr(sens, '-')))
|
if ((tmp = strchr(*sens, '-')))
|
||||||
*tmp = '\0';
|
*tmp = '\0';
|
||||||
/* sens now just contains the sensitivity lower bound */
|
/* sens now just contains the sensitivity lower bound */
|
||||||
|
|
||||||
@ -156,7 +209,7 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr)
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
tmp++;
|
tmp++;
|
||||||
if (virStrToLong_i(tmp, &tmp, 10, &catMin) < 0) {
|
if (virStrToLong_i(tmp, &tmp, 10, catMin) < 0) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
_("Cannot parse category in %s"),
|
_("Cannot parse category in %s"),
|
||||||
cat);
|
cat);
|
||||||
@ -186,60 +239,21 @@ virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr)
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
tmp++;
|
tmp++;
|
||||||
if (virStrToLong_i(tmp, &tmp, 10, &catMax) < 0) {
|
if (virStrToLong_i(tmp, &tmp, 10, catMax) < 0) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
_("Cannot parse category in %s"),
|
_("Cannot parse category in %s"),
|
||||||
cat);
|
cat);
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* +1 since virRandomInt range is exclusive of the upper bound */
|
ret = 0;
|
||||||
catRange = (catMax - catMin) + 1;
|
|
||||||
|
|
||||||
if (catRange < 8) {
|
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
|
||||||
_("Category range c%d-c%d too small"),
|
|
||||||
catMin, catMax);
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
|
|
||||||
VIR_DEBUG("Using sensitivity level '%s' cat min %d max %d range %d",
|
|
||||||
sens, catMin, catMax, catRange);
|
|
||||||
|
|
||||||
for (;;) {
|
|
||||||
c1 = virRandomInt(catRange);
|
|
||||||
c2 = virRandomInt(catRange);
|
|
||||||
VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1+catMin, c2+catMin);
|
|
||||||
|
|
||||||
if (c1 == c2) {
|
|
||||||
if (virAsprintf(&mcs, "%s:c%d", sens, catMin + c1) < 0) {
|
|
||||||
virReportOOMError();
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if (c1 > c2) {
|
|
||||||
int t = c1;
|
|
||||||
c1 = c2;
|
|
||||||
c2 = t;
|
|
||||||
}
|
|
||||||
if (virAsprintf(&mcs, "%s:c%d,c%d", sens, catMin + c1, catMin + c2) < 0) {
|
|
||||||
virReportOOMError();
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (virHashLookup(data->mcs, mcs) == NULL)
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
VIR_FREE(mcs);
|
|
||||||
}
|
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
VIR_DEBUG("Found context '%s'", NULLSTR(mcs));
|
if (ret < 0)
|
||||||
VIR_FREE(sens);
|
VIR_FREE(*sens);
|
||||||
freecon(ourSecContext);
|
freecon(ourSecContext);
|
||||||
context_free(ourContext);
|
context_free(ourContext);
|
||||||
return mcs;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
static char *
|
static char *
|
||||||
@ -559,6 +573,8 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
|
|||||||
virSecurityLabelDefPtr seclabel;
|
virSecurityLabelDefPtr seclabel;
|
||||||
virSecuritySELinuxDataPtr data;
|
virSecuritySELinuxDataPtr data;
|
||||||
const char *baselabel;
|
const char *baselabel;
|
||||||
|
char *sens = NULL;
|
||||||
|
int catMin, catMax;
|
||||||
|
|
||||||
if (mgr == NULL) {
|
if (mgr == NULL) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
@ -615,7 +631,15 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case VIR_DOMAIN_SECLABEL_DYNAMIC:
|
case VIR_DOMAIN_SECLABEL_DYNAMIC:
|
||||||
if (!(mcs = virSecuritySELinuxMCSFind(mgr)))
|
if (virSecuritySELinuxMCSGetProcessRange(&sens,
|
||||||
|
&catMin,
|
||||||
|
&catMax) < 0)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
if (!(mcs = virSecuritySELinuxMCSFind(mgr,
|
||||||
|
sens,
|
||||||
|
catMin,
|
||||||
|
catMax)))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (virSecuritySELinuxMCSAdd(mgr, mcs) < 0)
|
if (virSecuritySELinuxMCSAdd(mgr, mcs) < 0)
|
||||||
@ -694,6 +718,7 @@ cleanup:
|
|||||||
context_free(ctx);
|
context_free(ctx);
|
||||||
VIR_FREE(scontext);
|
VIR_FREE(scontext);
|
||||||
VIR_FREE(mcs);
|
VIR_FREE(mcs);
|
||||||
|
VIR_FREE(sens);
|
||||||
|
|
||||||
VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
|
VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
|
||||||
NULLSTR(seclabel->model),
|
NULLSTR(seclabel->model),
|
||||||
|
Loading…
Reference in New Issue
Block a user