capabilities: add baselabel per sec driver/virt type to secmodel
Expand the "secmodel" XML fragment of "host" with a sequence of baselabel's which describe the default security context used by libvirt with a specific security model and virtualization type: <secmodel> <model>selinux</model> <doi>0</doi> <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel> <baselabel type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel> </secmodel> <secmodel> <model>dac</model> <doi>0</doi> <baselabel type='kvm'>107:107</baselabel> <baselabel type='qemu'>107:107</baselabel> </secmodel> "baselabel" is driver-specific information, e.g. in the DAC security model, it indicates USER_ID:GROUP_ID. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Signed-off-by: Eric Blake <eblake@redhat.com>
This commit is contained in:
parent
64a68a4a09
commit
b51038a4cd
@ -60,6 +60,14 @@
|
|||||||
<element name='doi'>
|
<element name='doi'>
|
||||||
<text/>
|
<text/>
|
||||||
</element>
|
</element>
|
||||||
|
<zeroOrMore>
|
||||||
|
<element name='baselabel'>
|
||||||
|
<attribute name='type'>
|
||||||
|
<text/>
|
||||||
|
</attribute>
|
||||||
|
<text/>
|
||||||
|
</element>
|
||||||
|
</zeroOrMore>
|
||||||
</interleave>
|
</interleave>
|
||||||
</element>
|
</element>
|
||||||
</define>
|
</define>
|
||||||
|
@ -183,6 +183,20 @@ virCapabilitiesFreeNUMAInfo(virCapsPtr caps)
|
|||||||
caps->host.nnumaCell = 0;
|
caps->host.nnumaCell = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
virCapabilitiesClearSecModel(virCapsHostSecModelPtr secmodel)
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
for (i = 0; i < secmodel->nlabels; i++) {
|
||||||
|
VIR_FREE(secmodel->labels[i].type);
|
||||||
|
VIR_FREE(secmodel->labels[i].label);
|
||||||
|
}
|
||||||
|
|
||||||
|
VIR_FREE(secmodel->labels);
|
||||||
|
VIR_FREE(secmodel->model);
|
||||||
|
VIR_FREE(secmodel->doi);
|
||||||
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
virCapabilitiesDispose(void *object)
|
virCapabilitiesDispose(void *object)
|
||||||
{
|
{
|
||||||
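Review bot: virCapabilitiesClearSecModel frees `secmodel->labels` but leaves `secmodel->nlabels` at its old value, so after the call the struct still claims N labels while `labels` is NULL; the sibling virCapabilitiesFreeNUMAInfo visible above resets `caps->host.nnumaCell = 0` after freeing, and this helper should follow the same pattern with `secmodel->nlabels = 0;` right after `VIR_FREE(secmodel->labels);`. In this commit the only caller is virCapabilitiesDispose, which frees the whole secModels array immediately afterwards, so nothing reads the stale count today, but a "Clear" helper that leaves the struct half torn down is a latent out-of-bounds read for any future caller that reuses the struct (for example re-initialising capabilities without disposing them).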
@ -204,8 +218,7 @@ virCapabilitiesDispose(void *object)
|
|||||||
VIR_FREE(caps->host.migrateTrans);
|
VIR_FREE(caps->host.migrateTrans);
|
||||||
|
|
||||||
for (i = 0; i < caps->host.nsecModels; i++) {
|
for (i = 0; i < caps->host.nsecModels; i++) {
|
||||||
VIR_FREE(caps->host.secModels[i].model);
|
virCapabilitiesClearSecModel(&caps->host.secModels[i]);
|
||||||
VIR_FREE(caps->host.secModels[i].doi);
|
|
||||||
}
|
}
|
||||||
VIR_FREE(caps->host.secModels);
|
VIR_FREE(caps->host.secModels);
|
||||||
|
|
||||||
@ -506,6 +519,44 @@ virCapabilitiesAddGuestFeature(virCapsGuestPtr guest,
|
|||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* virCapabilitiesHostSecModelAddBaseLabel
|
||||||
|
* @secmodel: Security model to add a base label for
|
||||||
|
* @type: virtualization type
|
||||||
|
* @label: base label
|
||||||
|
*
|
||||||
|
* Returns non-zero on error.
|
||||||
|
*/
|
||||||
|
extern int
|
||||||
|
virCapabilitiesHostSecModelAddBaseLabel(virCapsHostSecModelPtr secmodel,
|
||||||
|
const char *type,
|
||||||
|
const char *label)
|
||||||
|
{
|
||||||
|
char *t = NULL, *l = NULL;
|
||||||
|
|
||||||
|
if (type == NULL || label == NULL)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
if (VIR_STRDUP(t, type) < 0)
|
||||||
|
goto no_memory;
|
||||||
|
|
||||||
|
if (VIR_STRDUP(l, label) < 0)
|
||||||
|
goto no_memory;
|
||||||
|
|
||||||
|
if (VIR_EXPAND_N(secmodel->labels, secmodel->nlabels, 1) < 0)
|
||||||
|
goto no_memory;
|
||||||
|
|
||||||
|
secmodel->labels[secmodel->nlabels - 1].type = t;
|
||||||
|
secmodel->labels[secmodel->nlabels - 1].label = l;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
no_memory:
|
||||||
|
VIR_FREE(l);
|
||||||
|
VIR_FREE(t);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* virCapabilitiesSupportsGuestArch:
|
* virCapabilitiesSupportsGuestArch:
|
||||||
* @caps: capabilities to query
|
* @caps: capabilities to query
|
||||||
@ -826,6 +877,11 @@ virCapabilitiesFormatXML(virCapsPtr caps)
|
|||||||
caps->host.secModels[i].model);
|
caps->host.secModels[i].model);
|
||||||
virBufferAsprintf(&xml, " <doi>%s</doi>\n",
|
virBufferAsprintf(&xml, " <doi>%s</doi>\n",
|
||||||
caps->host.secModels[i].doi);
|
caps->host.secModels[i].doi);
|
||||||
|
for (j = 0; j < caps->host.secModels[i].nlabels; j++) {
|
||||||
|
virBufferAsprintf(&xml, " <baselabel type='%s'>%s</baselabel>\n",
|
||||||
|
caps->host.secModels[i].labels[j].type,
|
||||||
|
caps->host.secModels[i].labels[j].label);
|
||||||
|
}
|
||||||
virBufferAddLit(&xml, " </secmodel>\n");
|
virBufferAddLit(&xml, " </secmodel>\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
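Review bot: The new baselabel line in virCapabilitiesFormatXML interpolates `labels[j].label` straight into the document with `%s`, so a label containing `<`, `&` or `'` would produce capabilities XML that clients cannot parse; the model/doi lines above already do this, but the base label is the first of these values that comes from driver configuration (the DAC uid:gid pair, the SELinux base context) rather than from a fixed driver string, so it is worth escaping. Keep the existing indentation but split the write so only the label goes through the escaping helper: `virBufferAsprintf(&xml, "<baselabel type='%s'>", type);` `virBufferEscapeString(&xml, "%s", label);` `virBufferAddLit(&xml, "</baselabel>\n");`. The `type` string is produced by virDomainVirtTypeToString and needs no escaping; the sample values in the test data are numeric or colon-separated SELinux fields, so this is hardening rather than an observed failure. virCapabilitiesFormatXML starts and ends outside this hunk.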
|
@ -104,11 +104,20 @@ struct _virCapsHostNUMACell {
|
|||||||
virCapsHostNUMACellCPUPtr cpus;
|
virCapsHostNUMACellCPUPtr cpus;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
typedef struct _virCapsHostSecModelLabel virCapsHostSecModelLabel;
|
||||||
|
typedef virCapsHostSecModelLabel *virCapsHostSecModelLabelPtr;
|
||||||
|
struct _virCapsHostSecModelLabel {
|
||||||
|
char *type;
|
||||||
|
char *label;
|
||||||
|
};
|
||||||
|
|
||||||
typedef struct _virCapsHostSecModel virCapsHostSecModel;
|
typedef struct _virCapsHostSecModel virCapsHostSecModel;
|
||||||
typedef virCapsHostSecModel *virCapsHostSecModelPtr;
|
typedef virCapsHostSecModel *virCapsHostSecModelPtr;
|
||||||
struct _virCapsHostSecModel {
|
struct _virCapsHostSecModel {
|
||||||
char *model;
|
char *model;
|
||||||
char *doi;
|
char *doi;
|
||||||
|
size_t nlabels;
|
||||||
|
virCapsHostSecModelLabelPtr labels;
|
||||||
};
|
};
|
||||||
|
|
||||||
typedef struct _virCapsHost virCapsHost;
|
typedef struct _virCapsHost virCapsHost;
|
||||||
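Review bot: The new _virCapsHostSecModelLabel struct and the `nlabels`/`labels` members of _virCapsHostSecModel carry no comment saying what `type` is, what `label` holds, or who owns the strings, even though capabilities.c in this same commit strdup's both in virCapabilitiesHostSecModelAddBaseLabel and frees them in virCapabilitiesClearSecModel. A one-line comment per member would spare the next maintainer a trip through the .c file: `char *type;   /* virt type name (virDomainVirtTypeToString), owned */`, `char *label;  /* driver-specific base label, e.g. "uid:gid" for dac, owned */`, and above `nlabels` a `/* base labels per virt type, appended via virCapabilitiesHostSecModelAddBaseLabel */`.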
@ -224,6 +233,11 @@ virCapabilitiesAddGuestFeature(virCapsGuestPtr guest,
|
|||||||
int defaultOn,
|
int defaultOn,
|
||||||
int toggle);
|
int toggle);
|
||||||
|
|
||||||
|
extern int
|
||||||
|
virCapabilitiesHostSecModelAddBaseLabel(virCapsHostSecModelPtr secmodel,
|
||||||
|
const char *type,
|
||||||
|
const char *label);
|
||||||
|
|
||||||
extern int
|
extern int
|
||||||
virCapabilitiesSupportsGuestArch(virCapsPtr caps,
|
virCapabilitiesSupportsGuestArch(virCapsPtr caps,
|
||||||
virArch arch);
|
virArch arch);
|
||||||
|
@ -58,6 +58,7 @@ virCapabilitiesFormatXML;
|
|||||||
virCapabilitiesFreeMachines;
|
virCapabilitiesFreeMachines;
|
||||||
virCapabilitiesFreeNUMAInfo;
|
virCapabilitiesFreeNUMAInfo;
|
||||||
virCapabilitiesGetCpusForNodemask;
|
virCapabilitiesGetCpusForNodemask;
|
||||||
|
virCapabilitiesHostSecModelAddBaseLabel;
|
||||||
virCapabilitiesNew;
|
virCapabilitiesNew;
|
||||||
virCapabilitiesSetHostCPU;
|
virCapabilitiesSetHostCPU;
|
||||||
|
|
||||||
|
@ -126,10 +126,13 @@ virCapsPtr virLXCDriverCapsInit(virLXCDriverPtr driver)
|
|||||||
|
|
||||||
if (driver) {
|
if (driver) {
|
||||||
/* Security driver data */
|
/* Security driver data */
|
||||||
const char *doi, *model;
|
const char *doi, *model, *label, *type;
|
||||||
|
|
||||||
doi = virSecurityManagerGetDOI(driver->securityManager);
|
doi = virSecurityManagerGetDOI(driver->securityManager);
|
||||||
model = virSecurityManagerGetModel(driver->securityManager);
|
model = virSecurityManagerGetModel(driver->securityManager);
|
||||||
|
label = virSecurityManagerGetBaseLabel(driver->securityManager,
|
||||||
|
VIR_DOMAIN_VIRT_LXC);
|
||||||
|
type = virDomainVirtTypeToString(VIR_DOMAIN_VIRT_LXC);
|
||||||
/* Allocate the primary security driver for LXC. */
|
/* Allocate the primary security driver for LXC. */
|
||||||
if (VIR_ALLOC(caps->host.secModels) < 0)
|
if (VIR_ALLOC(caps->host.secModels) < 0)
|
||||||
goto error;
|
goto error;
|
||||||
@ -138,6 +141,11 @@ virCapsPtr virLXCDriverCapsInit(virLXCDriverPtr driver)
|
|||||||
goto error;
|
goto error;
|
||||||
if (VIR_STRDUP(caps->host.secModels[0].doi, doi) < 0)
|
if (VIR_STRDUP(caps->host.secModels[0].doi, doi) < 0)
|
||||||
goto error;
|
goto error;
|
||||||
|
if (label &&
|
||||||
|
virCapabilitiesHostSecModelAddBaseLabel(&caps->host.secModels[0],
|
||||||
|
type,
|
||||||
|
label) < 0)
|
||||||
|
goto error;
|
||||||
|
|
||||||
VIR_DEBUG("Initialized caps for security driver \"%s\" with "
|
VIR_DEBUG("Initialized caps for security driver \"%s\" with "
|
||||||
"DOI \"%s\"", model, doi);
|
"DOI \"%s\"", model, doi);
|
||||||
|
@ -605,12 +605,14 @@ virQEMUDriverCreateXMLConf(virQEMUDriverPtr driver)
|
|||||||
|
|
||||||
virCapsPtr virQEMUDriverCreateCapabilities(virQEMUDriverPtr driver)
|
virCapsPtr virQEMUDriverCreateCapabilities(virQEMUDriverPtr driver)
|
||||||
{
|
{
|
||||||
size_t i;
|
size_t i, j;
|
||||||
virCapsPtr caps;
|
virCapsPtr caps;
|
||||||
virSecurityManagerPtr *sec_managers = NULL;
|
virSecurityManagerPtr *sec_managers = NULL;
|
||||||
/* Security driver data */
|
/* Security driver data */
|
||||||
const char *doi, *model;
|
const char *doi, *model, *lbl, *type;
|
||||||
virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
|
virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
|
||||||
|
const int virtTypes[] = {VIR_DOMAIN_VIRT_KVM,
|
||||||
|
VIR_DOMAIN_VIRT_QEMU,};
|
||||||
|
|
||||||
/* Basic host arch / guest machine capabilities */
|
/* Basic host arch / guest machine capabilities */
|
||||||
if (!(caps = virQEMUCapsInit(driver->qemuCapsCache)))
|
if (!(caps = virQEMUCapsInit(driver->qemuCapsCache)))
|
||||||
@ -635,11 +637,21 @@ virCapsPtr virQEMUDriverCreateCapabilities(virQEMUDriverPtr driver)
|
|||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
for (i = 0; sec_managers[i]; i++) {
|
for (i = 0; sec_managers[i]; i++) {
|
||||||
|
virCapsHostSecModelPtr sm = &caps->host.secModels[i];
|
||||||
doi = virSecurityManagerGetDOI(sec_managers[i]);
|
doi = virSecurityManagerGetDOI(sec_managers[i]);
|
||||||
model = virSecurityManagerGetModel(sec_managers[i]);
|
model = virSecurityManagerGetModel(sec_managers[i]);
|
||||||
if (VIR_STRDUP(caps->host.secModels[i].model, model) < 0 ||
|
if (VIR_STRDUP(sm->model, model) < 0 ||
|
||||||
VIR_STRDUP(caps->host.secModels[i].doi, doi) < 0)
|
VIR_STRDUP(sm->doi, doi) < 0)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
|
for (j = 0; j < ARRAY_CARDINALITY(virtTypes); j++) {
|
||||||
|
lbl = virSecurityManagerGetBaseLabel(sec_managers[i], virtTypes[j]);
|
||||||
|
type = virDomainVirtTypeToString(virtTypes[j]);
|
||||||
|
if (lbl &&
|
||||||
|
virCapabilitiesHostSecModelAddBaseLabel(sm, type, lbl) < 0)
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
VIR_DEBUG("Initialized caps for security driver \"%s\" with "
|
VIR_DEBUG("Initialized caps for security driver \"%s\" with "
|
||||||
"DOI \"%s\"", model, doi);
|
"DOI \"%s\"", model, doi);
|
||||||
}
|
}
|
||||||
|
@ -25,6 +25,8 @@
|
|||||||
<secmodel>
|
<secmodel>
|
||||||
<model>selinux</model>
|
<model>selinux</model>
|
||||||
<doi>0</doi>
|
<doi>0</doi>
|
||||||
|
<baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
|
||||||
|
<baselabel type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel>
|
||||||
</secmodel>
|
</secmodel>
|
||||||
</host>
|
</host>
|
||||||
|
|
||||||
|
@ -82,6 +82,8 @@
|
|||||||
<secmodel>
|
<secmodel>
|
||||||
<model>dac</model>
|
<model>dac</model>
|
||||||
<doi>0</doi>
|
<doi>0</doi>
|
||||||
|
<baselabel type='kvm'>107:107</baselabel>
|
||||||
|
<baselabel type='qemu'>107:107</baselabel>
|
||||||
</secmodel>
|
</secmodel>
|
||||||
</host>
|
</host>
|
||||||
|
|
||||||
|