Pull code which finds a free MCS label out into its own method
The code for picking a MCS label is about to get significantly more complicated, so it deserves to be in a standalone method, instead of a switch/case body. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
parent
b77e9814e4
commit
b6e66cb6dd
@ -98,6 +98,48 @@ virSecuritySELinuxMCSRemove(virSecurityManagerPtr mgr,
|
|||||||
virHashRemoveEntry(data->mcs, mcs);
|
virHashRemoveEntry(data->mcs, mcs);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static char *
|
||||||
|
virSecuritySELinuxMCSFind(virSecurityManagerPtr mgr)
|
||||||
|
{
|
||||||
|
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
||||||
|
int c1 = 0;
|
||||||
|
int c2 = 0;
|
||||||
|
char *mcs = NULL;
|
||||||
|
|
||||||
|
for (;;) {
|
||||||
|
c1 = virRandomBits(10);
|
||||||
|
c2 = virRandomBits(10);
|
||||||
|
|
||||||
|
if (c1 == c2) {
|
||||||
|
if (virAsprintf(&mcs, "s0:c%d", c1) < 0) {
|
||||||
|
virReportOOMError();
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if (c1 > c2) {
|
||||||
|
int t = c1;
|
||||||
|
c1 = c2;
|
||||||
|
c2 = t;
|
||||||
|
}
|
||||||
|
if (virAsprintf(&mcs, "s0:c%d,c%d", c1, c2) < 0) {
|
||||||
|
virReportOOMError();
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (virHashLookup(data->mcs, mcs) == NULL)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
VIR_FREE(mcs);
|
||||||
|
}
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
VIR_DEBUG("Found context '%s'", NULLSTR(mcs));
|
||||||
|
return mcs;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static char *
|
static char *
|
||||||
virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
|
virSecuritySELinuxGenNewContext(const char *basecontext, const char *mcs)
|
||||||
{
|
{
|
||||||
@ -316,8 +358,6 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
|
|||||||
int rc = -1;
|
int rc = -1;
|
||||||
char *mcs = NULL;
|
char *mcs = NULL;
|
||||||
char *scontext = NULL;
|
char *scontext = NULL;
|
||||||
int c1 = 0;
|
|
||||||
int c2 = 0;
|
|
||||||
context_t ctx = NULL;
|
context_t ctx = NULL;
|
||||||
const char *range;
|
const char *range;
|
||||||
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
||||||
@ -372,32 +412,11 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case VIR_DOMAIN_SECLABEL_DYNAMIC:
|
case VIR_DOMAIN_SECLABEL_DYNAMIC:
|
||||||
for (;;) {
|
if (!(mcs = virSecuritySELinuxMCSFind(mgr)))
|
||||||
int rv;
|
goto cleanup;
|
||||||
c1 = virRandomBits(10);
|
|
||||||
c2 = virRandomBits(10);
|
|
||||||
|
|
||||||
if ( c1 == c2 ) {
|
if (virSecuritySELinuxMCSAdd(mgr, mcs) < 0)
|
||||||
if (virAsprintf(&mcs, "s0:c%d", c1) < 0) {
|
|
||||||
virReportOOMError();
|
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if (c1 > c2) {
|
|
||||||
c1 ^= c2;
|
|
||||||
c2 ^= c1;
|
|
||||||
c1 ^= c2;
|
|
||||||
}
|
|
||||||
if (virAsprintf(&mcs, "s0:c%d,c%d", c1, c2) < 0) {
|
|
||||||
virReportOOMError();
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if ((rv = virSecuritySELinuxMCSAdd(mgr, mcs)) < 0)
|
|
||||||
goto cleanup;
|
|
||||||
if (rv == 0)
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!(def->seclabel.label =
|
if (!(def->seclabel.label =
|
||||||
virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
|
virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
|
||||||
|
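Review bot: The new `if (virSecuritySELinuxMCSAdd(mgr, mcs) < 0)` in the VIR_DOMAIN_SECLABEL_DYNAMIC case only rejects a negative return, whereas the removed loop treated any non-zero `rv` as "label already taken, pick another" (`if (rv == 0) break;`). If virSecuritySELinuxMCSAdd can still return a positive value for a label that is already registered, the new code would proceed with a duplicate MCS label, which is what the per-domain category pair exists to prevent; this is only reachable if `data->mcs` can change between the virHashLookup inside virSecuritySELinuxMCSFind and the add, which the hunk does not show either way. Either tighten the check to `if (virSecuritySELinuxMCSAdd(mgr, mcs) != 0)` or add a comment at the call stating that the lookup and the add are performed under the same lock. virSecuritySELinuxMCSFind itself also deserves a header comment stating that the returned string is caller-owned and released with VIR_FREE, that NULL is returned only after virReportOOMError has been raised, and that the `for (;;)` does not terminate if every label in the 10-bit category space is already in `data->mcs`. The enclosing function virSecuritySELinuxGenSecurityLabel starts and ends outside the hunk.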