mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-22 04:25:18 +00:00
seclabel: make code and RNG match
Commit b170eb99 introduced a bug: domains that had an explicit <seclabel type='none'/> when started would not be reparsed if libvirtd restarted. It turns out that our testsuite was not exercising this because it never tried anything but inactive parsing. Additionally, the live XML for such a domain failed to re-validate. Applying just the tests/ portion of this patch will expose the bugs that are fixed by the other two files. * docs/schemas/domaincommon.rng (seclabel): Allow relabel under type='none'. * src/conf/domain_conf.c (virSecurityLabelDefParseXML): Per RNG, presence of <seclabel> with no type implies dynamic. Don't require sub-elements for type='none'. * tests/qemuxml2xmltest.c (mymain): Add test. * tests/qemuxml2argvtest.c (mymain): Likewise. * tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.xml: Add file. * tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.args: Add file. Reported by Ansis Atteka.
This commit is contained in:
parent
13545647ba
commit
c052d8a89f
@ -130,9 +130,15 @@
|
||||
</interleave>
|
||||
</group>
|
||||
<group>
|
||||
<!-- with none, relabel must be no if present -->
|
||||
<attribute name='type'>
|
||||
<value>none</value>
|
||||
</attribute>
|
||||
<optional>
|
||||
<attribute name='relabel'>
|
||||
<value>no</value>
|
||||
</attribute>
|
||||
</optional>
|
||||
</group>
|
||||
</choice>
|
||||
</element>
|
||||
|
@ -2583,11 +2583,8 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
||||
p = virXPathStringLimit("string(./seclabel/@type)",
|
||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||
if (p == NULL) {
|
||||
virDomainReportError(VIR_ERR_XML_ERROR,
|
||||
"%s", _("missing security type"));
|
||||
goto error;
|
||||
}
|
||||
|
||||
def->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
||||
} else {
|
||||
def->type = virDomainSeclabelTypeFromString(p);
|
||||
VIR_FREE(p);
|
||||
if (def->type <= 0) {
|
||||
@ -2595,6 +2592,7 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
||||
"%s", _("invalid security type"));
|
||||
goto error;
|
||||
}
|
||||
}
|
||||
|
||||
p = virXPathStringLimit("string(./seclabel/@relabel)",
|
||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||
@ -2634,7 +2632,8 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
||||
* if the 'live' VM XML is requested
|
||||
*/
|
||||
if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
|
||||
!(flags & VIR_DOMAIN_XML_INACTIVE)) {
|
||||
(!(flags & VIR_DOMAIN_XML_INACTIVE) &&
|
||||
def->type != VIR_DOMAIN_SECLABEL_NONE)) {
|
||||
p = virXPathStringLimit("string(./seclabel/label[1])",
|
||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||
if (p == NULL) {
|
||||
@ -2648,7 +2647,8 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
||||
|
||||
/* Only parse imagelabel, if requested live XML with relabeling */
|
||||
if (!def->norelabel &&
|
||||
!(flags & VIR_DOMAIN_XML_INACTIVE)) {
|
||||
(!(flags & VIR_DOMAIN_XML_INACTIVE) &&
|
||||
def->type != VIR_DOMAIN_SECLABEL_NONE)) {
|
||||
p = virXPathStringLimit("string(./seclabel/imagelabel[1])",
|
||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||
if (p == NULL) {
|
||||
@ -2659,16 +2659,11 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
||||
def->imagelabel = p;
|
||||
}
|
||||
|
||||
/* Only parse baselabel, for dynamic or none label types */
|
||||
if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC ||
|
||||
def->type == VIR_DOMAIN_SECLABEL_NONE) {
|
||||
/* Only parse baselabel for dynamic label type */
|
||||
if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
||||
p = virXPathStringLimit("string(./seclabel/baselabel[1])",
|
||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||
if (p != NULL) {
|
||||
def->baselabel = p;
|
||||
/* Forces none type to dynamic for back compat */
|
||||
def->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
||||
}
|
||||
}
|
||||
|
||||
/* Only parse model, if static labelling, or a base
|
||||
@ -2676,7 +2671,8 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
||||
*/
|
||||
if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
|
||||
def->baselabel ||
|
||||
!(flags & VIR_DOMAIN_XML_INACTIVE)) {
|
||||
(!(flags & VIR_DOMAIN_XML_INACTIVE) &&
|
||||
def->type != VIR_DOMAIN_SECLABEL_NONE)) {
|
||||
p = virXPathStringLimit("string(./seclabel/@model)",
|
||||
VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
|
||||
if (p == NULL) {
|
||||
|
4
tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.args
Normal file
4
tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.args
Normal file
@ -0,0 +1,4 @@
|
||||
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test /usr/bin/qemu -S -M \
|
||||
pc -m 214 -smp 1 -name QEMUGuest1 -nographic -monitor unix:/tmp/test-monitor,\
|
||||
server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -net none -serial \
|
||||
none -parallel none -usb
|
26
tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.xml
Normal file
26
tests/qemuxml2argvdata/qemuxml2argv-seclabel-none.xml
Normal file
@ -0,0 +1,26 @@
|
||||
<domain type='qemu'>
|
||||
<name>QEMUGuest1</name>
|
||||
<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
|
||||
<memory>219100</memory>
|
||||
<currentMemory>219100</currentMemory>
|
||||
<vcpu cpuset='1-4,8-20,525'>1</vcpu>
|
||||
<os>
|
||||
<type arch='i686' machine='pc'>hvm</type>
|
||||
<boot dev='hd'/>
|
||||
</os>
|
||||
<clock offset='utc'/>
|
||||
<on_poweroff>destroy</on_poweroff>
|
||||
<on_reboot>restart</on_reboot>
|
||||
<on_crash>destroy</on_crash>
|
||||
<devices>
|
||||
<emulator>/usr/bin/qemu</emulator>
|
||||
<disk type='block' device='disk'>
|
||||
<source dev='/dev/HostVG/QEMUGuest1'/>
|
||||
<target dev='hda' bus='ide'/>
|
||||
<address type='drive' controller='0' bus='0' unit='0'/>
|
||||
</disk>
|
||||
<controller type='ide' index='0'/>
|
||||
<memballoon model='virtio'/>
|
||||
</devices>
|
||||
<seclabel type='none' relabel='no'/>
|
||||
</domain>
|
@ -728,6 +728,7 @@ mymain(void)
|
||||
DO_TEST("seclabel-dynamic-override", false, QEMU_CAPS_NAME);
|
||||
DO_TEST("seclabel-static", false, QEMU_CAPS_NAME);
|
||||
DO_TEST("seclabel-static-relabel", false, QEMU_CAPS_NAME);
|
||||
DO_TEST("seclabel-none", false, QEMU_CAPS_NAME);
|
||||
|
||||
DO_TEST("pseries-basic", false,
|
||||
QEMU_CAPS_CHARDEV, QEMU_CAPS_DEVICE, QEMU_CAPS_NODEFCONFIG);
|
||||
|
@ -19,7 +19,7 @@
|
||||
static struct qemud_driver driver;
|
||||
|
||||
static int
|
||||
testCompareXMLToXMLFiles(const char *inxml, const char *outxml)
|
||||
testCompareXMLToXMLFiles(const char *inxml, const char *outxml, bool live)
|
||||
{
|
||||
char *inXmlData = NULL;
|
||||
char *outXmlData = NULL;
|
||||
@ -34,7 +34,7 @@ testCompareXMLToXMLFiles(const char *inxml, const char *outxml)
|
||||
|
||||
if (!(def = virDomainDefParseString(driver.caps, inXmlData,
|
||||
QEMU_EXPECTED_VIRT_TYPES,
|
||||
VIR_DOMAIN_XML_INACTIVE)))
|
||||
live ? 0 : VIR_DOMAIN_XML_INACTIVE)))
|
||||
goto fail;
|
||||
|
||||
if (!(actual = virDomainDefFormat(def, VIR_DOMAIN_XML_SECURE)))
|
||||
@ -58,6 +58,7 @@ testCompareXMLToXMLFiles(const char *inxml, const char *outxml)
|
||||
struct testInfo {
|
||||
const char *name;
|
||||
int different;
|
||||
bool inactive_only;
|
||||
};
|
||||
|
||||
static int
|
||||
@ -75,9 +76,16 @@ testCompareXMLToXMLHelper(const void *data)
|
||||
goto cleanup;
|
||||
|
||||
if (info->different) {
|
||||
ret = testCompareXMLToXMLFiles(xml_in, xml_out);
|
||||
ret = testCompareXMLToXMLFiles(xml_in, xml_out, false);
|
||||
} else {
|
||||
ret = testCompareXMLToXMLFiles(xml_in, xml_in);
|
||||
ret = testCompareXMLToXMLFiles(xml_in, xml_in, false);
|
||||
}
|
||||
if (!info->inactive_only) {
|
||||
if (info->different) {
|
||||
ret = testCompareXMLToXMLFiles(xml_in, xml_out, true);
|
||||
} else {
|
||||
ret = testCompareXMLToXMLFiles(xml_in, xml_in, true);
|
||||
}
|
||||
}
|
||||
|
||||
cleanup:
|
||||
@ -95,19 +103,19 @@ mymain(void)
|
||||
if ((driver.caps = testQemuCapsInit()) == NULL)
|
||||
return (EXIT_FAILURE);
|
||||
|
||||
# define DO_TEST_FULL(name, is_different) \
|
||||
# define DO_TEST_FULL(name, is_different, inactive) \
|
||||
do { \
|
||||
const struct testInfo info = {name, is_different}; \
|
||||
const struct testInfo info = {name, is_different, inactive}; \
|
||||
if (virtTestRun("QEMU XML-2-XML " name, \
|
||||
1, testCompareXMLToXMLHelper, &info) < 0) \
|
||||
ret = -1; \
|
||||
} while (0)
|
||||
|
||||
# define DO_TEST(name) \
|
||||
DO_TEST_FULL(name, 0)
|
||||
DO_TEST_FULL(name, 0, false)
|
||||
|
||||
# define DO_TEST_DIFFERENT(name) \
|
||||
DO_TEST_FULL(name, 1)
|
||||
DO_TEST_FULL(name, 1, false)
|
||||
|
||||
/* Unset or set all envvars here that are copied in qemudBuildCommandLine
|
||||
* using ADD_ENV_COPY, otherwise these tests may fail due to unexpected
|
||||
@ -200,9 +208,10 @@ mymain(void)
|
||||
DO_TEST("usb-redir");
|
||||
DO_TEST("blkdeviotune");
|
||||
|
||||
DO_TEST("seclabel-dynamic-baselabel");
|
||||
DO_TEST("seclabel-dynamic-override");
|
||||
DO_TEST_FULL("seclabel-dynamic-baselabel", false, true);
|
||||
DO_TEST_FULL("seclabel-dynamic-override", false, true);
|
||||
DO_TEST("seclabel-static");
|
||||
DO_TEST("seclabel-none");
|
||||
|
||||
/* These tests generate different XML */
|
||||
DO_TEST_DIFFERENT("balloon-device-auto");
|
||||
|
Loading…
x
Reference in New Issue
Block a user