External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

Remove use of virConnectPtr from security driver APIs

Browse Source 
The virConnectPtr is no longer required for error reporting since
that is recorded in a thread local. Remove use of virConnectPtr
from all APIs in security_driver.{h,c} and update all callers to
match
This commit is contained in:
Daniel P. Berrange 2010-02-09 19:18:21 +00:00
parent 65842bf669
commit d6126f764f
7 changed files with 189 additions and 256 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
src/qemu/qemu_driver.c
View File

@ -118,8 +118,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
const char *migrateFrom, const char *migrateFrom,
int stdin_fd); int stdin_fd);
static void qemudShutdownVMDaemon(virConnectPtr conn, static void qemudShutdownVMDaemon(struct qemud_driver *driver,
struct qemud_driver *driver,
virDomainObjPtr vm); virDomainObjPtr vm);
static int qemudDomainGetMaxVcpus(virDomainPtr dom); static int qemudDomainGetMaxVcpus(virDomainPtr dom);
@ -681,7 +680,7 @@ qemuHandleMonitorEOF(qemuMonitorPtr mon ATTRIBUTE_UNUSED,
VIR_DOMAIN_EVENT_STOPPED_FAILED : VIR_DOMAIN_EVENT_STOPPED_FAILED :
VIR_DOMAIN_EVENT_STOPPED_SHUTDOWN); VIR_DOMAIN_EVENT_STOPPED_SHUTDOWN);
qemudShutdownVMDaemon(NULL, driver, vm); qemudShutdownVMDaemon(driver, vm);
if (!vm->persistent) if (!vm->persistent)
virDomainRemoveInactive(&driver->domains, vm); virDomainRemoveInactive(&driver->domains, vm);
else else
@ -865,7 +864,7 @@ qemuReconnectDomain(void *payload, const char *name ATTRIBUTE_UNUSED, void *opaq
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainReserveSecurityLabel && driver->securityDriver->domainReserveSecurityLabel &&
driver->securityDriver->domainReserveSecurityLabel(NULL, obj) < 0) driver->securityDriver->domainReserveSecurityLabel(obj) < 0)
goto error; goto error;
if (obj->def->id >= driver->nextvmid) if (obj->def->id >= driver->nextvmid)
@ -878,7 +877,7 @@ error:
/* We can't get the monitor back, so must kill the VM /* We can't get the monitor back, so must kill the VM
* to remove danger of it ending up running twice if * to remove danger of it ending up running twice if
* user tries to start it again later */ * user tries to start it again later */
qemudShutdownVMDaemon(NULL, driver, obj); qemudShutdownVMDaemon(driver, obj);
if (!obj->persistent) if (!obj->persistent)
virDomainRemoveInactive(&driver->domains, obj); virDomainRemoveInactive(&driver->domains, obj);
else else
@ -2468,7 +2467,7 @@ static int qemudSecurityHook(void *data) {
if (h->driver->securityDriver && if (h->driver->securityDriver &&
h->driver->securityDriver->domainSetSecurityProcessLabel && h->driver->securityDriver->domainSetSecurityProcessLabel &&
h->driver->securityDriver->domainSetSecurityProcessLabel(h->conn, h->driver->securityDriver, h->vm) < 0) h->driver->securityDriver->domainSetSecurityProcessLabel(h->driver->securityDriver, h->vm) < 0)
return -1; return -1;
return 0; return 0;
@ -2536,12 +2535,12 @@ static int qemudStartVMDaemon(virConnectPtr conn,
then generate a security label for isolation */ then generate a security label for isolation */
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainGenSecurityLabel && driver->securityDriver->domainGenSecurityLabel &&
driver->securityDriver->domainGenSecurityLabel(conn, vm) < 0) driver->securityDriver->domainGenSecurityLabel(vm) < 0)
return -1; return -1;
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityAllLabel && driver->securityDriver->domainSetSecurityAllLabel &&
driver->securityDriver->domainSetSecurityAllLabel(conn, vm) < 0) driver->securityDriver->domainSetSecurityAllLabel(vm) < 0)
goto cleanup; goto cleanup;
/* Ensure no historical cgroup for this VM is lieing around bogus settings */ /* Ensure no historical cgroup for this VM is lieing around bogus settings */
@ -2767,10 +2766,10 @@ cleanup:
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainRestoreSecurityAllLabel) driver->securityDriver->domainRestoreSecurityAllLabel)
driver->securityDriver->domainRestoreSecurityAllLabel(conn, vm); driver->securityDriver->domainRestoreSecurityAllLabel(vm);
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainReleaseSecurityLabel) driver->securityDriver->domainReleaseSecurityLabel)
driver->securityDriver->domainReleaseSecurityLabel(conn, vm); driver->securityDriver->domainReleaseSecurityLabel(vm);
qemuRemoveCgroup(driver, vm, 0); qemuRemoveCgroup(driver, vm, 0);
if ((vm->def->ngraphics == 1) && if ((vm->def->ngraphics == 1) &&
vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC && vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
@ -2784,7 +2783,7 @@ cleanup:
abort: abort:
/* We jump here if we failed to initialize the now running VM /* We jump here if we failed to initialize the now running VM
* killing it off and pretend we never started it */ * killing it off and pretend we never started it */
qemudShutdownVMDaemon(conn, driver, vm); qemudShutdownVMDaemon(driver, vm);
if (logfile != -1) if (logfile != -1)
close(logfile); close(logfile);
@ -2793,8 +2792,7 @@ abort:
} }
static void qemudShutdownVMDaemon(virConnectPtr conn, static void qemudShutdownVMDaemon(struct qemud_driver *driver,
struct qemud_driver *driver,
virDomainObjPtr vm) { virDomainObjPtr vm) {
int ret; int ret;
int retries = 0; int retries = 0;
@ -2851,10 +2849,10 @@ static void qemudShutdownVMDaemon(virConnectPtr conn,
/* Reset Security Labels */ /* Reset Security Labels */
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainRestoreSecurityAllLabel) driver->securityDriver->domainRestoreSecurityAllLabel)
driver->securityDriver->domainRestoreSecurityAllLabel(conn, vm); driver->securityDriver->domainRestoreSecurityAllLabel(vm);
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainReleaseSecurityLabel) driver->securityDriver->domainReleaseSecurityLabel)
driver->securityDriver->domainReleaseSecurityLabel(conn, vm); driver->securityDriver->domainReleaseSecurityLabel(vm);
/* Clear out dynamically assigned labels */ /* Clear out dynamically assigned labels */
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) { if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
@ -3306,7 +3304,7 @@ static virDomainPtr qemudDomainCreate(virConnectPtr conn, const char *xml,
VIR_DOMAIN_XML_INACTIVE))) VIR_DOMAIN_XML_INACTIVE)))
goto cleanup; goto cleanup;
if (virSecurityDriverVerify(conn, def) < 0) if (virSecurityDriverVerify(def) < 0)
goto cleanup; goto cleanup;
if (virDomainObjIsDuplicate(&driver->domains, def, 1) < 0) if (virDomainObjIsDuplicate(&driver->domains, def, 1) < 0)
@ -3535,7 +3533,7 @@ static int qemudDomainDestroy(virDomainPtr dom) {
goto endjob; goto endjob;
} }
qemudShutdownVMDaemon(dom->conn, driver, vm); qemudShutdownVMDaemon(driver, vm);
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED,
VIR_DOMAIN_EVENT_STOPPED_DESTROYED); VIR_DOMAIN_EVENT_STOPPED_DESTROYED);
@ -3911,7 +3909,7 @@ static int qemudDomainSave(virDomainPtr dom,
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainSetSavedStateLabel && driver->securityDriver->domainSetSavedStateLabel &&
driver->securityDriver->domainSetSavedStateLabel(dom->conn, vm, path) == -1) driver->securityDriver->domainSetSavedStateLabel(vm, path) == -1)
goto endjob; goto endjob;
if (header.compressed == QEMUD_SAVE_FORMAT_RAW) { if (header.compressed == QEMUD_SAVE_FORMAT_RAW) {
@ -3938,13 +3936,13 @@ static int qemudDomainSave(virDomainPtr dom,
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainRestoreSavedStateLabel && driver->securityDriver->domainRestoreSavedStateLabel &&
driver->securityDriver->domainRestoreSavedStateLabel(dom->conn, vm, path) == -1) driver->securityDriver->domainRestoreSavedStateLabel(vm, path) == -1)
goto endjob; goto endjob;
ret = 0; ret = 0;
/* Shut it down */ /* Shut it down */
qemudShutdownVMDaemon(dom->conn, driver, vm); qemudShutdownVMDaemon(driver, vm);
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED,
VIR_DOMAIN_EVENT_STOPPED_SAVED); VIR_DOMAIN_EVENT_STOPPED_SAVED);
@ -4025,7 +4023,7 @@ static int qemudDomainCoreDump(virDomainPtr dom,
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainSetSavedStateLabel && driver->securityDriver->domainSetSavedStateLabel &&
driver->securityDriver->domainSetSavedStateLabel(dom->conn, vm, path) == -1) driver->securityDriver->domainSetSavedStateLabel(vm, path) == -1)
goto endjob; goto endjob;
/* Migrate will always stop the VM, so the resume condition is /* Migrate will always stop the VM, so the resume condition is
@ -4052,12 +4050,12 @@ static int qemudDomainCoreDump(virDomainPtr dom,
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainRestoreSavedStateLabel && driver->securityDriver->domainRestoreSavedStateLabel &&
driver->securityDriver->domainRestoreSavedStateLabel(dom->conn, vm, path) == -1) driver->securityDriver->domainRestoreSavedStateLabel(vm, path) == -1)
goto endjob; goto endjob;
endjob: endjob:
if ((ret == 0) && (flags & VIR_DUMP_CRASH)) { if ((ret == 0) && (flags & VIR_DUMP_CRASH)) {
qemudShutdownVMDaemon(dom->conn, driver, vm); qemudShutdownVMDaemon(driver, vm);
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED,
VIR_DOMAIN_EVENT_STOPPED_CRASHED); VIR_DOMAIN_EVENT_STOPPED_CRASHED);
@ -4388,7 +4386,7 @@ static int qemudDomainGetSecurityLabel(virDomainPtr dom, virSecurityLabelPtr sec
*/ */
if (virDomainObjIsActive(vm)) { if (virDomainObjIsActive(vm)) {
if (driver->securityDriver && driver->securityDriver->domainGetSecurityProcessLabel) { if (driver->securityDriver && driver->securityDriver->domainGetSecurityProcessLabel) {
if (driver->securityDriver->domainGetSecurityProcessLabel(dom->conn, vm, seclabel) == -1) { if (driver->securityDriver->domainGetSecurityProcessLabel(vm, seclabel) == -1) {
qemuReportError(VIR_ERR_INTERNAL_ERROR, qemuReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("Failed to get security label")); "%s", _("Failed to get security label"));
goto cleanup; goto cleanup;
@ -5000,7 +4998,7 @@ static virDomainPtr qemudDomainDefine(virConnectPtr conn, const char *xml) {
VIR_DOMAIN_XML_INACTIVE))) VIR_DOMAIN_XML_INACTIVE)))
goto cleanup; goto cleanup;
if (virSecurityDriverVerify(conn, def) < 0) if (virSecurityDriverVerify(def) < 0)
goto cleanup; goto cleanup;
if ((dupVM = virDomainObjIsDuplicate(&driver->domains, def, 0)) < 0) if ((dupVM = virDomainObjIsDuplicate(&driver->domains, def, 0)) < 0)
@ -5095,8 +5093,7 @@ cleanup:
} }
static int qemudDomainChangeEjectableMedia(virConnectPtr conn, static int qemudDomainChangeEjectableMedia(struct qemud_driver *driver,
struct qemud_driver *driver,
virDomainObjPtr vm, virDomainObjPtr vm,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
@ -5137,7 +5134,7 @@ static int qemudDomainChangeEjectableMedia(virConnectPtr conn,
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityImageLabel && driver->securityDriver->domainSetSecurityImageLabel &&
driver->securityDriver->domainSetSecurityImageLabel(conn, vm, disk) < 0) driver->securityDriver->domainSetSecurityImageLabel(vm, disk) < 0)
return -1; return -1;
qemuDomainObjPrivatePtr priv = vm->privateData; qemuDomainObjPrivatePtr priv = vm->privateData;
@ -5163,7 +5160,7 @@ static int qemudDomainChangeEjectableMedia(virConnectPtr conn,
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainRestoreSecurityImageLabel && driver->securityDriver->domainRestoreSecurityImageLabel &&
driver->securityDriver->domainRestoreSecurityImageLabel(conn, vm, origdisk) < 0) driver->securityDriver->domainRestoreSecurityImageLabel(vm, origdisk) < 0)
VIR_WARN("Unable to restore security label on ejected image %s", origdisk->src); VIR_WARN("Unable to restore security label on ejected image %s", origdisk->src);
VIR_FREE(origdisk->src); VIR_FREE(origdisk->src);
@ -5178,7 +5175,7 @@ static int qemudDomainChangeEjectableMedia(virConnectPtr conn,
error: error:
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainRestoreSecurityImageLabel && driver->securityDriver->domainRestoreSecurityImageLabel &&
driver->securityDriver->domainRestoreSecurityImageLabel(conn, vm, disk) < 0) driver->securityDriver->domainRestoreSecurityImageLabel(vm, disk) < 0)
VIR_WARN("Unable to restore security label on new media %s", disk->src); VIR_WARN("Unable to restore security label on new media %s", disk->src);
return -1; return -1;
} }
@ -5205,7 +5202,7 @@ static int qemudDomainAttachPciDiskDevice(struct qemud_driver *driver,
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityImageLabel && driver->securityDriver->domainSetSecurityImageLabel &&
driver->securityDriver->domainSetSecurityImageLabel(NULL, vm, disk) < 0) driver->securityDriver->domainSetSecurityImageLabel(vm, disk) < 0)
return -1; return -1;
if (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) { if (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) {
@ -5266,7 +5263,7 @@ error:
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainRestoreSecurityImageLabel && driver->securityDriver->domainRestoreSecurityImageLabel &&
driver->securityDriver->domainRestoreSecurityImageLabel(NULL, vm, disk) < 0) driver->securityDriver->domainRestoreSecurityImageLabel(vm, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src); VIR_WARN("Unable to restore security label on %s", disk->src);
return -1; return -1;
@ -5398,7 +5395,7 @@ static int qemudDomainAttachSCSIDisk(struct qemud_driver *driver,
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityImageLabel && driver->securityDriver->domainSetSecurityImageLabel &&
driver->securityDriver->domainSetSecurityImageLabel(NULL, vm, disk) < 0) driver->securityDriver->domainSetSecurityImageLabel(vm, disk) < 0)
return -1; return -1;
/* We should have an address already, so make sure */ /* We should have an address already, so make sure */
@ -5475,7 +5472,7 @@ error:
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainRestoreSecurityImageLabel && driver->securityDriver->domainRestoreSecurityImageLabel &&
driver->securityDriver->domainRestoreSecurityImageLabel(NULL, vm, disk) < 0) driver->securityDriver->domainRestoreSecurityImageLabel(vm, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src); VIR_WARN("Unable to restore security label on %s", disk->src);
return -1; return -1;
@ -5502,7 +5499,7 @@ static int qemudDomainAttachUsbMassstorageDevice(struct qemud_driver *driver,
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityImageLabel && driver->securityDriver->domainSetSecurityImageLabel &&
driver->securityDriver->domainSetSecurityImageLabel(NULL, vm, disk) < 0) driver->securityDriver->domainSetSecurityImageLabel(vm, disk) < 0)
return -1; return -1;
if (!disk->src) { if (!disk->src) {
@ -5554,7 +5551,7 @@ error:
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainRestoreSecurityImageLabel && driver->securityDriver->domainRestoreSecurityImageLabel &&
driver->securityDriver->domainRestoreSecurityImageLabel(NULL, vm, disk) < 0) driver->securityDriver->domainRestoreSecurityImageLabel(vm, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src); VIR_WARN("Unable to restore security label on %s", disk->src);
return -1; return -1;
@ -5825,8 +5822,7 @@ error:
} }
static int qemudDomainAttachHostDevice(virConnectPtr conn, static int qemudDomainAttachHostDevice(struct qemud_driver *driver,
struct qemud_driver *driver,
virDomainObjPtr vm, virDomainObjPtr vm,
virDomainHostdevDefPtr hostdev, virDomainHostdevDefPtr hostdev,
int qemuCmdFlags) int qemuCmdFlags)
@ -5840,7 +5836,7 @@ static int qemudDomainAttachHostDevice(virConnectPtr conn,
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel && driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(conn, vm, hostdev) < 0) driver->securityDriver->domainSetSecurityHostdevLabel(vm, hostdev) < 0)
return -1; return -1;
switch (hostdev->source.subsys.type) { switch (hostdev->source.subsys.type) {
@ -5868,7 +5864,7 @@ static int qemudDomainAttachHostDevice(virConnectPtr conn,
error: error:
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainRestoreSecurityHostdevLabel && driver->securityDriver->domainRestoreSecurityHostdevLabel &&
driver->securityDriver->domainRestoreSecurityHostdevLabel(conn, vm, hostdev) < 0) driver->securityDriver->domainRestoreSecurityHostdevLabel(vm, hostdev) < 0)
VIR_WARN0("Unable to restore host device labelling on hotplug fail"); VIR_WARN0("Unable to restore host device labelling on hotplug fail");
return -1; return -1;
@ -5936,7 +5932,7 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
switch (dev->data.disk->device) { switch (dev->data.disk->device) {
case VIR_DOMAIN_DISK_DEVICE_CDROM: case VIR_DOMAIN_DISK_DEVICE_CDROM:
case VIR_DOMAIN_DISK_DEVICE_FLOPPY: case VIR_DOMAIN_DISK_DEVICE_FLOPPY:
ret = qemudDomainChangeEjectableMedia(dom->conn, driver, vm, dev->data.disk); ret = qemudDomainChangeEjectableMedia(driver, vm, dev->data.disk);
if (ret == 0) if (ret == 0)
dev->data.disk = NULL; dev->data.disk = NULL;
break; break;
@ -5991,7 +5987,7 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
if (ret == 0) if (ret == 0)
dev->data.net = NULL; dev->data.net = NULL;
} else if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV) { } else if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV) {
ret = qemudDomainAttachHostDevice(dom->conn, driver, vm, ret = qemudDomainAttachHostDevice(driver, vm,
dev->data.hostdev, qemuCmdFlags); dev->data.hostdev, qemuCmdFlags);
if (ret == 0) if (ret == 0)
dev->data.hostdev = NULL; dev->data.hostdev = NULL;
@ -6085,7 +6081,7 @@ static int qemudDomainDetachPciDiskDevice(struct qemud_driver *driver,
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainRestoreSecurityImageLabel && driver->securityDriver->domainRestoreSecurityImageLabel &&
driver->securityDriver->domainRestoreSecurityImageLabel(NULL, vm, dev->data.disk) < 0) driver->securityDriver->domainRestoreSecurityImageLabel(vm, dev->data.disk) < 0)
VIR_WARN("Unable to restore security label on %s", dev->data.disk->src); VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
ret = 0; ret = 0;
@ -6357,7 +6353,7 @@ static int qemudDomainDetachHostDevice(struct qemud_driver *driver,
if (driver->securityDriver && if (driver->securityDriver &&
driver->securityDriver->domainRestoreSecurityHostdevLabel && driver->securityDriver->domainRestoreSecurityHostdevLabel &&
driver->securityDriver->domainRestoreSecurityHostdevLabel(NULL, vm, dev->data.hostdev) < 0) driver->securityDriver->domainRestoreSecurityHostdevLabel(vm, dev->data.hostdev) < 0)
VIR_WARN0("Failed to restore host device labelling"); VIR_WARN0("Failed to restore host device labelling");
return ret; return ret;
@ -7506,7 +7502,7 @@ qemudDomainMigratePrepareTunnel(virConnectPtr dconn,
qemust = qemuStreamMigOpen(st, unixfile); qemust = qemuStreamMigOpen(st, unixfile);
if (qemust == NULL) { if (qemust == NULL) {
qemudShutdownVMDaemon(NULL, driver, vm); qemudShutdownVMDaemon(driver, vm);
if (!vm->persistent) { if (!vm->persistent) {
if (qemuDomainObjEndJob(vm) > 0) if (qemuDomainObjEndJob(vm) > 0)
virDomainRemoveInactive(&driver->domains, vm); virDomainRemoveInactive(&driver->domains, vm);
@ -8193,7 +8189,7 @@ qemudDomainMigratePerform (virDomainPtr dom,
} }
/* Clean up the source domain. */ /* Clean up the source domain. */
qemudShutdownVMDaemon (dom->conn, driver, vm); qemudShutdownVMDaemon(driver, vm);
paused = 0; paused = 0;
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
@ -8336,7 +8332,7 @@ qemudDomainMigrateFinish2 (virConnectPtr dconn,
} }
virDomainSaveStatus(driver->caps, driver->stateDir, vm); virDomainSaveStatus(driver->caps, driver->stateDir, vm);
} else { } else {
qemudShutdownVMDaemon (dconn, driver, vm); qemudShutdownVMDaemon(driver, vm);
event = virDomainEventNewFromObj(vm, event = virDomainEventNewFromObj(vm,
VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED,
VIR_DOMAIN_EVENT_STOPPED_FAILED); VIR_DOMAIN_EVENT_STOPPED_FAILED);

43
src/qemu/qemu_security_dac.c
View File

@ -105,8 +105,7 @@ err:
static int static int
qemuSecurityDACSetSecurityImageLabel(virConnectPtr conn ATTRIBUTE_UNUSED, qemuSecurityDACSetSecurityImageLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
@ -149,8 +148,7 @@ qemuSecurityDACSetSecurityImageLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
static int static int
qemuSecurityDACRestoreSecurityImageLabel(virConnectPtr conn ATTRIBUTE_UNUSED, qemuSecurityDACRestoreSecurityImageLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
if (!driver->privileged || !driver->dynamicOwnership) if (!driver->privileged || !driver->dynamicOwnership)
@ -195,8 +193,7 @@ qemuSecurityDACSetSecurityUSBLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
static int static int
qemuSecurityDACSetSecurityHostdevLabel(virConnectPtr conn, qemuSecurityDACSetSecurityHostdevLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
@ -218,7 +215,7 @@ qemuSecurityDACSetSecurityHostdevLabel(virConnectPtr conn,
if (!usb) if (!usb)
goto done; goto done;
ret = usbDeviceFileIterate(conn, usb, qemuSecurityDACSetSecurityUSBLabel, vm); ret = usbDeviceFileIterate(NULL, usb, qemuSecurityDACSetSecurityUSBLabel, vm);
usbFreeDevice(usb); usbFreeDevice(usb);
break; break;
} }
@ -232,7 +229,7 @@ qemuSecurityDACSetSecurityHostdevLabel(virConnectPtr conn,
if (!pci) if (!pci)
goto done; goto done;
ret = pciDeviceFileIterate(conn, pci, qemuSecurityDACSetSecurityPCILabel, vm); ret = pciDeviceFileIterate(NULL, pci, qemuSecurityDACSetSecurityPCILabel, vm);
pciFreeDevice(pci); pciFreeDevice(pci);
break; break;
@ -269,8 +266,7 @@ qemuSecurityDACRestoreSecurityUSBLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
static int static int
qemuSecurityDACRestoreSecurityHostdevLabel(virConnectPtr conn, qemuSecurityDACRestoreSecurityHostdevLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
@ -292,7 +288,7 @@ qemuSecurityDACRestoreSecurityHostdevLabel(virConnectPtr conn,
if (!usb) if (!usb)
goto done; goto done;
ret = usbDeviceFileIterate(conn, usb, qemuSecurityDACRestoreSecurityUSBLabel, NULL); ret = usbDeviceFileIterate(NULL, usb, qemuSecurityDACRestoreSecurityUSBLabel, NULL);
usbFreeDevice(usb); usbFreeDevice(usb);
break; break;
@ -307,7 +303,7 @@ qemuSecurityDACRestoreSecurityHostdevLabel(virConnectPtr conn,
if (!pci) if (!pci)
goto done; goto done;
ret = pciDeviceFileIterate(conn, pci, qemuSecurityDACRestoreSecurityPCILabel, NULL); ret = pciDeviceFileIterate(NULL, pci, qemuSecurityDACRestoreSecurityPCILabel, NULL);
pciFreeDevice(pci); pciFreeDevice(pci);
break; break;
@ -324,8 +320,7 @@ done:
static int static int
qemuSecurityDACRestoreSecurityAllLabel(virConnectPtr conn, qemuSecurityDACRestoreSecurityAllLabel(virDomainObjPtr vm)
virDomainObjPtr vm)
{ {
int i; int i;
int rc = 0; int rc = 0;
@ -336,12 +331,12 @@ qemuSecurityDACRestoreSecurityAllLabel(virConnectPtr conn,
VIR_DEBUG("Restoring security label on %s", vm->def->name); VIR_DEBUG("Restoring security label on %s", vm->def->name);
for (i = 0 ; i < vm->def->nhostdevs ; i++) { for (i = 0 ; i < vm->def->nhostdevs ; i++) {
if (qemuSecurityDACRestoreSecurityHostdevLabel(conn, vm, if (qemuSecurityDACRestoreSecurityHostdevLabel(vm,
vm->def->hostdevs[i]) < 0) vm->def->hostdevs[i]) < 0)
rc = -1; rc = -1;
} }
for (i = 0 ; i < vm->def->ndisks ; i++) { for (i = 0 ; i < vm->def->ndisks ; i++) {
if (qemuSecurityDACRestoreSecurityImageLabel(conn, vm, if (qemuSecurityDACRestoreSecurityImageLabel(vm,
vm->def->disks[i]) < 0) vm->def->disks[i]) < 0)
rc = -1; rc = -1;
} }
@ -350,8 +345,7 @@ qemuSecurityDACRestoreSecurityAllLabel(virConnectPtr conn,
static int static int
qemuSecurityDACSetSecurityAllLabel(virConnectPtr conn, qemuSecurityDACSetSecurityAllLabel(virDomainObjPtr vm)
virDomainObjPtr vm)
{ {
int i; int i;
@ -362,11 +356,11 @@ qemuSecurityDACSetSecurityAllLabel(virConnectPtr conn,
/* XXX fixme - we need to recursively label the entriy tree :-( */ /* XXX fixme - we need to recursively label the entriy tree :-( */
if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR)
continue; continue;
if (qemuSecurityDACSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0) if (qemuSecurityDACSetSecurityImageLabel(vm, vm->def->disks[i]) < 0)
return -1; return -1;
} }
for (i = 0 ; i < vm->def->nhostdevs ; i++) { for (i = 0 ; i < vm->def->nhostdevs ; i++) {
if (qemuSecurityDACSetSecurityHostdevLabel(conn, vm, vm->def->hostdevs[i]) < 0) if (qemuSecurityDACSetSecurityHostdevLabel(vm, vm->def->hostdevs[i]) < 0)
return -1; return -1;
} }
@ -375,8 +369,7 @@ qemuSecurityDACSetSecurityAllLabel(virConnectPtr conn,
static int static int
qemuSecurityDACSetSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED, qemuSecurityDACSetSavedStateLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED,
const char *savefile) const char *savefile)
{ {
if (!driver->privileged || !driver->dynamicOwnership) if (!driver->privileged || !driver->dynamicOwnership)
@ -387,8 +380,7 @@ qemuSecurityDACSetSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
static int static int
qemuSecurityDACRestoreSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED, qemuSecurityDACRestoreSavedStateLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED,
const char *savefile) const char *savefile)
{ {
if (!driver->privileged || !driver->dynamicOwnership) if (!driver->privileged || !driver->dynamicOwnership)
@ -399,8 +391,7 @@ qemuSecurityDACRestoreSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
static int static int
qemuSecurityDACSetProcessLabel(virConnectPtr conn ATTRIBUTE_UNUSED, qemuSecurityDACSetProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED) virDomainObjPtr vm ATTRIBUTE_UNUSED)
{ {
DEBUG("Dropping privileges of VM to %d:%d", driver->user, driver->group); DEBUG("Dropping privileges of VM to %d:%d", driver->user, driver->group);

99
src/qemu/qemu_security_stacked.c
View File

@ -38,19 +38,18 @@ void qemuSecurityStackedSetDriver(struct qemud_driver *newdriver)
static int static int
qemuSecurityStackedVerify(virConnectPtr conn, qemuSecurityStackedVerify(virDomainDefPtr def)
virDomainDefPtr def)
{ {
int rc = 0; int rc = 0;
if (driver->securitySecondaryDriver && if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainSecurityVerify && driver->securitySecondaryDriver->domainSecurityVerify &&
driver->securitySecondaryDriver->domainSecurityVerify(conn, def) < 0) driver->securitySecondaryDriver->domainSecurityVerify(def) < 0)
rc = -1; rc = -1;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainSecurityVerify && driver->securityPrimaryDriver->domainSecurityVerify &&
driver->securityPrimaryDriver->domainSecurityVerify(conn, def) < 0) driver->securityPrimaryDriver->domainSecurityVerify(def) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -58,19 +57,18 @@ qemuSecurityStackedVerify(virConnectPtr conn,
static int static int
qemuSecurityStackedGenLabel(virConnectPtr conn, qemuSecurityStackedGenLabel(virDomainObjPtr vm)
virDomainObjPtr vm)
{ {
int rc = 0; int rc = 0;
if (driver->securitySecondaryDriver && if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainGenSecurityLabel && driver->securitySecondaryDriver->domainGenSecurityLabel &&
driver->securitySecondaryDriver->domainGenSecurityLabel(conn, vm) < 0) driver->securitySecondaryDriver->domainGenSecurityLabel(vm) < 0)
rc = -1; rc = -1;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainGenSecurityLabel && driver->securityPrimaryDriver->domainGenSecurityLabel &&
driver->securityPrimaryDriver->domainGenSecurityLabel(conn, vm) < 0) driver->securityPrimaryDriver->domainGenSecurityLabel(vm) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -78,19 +76,18 @@ qemuSecurityStackedGenLabel(virConnectPtr conn,
static int static int
qemuSecurityStackedReleaseLabel(virConnectPtr conn, qemuSecurityStackedReleaseLabel(virDomainObjPtr vm)
virDomainObjPtr vm)
{ {
int rc = 0; int rc = 0;
if (driver->securitySecondaryDriver && if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainReleaseSecurityLabel && driver->securitySecondaryDriver->domainReleaseSecurityLabel &&
driver->securitySecondaryDriver->domainReleaseSecurityLabel(conn, vm) < 0) driver->securitySecondaryDriver->domainReleaseSecurityLabel(vm) < 0)
rc = -1; rc = -1;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainReleaseSecurityLabel && driver->securityPrimaryDriver->domainReleaseSecurityLabel &&
driver->securityPrimaryDriver->domainReleaseSecurityLabel(conn, vm) < 0) driver->securityPrimaryDriver->domainReleaseSecurityLabel(vm) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -98,19 +95,18 @@ qemuSecurityStackedReleaseLabel(virConnectPtr conn,
static int static int
qemuSecurityStackedReserveLabel(virConnectPtr conn, qemuSecurityStackedReserveLabel(virDomainObjPtr vm)
virDomainObjPtr vm)
{ {
int rc = 0; int rc = 0;
if (driver->securitySecondaryDriver && if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainReserveSecurityLabel && driver->securitySecondaryDriver->domainReserveSecurityLabel &&
driver->securitySecondaryDriver->domainReserveSecurityLabel(conn, vm) < 0) driver->securitySecondaryDriver->domainReserveSecurityLabel(vm) < 0)
rc = -1; rc = -1;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainReserveSecurityLabel && driver->securityPrimaryDriver->domainReserveSecurityLabel &&
driver->securityPrimaryDriver->domainReserveSecurityLabel(conn, vm) < 0) driver->securityPrimaryDriver->domainReserveSecurityLabel(vm) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -118,20 +114,19 @@ qemuSecurityStackedReserveLabel(virConnectPtr conn,
static int static int
qemuSecurityStackedSetSecurityImageLabel(virConnectPtr conn, qemuSecurityStackedSetSecurityImageLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
int rc = 0; int rc = 0;
if (driver->securitySecondaryDriver && if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainSetSecurityImageLabel && driver->securitySecondaryDriver->domainSetSecurityImageLabel &&
driver->securitySecondaryDriver->domainSetSecurityImageLabel(conn, vm, disk) < 0) driver->securitySecondaryDriver->domainSetSecurityImageLabel(vm, disk) < 0)
rc = -1; rc = -1;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainSetSecurityImageLabel && driver->securityPrimaryDriver->domainSetSecurityImageLabel &&
driver->securityPrimaryDriver->domainSetSecurityImageLabel(conn, vm, disk) < 0) driver->securityPrimaryDriver->domainSetSecurityImageLabel(vm, disk) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -139,20 +134,19 @@ qemuSecurityStackedSetSecurityImageLabel(virConnectPtr conn,
static int static int
qemuSecurityStackedRestoreSecurityImageLabel(virConnectPtr conn, qemuSecurityStackedRestoreSecurityImageLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
int rc = 0; int rc = 0;
if (driver->securitySecondaryDriver && if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainRestoreSecurityImageLabel && driver->securitySecondaryDriver->domainRestoreSecurityImageLabel &&
driver->securitySecondaryDriver->domainRestoreSecurityImageLabel(conn, vm, disk) < 0) driver->securitySecondaryDriver->domainRestoreSecurityImageLabel(vm, disk) < 0)
rc = -1; rc = -1;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainRestoreSecurityImageLabel && driver->securityPrimaryDriver->domainRestoreSecurityImageLabel &&
driver->securityPrimaryDriver->domainRestoreSecurityImageLabel(conn, vm, disk) < 0) driver->securityPrimaryDriver->domainRestoreSecurityImageLabel(vm, disk) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -160,8 +154,7 @@ qemuSecurityStackedRestoreSecurityImageLabel(virConnectPtr conn,
static int static int
qemuSecurityStackedSetSecurityHostdevLabel(virConnectPtr conn, qemuSecurityStackedSetSecurityHostdevLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
@ -169,12 +162,12 @@ qemuSecurityStackedSetSecurityHostdevLabel(virConnectPtr conn,
if (driver->securitySecondaryDriver && if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainSetSecurityHostdevLabel && driver->securitySecondaryDriver->domainSetSecurityHostdevLabel &&
driver->securitySecondaryDriver->domainSetSecurityHostdevLabel(conn, vm, dev) < 0) driver->securitySecondaryDriver->domainSetSecurityHostdevLabel(vm, dev) < 0)
rc = -1; rc = -1;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainSetSecurityHostdevLabel && driver->securityPrimaryDriver->domainSetSecurityHostdevLabel &&
driver->securityPrimaryDriver->domainSetSecurityHostdevLabel(conn, vm, dev) < 0) driver->securityPrimaryDriver->domainSetSecurityHostdevLabel(vm, dev) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -182,8 +175,7 @@ qemuSecurityStackedSetSecurityHostdevLabel(virConnectPtr conn,
static int static int
qemuSecurityStackedRestoreSecurityHostdevLabel(virConnectPtr conn, qemuSecurityStackedRestoreSecurityHostdevLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
@ -191,12 +183,12 @@ qemuSecurityStackedRestoreSecurityHostdevLabel(virConnectPtr conn,
if (driver->securitySecondaryDriver && if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel && driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel &&
driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel(conn, vm, dev) < 0) driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel(vm, dev) < 0)
rc = -1; rc = -1;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel && driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel &&
driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel(conn, vm, dev) < 0) driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel(vm, dev) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -204,19 +196,18 @@ qemuSecurityStackedRestoreSecurityHostdevLabel(virConnectPtr conn,
static int static int
qemuSecurityStackedSetSecurityAllLabel(virConnectPtr conn, qemuSecurityStackedSetSecurityAllLabel(virDomainObjPtr vm)
virDomainObjPtr vm)
{ {
int rc = 0; int rc = 0;
if (driver->securitySecondaryDriver && if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainSetSecurityAllLabel && driver->securitySecondaryDriver->domainSetSecurityAllLabel &&
driver->securitySecondaryDriver->domainSetSecurityAllLabel(conn, vm) < 0) driver->securitySecondaryDriver->domainSetSecurityAllLabel(vm) < 0)
rc = -1; rc = -1;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainSetSecurityAllLabel && driver->securityPrimaryDriver->domainSetSecurityAllLabel &&
driver->securityPrimaryDriver->domainSetSecurityAllLabel(conn, vm) < 0) driver->securityPrimaryDriver->domainSetSecurityAllLabel(vm) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -224,19 +215,18 @@ qemuSecurityStackedSetSecurityAllLabel(virConnectPtr conn,
static int static int
qemuSecurityStackedRestoreSecurityAllLabel(virConnectPtr conn, qemuSecurityStackedRestoreSecurityAllLabel(virDomainObjPtr vm)
virDomainObjPtr vm)
{ {
int rc = 0; int rc = 0;
if (driver->securitySecondaryDriver && if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainRestoreSecurityAllLabel && driver->securitySecondaryDriver->domainRestoreSecurityAllLabel &&
driver->securitySecondaryDriver->domainRestoreSecurityAllLabel(conn, vm) < 0) driver->securitySecondaryDriver->domainRestoreSecurityAllLabel(vm) < 0)
rc = -1; rc = -1;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainRestoreSecurityAllLabel && driver->securityPrimaryDriver->domainRestoreSecurityAllLabel &&
driver->securityPrimaryDriver->domainRestoreSecurityAllLabel(conn, vm) < 0) driver->securityPrimaryDriver->domainRestoreSecurityAllLabel(vm) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -244,20 +234,19 @@ qemuSecurityStackedRestoreSecurityAllLabel(virConnectPtr conn,
static int static int
qemuSecurityStackedSetSavedStateLabel(virConnectPtr conn, qemuSecurityStackedSetSavedStateLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
const char *savefile) const char *savefile)
{ {
int rc = 0; int rc = 0;
if (driver->securitySecondaryDriver && if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainSetSavedStateLabel && driver->securitySecondaryDriver->domainSetSavedStateLabel &&
driver->securitySecondaryDriver->domainSetSavedStateLabel(conn, vm, savefile) < 0) driver->securitySecondaryDriver->domainSetSavedStateLabel(vm, savefile) < 0)
rc = -1; rc = -1;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainSetSavedStateLabel && driver->securityPrimaryDriver->domainSetSavedStateLabel &&
driver->securityPrimaryDriver->domainSetSavedStateLabel(conn, vm, savefile) < 0) driver->securityPrimaryDriver->domainSetSavedStateLabel(vm, savefile) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -265,20 +254,19 @@ qemuSecurityStackedSetSavedStateLabel(virConnectPtr conn,
static int static int
qemuSecurityStackedRestoreSavedStateLabel(virConnectPtr conn, qemuSecurityStackedRestoreSavedStateLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
const char *savefile) const char *savefile)
{ {
int rc = 0; int rc = 0;
if (driver->securitySecondaryDriver && if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainRestoreSavedStateLabel && driver->securitySecondaryDriver->domainRestoreSavedStateLabel &&
driver->securitySecondaryDriver->domainRestoreSavedStateLabel(conn, vm, savefile) < 0) driver->securitySecondaryDriver->domainRestoreSavedStateLabel(vm, savefile) < 0)
rc = -1; rc = -1;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainRestoreSavedStateLabel && driver->securityPrimaryDriver->domainRestoreSavedStateLabel &&
driver->securityPrimaryDriver->domainRestoreSavedStateLabel(conn, vm, savefile) < 0) driver->securityPrimaryDriver->domainRestoreSavedStateLabel(vm, savefile) < 0)
rc = -1; rc = -1;
return rc; return rc;
@ -286,23 +274,20 @@ qemuSecurityStackedRestoreSavedStateLabel(virConnectPtr conn,
static int static int
qemuSecurityStackedSetProcessLabel(virConnectPtr conn, qemuSecurityStackedSetProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virDomainObjPtr vm) virDomainObjPtr vm)
{ {
int rc = 0; int rc = 0;
if (driver->securitySecondaryDriver && if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainSetSecurityProcessLabel && driver->securitySecondaryDriver->domainSetSecurityProcessLabel &&
driver->securitySecondaryDriver->domainSetSecurityProcessLabel(conn, driver->securitySecondaryDriver->domainSetSecurityProcessLabel(driver->securitySecondaryDriver,
driver->securitySecondaryDriver,
vm) < 0) vm) < 0)
rc = -1; rc = -1;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainSetSecurityProcessLabel && driver->securityPrimaryDriver->domainSetSecurityProcessLabel &&
driver->securityPrimaryDriver->domainSetSecurityProcessLabel(conn, driver->securityPrimaryDriver->domainSetSecurityProcessLabel(driver->securityPrimaryDriver,
driver->securityPrimaryDriver,
vm) < 0) vm) < 0)
rc = -1; rc = -1;
@ -310,16 +295,14 @@ qemuSecurityStackedSetProcessLabel(virConnectPtr conn,
} }
static int static int
qemuSecurityStackedGetProcessLabel(virConnectPtr conn, qemuSecurityStackedGetProcessLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virSecurityLabelPtr seclabel) virSecurityLabelPtr seclabel)
{ {
int rc = 0; int rc = 0;
if (driver->securityPrimaryDriver && if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainGetSecurityProcessLabel && driver->securityPrimaryDriver->domainGetSecurityProcessLabel &&
driver->securityPrimaryDriver->domainGetSecurityProcessLabel(conn, driver->securityPrimaryDriver->domainGetSecurityProcessLabel(vm,
vm,
seclabel) < 0) seclabel) < 0)
rc = -1; rc = -1;

69
src/security/security_apparmor.c
View File

@ -148,7 +148,7 @@ profile_status_file(const char *str)
* load (add) a profile. Will create one if necessary * load (add) a profile. Will create one if necessary
*/ */
static int static int
load_profile(virConnectPtr conn, const char *profile, virDomainObjPtr vm, load_profile(const char *profile, virDomainObjPtr vm,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
int rc = -1, status, ret; int rc = -1, status, ret;
@ -162,7 +162,7 @@ load_profile(virConnectPtr conn, const char *profile, virDomainObjPtr vm,
return rc; return rc;
} }
xml = virDomainDefFormat(conn, vm->def, VIR_DOMAIN_XML_SECURE); xml = virDomainDefFormat(vm->def, VIR_DOMAIN_XML_SECURE);
if (!xml) if (!xml)
goto clean; goto clean;
@ -204,7 +204,7 @@ load_profile(virConnectPtr conn, const char *profile, virDomainObjPtr vm,
if (errno == EINTR) if (errno == EINTR)
goto rewait; goto rewait;
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("Unexpected exit status from virt-aa-helper " _("Unexpected exit status from virt-aa-helper "
"%d pid %lu"), "%d pid %lu"),
WEXITSTATUS(status), (unsigned long)child); WEXITSTATUS(status), (unsigned long)child);
@ -311,9 +311,9 @@ AppArmorSecurityDriverProbe(void)
* currently not used. * currently not used.
*/ */
static int static int
AppArmorSecurityDriverOpen(virConnectPtr conn, virSecurityDriverPtr drv) AppArmorSecurityDriverOpen(virSecurityDriverPtr drv)
{ {
virSecurityDriverSetDOI(conn, drv, SECURITY_APPARMOR_VOID_DOI); virSecurityDriverSetDOI(drv, SECURITY_APPARMOR_VOID_DOI);
return 0; return 0;
} }
@ -323,7 +323,7 @@ AppArmorSecurityDriverOpen(virConnectPtr conn, virSecurityDriverPtr drv)
* called on shutdown. * called on shutdown.
*/ */
static int static int
AppArmorGenSecurityLabel(virConnectPtr conn, virDomainObjPtr vm) AppArmorGenSecurityLabel(virDomainObjPtr vm)
{ {
int rc = -1; int rc = -1;
char *profile_name = NULL; char *profile_name = NULL;
@ -333,7 +333,7 @@ AppArmorGenSecurityLabel(virConnectPtr conn, virDomainObjPtr vm)
if ((vm->def->seclabel.label) || if ((vm->def->seclabel.label) ||
(vm->def->seclabel.model) || (vm->def->seclabel.imagelabel)) { (vm->def->seclabel.model) || (vm->def->seclabel.imagelabel)) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", "%s",
_("security label already defined for VM")); _("security label already defined for VM"));
return rc; return rc;
@ -377,15 +377,15 @@ AppArmorGenSecurityLabel(virConnectPtr conn, virDomainObjPtr vm)
} }
static int static int
AppArmorSetSecurityAllLabel(virConnectPtr conn, virDomainObjPtr vm) AppArmorSetSecurityAllLabel(virDomainObjPtr vm)
{ {
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
return 0; return 0;
/* if the profile is not already loaded, then load one */ /* if the profile is not already loaded, then load one */
if (profile_loaded(vm->def->seclabel.label) < 0) { if (profile_loaded(vm->def->seclabel.label) < 0) {
if (load_profile(conn, vm->def->seclabel.label, vm, NULL) < 0) { if (load_profile(vm->def->seclabel.label, vm, NULL) < 0) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate AppArmor profile " _("cannot generate AppArmor profile "
"\'%s\'"), vm->def->seclabel.label); "\'%s\'"), vm->def->seclabel.label);
return -1; return -1;
@ -399,8 +399,7 @@ AppArmorSetSecurityAllLabel(virConnectPtr conn, virDomainObjPtr vm)
* running. * running.
*/ */
static int static int
AppArmorGetSecurityProcessLabel(virConnectPtr conn, AppArmorGetSecurityProcessLabel(virDomainObjPtr vm, virSecurityLabelPtr sec)
virDomainObjPtr vm, virSecurityLabelPtr sec)
{ {
int rc = -1; int rc = -1;
char *profile_name = NULL; char *profile_name = NULL;
@ -410,13 +409,13 @@ AppArmorGetSecurityProcessLabel(virConnectPtr conn,
if (virStrcpy(sec->label, profile_name, if (virStrcpy(sec->label, profile_name,
VIR_SECURITY_LABEL_BUFLEN) == NULL) { VIR_SECURITY_LABEL_BUFLEN) == NULL) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("error copying profile name")); "%s", _("error copying profile name"));
goto clean; goto clean;
} }
if ((sec->enforcing = profile_status(profile_name, 1)) < 0) { if ((sec->enforcing = profile_status(profile_name, 1)) < 0) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("error calling profile_status()")); "%s", _("error calling profile_status()"));
goto clean; goto clean;
} }
@ -432,7 +431,7 @@ AppArmorGetSecurityProcessLabel(virConnectPtr conn,
* more details. Currently called via qemudShutdownVMDaemon. * more details. Currently called via qemudShutdownVMDaemon.
*/ */
static int static int
AppArmorReleaseSecurityLabel(virConnectPtr conn ATTRIBUTE_UNUSED, virDomainObjPtr vm) AppArmorReleaseSecurityLabel(virDomainObjPtr vm)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
@ -445,14 +444,14 @@ AppArmorReleaseSecurityLabel(virConnectPtr conn ATTRIBUTE_UNUSED, virDomainObjPt
static int static int
AppArmorRestoreSecurityAllLabel(virConnectPtr conn, virDomainObjPtr vm) AppArmorRestoreSecurityAllLabel(virDomainObjPtr vm)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int rc = 0; int rc = 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) { if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
if ((rc = remove_profile(secdef->label)) != 0) { if ((rc = remove_profile(secdef->label)) != 0) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("could not remove profile for \'%s\'"), _("could not remove profile for \'%s\'"),
secdef->label); secdef->label);
} }
@ -464,8 +463,7 @@ AppArmorRestoreSecurityAllLabel(virConnectPtr conn, virDomainObjPtr vm)
* LOCAL_STATE_DIR/log/libvirt/qemu/<vm name>.log * LOCAL_STATE_DIR/log/libvirt/qemu/<vm name>.log
*/ */
static int static int
AppArmorSetSecurityProcessLabel(virConnectPtr conn, AppArmorSetSecurityProcessLabel(virSecurityDriverPtr drv, virDomainObjPtr vm)
virSecurityDriverPtr drv, virDomainObjPtr vm)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int rc = -1; int rc = -1;
@ -475,7 +473,7 @@ AppArmorSetSecurityProcessLabel(virConnectPtr conn,
return rc; return rc;
if (STRNEQ(drv->name, secdef->model)) { if (STRNEQ(drv->name, secdef->model)) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("security label driver mismatch: " _("security label driver mismatch: "
"\'%s\' model configured for domain, but " "\'%s\' model configured for domain, but "
"hypervisor driver is \'%s\'."), "hypervisor driver is \'%s\'."),
@ -485,7 +483,7 @@ AppArmorSetSecurityProcessLabel(virConnectPtr conn,
} }
if (aa_change_profile(profile_name) < 0) { if (aa_change_profile(profile_name) < 0) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("error calling aa_change_profile()")); _("error calling aa_change_profile()"));
goto clean; goto clean;
} }
@ -500,8 +498,7 @@ AppArmorSetSecurityProcessLabel(virConnectPtr conn,
/* Called when hotplugging */ /* Called when hotplugging */
static int static int
AppArmorRestoreSecurityImageLabel(virConnectPtr conn, AppArmorRestoreSecurityImageLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
@ -516,8 +513,8 @@ AppArmorRestoreSecurityImageLabel(virConnectPtr conn,
/* Update the profile only if it is loaded */ /* Update the profile only if it is loaded */
if (profile_loaded(secdef->imagelabel) >= 0) { if (profile_loaded(secdef->imagelabel) >= 0) {
if (load_profile(conn, secdef->imagelabel, vm, NULL) < 0) { if (load_profile(secdef->imagelabel, vm, NULL) < 0) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile " _("cannot update AppArmor profile "
"\'%s\'"), "\'%s\'"),
secdef->imagelabel); secdef->imagelabel);
@ -534,8 +531,7 @@ AppArmorRestoreSecurityImageLabel(virConnectPtr conn,
/* Called when hotplugging */ /* Called when hotplugging */
static int static int
AppArmorSetSecurityImageLabel(virConnectPtr conn, AppArmorSetSecurityImageLabel(virDomainObjPtr vm, virDomainDiskDefPtr disk)
virDomainObjPtr vm, virDomainDiskDefPtr disk)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int rc = -1; int rc = -1;
@ -550,7 +546,7 @@ AppArmorSetSecurityImageLabel(virConnectPtr conn,
if (secdef->imagelabel) { if (secdef->imagelabel) {
/* if the device doesn't exist, error out */ /* if the device doesn't exist, error out */
if (!virFileExists(disk->src)) { if (!virFileExists(disk->src)) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("\'%s\' does not exist"), disk->src); _("\'%s\' does not exist"), disk->src);
return rc; return rc;
} }
@ -560,8 +556,8 @@ AppArmorSetSecurityImageLabel(virConnectPtr conn,
/* update the profile only if it is loaded */ /* update the profile only if it is loaded */
if (profile_loaded(secdef->imagelabel) >= 0) { if (profile_loaded(secdef->imagelabel) >= 0) {
if (load_profile(conn, secdef->imagelabel, vm, disk) < 0) { if (load_profile(secdef->imagelabel, vm, disk) < 0) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile " _("cannot update AppArmor profile "
"\'%s\'"), "\'%s\'"),
secdef->imagelabel); secdef->imagelabel);
@ -578,13 +574,13 @@ AppArmorSetSecurityImageLabel(virConnectPtr conn,
} }
static int static int
AppArmorSecurityVerify(virConnectPtr conn, virDomainDefPtr def) AppArmorSecurityVerify(virDomainDefPtr def)
{ {
const virSecurityLabelDefPtr secdef = &def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) { if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
if (use_apparmor() < 0 || profile_status(secdef->label, 0) < 0) { if (use_apparmor() < 0 || profile_status(secdef->label, 0) < 0) {
virSecurityReportError(conn, VIR_ERR_XML_ERROR, virSecurityReportError(VIR_ERR_XML_ERROR,
_("Invalid security label \'%s\'"), _("Invalid security label \'%s\'"),
secdef->label); secdef->label);
return -1; return -1;
@ -594,16 +590,14 @@ AppArmorSecurityVerify(virConnectPtr conn, virDomainDefPtr def)
} }
static int static int
AppArmorReserveSecurityLabel(virConnectPtr conn ATTRIBUTE_UNUSED, AppArmorReserveSecurityLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED)
virDomainObjPtr vm ATTRIBUTE_UNUSED)
{ {
/* NOOP. Nothing to reserve with AppArmor */ /* NOOP. Nothing to reserve with AppArmor */
return 0; return 0;
} }
static int static int
AppArmorSetSecurityHostdevLabel(virConnectPtr conn ATTRIBUTE_UNUSED, AppArmorSetSecurityHostdevLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{ {
@ -617,8 +611,7 @@ AppArmorSetSecurityHostdevLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
} }
static int static int
AppArmorRestoreSecurityHostdevLabel(virConnectPtr conn ATTRIBUTE_UNUSED, AppArmorRestoreSecurityHostdevLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{ {

17
src/security/security_driver.c
View File

@ -35,7 +35,7 @@ static virSecurityDriverPtr security_drivers[] = {
}; };
int int
virSecurityDriverVerify(virConnectPtr conn, virDomainDefPtr def) virSecurityDriverVerify(virDomainDefPtr def)
{ {
unsigned int i; unsigned int i;
const virSecurityLabelDefPtr secdef = &def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
@ -46,10 +46,10 @@ virSecurityDriverVerify(virConnectPtr conn, virDomainDefPtr def)
for (i = 0; security_drivers[i] != NULL ; i++) { for (i = 0; security_drivers[i] != NULL ; i++) {
if (STREQ(security_drivers[i]->name, secdef->model)) { if (STREQ(security_drivers[i]->name, secdef->model)) {
return security_drivers[i]->domainSecurityVerify(conn, def); return security_drivers[i]->domainSecurityVerify(def);
} }
} }
virSecurityReportError(conn, VIR_ERR_XML_ERROR, virSecurityReportError(VIR_ERR_XML_ERROR,
_("invalid security model '%s'"), secdef->model); _("invalid security model '%s'"), secdef->model);
return -1; return -1;
} }
@ -72,7 +72,7 @@ virSecurityDriverStartup(virSecurityDriverPtr *drv,
switch (tmp->probe()) { switch (tmp->probe()) {
case SECURITY_DRIVER_ENABLE: case SECURITY_DRIVER_ENABLE:
virSecurityDriverInit(tmp); virSecurityDriverInit(tmp);
if (tmp->open(NULL, tmp) == -1) { if (tmp->open(tmp) == -1) {
return -1; return -1;
} else { } else {
*drv = tmp; *drv = tmp;
@ -91,7 +91,7 @@ virSecurityDriverStartup(virSecurityDriverPtr *drv,
} }
void void
virSecurityReportError(virConnectPtr conn, int code, const char *fmt, ...) virSecurityReportError(int code, const char *fmt, ...)
{ {
va_list args; va_list args;
char errorMessage[1024]; char errorMessage[1024];
@ -103,7 +103,7 @@ virSecurityReportError(virConnectPtr conn, int code, const char *fmt, ...)
} else } else
errorMessage[0] = '\0'; errorMessage[0] = '\0';
virRaiseError(conn, NULL, NULL, VIR_FROM_SECURITY, code, virRaiseError(NULL, NULL, NULL, VIR_FROM_SECURITY, code,
VIR_ERR_ERROR, NULL, NULL, NULL, -1, -1, "%s", VIR_ERR_ERROR, NULL, NULL, NULL, -1, -1, "%s",
errorMessage); errorMessage);
} }
@ -118,12 +118,11 @@ virSecurityDriverInit(virSecurityDriverPtr drv)
} }
int int
virSecurityDriverSetDOI(virConnectPtr conn, virSecurityDriverSetDOI(virSecurityDriverPtr drv,
virSecurityDriverPtr drv,
const char *doi) const char *doi)
{ {
if (strlen(doi) >= VIR_SECURITY_DOI_BUFLEN) { if (strlen(doi) >= VIR_SECURITY_DOI_BUFLEN) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("%s: DOI \'%s\' is " _("%s: DOI \'%s\' is "
"longer than the maximum allowed length of %d"), "longer than the maximum allowed length of %d"),
__func__, doi, VIR_SECURITY_DOI_BUFLEN - 1); __func__, doi, VIR_SECURITY_DOI_BUFLEN - 1);

54
src/security/security_driver.h
View File

@ -29,44 +29,29 @@ typedef enum {
typedef struct _virSecurityDriver virSecurityDriver; typedef struct _virSecurityDriver virSecurityDriver;
typedef virSecurityDriver *virSecurityDriverPtr; typedef virSecurityDriver *virSecurityDriverPtr;
typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void); typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void);
typedef int (*virSecurityDriverOpen) (virConnectPtr conn, typedef int (*virSecurityDriverOpen) (virSecurityDriverPtr drv);
virSecurityDriverPtr drv); typedef int (*virSecurityDomainRestoreImageLabel) (virDomainObjPtr vm,
typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn,
virDomainObjPtr vm,
virDomainDiskDefPtr disk); virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn, typedef int (*virSecurityDomainSetImageLabel) (virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainDiskDefPtr disk); virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainRestoreHostdevLabel) (virConnectPtr conn, typedef int (*virSecurityDomainRestoreHostdevLabel) (virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainHostdevDefPtr dev); virDomainHostdevDefPtr dev);
typedef int (*virSecurityDomainSetHostdevLabel) (virConnectPtr conn, typedef int (*virSecurityDomainSetHostdevLabel) (virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainHostdevDefPtr dev); virDomainHostdevDefPtr dev);
typedef int (*virSecurityDomainSetSavedStateLabel) (virConnectPtr conn, typedef int (*virSecurityDomainSetSavedStateLabel) (virDomainObjPtr vm,
virDomainObjPtr vm,
const char *savefile); const char *savefile);
typedef int (*virSecurityDomainRestoreSavedStateLabel) (virConnectPtr conn, typedef int (*virSecurityDomainRestoreSavedStateLabel) (virDomainObjPtr vm,
virDomainObjPtr vm,
const char *savefile); const char *savefile);
typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn, typedef int (*virSecurityDomainGenLabel) (virDomainObjPtr sec);
virDomainObjPtr sec); typedef int (*virSecurityDomainReserveLabel) (virDomainObjPtr sec);
typedef int (*virSecurityDomainReserveLabel) (virConnectPtr conn, typedef int (*virSecurityDomainReleaseLabel) (virDomainObjPtr sec);
virDomainObjPtr sec); typedef int (*virSecurityDomainSetAllLabel) (virDomainObjPtr sec);
typedef int (*virSecurityDomainReleaseLabel) (virConnectPtr conn, typedef int (*virSecurityDomainRestoreAllLabel) (virDomainObjPtr vm);
virDomainObjPtr sec); typedef int (*virSecurityDomainGetProcessLabel) (virDomainObjPtr vm,
typedef int (*virSecurityDomainSetAllLabel) (virConnectPtr conn,
virDomainObjPtr sec);
typedef int (*virSecurityDomainRestoreAllLabel) (virConnectPtr conn,
virDomainObjPtr vm);
typedef int (*virSecurityDomainGetProcessLabel) (virConnectPtr conn,
virDomainObjPtr vm,
virSecurityLabelPtr sec); virSecurityLabelPtr sec);
typedef int (*virSecurityDomainSetProcessLabel) (virConnectPtr conn, typedef int (*virSecurityDomainSetProcessLabel) (virSecurityDriverPtr drv,
virSecurityDriverPtr drv,
virDomainObjPtr vm); virDomainObjPtr vm);
typedef int (*virSecurityDomainSecurityVerify) (virConnectPtr conn, typedef int (*virSecurityDomainSecurityVerify) (virDomainDefPtr def);
virDomainDefPtr def);
struct _virSecurityDriver { struct _virSecurityDriver {
const char *name; const char *name;
@ -101,16 +86,15 @@ int virSecurityDriverStartup(virSecurityDriverPtr *drv,
const char *name); const char *name);
int int
virSecurityDriverVerify(virConnectPtr conn, virDomainDefPtr def); virSecurityDriverVerify(virDomainDefPtr def);
void void
virSecurityReportError(virConnectPtr conn, int code, const char *fmt, ...) virSecurityReportError(int code, const char *fmt, ...)
ATTRIBUTE_FMT_PRINTF(3, 4); ATTRIBUTE_FMT_PRINTF(2, 3);
/* Helpers */ /* Helpers */
void virSecurityDriverInit(virSecurityDriverPtr drv); void virSecurityDriverInit(virSecurityDriverPtr drv);
int virSecurityDriverSetDOI(virConnectPtr conn, int virSecurityDriverSetDOI(virSecurityDriverPtr drv,
virSecurityDriverPtr drv,
const char *doi); const char *doi);
const char *virSecurityDriverGetDOI(virSecurityDriverPtr drv); const char *virSecurityDriverGetDOI(virSecurityDriverPtr drv);
const char *virSecurityDriverGetModel(virSecurityDriverPtr drv); const char *virSecurityDriverGetModel(virSecurityDriverPtr drv);

73
src/security/security_selinux.c
View File

@ -156,8 +156,7 @@ SELinuxInitialize(void)
} }
static int static int
SELinuxGenSecurityLabel(virConnectPtr conn, SELinuxGenSecurityLabel(virDomainObjPtr vm)
virDomainObjPtr vm)
{ {
int rc = -1; int rc = -1;
char mcs[1024]; char mcs[1024];
@ -171,7 +170,7 @@ SELinuxGenSecurityLabel(virConnectPtr conn,
if (vm->def->seclabel.label || if (vm->def->seclabel.label ||
vm->def->seclabel.model || vm->def->seclabel.model ||
vm->def->seclabel.imagelabel) { vm->def->seclabel.imagelabel) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security label already defined for VM")); "%s", _("security label already defined for VM"));
return rc; return rc;
} }
@ -192,13 +191,13 @@ SELinuxGenSecurityLabel(virConnectPtr conn,
vm->def->seclabel.label = SELinuxGenNewContext(default_domain_context, mcs); vm->def->seclabel.label = SELinuxGenNewContext(default_domain_context, mcs);
if (! vm->def->seclabel.label) { if (! vm->def->seclabel.label) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate selinux context for %s"), mcs); _("cannot generate selinux context for %s"), mcs);
goto err; goto err;
} }
vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs); vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
if (! vm->def->seclabel.imagelabel) { if (! vm->def->seclabel.imagelabel) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate selinux context for %s"), mcs); _("cannot generate selinux context for %s"), mcs);
goto err; goto err;
} }
@ -221,8 +220,7 @@ done:
} }
static int static int
SELinuxReserveSecurityLabel(virConnectPtr conn ATTRIBUTE_UNUSED, SELinuxReserveSecurityLabel(virDomainObjPtr vm)
virDomainObjPtr vm)
{ {
security_context_t pctx; security_context_t pctx;
context_t ctx = NULL; context_t ctx = NULL;
@ -266,19 +264,18 @@ SELinuxSecurityDriverProbe(void)
} }
static int static int
SELinuxSecurityDriverOpen(virConnectPtr conn, virSecurityDriverPtr drv) SELinuxSecurityDriverOpen(virSecurityDriverPtr drv)
{ {
/* /*
* Where will the DOI come from? SELinux configuration, or qemu * Where will the DOI come from? SELinux configuration, or qemu
* configuration? For the moment, we'll just set it to "0". * configuration? For the moment, we'll just set it to "0".
*/ */
virSecurityDriverSetDOI(conn, drv, SECURITY_SELINUX_VOID_DOI); virSecurityDriverSetDOI(drv, SECURITY_SELINUX_VOID_DOI);
return SELinuxInitialize(); return SELinuxInitialize();
} }
static int static int
SELinuxGetSecurityProcessLabel(virConnectPtr conn, SELinuxGetSecurityProcessLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virSecurityLabelPtr sec) virSecurityLabelPtr sec)
{ {
security_context_t ctx; security_context_t ctx;
@ -291,7 +288,7 @@ SELinuxGetSecurityProcessLabel(virConnectPtr conn,
} }
if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) { if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("security label exceeds " _("security label exceeds "
"maximum length: %d"), "maximum length: %d"),
VIR_SECURITY_LABEL_BUFLEN - 1); VIR_SECURITY_LABEL_BUFLEN - 1);
@ -380,8 +377,7 @@ err:
} }
static int static int
SELinuxRestoreSecurityImageLabel(virConnectPtr conn ATTRIBUTE_UNUSED, SELinuxRestoreSecurityImageLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
@ -407,8 +403,7 @@ SELinuxRestoreSecurityImageLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
} }
static int static int
SELinuxSetSecurityImageLabel(virConnectPtr conn ATTRIBUTE_UNUSED, SELinuxSetSecurityImageLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
@ -482,8 +477,7 @@ SELinuxSetSecurityUSBLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
} }
static int static int
SELinuxSetSecurityHostdevLabel(virConnectPtr conn, SELinuxSetSecurityHostdevLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
@ -506,7 +500,7 @@ SELinuxSetSecurityHostdevLabel(virConnectPtr conn,
if (!usb) if (!usb)
goto done; goto done;
ret = usbDeviceFileIterate(conn, usb, SELinuxSetSecurityUSBLabel, vm); ret = usbDeviceFileIterate(NULL, usb, SELinuxSetSecurityUSBLabel, vm);
usbFreeDevice(usb); usbFreeDevice(usb);
break; break;
} }
@ -520,7 +514,7 @@ SELinuxSetSecurityHostdevLabel(virConnectPtr conn,
if (!pci) if (!pci)
goto done; goto done;
ret = pciDeviceFileIterate(conn, pci, SELinuxSetSecurityPCILabel, vm); ret = pciDeviceFileIterate(NULL, pci, SELinuxSetSecurityPCILabel, vm);
pciFreeDevice(pci); pciFreeDevice(pci);
break; break;
@ -555,8 +549,7 @@ SELinuxRestoreSecurityUSBLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
} }
static int static int
SELinuxRestoreSecurityHostdevLabel(virConnectPtr conn, SELinuxRestoreSecurityHostdevLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
virDomainHostdevDefPtr dev) virDomainHostdevDefPtr dev)
{ {
@ -579,7 +572,7 @@ SELinuxRestoreSecurityHostdevLabel(virConnectPtr conn,
if (!usb) if (!usb)
goto done; goto done;
ret = usbDeviceFileIterate(conn, usb, SELinuxRestoreSecurityUSBLabel, NULL); ret = usbDeviceFileIterate(NULL, usb, SELinuxRestoreSecurityUSBLabel, NULL);
usbFreeDevice(usb); usbFreeDevice(usb);
break; break;
@ -594,7 +587,7 @@ SELinuxRestoreSecurityHostdevLabel(virConnectPtr conn,
if (!pci) if (!pci)
goto done; goto done;
ret = pciDeviceFileIterate(conn, pci, SELinuxRestoreSecurityPCILabel, NULL); ret = pciDeviceFileIterate(NULL, pci, SELinuxRestoreSecurityPCILabel, NULL);
pciFreeDevice(pci); pciFreeDevice(pci);
break; break;
@ -610,8 +603,7 @@ done:
} }
static int static int
SELinuxRestoreSecurityAllLabel(virConnectPtr conn, SELinuxRestoreSecurityAllLabel(virDomainObjPtr vm)
virDomainObjPtr vm)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int i; int i;
@ -623,11 +615,11 @@ SELinuxRestoreSecurityAllLabel(virConnectPtr conn,
return 0; return 0;
for (i = 0 ; i < vm->def->nhostdevs ; i++) { for (i = 0 ; i < vm->def->nhostdevs ; i++) {
if (SELinuxRestoreSecurityHostdevLabel(conn, vm, vm->def->hostdevs[i]) < 0) if (SELinuxRestoreSecurityHostdevLabel(vm, vm->def->hostdevs[i]) < 0)
rc = -1; rc = -1;
} }
for (i = 0 ; i < vm->def->ndisks ; i++) { for (i = 0 ; i < vm->def->ndisks ; i++) {
if (SELinuxRestoreSecurityImageLabel(conn, vm, if (SELinuxRestoreSecurityImageLabel(vm,
vm->def->disks[i]) < 0) vm->def->disks[i]) < 0)
rc = -1; rc = -1;
} }
@ -636,8 +628,7 @@ SELinuxRestoreSecurityAllLabel(virConnectPtr conn,
} }
static int static int
SELinuxReleaseSecurityLabel(virConnectPtr conn ATTRIBUTE_UNUSED, SELinuxReleaseSecurityLabel(virDomainObjPtr vm)
virDomainObjPtr vm)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
@ -659,8 +650,7 @@ SELinuxReleaseSecurityLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
static int static int
SELinuxSetSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED, SELinuxSetSavedStateLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
const char *savefile) const char *savefile)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
@ -673,8 +663,7 @@ SELinuxSetSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
static int static int
SELinuxRestoreSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED, SELinuxRestoreSavedStateLabel(virDomainObjPtr vm,
virDomainObjPtr vm,
const char *savefile) const char *savefile)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
@ -687,12 +676,12 @@ SELinuxRestoreSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
static int static int
SELinuxSecurityVerify(virConnectPtr conn, virDomainDefPtr def) SELinuxSecurityVerify(virDomainDefPtr def)
{ {
const virSecurityLabelDefPtr secdef = &def->seclabel; const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) { if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
if (security_check_context(secdef->label) != 0) { if (security_check_context(secdef->label) != 0) {
virSecurityReportError(conn, VIR_ERR_XML_ERROR, virSecurityReportError(VIR_ERR_XML_ERROR,
_("Invalid security label %s"), secdef->label); _("Invalid security label %s"), secdef->label);
return -1; return -1;
} }
@ -701,8 +690,7 @@ SELinuxSecurityVerify(virConnectPtr conn, virDomainDefPtr def)
} }
static int static int
SELinuxSetSecurityProcessLabel(virConnectPtr conn, SELinuxSetSecurityProcessLabel(virSecurityDriverPtr drv,
virSecurityDriverPtr drv,
virDomainObjPtr vm) virDomainObjPtr vm)
{ {
/* TODO: verify DOI */ /* TODO: verify DOI */
@ -712,7 +700,7 @@ SELinuxSetSecurityProcessLabel(virConnectPtr conn,
return 0; return 0;
if (!STREQ(drv->name, secdef->model)) { if (!STREQ(drv->name, secdef->model)) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("security label driver mismatch: " _("security label driver mismatch: "
"'%s' model configured for domain, but " "'%s' model configured for domain, but "
"hypervisor driver is '%s'."), "hypervisor driver is '%s'."),
@ -733,8 +721,7 @@ SELinuxSetSecurityProcessLabel(virConnectPtr conn,
} }
static int static int
SELinuxSetSecurityAllLabel(virConnectPtr conn, SELinuxSetSecurityAllLabel(virDomainObjPtr vm)
virDomainObjPtr vm)
{ {
const virSecurityLabelDefPtr secdef = &vm->def->seclabel; const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int i; int i;
@ -749,11 +736,11 @@ SELinuxSetSecurityAllLabel(virConnectPtr conn,
vm->def->disks[i]->src, vm->def->disks[i]->dst); vm->def->disks[i]->src, vm->def->disks[i]->dst);
continue; continue;
} }
if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0) if (SELinuxSetSecurityImageLabel(vm, vm->def->disks[i]) < 0)
return -1; return -1;
} }
for (i = 0 ; i < vm->def->nhostdevs ; i++) { for (i = 0 ; i < vm->def->nhostdevs ; i++) {
if (SELinuxSetSecurityHostdevLabel(conn, vm, vm->def->hostdevs[i]) < 0) if (SELinuxSetSecurityHostdevLabel(vm, vm->def->hostdevs[i]) < 0)
return -1; return -1;
} }