security: don't relabel chardev source if virtlogd is used as stdio handler
When virtlogd is used as the stdio handler, we pass QEMU only an FD to a pipe connected to virtlogd instead of the file itself. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1430988 Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
parent
fcd922427c
commit
e13e8808f9
@ -852,7 +852,7 @@ int virLXCProcessStop(virLXCDriverPtr driver,
|
|||||||
}
|
}
|
||||||
|
|
||||||
virSecurityManagerRestoreAllLabel(driver->securityManager,
|
virSecurityManagerRestoreAllLabel(driver->securityManager,
|
||||||
vm->def, false);
|
vm->def, false, false);
|
||||||
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
|
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
|
||||||
/* Clear out dynamically assigned labels */
|
/* Clear out dynamically assigned labels */
|
||||||
if (vm->def->nseclabels &&
|
if (vm->def->nseclabels &&
|
||||||
@ -1349,7 +1349,7 @@ int virLXCProcessStart(virConnectPtr conn,
|
|||||||
|
|
||||||
VIR_DEBUG("Setting domain security labels");
|
VIR_DEBUG("Setting domain security labels");
|
||||||
if (virSecurityManagerSetAllLabel(driver->securityManager,
|
if (virSecurityManagerSetAllLabel(driver->securityManager,
|
||||||
vm->def, NULL) < 0)
|
vm->def, NULL, false) < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
VIR_DEBUG("Setting up consoles");
|
VIR_DEBUG("Setting up consoles");
|
||||||
@ -1578,7 +1578,7 @@ int virLXCProcessStart(virConnectPtr conn,
|
|||||||
virLXCProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_FAILED);
|
virLXCProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_FAILED);
|
||||||
} else {
|
} else {
|
||||||
virSecurityManagerRestoreAllLabel(driver->securityManager,
|
virSecurityManagerRestoreAllLabel(driver->securityManager,
|
||||||
vm->def, false);
|
vm->def, false, false);
|
||||||
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
|
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
|
||||||
/* Clear out dynamically assigned labels */
|
/* Clear out dynamically assigned labels */
|
||||||
if (vm->def->nseclabels &&
|
if (vm->def->nseclabels &&
|
||||||
|
@ -38,6 +38,7 @@ qemuSecuritySetAllLabel(virQEMUDriverPtr driver,
|
|||||||
const char *stdin_path)
|
const char *stdin_path)
|
||||||
{
|
{
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
|
qemuDomainObjPrivatePtr priv = vm->privateData;
|
||||||
|
|
||||||
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
|
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
|
||||||
virSecurityManagerTransactionStart(driver->securityManager) < 0)
|
virSecurityManagerTransactionStart(driver->securityManager) < 0)
|
||||||
@ -45,7 +46,8 @@ qemuSecuritySetAllLabel(virQEMUDriverPtr driver,
|
|||||||
|
|
||||||
if (virSecurityManagerSetAllLabel(driver->securityManager,
|
if (virSecurityManagerSetAllLabel(driver->securityManager,
|
||||||
vm->def,
|
vm->def,
|
||||||
stdin_path) < 0)
|
stdin_path,
|
||||||
|
priv->chardevStdioLogd) < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
|
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
|
||||||
@ -65,6 +67,8 @@ qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver,
|
|||||||
virDomainObjPtr vm,
|
virDomainObjPtr vm,
|
||||||
bool migrated)
|
bool migrated)
|
||||||
{
|
{
|
||||||
|
qemuDomainObjPrivatePtr priv = vm->privateData;
|
||||||
|
|
||||||
/* In contrast to qemuSecuritySetAllLabel, do not use
|
/* In contrast to qemuSecuritySetAllLabel, do not use
|
||||||
* secdriver transactions here. This function is called from
|
* secdriver transactions here. This function is called from
|
||||||
* qemuProcessStop() which is meant to do cleanup after qemu
|
* qemuProcessStop() which is meant to do cleanup after qemu
|
||||||
@ -73,7 +77,8 @@ qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver,
|
|||||||
* in entering the namespace then. */
|
* in entering the namespace then. */
|
||||||
virSecurityManagerRestoreAllLabel(driver->securityManager,
|
virSecurityManagerRestoreAllLabel(driver->securityManager,
|
||||||
vm->def,
|
vm->def,
|
||||||
migrated);
|
migrated,
|
||||||
|
priv->chardevStdioLogd);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
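Review bot: qemuSecurityRestoreAllLabel now reads `priv->chardevStdioLogd` at stop time to decide which chardev labels get restored, so that value has to be the one that was in effect when qemuSecuritySetAllLabel ran; whether the flag survives a daemon restart between the two calls is not visible here and is worth confirming, since a mismatch would leave host-side chardev labels either unrestored or touched although they were never set. A short comment on the new argument line, e.g. `/* must match the value passed to qemuSecuritySetAllLabel at start */`, would record that dependency for the next reader. Both function bodies continue outside the hunks.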
|
@ -489,7 +489,9 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|||||||
|
|
||||||
static int
|
static int
|
||||||
AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
|
AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def, const char *stdin_path)
|
virDomainDefPtr def,
|
||||||
|
const char *stdin_path,
|
||||||
|
bool chardevStdioLogd ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
|
virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def,
|
||||||
SECURITY_APPARMOR_NAME);
|
SECURITY_APPARMOR_NAME);
|
||||||
@ -567,7 +569,8 @@ AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|||||||
static int
|
static int
|
||||||
AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
bool migrated ATTRIBUTE_UNUSED)
|
bool migrated ATTRIBUTE_UNUSED,
|
||||||
|
bool chardevStdioLogd ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
virSecurityLabelDefPtr secdef =
|
virSecurityLabelDefPtr secdef =
|
||||||
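Review bot: AppArmorSetSecurityAllLabel and AppArmorRestoreSecurityAllLabel take the new `chardevStdioLogd` parameter as `ATTRIBUTE_UNUSED` and never consult it, so this driver behaves the same whether or not virtlogd handles the chardev stdio. If that is intentional because the AppArmor driver does not relabel chardev sources in these functions, a one-line comment next to the parameter, e.g. `/* unused: this driver does not relabel chardev sources here */`, would save readers from checking; otherwise the flag needs to be honoured the way the DAC and SELinux drivers do. Both function bodies continue outside the hunks.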
|
@ -1159,7 +1159,8 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr,
|
|||||||
static int
|
static int
|
||||||
virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
|
virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virDomainChrSourceDefPtr dev_source)
|
virDomainChrSourceDefPtr dev_source,
|
||||||
|
bool chardevStdioLogd)
|
||||||
|
|
||||||
{
|
{
|
||||||
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||||
@ -1178,6 +1179,9 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
|
|||||||
if (chr_seclabel && !chr_seclabel->relabel)
|
if (chr_seclabel && !chr_seclabel->relabel)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
if (!chr_seclabel && chardevStdioLogd)
|
||||||
|
return 0;
|
||||||
|
|
||||||
if (chr_seclabel && chr_seclabel->label) {
|
if (chr_seclabel && chr_seclabel->label) {
|
||||||
if (virParseOwnershipIds(chr_seclabel->label, &user, &group) < 0)
|
if (virParseOwnershipIds(chr_seclabel->label, &user, &group) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
@ -1243,7 +1247,8 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
|
|||||||
static int
|
static int
|
||||||
virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr,
|
virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def ATTRIBUTE_UNUSED,
|
virDomainDefPtr def ATTRIBUTE_UNUSED,
|
||||||
virDomainChrSourceDefPtr dev_source)
|
virDomainChrSourceDefPtr dev_source,
|
||||||
|
bool chardevStdioLogd)
|
||||||
{
|
{
|
||||||
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||||
virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
|
virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
|
||||||
@ -1256,6 +1261,9 @@ virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr,
|
|||||||
if (chr_seclabel && !chr_seclabel->relabel)
|
if (chr_seclabel && !chr_seclabel->relabel)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
if (!chr_seclabel && chardevStdioLogd)
|
||||||
|
return 0;
|
||||||
|
|
||||||
switch ((virDomainChrType) dev_source->type) {
|
switch ((virDomainChrType) dev_source->type) {
|
||||||
case VIR_DOMAIN_CHR_TYPE_DEV:
|
case VIR_DOMAIN_CHR_TYPE_DEV:
|
||||||
case VIR_DOMAIN_CHR_TYPE_FILE:
|
case VIR_DOMAIN_CHR_TYPE_FILE:
|
||||||
@ -1298,14 +1306,21 @@ virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
struct _virSecuritySELinuxChardevCallbackData {
|
||||||
|
virSecurityManagerPtr mgr;
|
||||||
|
bool chardevStdioLogd;
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecurityDACRestoreChardevCallback(virDomainDefPtr def,
|
virSecurityDACRestoreChardevCallback(virDomainDefPtr def,
|
||||||
virDomainChrDefPtr dev ATTRIBUTE_UNUSED,
|
virDomainChrDefPtr dev ATTRIBUTE_UNUSED,
|
||||||
void *opaque)
|
void *opaque)
|
||||||
{
|
{
|
||||||
virSecurityManagerPtr mgr = opaque;
|
struct _virSecuritySELinuxChardevCallbackData *data = opaque;
|
||||||
|
|
||||||
return virSecurityDACRestoreChardevLabel(mgr, def, dev->source);
|
return virSecurityDACRestoreChardevLabel(data->mgr, def, dev->source,
|
||||||
|
data->chardevStdioLogd);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -1319,7 +1334,8 @@ virSecurityDACSetTPMFileLabel(virSecurityManagerPtr mgr,
|
|||||||
switch (tpm->type) {
|
switch (tpm->type) {
|
||||||
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
|
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
|
||||||
ret = virSecurityDACSetChardevLabel(mgr, def,
|
ret = virSecurityDACSetChardevLabel(mgr, def,
|
||||||
&tpm->data.passthrough.source);
|
&tpm->data.passthrough.source,
|
||||||
|
false);
|
||||||
break;
|
break;
|
||||||
case VIR_DOMAIN_TPM_TYPE_LAST:
|
case VIR_DOMAIN_TPM_TYPE_LAST:
|
||||||
break;
|
break;
|
||||||
@ -1339,7 +1355,8 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
|
|||||||
switch (tpm->type) {
|
switch (tpm->type) {
|
||||||
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
|
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
|
||||||
ret = virSecurityDACRestoreChardevLabel(mgr, def,
|
ret = virSecurityDACRestoreChardevLabel(mgr, def,
|
||||||
&tpm->data.passthrough.source);
|
&tpm->data.passthrough.source,
|
||||||
|
false);
|
||||||
break;
|
break;
|
||||||
case VIR_DOMAIN_TPM_TYPE_LAST:
|
case VIR_DOMAIN_TPM_TYPE_LAST:
|
||||||
break;
|
break;
|
||||||
@ -1436,7 +1453,8 @@ virSecurityDACRestoreMemoryLabel(virSecurityManagerPtr mgr,
|
|||||||
static int
|
static int
|
||||||
virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
|
virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
bool migrated)
|
bool migrated,
|
||||||
|
bool chardevStdioLogd)
|
||||||
{
|
{
|
||||||
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||||
virSecurityLabelDefPtr secdef;
|
virSecurityLabelDefPtr secdef;
|
||||||
@ -1479,10 +1497,15 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
|
|||||||
rc = -1;
|
rc = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
struct _virSecuritySELinuxChardevCallbackData chardevData = {
|
||||||
|
.mgr = mgr,
|
||||||
|
.chardevStdioLogd = chardevStdioLogd,
|
||||||
|
};
|
||||||
|
|
||||||
if (virDomainChrDefForeach(def,
|
if (virDomainChrDefForeach(def,
|
||||||
false,
|
false,
|
||||||
virSecurityDACRestoreChardevCallback,
|
virSecurityDACRestoreChardevCallback,
|
||||||
mgr) < 0)
|
&chardevData) < 0)
|
||||||
rc = -1;
|
rc = -1;
|
||||||
|
|
||||||
if (def->tpm) {
|
if (def->tpm) {
|
||||||
@ -1505,9 +1528,10 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def,
|
|||||||
virDomainChrDefPtr dev ATTRIBUTE_UNUSED,
|
virDomainChrDefPtr dev ATTRIBUTE_UNUSED,
|
||||||
void *opaque)
|
void *opaque)
|
||||||
{
|
{
|
||||||
virSecurityManagerPtr mgr = opaque;
|
struct _virSecuritySELinuxChardevCallbackData *data = opaque;
|
||||||
|
|
||||||
return virSecurityDACSetChardevLabel(mgr, def, dev->source);
|
return virSecurityDACSetChardevLabel(data->mgr, def, dev->source,
|
||||||
|
data->chardevStdioLogd);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -1549,7 +1573,8 @@ virSecurityDACSetMemoryLabel(virSecurityManagerPtr mgr,
|
|||||||
static int
|
static int
|
||||||
virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
|
virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
const char *stdin_path ATTRIBUTE_UNUSED)
|
const char *stdin_path ATTRIBUTE_UNUSED,
|
||||||
|
bool chardevStdioLogd)
|
||||||
{
|
{
|
||||||
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||||
virSecurityLabelDefPtr secdef;
|
virSecurityLabelDefPtr secdef;
|
||||||
@ -1592,10 +1617,15 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
struct _virSecuritySELinuxChardevCallbackData chardevData = {
|
||||||
|
.mgr = mgr,
|
||||||
|
.chardevStdioLogd = chardevStdioLogd,
|
||||||
|
};
|
||||||
|
|
||||||
if (virDomainChrDefForeach(def,
|
if (virDomainChrDefForeach(def,
|
||||||
true,
|
true,
|
||||||
virSecurityDACSetChardevCallback,
|
virSecurityDACSetChardevCallback,
|
||||||
mgr) < 0)
|
&chardevData) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
if (def->tpm) {
|
if (def->tpm) {
|
||||||
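Review bot: The new early return `if (!chr_seclabel && chardevStdioLogd) return 0;` in virSecurityDACSetChardevLabel and virSecurityDACRestoreChardevLabel sits before the `switch ((virDomainChrType) dev_source->type)` and therefore skips every source type, although the description says virtlogd only replaces the file itself with a pipe; a `VIR_DOMAIN_CHR_TYPE_DEV` source (and the other cases of that switch) without a per-device seclabel would then be left unlabelled at start and unrestored at stop. If that reading is right, the guard should be narrowed to `if (!chr_seclabel && chardevStdioLogd && dev_source->type == VIR_DOMAIN_CHR_TYPE_FILE) return 0;`, and the same applies to virSecuritySELinuxSetChardevLabel and virSecuritySELinuxRestoreChardevLabel in the SELinux section below. Separately, the callback-data struct introduced in this file is tagged `struct _virSecuritySELinuxChardevCallbackData` although it lives in the DAC driver; renaming it to `struct _virSecurityDACChardevCallbackData` at its definition and its three uses would avoid misleading readers. The bodies of both chardev functions continue outside the hunks.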
|
@ -91,10 +91,12 @@ typedef int (*virSecurityDomainReleaseLabel) (virSecurityManagerPtr mgr,
|
|||||||
virDomainDefPtr sec);
|
virDomainDefPtr sec);
|
||||||
typedef int (*virSecurityDomainSetAllLabel) (virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainSetAllLabel) (virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr sec,
|
virDomainDefPtr sec,
|
||||||
const char *stdin_path);
|
const char *stdin_path,
|
||||||
|
bool chardevStdioLogd);
|
||||||
typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
bool migrated);
|
bool migrated,
|
||||||
|
bool chardevStdioLogd);
|
||||||
typedef int (*virSecurityDomainGetProcessLabel) (virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainGetProcessLabel) (virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
pid_t pid,
|
pid_t pid,
|
||||||
|
@ -856,12 +856,14 @@ int virSecurityManagerCheckAllLabel(virSecurityManagerPtr mgr,
|
|||||||
int
|
int
|
||||||
virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
|
virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
const char *stdin_path)
|
const char *stdin_path,
|
||||||
|
bool chardevStdioLogd)
|
||||||
{
|
{
|
||||||
if (mgr->drv->domainSetSecurityAllLabel) {
|
if (mgr->drv->domainSetSecurityAllLabel) {
|
||||||
int ret;
|
int ret;
|
||||||
virObjectLock(mgr);
|
virObjectLock(mgr);
|
||||||
ret = mgr->drv->domainSetSecurityAllLabel(mgr, vm, stdin_path);
|
ret = mgr->drv->domainSetSecurityAllLabel(mgr, vm, stdin_path,
|
||||||
|
chardevStdioLogd);
|
||||||
virObjectUnlock(mgr);
|
virObjectUnlock(mgr);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@ -874,12 +876,14 @@ virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
|
|||||||
int
|
int
|
||||||
virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
|
virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
bool migrated)
|
bool migrated,
|
||||||
|
bool chardevStdioLogd)
|
||||||
{
|
{
|
||||||
if (mgr->drv->domainRestoreSecurityAllLabel) {
|
if (mgr->drv->domainRestoreSecurityAllLabel) {
|
||||||
int ret;
|
int ret;
|
||||||
virObjectLock(mgr);
|
virObjectLock(mgr);
|
||||||
ret = mgr->drv->domainRestoreSecurityAllLabel(mgr, vm, migrated);
|
ret = mgr->drv->domainRestoreSecurityAllLabel(mgr, vm, migrated,
|
||||||
|
chardevStdioLogd);
|
||||||
virObjectUnlock(mgr);
|
virObjectUnlock(mgr);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
@ -130,10 +130,12 @@ int virSecurityManagerCheckAllLabel(virSecurityManagerPtr mgr,
|
|||||||
virDomainDefPtr sec);
|
virDomainDefPtr sec);
|
||||||
int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
|
int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr sec,
|
virDomainDefPtr sec,
|
||||||
const char *stdin_path);
|
const char *stdin_path,
|
||||||
|
bool chardevStdioLogd);
|
||||||
int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
|
int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
bool migrated);
|
bool migrated,
|
||||||
|
bool chardevStdioLogd);
|
||||||
int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
|
int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
pid_t pid,
|
pid_t pid,
|
||||||
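Review bot: The new `bool chardevStdioLogd` parameter on virSecurityManagerSetAllLabel and virSecurityManagerRestoreAllLabel is undocumented in the public header, and the name alone does not tell a caller what a driver does with it. A comment above each declaration, e.g. `/* chardevStdioLogd: true when chardev stdio is handled by virtlogd; drivers then skip labelling chardev sources that carry no explicit per-device seclabel */`, would state the contract the DAC and SELinux implementations follow; the same applies to the two function-pointer typedefs in the driver-interface header section above.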
|
@ -151,7 +151,8 @@ virSecurityDomainReleaseLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|||||||
static int
|
static int
|
||||||
virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||||
virDomainDefPtr sec ATTRIBUTE_UNUSED,
|
virDomainDefPtr sec ATTRIBUTE_UNUSED,
|
||||||
const char *stdin_path ATTRIBUTE_UNUSED)
|
const char *stdin_path ATTRIBUTE_UNUSED,
|
||||||
|
bool chardevStdioLogd ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -159,7 +160,8 @@ virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|||||||
static int
|
static int
|
||||||
virSecurityDomainRestoreAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
virSecurityDomainRestoreAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||||
virDomainDefPtr vm ATTRIBUTE_UNUSED,
|
virDomainDefPtr vm ATTRIBUTE_UNUSED,
|
||||||
bool migrated ATTRIBUTE_UNUSED)
|
bool migrated ATTRIBUTE_UNUSED,
|
||||||
|
bool chardevStdioLogd ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -2179,7 +2179,8 @@ virSecuritySELinuxRestoreHostdevLabel(virSecurityManagerPtr mgr,
|
|||||||
static int
|
static int
|
||||||
virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr,
|
virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virDomainChrSourceDefPtr dev_source)
|
virDomainChrSourceDefPtr dev_source,
|
||||||
|
bool chardevStdioLogd)
|
||||||
|
|
||||||
{
|
{
|
||||||
virSecurityLabelDefPtr seclabel;
|
virSecurityLabelDefPtr seclabel;
|
||||||
@ -2198,6 +2199,9 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr,
|
|||||||
if (chr_seclabel && !chr_seclabel->relabel)
|
if (chr_seclabel && !chr_seclabel->relabel)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
if (!chr_seclabel && chardevStdioLogd)
|
||||||
|
return 0;
|
||||||
|
|
||||||
if (chr_seclabel)
|
if (chr_seclabel)
|
||||||
imagelabel = chr_seclabel->label;
|
imagelabel = chr_seclabel->label;
|
||||||
if (!imagelabel)
|
if (!imagelabel)
|
||||||
@ -2252,7 +2256,8 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr,
|
|||||||
static int
|
static int
|
||||||
virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
|
virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virDomainChrSourceDefPtr dev_source)
|
virDomainChrSourceDefPtr dev_source,
|
||||||
|
bool chardevStdioLogd)
|
||||||
|
|
||||||
{
|
{
|
||||||
virSecurityLabelDefPtr seclabel;
|
virSecurityLabelDefPtr seclabel;
|
||||||
@ -2269,6 +2274,9 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
|
|||||||
if (chr_seclabel && !chr_seclabel->relabel)
|
if (chr_seclabel && !chr_seclabel->relabel)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
if (!chr_seclabel && chardevStdioLogd)
|
||||||
|
return 0;
|
||||||
|
|
||||||
switch (dev_source->type) {
|
switch (dev_source->type) {
|
||||||
case VIR_DOMAIN_CHR_TYPE_DEV:
|
case VIR_DOMAIN_CHR_TYPE_DEV:
|
||||||
case VIR_DOMAIN_CHR_TYPE_FILE:
|
case VIR_DOMAIN_CHR_TYPE_FILE:
|
||||||
@ -2312,14 +2320,21 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
struct _virSecuritySELinuxChardevCallbackData {
|
||||||
|
virSecurityManagerPtr mgr;
|
||||||
|
bool chardevStdioLogd;
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecuritySELinuxRestoreSecurityChardevCallback(virDomainDefPtr def,
|
virSecuritySELinuxRestoreSecurityChardevCallback(virDomainDefPtr def,
|
||||||
virDomainChrDefPtr dev ATTRIBUTE_UNUSED,
|
virDomainChrDefPtr dev ATTRIBUTE_UNUSED,
|
||||||
void *opaque)
|
void *opaque)
|
||||||
{
|
{
|
||||||
virSecurityManagerPtr mgr = opaque;
|
struct _virSecuritySELinuxChardevCallbackData *data = opaque;
|
||||||
|
|
||||||
return virSecuritySELinuxRestoreChardevLabel(mgr, def, dev->source);
|
return virSecuritySELinuxRestoreChardevLabel(data->mgr, def, dev->source,
|
||||||
|
data->chardevStdioLogd);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -2342,7 +2357,8 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
|
|||||||
return virSecuritySELinuxRestoreFileLabel(mgr, database);
|
return virSecuritySELinuxRestoreFileLabel(mgr, database);
|
||||||
|
|
||||||
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
|
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
|
||||||
return virSecuritySELinuxRestoreChardevLabel(mgr, def, dev->data.passthru);
|
return virSecuritySELinuxRestoreChardevLabel(mgr, def,
|
||||||
|
dev->data.passthru, false);
|
||||||
|
|
||||||
default:
|
default:
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
@ -2369,7 +2385,8 @@ virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
|
|||||||
static int
|
static int
|
||||||
virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
|
virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
bool migrated)
|
bool migrated,
|
||||||
|
bool chardevStdioLogd)
|
||||||
{
|
{
|
||||||
virSecurityLabelDefPtr secdef;
|
virSecurityLabelDefPtr secdef;
|
||||||
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
||||||
@ -2414,10 +2431,15 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
|
|||||||
rc = -1;
|
rc = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
struct _virSecuritySELinuxChardevCallbackData chardevData = {
|
||||||
|
.mgr = mgr,
|
||||||
|
.chardevStdioLogd = chardevStdioLogd
|
||||||
|
};
|
||||||
|
|
||||||
if (virDomainChrDefForeach(def,
|
if (virDomainChrDefForeach(def,
|
||||||
false,
|
false,
|
||||||
virSecuritySELinuxRestoreSecurityChardevCallback,
|
virSecuritySELinuxRestoreSecurityChardevCallback,
|
||||||
mgr) < 0)
|
&chardevData) < 0)
|
||||||
rc = -1;
|
rc = -1;
|
||||||
|
|
||||||
if (virDomainSmartcardDefForeach(def,
|
if (virDomainSmartcardDefForeach(def,
|
||||||
@ -2706,9 +2728,10 @@ virSecuritySELinuxSetSecurityChardevCallback(virDomainDefPtr def,
|
|||||||
virDomainChrDefPtr dev ATTRIBUTE_UNUSED,
|
virDomainChrDefPtr dev ATTRIBUTE_UNUSED,
|
||||||
void *opaque)
|
void *opaque)
|
||||||
{
|
{
|
||||||
virSecurityManagerPtr mgr = opaque;
|
struct _virSecuritySELinuxChardevCallbackData *data = opaque;
|
||||||
|
|
||||||
return virSecuritySELinuxSetChardevLabel(mgr, def, dev->source);
|
return virSecuritySELinuxSetChardevLabel(data->mgr, def, dev->source,
|
||||||
|
data->chardevStdioLogd);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -2733,7 +2756,7 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
|
|||||||
|
|
||||||
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
|
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
|
||||||
return virSecuritySELinuxSetChardevLabel(mgr, def,
|
return virSecuritySELinuxSetChardevLabel(mgr, def,
|
||||||
dev->data.passthru);
|
dev->data.passthru, false);
|
||||||
|
|
||||||
default:
|
default:
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
@ -2749,7 +2772,8 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
|
|||||||
static int
|
static int
|
||||||
virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
|
virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
const char *stdin_path)
|
const char *stdin_path,
|
||||||
|
bool chardevStdioLogd)
|
||||||
{
|
{
|
||||||
size_t i;
|
size_t i;
|
||||||
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
||||||
@ -2797,10 +2821,15 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
struct _virSecuritySELinuxChardevCallbackData chardevData = {
|
||||||
|
.mgr = mgr,
|
||||||
|
.chardevStdioLogd = chardevStdioLogd
|
||||||
|
};
|
||||||
|
|
||||||
if (virDomainChrDefForeach(def,
|
if (virDomainChrDefForeach(def,
|
||||||
true,
|
true,
|
||||||
virSecuritySELinuxSetSecurityChardevCallback,
|
virSecuritySELinuxSetSecurityChardevCallback,
|
||||||
mgr) < 0)
|
&chardevData) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
if (virDomainSmartcardDefForeach(def,
|
if (virDomainSmartcardDefForeach(def,
|
||||||
|
@ -350,14 +350,16 @@ virSecurityStackRestoreHostdevLabel(virSecurityManagerPtr mgr,
|
|||||||
static int
|
static int
|
||||||
virSecurityStackSetAllLabel(virSecurityManagerPtr mgr,
|
virSecurityStackSetAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
const char *stdin_path)
|
const char *stdin_path,
|
||||||
|
bool chardevStdioLogd)
|
||||||
{
|
{
|
||||||
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||||
virSecurityStackItemPtr item = priv->itemsHead;
|
virSecurityStackItemPtr item = priv->itemsHead;
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
|
||||||
for (; item; item = item->next) {
|
for (; item; item = item->next) {
|
||||||
if (virSecurityManagerSetAllLabel(item->securityManager, vm, stdin_path) < 0)
|
if (virSecurityManagerSetAllLabel(item->securityManager, vm,
|
||||||
|
stdin_path, chardevStdioLogd) < 0)
|
||||||
rc = -1;
|
rc = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -368,14 +370,16 @@ virSecurityStackSetAllLabel(virSecurityManagerPtr mgr,
|
|||||||
static int
|
static int
|
||||||
virSecurityStackRestoreAllLabel(virSecurityManagerPtr mgr,
|
virSecurityStackRestoreAllLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
bool migrated)
|
bool migrated,
|
||||||
|
bool chardevStdioLogd)
|
||||||
{
|
{
|
||||||
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||||
virSecurityStackItemPtr item = priv->itemsHead;
|
virSecurityStackItemPtr item = priv->itemsHead;
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
|
||||||
for (; item; item = item->next) {
|
for (; item; item = item->next) {
|
||||||
if (virSecurityManagerRestoreAllLabel(item->securityManager, vm, migrated) < 0)
|
if (virSecurityManagerRestoreAllLabel(item->securityManager, vm,
|
||||||
|
migrated, chardevStdioLogd) < 0)
|
||||||
rc = -1;
|
rc = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -313,7 +313,7 @@ testSELinuxLabeling(const void *opaque)
|
|||||||
if (!(def = testSELinuxLoadDef(testname)))
|
if (!(def = testSELinuxLoadDef(testname)))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (virSecurityManagerSetAllLabel(mgr, def, NULL) < 0)
|
if (virSecurityManagerSetAllLabel(mgr, def, NULL, false) < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (testSELinuxCheckLabels(files, nfiles) < 0)
|
if (testSELinuxCheckLabels(files, nfiles) < 0)
|
||||||
|
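Review bot: testSELinuxLabeling now passes `false` for chardevStdioLogd, so the new skip-labelling path is not exercised by any test in this commit. A second case that calls `virSecurityManagerSetAllLabel(mgr, def, NULL, true)` on a definition with a file-backed chardev lacking a per-device seclabel, and then checks through testSELinuxCheckLabels that the file keeps its original label, would pin the behaviour this fix introduces. The test body continues outside the hunk.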