qemu-security: add qemuSecurityCommandRun()

Add a generic way to run a command through the security management.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Marc-André Lureau 2019-08-08 18:54:59 +04:00 committed by Michal Privoznik
parent 13e6083efa
commit e595c4e916
2 changed files with 54 additions and 12 deletions

View File

@ -479,21 +479,10 @@ qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver,
goto cleanup_abort; goto cleanup_abort;
transactionStarted = false; transactionStarted = false;
if (virSecurityManagerSetChildProcessLabel(driver->securityManager, if (qemuSecurityCommandRun(driver, vm, cmd, uid, gid, exitstatus, cmdret) < 0)
vm->def, cmd) < 0)
goto cleanup;
if (virSecurityManagerPreFork(driver->securityManager) < 0)
goto cleanup; goto cleanup;
ret = 0; ret = 0;
/* make sure we run this with the appropriate user */
virCommandSetUID(cmd, uid);
virCommandSetGID(cmd, gid);
*cmdret = virCommandRun(cmd, exitstatus);
virSecurityManagerPostFork(driver->securityManager);
if (*cmdret < 0) if (*cmdret < 0)
goto cleanup; goto cleanup;
@ -632,3 +621,48 @@ qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver,
virSecurityManagerTransactionAbort(driver->securityManager); virSecurityManagerTransactionAbort(driver->securityManager);
return ret; return ret;
} }
/**
* qemuSecurityCommandRun:
* @driver: the QEMU driver
* @vm: the domain object
* @cmd: the command to run
* @uid: the uid to force
* @gid: the gid to force
* @existstatus: pointer to int returning exit status of process
* @cmdret: pointer to int returning result of virCommandRun
*
* Run @cmd with seclabels set on it. If @uid and/or @gid are not
* -1 then their value is enforced.
*
* Returns: 0 on success,
* -1 otherwise.
*/
int
qemuSecurityCommandRun(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virCommandPtr cmd,
uid_t uid,
gid_t gid,
int *exitstatus,
int *cmdret)
{
if (virSecurityManagerSetChildProcessLabel(driver->securityManager,
vm->def, cmd) < 0)
return -1;
if (uid != (uid_t) -1)
virCommandSetUID(cmd, uid);
if (gid != (gid_t) -1)
virCommandSetGID(cmd, gid);
if (virSecurityManagerPreFork(driver->securityManager) < 0)
return -1;
*cmdret = virCommandRun(cmd, exitstatus);
virSecurityManagerPostFork(driver->securityManager);
return 0;
}

View File

@ -101,6 +101,14 @@ int qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm, virDomainObjPtr vm,
const char *savefile); const char *savefile);
int qemuSecurityCommandRun(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virCommandPtr cmd,
uid_t uid,
gid_t gid,
int *exitstatus,
int *cmdret);
/* Please note that for these APIs there is no wrapper yet. Do NOT blindly add /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
* new APIs here. If an API can touch a file add a proper wrapper instead. * new APIs here. If an API can touch a file add a proper wrapper instead.
*/ */