mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-23 22:25:25 +00:00
qemu-security: add qemuSecurityCommandRun()
Add a generic way to run a command through the security management. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
parent
13e6083efa
commit
e595c4e916
@ -479,21 +479,10 @@ qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver,
|
|||||||
goto cleanup_abort;
|
goto cleanup_abort;
|
||||||
transactionStarted = false;
|
transactionStarted = false;
|
||||||
|
|
||||||
if (virSecurityManagerSetChildProcessLabel(driver->securityManager,
|
if (qemuSecurityCommandRun(driver, vm, cmd, uid, gid, exitstatus, cmdret) < 0)
|
||||||
vm->def, cmd) < 0)
|
|
||||||
goto cleanup;
|
|
||||||
|
|
||||||
if (virSecurityManagerPreFork(driver->securityManager) < 0)
|
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
/* make sure we run this with the appropriate user */
|
|
||||||
virCommandSetUID(cmd, uid);
|
|
||||||
virCommandSetGID(cmd, gid);
|
|
||||||
|
|
||||||
*cmdret = virCommandRun(cmd, exitstatus);
|
|
||||||
|
|
||||||
virSecurityManagerPostFork(driver->securityManager);
|
|
||||||
|
|
||||||
if (*cmdret < 0)
|
if (*cmdret < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
@ -632,3 +621,48 @@ qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver,
|
|||||||
virSecurityManagerTransactionAbort(driver->securityManager);
|
virSecurityManagerTransactionAbort(driver->securityManager);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* qemuSecurityCommandRun:
|
||||||
|
* @driver: the QEMU driver
|
||||||
|
* @vm: the domain object
|
||||||
|
* @cmd: the command to run
|
||||||
|
* @uid: the uid to force
|
||||||
|
* @gid: the gid to force
|
||||||
|
* @existstatus: pointer to int returning exit status of process
|
||||||
|
* @cmdret: pointer to int returning result of virCommandRun
|
||||||
|
*
|
||||||
|
* Run @cmd with seclabels set on it. If @uid and/or @gid are not
|
||||||
|
* -1 then their value is enforced.
|
||||||
|
*
|
||||||
|
* Returns: 0 on success,
|
||||||
|
* -1 otherwise.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
qemuSecurityCommandRun(virQEMUDriverPtr driver,
|
||||||
|
virDomainObjPtr vm,
|
||||||
|
virCommandPtr cmd,
|
||||||
|
uid_t uid,
|
||||||
|
gid_t gid,
|
||||||
|
int *exitstatus,
|
||||||
|
int *cmdret)
|
||||||
|
{
|
||||||
|
if (virSecurityManagerSetChildProcessLabel(driver->securityManager,
|
||||||
|
vm->def, cmd) < 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
if (uid != (uid_t) -1)
|
||||||
|
virCommandSetUID(cmd, uid);
|
||||||
|
if (gid != (gid_t) -1)
|
||||||
|
virCommandSetGID(cmd, gid);
|
||||||
|
|
||||||
|
if (virSecurityManagerPreFork(driver->securityManager) < 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
*cmdret = virCommandRun(cmd, exitstatus);
|
||||||
|
|
||||||
|
virSecurityManagerPostFork(driver->securityManager);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
@ -101,6 +101,14 @@ int qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver,
|
|||||||
virDomainObjPtr vm,
|
virDomainObjPtr vm,
|
||||||
const char *savefile);
|
const char *savefile);
|
||||||
|
|
||||||
|
int qemuSecurityCommandRun(virQEMUDriverPtr driver,
|
||||||
|
virDomainObjPtr vm,
|
||||||
|
virCommandPtr cmd,
|
||||||
|
uid_t uid,
|
||||||
|
gid_t gid,
|
||||||
|
int *exitstatus,
|
||||||
|
int *cmdret);
|
||||||
|
|
||||||
/* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
|
/* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
|
||||||
* new APIs here. If an API can touch a file add a proper wrapper instead.
|
* new APIs here. If an API can touch a file add a proper wrapper instead.
|
||||||
*/
|
*/
|
||||||
|
Loading…
Reference in New Issue
Block a user