qemu-security: add qemuSecurityCommandRun()

Add a generic way to run a command through the security management. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2024-12-23 14:15:28 +00:00 · 2019-08-08 18:54:59 +04:00 · 2019-08-08 18:54:59 +04:00 · e595c4e916
commit e595c4e916
parent 13e6083efa
2 changed files with 54 additions and 12 deletions
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@ -479,21 +479,10 @@ qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver,
        goto cleanup_abort;
    transactionStarted = false;

-    if (virSecurityManagerSetChildProcessLabel(driver->securityManager,
-                                               vm->def, cmd) < 0)
-        goto cleanup;
-
-    if (virSecurityManagerPreFork(driver->securityManager) < 0)
+    if (qemuSecurityCommandRun(driver, vm, cmd, uid, gid, exitstatus, cmdret) < 0)
        goto cleanup;

    ret = 0;
-    /* make sure we run this with the appropriate user */
-    virCommandSetUID(cmd, uid);
-    virCommandSetGID(cmd, gid);
-
-    *cmdret = virCommandRun(cmd, exitstatus);
-
-    virSecurityManagerPostFork(driver->securityManager);

    if (*cmdret < 0)
        goto cleanup;
@ -632,3 +621,48 @@ qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver,
    virSecurityManagerTransactionAbort(driver->securityManager);
    return ret;
 }
+
+
+/**
+ * qemuSecurityCommandRun:
+ * @driver: the QEMU driver
+ * @vm: the domain object
+ * @cmd: the command to run
+ * @uid: the uid to force
+ * @gid: the gid to force
+ * @existstatus: pointer to int returning exit status of process
+ * @cmdret: pointer to int returning result of virCommandRun
+ *
+ * Run @cmd with seclabels set on it. If @uid and/or @gid are not
+ * -1 then their value is enforced.
+ *
+ * Returns: 0 on success,
+ *         -1 otherwise.
+ */
+int
+qemuSecurityCommandRun(virQEMUDriverPtr driver,
+                       virDomainObjPtr vm,
+                       virCommandPtr cmd,
+                       uid_t uid,
+                       gid_t gid,
+                       int *exitstatus,
+                       int *cmdret)
+{
+    if (virSecurityManagerSetChildProcessLabel(driver->securityManager,
+                                               vm->def, cmd) < 0)
+        return -1;
+
+    if (uid != (uid_t) -1)
+        virCommandSetUID(cmd, uid);
+    if (gid != (gid_t) -1)
+        virCommandSetGID(cmd, gid);
+
+    if (virSecurityManagerPreFork(driver->securityManager) < 0)
+        return -1;
+
+    *cmdret = virCommandRun(cmd, exitstatus);
+
+    virSecurityManagerPostFork(driver->securityManager);
+
+    return 0;
+}
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@ -101,6 +101,14 @@ int qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver,
                                       virDomainObjPtr vm,
                                       const char *savefile);

+int qemuSecurityCommandRun(virQEMUDriverPtr driver,
+                           virDomainObjPtr vm,
+                           virCommandPtr cmd,
+                           uid_t uid,
+                           gid_t gid,
+                           int *exitstatus,
+                           int *cmdret);
+
 /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
 * new APIs here. If an API can touch a file add a proper wrapper instead.
 */