mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-07-11 12:25:52 +00:00
e4e69e899e
Add a new virDomainLxcEnterSecurityLabel() function as a counterpart to virDomainLxcEnterNamespaces(), which can change the current calling process to have a new security context. This call runs client side, not in libvirtd so we can't use the security driver infrastructure. When entering a namespace, the process spawned from virsh will default to running with the security label of virsh. The actual desired behaviour is to run with the security label of the container most of the time. So this changes virsh lxc-enter-namespace command to invoke the virDomainLxcEnterSecurityLabel method. The current behaviour is: LABEL PID TTY TIME CMD system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 29 ? 00:00:00 dhclient staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 47 ? 00:00:00 ps Note the ps command is running as unconfined_t, After this patch, The new behaviour is this: virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ LABEL PID TTY TIME CMD system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 38 ? 00:00:00 ps The '--noseclabel' flag can be used to skip security labelling. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> |
||
|---|---|---|
| .. | ||
| console.c | ||
| console.h | ||
| libvirt_win_icon_16x16.ico | ||
| libvirt_win_icon_32x32.ico | ||
| libvirt_win_icon_48x48.ico | ||
| libvirt_win_icon_64x64.ico | ||
| libvirt-guests.init.in | ||
| libvirt-guests.service.in | ||
| libvirt-guests.sh.in | ||
| libvirt-guests.sysconf | ||
| Makefile.am | ||
| virsh_win_icon.rc | ||
| virsh-domain-monitor.c | ||
| virsh-domain-monitor.h | ||
| virsh-domain.c | ||
| virsh-domain.h | ||
| virsh-edit.c | ||
| virsh-host.c | ||
| virsh-host.h | ||
| virsh-interface.c | ||
| virsh-interface.h | ||
| virsh-network.c | ||
| virsh-network.h | ||
| virsh-nodedev.c | ||
| virsh-nodedev.h | ||
| virsh-nwfilter.c | ||
| virsh-nwfilter.h | ||
| virsh-pool.c | ||
| virsh-pool.h | ||
| virsh-secret.c | ||
| virsh-secret.h | ||
| virsh-snapshot.c | ||
| virsh-snapshot.h | ||
| virsh-volume.c | ||
| virsh-volume.h | ||
| virsh.c | ||
| virsh.h | ||
| virsh.pod | ||
| virt-host-validate-common.c | ||
| virt-host-validate-common.h | ||
| virt-host-validate-lxc.c | ||
| virt-host-validate-lxc.h | ||
| virt-host-validate-qemu.c | ||
| virt-host-validate-qemu.h | ||
| virt-host-validate.c | ||
| virt-pki-validate.in | ||
| virt-sanlock-cleanup.in | ||
| virt-xml-validate.in | ||