mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-27 16:15:23 +00:00
b170eb99f5
Curently security labels can be of type 'dynamic' or 'static'. If no security label is given, then 'dynamic' is assumed. The current code takes advantage of this default, and avoids even saving <seclabel> elements with type='dynamic' to disk. This means if you temporarily change security driver, the guests can all still start. With the introduction of sVirt to LXC though, there needs to be a new default of 'none' to allow unconfined LXC containers. This patch introduces two new security label types - default: the host configuration decides whether to run the guest with type 'none' or 'dynamic' at guest start - none: the guest will run unconfined by security policy The 'none' label type will obviously be undesirable for some deployments, so a new qemu.conf option allows a host admin to mandate confined guests. It is also possible to turn off default confinement security_default_confined = 1|0 (default == 1) security_require_confined = 1|0 (default == 0) * src/conf/domain_conf.c, src/conf/domain_conf.h: Add new seclabel types * src/security/security_manager.c, src/security/security_manager.h: Set default sec label types * src/security/security_selinux.c: Handle 'none' seclabel type * src/qemu/qemu.conf, src/qemu/qemu_conf.c, src/qemu/qemu_conf.h, src/qemu/libvirtd_qemu.aug: New security config options * src/qemu/qemu_driver.c: Tell security driver about default config |
||
---|---|---|
.. | ||
capabilities.c | ||
capabilities.h | ||
cpu_conf.c | ||
cpu_conf.h | ||
domain_audit.c | ||
domain_audit.h | ||
domain_conf.c | ||
domain_conf.h | ||
domain_event.c | ||
domain_event.h | ||
domain_nwfilter.c | ||
domain_nwfilter.h | ||
interface_conf.c | ||
interface_conf.h | ||
netdev_bandwidth_conf.c | ||
netdev_bandwidth_conf.h | ||
netdev_vport_profile_conf.c | ||
netdev_vport_profile_conf.h | ||
network_conf.c | ||
network_conf.h | ||
node_device_conf.c | ||
node_device_conf.h | ||
nwfilter_conf.c | ||
nwfilter_conf.h | ||
nwfilter_params.c | ||
nwfilter_params.h | ||
secret_conf.c | ||
secret_conf.h | ||
storage_conf.c | ||
storage_conf.h | ||
storage_encryption_conf.c | ||
storage_encryption_conf.h |