mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-09-24 08:25:45 +00:00
e72cc3c11d
When SELinux is running in MLS mode, libvirtd will have a different security level to the VMs. For libvirtd to be able to connect to the monitor console, the client end of the UNIX domain socket needs a different label. This adds infrastructure to set the socket label via the security driver framework * src/qemu/qemu_driver.c: Call out to socket label APIs in security driver * src/qemu/qemu_security_stacked.c: Wire up socket label drivers * src/security/security_driver.h: Define security driver entry points for socket labelling * src/security/security_selinux.c: Set socket label based on VM label
111 lines
5.0 KiB
C
111 lines
5.0 KiB
C
/*
|
|
* Copyright (C) 2008, 2010 Red Hat, Inc.
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* Authors:
|
|
* James Morris <jmorris@namei.org>
|
|
*
|
|
*/
|
|
#ifndef __VIR_SECURITY_H__
|
|
# define __VIR_SECURITY_H__
|
|
|
|
# include "internal.h"
|
|
# include "domain_conf.h"
|
|
|
|
/*
|
|
* Return values for security driver probing: the driver will determine
|
|
* whether it should be enabled or disabled.
|
|
*/
|
|
typedef enum {
|
|
SECURITY_DRIVER_ENABLE = 0,
|
|
SECURITY_DRIVER_ERROR = -1,
|
|
SECURITY_DRIVER_DISABLE = -2,
|
|
} virSecurityDriverStatus;
|
|
|
|
typedef struct _virSecurityDriver virSecurityDriver;
|
|
typedef virSecurityDriver *virSecurityDriverPtr;
|
|
typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void);
|
|
typedef int (*virSecurityDriverOpen) (virSecurityDriverPtr drv);
|
|
typedef int (*virSecurityDomainRestoreImageLabel) (virDomainObjPtr vm,
|
|
virDomainDiskDefPtr disk);
|
|
typedef int (*virSecurityDomainSetSocketLabel) (virSecurityDriverPtr drv,
|
|
virDomainObjPtr vm);
|
|
typedef int (*virSecurityDomainClearSocketLabel)(virSecurityDriverPtr drv,
|
|
virDomainObjPtr vm);
|
|
typedef int (*virSecurityDomainSetImageLabel) (virDomainObjPtr vm,
|
|
virDomainDiskDefPtr disk);
|
|
typedef int (*virSecurityDomainRestoreHostdevLabel) (virDomainObjPtr vm,
|
|
virDomainHostdevDefPtr dev);
|
|
typedef int (*virSecurityDomainSetHostdevLabel) (virDomainObjPtr vm,
|
|
virDomainHostdevDefPtr dev);
|
|
typedef int (*virSecurityDomainSetSavedStateLabel) (virDomainObjPtr vm,
|
|
const char *savefile);
|
|
typedef int (*virSecurityDomainRestoreSavedStateLabel) (virDomainObjPtr vm,
|
|
const char *savefile);
|
|
typedef int (*virSecurityDomainGenLabel) (virDomainObjPtr sec);
|
|
typedef int (*virSecurityDomainReserveLabel) (virDomainObjPtr sec);
|
|
typedef int (*virSecurityDomainReleaseLabel) (virDomainObjPtr sec);
|
|
typedef int (*virSecurityDomainSetAllLabel) (virDomainObjPtr sec,
|
|
const char *stdin_path);
|
|
typedef int (*virSecurityDomainRestoreAllLabel) (virDomainObjPtr vm,
|
|
int migrated);
|
|
typedef int (*virSecurityDomainGetProcessLabel) (virDomainObjPtr vm,
|
|
virSecurityLabelPtr sec);
|
|
typedef int (*virSecurityDomainSetProcessLabel) (virSecurityDriverPtr drv,
|
|
virDomainObjPtr vm);
|
|
typedef int (*virSecurityDomainSecurityVerify) (virDomainDefPtr def);
|
|
|
|
struct _virSecurityDriver {
|
|
const char *name;
|
|
virSecurityDriverProbe probe;
|
|
virSecurityDriverOpen open;
|
|
virSecurityDomainSecurityVerify domainSecurityVerify;
|
|
virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
|
|
virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
|
|
virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
|
|
virSecurityDomainSetImageLabel domainSetSecurityImageLabel;
|
|
virSecurityDomainGenLabel domainGenSecurityLabel;
|
|
virSecurityDomainReserveLabel domainReserveSecurityLabel;
|
|
virSecurityDomainReleaseLabel domainReleaseSecurityLabel;
|
|
virSecurityDomainGetProcessLabel domainGetSecurityProcessLabel;
|
|
virSecurityDomainSetProcessLabel domainSetSecurityProcessLabel;
|
|
virSecurityDomainSetAllLabel domainSetSecurityAllLabel;
|
|
virSecurityDomainRestoreAllLabel domainRestoreSecurityAllLabel;
|
|
virSecurityDomainRestoreHostdevLabel domainRestoreSecurityHostdevLabel;
|
|
virSecurityDomainSetHostdevLabel domainSetSecurityHostdevLabel;
|
|
virSecurityDomainSetSavedStateLabel domainSetSavedStateLabel;
|
|
virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;
|
|
|
|
/*
|
|
* This is internally managed driver state and should only be accessed
|
|
* via helpers below.
|
|
*/
|
|
struct {
|
|
char doi[VIR_SECURITY_DOI_BUFLEN];
|
|
} _private;
|
|
};
|
|
|
|
/* Global methods */
|
|
int virSecurityDriverStartup(virSecurityDriverPtr *drv,
|
|
const char *name);
|
|
|
|
int
|
|
virSecurityDriverVerify(virDomainDefPtr def);
|
|
|
|
# define virSecurityReportError(code, ...) \
|
|
virReportErrorHelper(NULL, VIR_FROM_SECURITY, code, __FILE__, \
|
|
__FUNCTION__, __LINE__, __VA_ARGS__)
|
|
|
|
/* Helpers */
|
|
void virSecurityDriverInit(virSecurityDriverPtr drv);
|
|
int virSecurityDriverSetDOI(virSecurityDriverPtr drv,
|
|
const char *doi);
|
|
const char *virSecurityDriverGetDOI(virSecurityDriverPtr drv);
|
|
const char *virSecurityDriverGetModel(virSecurityDriverPtr drv);
|
|
|
|
#endif /* __VIR_SECURITY_H__ */
|