[libvirt] [PATCH 4/6] Support relabelling of USB and PCI devices

Mark McLoughlin markmc at redhat.com
Thu Sep 3 12:04:30 UTC 2009


Apart from DV's comments, ACK to patches 1-3

On Tue, 2009-09-01 at 16:28 +0100, Daniel P. Berrange wrote:
> * src/security.h: Driver API for relabelling host devices
> * src/security_selinux.c: Implement relabelling of PCI and USB
>   devices
> * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
> ---
>  src/qemu_driver.c      |   12 ++-
>  src/security.h         |    7 ++
>  src/security_selinux.c |  175 +++++++++++++++++++++++++++++++++++++++++++-----
>  3 files changed, 174 insertions(+), 20 deletions(-)
> 
> diff --git a/src/qemu_driver.c b/src/qemu_driver.c
> index e9a09df..d75e28e 100644
> --- a/src/qemu_driver.c
> +++ b/src/qemu_driver.c
> @@ -5498,6 +5498,9 @@ static int qemudDomainAttachHostDevice(virConnectPtr conn,
>  
>      if (qemuDomainSetDeviceOwnership(conn, driver, dev, 0) < 0)
>          return -1;
> +    if (driver->securityDriver &&
> +        driver->securityDriver->domainSetSecurityHostdevLabel(conn, vm, dev->data.hostdev) < 0)
> +        return -1;
>  
>      switch (hostdev->source.subsys.type) {
>      case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI:
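
Review bot: the new check in qemudDomainAttachHostDevice tests `driver->securityDriver` but not that the `domainSetSecurityHostdevLabel` member is set, so a security driver that does not fill in the new callback would be called through a NULL pointer; add `driver->securityDriver->domainSetSecurityHostdevLabel &&` to the condition. The `return -1` on a labelling failure also leaves the ownership change made by `qemuDomainSetDeviceOwnership(conn, driver, dev, 0)` just above in place, so consider undoing it on that path. The local `hostdev` used in the switch below could replace `dev->data.hostdev` and bring the line under 80 columns.
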
> @@ -5566,9 +5569,6 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
>              }
>          }
>  
> -        if (driver->securityDriver)
> -            driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev->data.disk);
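
Review bot: the removal of the `domainSetSecurityImageLabel` call in qemudDomainAttachDevice is not covered by the commit message, which lists only "Relabel USB/PCI devices before hotplug" for src/qemu_driver.c, and the hunk header (9 lines down to 6) shows nothing is added in its place here. Please say in the commit message where the image of a hot-plugged disk is now labelled, or split the removal into its own patch. The removed call ignored its return value, so wherever it now lives it should be checked the way the new hostdev call is.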

What's this about?

...
> diff --git a/src/security_selinux.c b/src/security_selinux.c
> index 3b2e88f..5b7b038 100644
> --- a/src/security_selinux.c
> +++ b/src/security_selinux.c
...
> @@ -414,6 +427,126 @@ SELinuxSetSecurityImageLabel(virConnectPtr conn,
>      return 0;
>  }
>  
> +
> +static int
> +SELinuxSetSecurityPCILabel(virConnectPtr conn,
> +                           pciDevice *dev ATTRIBUTE_UNUSED,
> +                           const char *file, void *opaque)
> +{
> +    virDomainObjPtr vm = opaque;
> +    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
> +
> +    return SELinuxSetFilecon(conn, file, secdef->imagelabel);
> +}
> +
> +static int
> +SELinuxSetSecurityHostdevLabel(virConnectPtr conn,
> +                               virDomainObjPtr vm,
> +                               virDomainHostdevDefPtr dev)
> +
> +{
> +    int ret = -1;
> +
> +    if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
> +        return 0;
> +
> +    switch (dev->source.subsys.type) {
> +    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB:
> +        break;
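
Review bot: in SELinuxSetSecurityHostdevLabel the `VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB` case only does `break;` while `ret` is still at its initial `-1`, so unless code after the switch sets it, every USB hostdev is reported as a labelling failure without any relabel being attempted or error raised, and with the new check in qemudDomainAttachHostDevice that makes USB attach fail. Either relabel the USB device node here or set `ret = 0` with a comment saying why nothing is needed. In SELinuxSetSecurityPCILabel, `secdef->imagelabel` is passed to SELinuxSetFilecon without a NULL check, and there is a stray blank line between the parameter list and the opening brace of SELinuxSetSecurityHostdevLabel.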

Either you're missing some code here, or I'm missing some
understanding :-)

The rest looks fine, ACK

Cheers,
Mark.



