[libvirt] Resubmission #2: [PATCH 1/3] sVirt AppArmor security driver
Daniel P. Berrange
berrange at redhat.com
Wed Sep 30 09:29:46 UTC 2009
On Fri, Sep 25, 2009 at 05:47:35PM -0500, Jamie Strandboge wrote:
> On Fri, 25 Sep 2009, Jamie Strandboge wrote:
>
> > [PATCH 1]
> > patch_1_reenable-nonfile-labels.patch (Updated based on prior feedback):
> > When James Morris originally submitted his sVirt patches (as seen in
> > libvirt 0.6.1), he did not require on disk labelling for
> > virSecurityDomainRestoreImageLabel. A later commit[2] changed this
> > behavior to assume on disk labelling, which halts implementations for
> > path-based MAC systems such as AppArmor and TOMOYO where
> > vm->def->seclabel is required to obtain the label. This patch simply
> > adds the 'virDomainObjPtr vm' argument back to *RestoreImageLabel.
>
> --
> Jamie Strandboge | http://www.canonical.com
> diff -Naurp libvirt.orig/src/qemu/qemu_driver.c libvirt/src/qemu/qemu_driver.c
> --- libvirt.orig/src/qemu/qemu_driver.c 2009-09-25 10:50:21.000000000 -0500
> +++ libvirt/src/qemu/qemu_driver.c 2009-09-25 16:56:32.000000000 -0500
> @@ -6309,7 +6309,7 @@ static int qemudDomainDetachDevice(virDo
> dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) {
> ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev);
> if (driver->securityDriver)
> - driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, dev->data.disk);
> + driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev->data.disk);
> if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 1) < 0)
> VIR_WARN0("Fail to restore disk device ownership");
> } else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
> diff -Naurp libvirt.orig/src/security/security_driver.h libvirt/src/security/security_driver.h
> --- libvirt.orig/src/security/security_driver.h 2009-09-22 12:51:57.000000000 -0500
> +++ libvirt/src/security/security_driver.h 2009-09-25 16:56:32.000000000 -0500
> @@ -32,6 +32,7 @@ typedef virSecurityDriverStatus (*virSec
> typedef int (*virSecurityDriverOpen) (virConnectPtr conn,
> virSecurityDriverPtr drv);
> typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn,
> + virDomainObjPtr vm,
> virDomainDiskDefPtr disk);
> typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
> virDomainObjPtr vm,
> diff -Naurp libvirt.orig/src/security/security_selinux.c libvirt/src/security/security_selinux.c
> --- libvirt.orig/src/security/security_selinux.c 2009-09-22 12:51:57.000000000 -0500
> +++ libvirt/src/security/security_selinux.c 2009-09-25 16:56:32.000000000 -0500
> @@ -377,6 +377,7 @@ err:
>
> static int
> SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
> + virDomainObjPtr vm ATTRIBUTE_UNUSED,
> virDomainDiskDefPtr disk)
> {
> /* Don't restore labels on readoly/shared disks, because
> @@ -581,7 +582,8 @@ SELinuxRestoreSecurityLabel(virConnectPt
> rc = -1;
> }
> for (i = 0 ; i < vm->def->ndisks ; i++) {
> - if (SELinuxRestoreSecurityImageLabel(conn, vm->def->disks[i]) < 0)
> + if (SELinuxRestoreSecurityImageLabel(conn, vm,
> + vm->def->disks[i]) < 0)
> rc = -1;
> }
> VIR_FREE(secdef->model);
ACK
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
More information about the libvir-list
mailing list