[libvirt] [PATCH] Ensure QEMU DAC security driver is activated at all times
Daniel Veillard
veillard at redhat.com
Tue Feb 2 16:37:56 UTC 2010
On Tue, Feb 02, 2010 at 04:20:39PM +0000, Daniel P. Berrange wrote:
> If the primary security driver (SELinux/AppArmor) was disabled
> then the secondary QEMU DAC security driver was also disabled.
> This is mistaken, because the latter must be active at all times.
>
> * src/qemu/qemu_driver.c: Ensure DAC driver is always active
> ---
> src/qemu/qemu_driver.c | 22 ++++++++++++----------
> 1 files changed, 12 insertions(+), 10 deletions(-)
>
> diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
> index 16e9b56..a9313e7 100644
> --- a/src/qemu/qemu_driver.c
> +++ b/src/qemu/qemu_driver.c
> @@ -897,26 +897,28 @@ qemudSecurityInit(struct qemud_driver *qemud_drv)
> int ret;
> virSecurityDriverPtr security_drv;
>
> + qemuSecurityStackedSetDriver(qemud_drv);
> + qemuSecurityDACSetDriver(qemud_drv);
> +
> ret = virSecurityDriverStartup(&security_drv,
> qemud_drv->securityDriverName);
> if (ret == -1) {
> VIR_ERROR0(_("Failed to start security driver"));
> return -1;
> }
> - /* No security driver wanted to be enabled: just return */
> +
> + /* No primary security driver wanted to be enabled: just setup
> + * the DAC driver on its own */
> if (ret == -2) {
> + qemud_drv->securityDriver = &qemuDACSecurityDriver;
> VIR_INFO0(_("No security driver available"));
> - return 0;
> + } else {
> + qemud_drv->securityPrimaryDriver = security_drv;
> + qemud_drv->securitySecondaryDriver = &qemuDACSecurityDriver;
> + qemud_drv->securityDriver = &qemuStackedSecurityDriver;
> + VIR_INFO("Initialized security driver %s", security_drv->name);
> }
>
> - qemuSecurityStackedSetDriver(qemud_drv);
> - qemuSecurityDACSetDriver(qemud_drv);
> -
> - qemud_drv->securityPrimaryDriver = security_drv;
> - qemud_drv->securitySecondaryDriver = &qemuDACSecurityDriver;
> - qemud_drv->securityDriver = &qemuStackedSecurityDriver;
> -
> - VIR_INFO("Initialized security driver %s", security_drv->name);
> return 0;
> }
>
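Review bot: In the `ret == -2` branch the retained `VIR_INFO0(_("No security driver available"))` is now misleading, because the line just above it installs `&qemuDACSecurityDriver` as `securityDriver`; someone reading the log would conclude that no security driver is active. Suggest rewording the message to say that no primary driver is available and the DAC driver is being used on its own, matching the new comment. In the same branch `securityPrimaryDriver` and `securitySecondaryDriver` are never assigned although `qemuSecurityStackedSetDriver(qemud_drv)` has already run, so it is worth confirming that nothing reads those two fields unless `securityDriver` points at the stacked driver.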
Okay, understood, ACK,
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel at veillard.com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/