[libvirt] [PATCH 05/12] Introduce a stacked security driver impl for QEMU
Daniel P. Berrange
berrange at redhat.com
Wed Jan 20 15:15:02 UTC 2010
* qemu/qemu_conf.h: Add securityPrimaryDriver and
securitySecondaryDriver fields to 'struct qemud_driver'
* Makefile.am: Add new files
* qemu/qemu_security_stacked.c, qemu/qemu_security_stacked.h: A
simple stacked security driver
---
src/Makefile.am | 4 +-
src/qemu/qemu_conf.h | 2 +
src/qemu/qemu_security_stacked.c | 353 ++++++++++++++++++++++++++++++++++++++
src/qemu/qemu_security_stacked.h | 22 +++
4 files changed, 380 insertions(+), 1 deletions(-)
create mode 100644 src/qemu/qemu_security_stacked.c
create mode 100644 src/qemu/qemu_security_stacked.h
diff --git a/src/Makefile.am b/src/Makefile.am
index 713cbda..0fb6dba 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -198,7 +198,9 @@ QEMU_DRIVER_SOURCES = \
qemu/qemu_monitor_json.h \
qemu/qemu_driver.c qemu/qemu_driver.h \
qemu/qemu_bridge_filter.c \
- qemu/qemu_bridge_filter.h
+ qemu/qemu_bridge_filter.h \
+ qemu/qemu_security_stacked.h \
+ qemu/qemu_security_stacked.c
UML_DRIVER_SOURCES = \
uml/uml_conf.c uml/uml_conf.h \
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index ed2d32b..678bc6f 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -134,6 +134,8 @@ struct qemud_driver {
char *securityDriverName;
virSecurityDriverPtr securityDriver;
+ virSecurityDriverPtr securityPrimaryDriver;
+ virSecurityDriverPtr securitySecondaryDriver;
char *saveImageFormat;
diff --git a/src/qemu/qemu_security_stacked.c b/src/qemu/qemu_security_stacked.c
new file mode 100644
index 0000000..60acb4c
--- /dev/null
+++ b/src/qemu/qemu_security_stacked.c
@@ -0,0 +1,353 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * QEMU stacked security driver
+ */
+
+#include <config.h>
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "qemu_security_stacked.h"
+
+#include "qemu_conf.h"
+#include "datatypes.h"
+#include "virterror_internal.h"
+#include "util.h"
+#include "memory.h"
+#include "logging.h"
+#include "pci.h"
+#include "hostusb.h"
+#include "storage_file.h"
+
+#define VIR_FROM_THIS VIR_FROM_QEMU
+
+
+static struct qemud_driver *driver;
+
+void qemuSecurityStackedSetDriver(struct qemud_driver *newdriver)
+{
+ driver = newdriver;
+}
+
+
+static int
+qemuSecurityStackedVerify(virConnectPtr conn,
+ virDomainDefPtr def)
+{
+ int rc = 0;
+
+ if (driver->securitySecondaryDriver &&
+ driver->securitySecondaryDriver->domainSecurityVerify &&
+ driver->securitySecondaryDriver->domainSecurityVerify(conn, def) < 0)
+ rc = -1;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainSecurityVerify &&
+ driver->securityPrimaryDriver->domainSecurityVerify(conn, def) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
+static int
+qemuSecurityStackedGenLabel(virConnectPtr conn,
+ virDomainObjPtr vm)
+{
+ int rc = 0;
+
+ if (driver->securitySecondaryDriver &&
+ driver->securitySecondaryDriver->domainGenSecurityLabel &&
+ driver->securitySecondaryDriver->domainGenSecurityLabel(conn, vm) < 0)
+ rc = -1;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainGenSecurityLabel &&
+ driver->securityPrimaryDriver->domainGenSecurityLabel(conn, vm) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
+static int
+qemuSecurityStackedReleaseLabel(virConnectPtr conn,
+ virDomainObjPtr vm)
+{
+ int rc = 0;
+
+ if (driver->securitySecondaryDriver &&
+ driver->securitySecondaryDriver->domainReleaseSecurityLabel &&
+ driver->securitySecondaryDriver->domainReleaseSecurityLabel(conn, vm) < 0)
+ rc = -1;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainReleaseSecurityLabel &&
+ driver->securityPrimaryDriver->domainReleaseSecurityLabel(conn, vm) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
+static int
+qemuSecurityStackedReserveLabel(virConnectPtr conn,
+ virDomainObjPtr vm)
+{
+ int rc = 0;
+
+ if (driver->securitySecondaryDriver &&
+ driver->securitySecondaryDriver->domainReserveSecurityLabel &&
+ driver->securitySecondaryDriver->domainReserveSecurityLabel(conn, vm) < 0)
+ rc = -1;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainReserveSecurityLabel &&
+ driver->securityPrimaryDriver->domainReserveSecurityLabel(conn, vm) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
+static int
+qemuSecurityStackedSetSecurityImageLabel(virConnectPtr conn,
+ virDomainObjPtr vm,
+ virDomainDiskDefPtr disk)
+{
+ int rc = 0;
+
+ if (driver->securitySecondaryDriver &&
+ driver->securitySecondaryDriver->domainSetSecurityImageLabel &&
+ driver->securitySecondaryDriver->domainSetSecurityImageLabel(conn, vm, disk) < 0)
+ rc = -1;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainSetSecurityImageLabel &&
+ driver->securityPrimaryDriver->domainSetSecurityImageLabel(conn, vm, disk) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
+static int
+qemuSecurityStackedRestoreSecurityImageLabel(virConnectPtr conn,
+ virDomainObjPtr vm,
+ virDomainDiskDefPtr disk)
+{
+ int rc = 0;
+
+ if (driver->securitySecondaryDriver &&
+ driver->securitySecondaryDriver->domainRestoreSecurityImageLabel &&
+ driver->securitySecondaryDriver->domainRestoreSecurityImageLabel(conn, vm, disk) < 0)
+ rc = -1;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainRestoreSecurityImageLabel &&
+ driver->securityPrimaryDriver->domainRestoreSecurityImageLabel(conn, vm, disk) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
+static int
+qemuSecurityStackedSetSecurityHostdevLabel(virConnectPtr conn,
+ virDomainObjPtr vm,
+ virDomainHostdevDefPtr dev)
+
+{
+ int rc = 0;
+
+ if (driver->securitySecondaryDriver &&
+ driver->securitySecondaryDriver->domainSetSecurityHostdevLabel &&
+ driver->securitySecondaryDriver->domainSetSecurityHostdevLabel(conn, vm, dev) < 0)
+ rc = -1;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainSetSecurityHostdevLabel &&
+ driver->securityPrimaryDriver->domainSetSecurityHostdevLabel(conn, vm, dev) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
+static int
+qemuSecurityStackedRestoreSecurityHostdevLabel(virConnectPtr conn,
+ virDomainObjPtr vm,
+ virDomainHostdevDefPtr dev)
+
+{
+ int rc = 0;
+
+ if (driver->securitySecondaryDriver &&
+ driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel &&
+ driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel(conn, vm, dev) < 0)
+ rc = -1;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel &&
+ driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel(conn, vm, dev) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
+static int
+qemuSecurityStackedSetSecurityAllLabel(virConnectPtr conn,
+ virDomainObjPtr vm)
+{
+ int rc = 0;
+
+ if (driver->securitySecondaryDriver &&
+ driver->securitySecondaryDriver->domainSetSecurityAllLabel &&
+ driver->securitySecondaryDriver->domainSetSecurityAllLabel(conn, vm) < 0)
+ rc = -1;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainSetSecurityAllLabel &&
+ driver->securityPrimaryDriver->domainSetSecurityAllLabel(conn, vm) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
+static int
+qemuSecurityStackedRestoreSecurityAllLabel(virConnectPtr conn,
+ virDomainObjPtr vm)
+{
+ int rc = 0;
+
+ if (driver->securitySecondaryDriver &&
+ driver->securitySecondaryDriver->domainRestoreSecurityAllLabel &&
+ driver->securitySecondaryDriver->domainRestoreSecurityAllLabel(conn, vm) < 0)
+ rc = -1;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainRestoreSecurityAllLabel &&
+ driver->securityPrimaryDriver->domainRestoreSecurityAllLabel(conn, vm) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
+static int
+qemuSecurityStackedSetSavedStateLabel(virConnectPtr conn,
+ virDomainObjPtr vm,
+ const char *savefile)
+{
+ int rc = 0;
+
+ if (driver->securitySecondaryDriver &&
+ driver->securitySecondaryDriver->domainSetSavedStateLabel &&
+ driver->securitySecondaryDriver->domainSetSavedStateLabel(conn, vm, savefile) < 0)
+ rc = -1;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainSetSavedStateLabel &&
+ driver->securityPrimaryDriver->domainSetSavedStateLabel(conn, vm, savefile) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
+static int
+qemuSecurityStackedRestoreSavedStateLabel(virConnectPtr conn,
+ virDomainObjPtr vm,
+ const char *savefile)
+{
+ int rc = 0;
+
+ if (driver->securitySecondaryDriver &&
+ driver->securitySecondaryDriver->domainRestoreSavedStateLabel &&
+ driver->securitySecondaryDriver->domainRestoreSavedStateLabel(conn, vm, savefile) < 0)
+ rc = -1;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainRestoreSavedStateLabel &&
+ driver->securityPrimaryDriver->domainRestoreSavedStateLabel(conn, vm, savefile) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
+static int
+qemuSecurityStackedSetProcessLabel(virConnectPtr conn,
+ virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm)
+{
+ int rc = 0;
+
+ if (driver->securitySecondaryDriver &&
+ driver->securitySecondaryDriver->domainSetSecurityProcessLabel &&
+ driver->securitySecondaryDriver->domainSetSecurityProcessLabel(conn,
+ driver->securitySecondaryDriver,
+ vm) < 0)
+ rc = -1;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainSetSecurityProcessLabel &&
+ driver->securityPrimaryDriver->domainSetSecurityProcessLabel(conn,
+ driver->securityPrimaryDriver,
+ vm) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+static int
+qemuSecurityStackedGetProcessLabel(virConnectPtr conn,
+ virDomainObjPtr vm,
+ virSecurityLabelPtr seclabel)
+{
+ int rc = 0;
+
+ if (driver->securityPrimaryDriver &&
+ driver->securityPrimaryDriver->domainGetSecurityProcessLabel &&
+ driver->securityPrimaryDriver->domainGetSecurityProcessLabel(conn,
+ vm,
+ seclabel) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+virSecurityDriver qemuStackedSecurityDriver = {
+ .name = "qemuStacked",
+ .domainSecurityVerify = qemuSecurityStackedVerify,
+
+ .domainGenSecurityLabel = qemuSecurityStackedGenLabel,
+ .domainReleaseSecurityLabel = qemuSecurityStackedReleaseLabel,
+ .domainReserveSecurityLabel = qemuSecurityStackedReserveLabel,
+
+ .domainGetSecurityProcessLabel = qemuSecurityStackedGetProcessLabel,
+ .domainSetSecurityProcessLabel = qemuSecurityStackedSetProcessLabel,
+
+ .domainSetSecurityImageLabel = qemuSecurityStackedSetSecurityImageLabel,
+ .domainRestoreSecurityImageLabel = qemuSecurityStackedRestoreSecurityImageLabel,
+
+ .domainSetSecurityAllLabel = qemuSecurityStackedSetSecurityAllLabel,
+ .domainRestoreSecurityAllLabel = qemuSecurityStackedRestoreSecurityAllLabel,
+
+ .domainSetSecurityHostdevLabel = qemuSecurityStackedSetSecurityHostdevLabel,
+ .domainRestoreSecurityHostdevLabel = qemuSecurityStackedRestoreSecurityHostdevLabel,
+
+ .domainSetSavedStateLabel = qemuSecurityStackedSetSavedStateLabel,
+ .domainRestoreSavedStateLabel = qemuSecurityStackedRestoreSavedStateLabel,
+};
diff --git a/src/qemu/qemu_security_stacked.h b/src/qemu/qemu_security_stacked.h
new file mode 100644
index 0000000..d67a5f1
--- /dev/null
+++ b/src/qemu/qemu_security_stacked.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * QEMU stacked security driver
+ */
+
+#include "security/security_driver.h"
+#include "qemu_conf.h"
+
+#ifndef __QEMU_SECURITY_STACKED
+#define __QEMU_SECURITY_STACKED
+
+extern virSecurityDriver qemuStackedSecurityDriver;
+
+void qemuSecurityStackedSetDriver(struct qemud_driver *driver);
+
+#endif /* __QEMU_SECURITY_DAC */
--
1.6.5.2
More information about the libvir-list
mailing list