[libvirt] [PATCH 7/7] security: Allow disabling security on a per VM basis
Cole Robinson
crobinso at redhat.com
Wed Jan 12 17:23:03 UTC 2011
Make the SecurityManager explicitly handle the case when seclabel
model='none'.
Signed-off-by: Cole Robinson <crobinso at redhat.com>
---
src/security/security_manager.c | 90 +++++++++++++-------
.../qemuxml2xml-seclabel-model-none-in.xml | 21 +++++
.../qemuxml2xml-seclabel-model-none-out.xml | 21 +++++
tests/qemuxml2xmltest.c | 1 +
4 files changed, 101 insertions(+), 32 deletions(-)
create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-in.xml
create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-out.xml
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 66cffb5..9f98886 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -122,6 +122,16 @@ void virSecurityManagerFree(virSecurityManagerPtr mgr)
VIR_FREE(mgr);
}
+static virSecurityDriverPtr
+virSecurityManagerGetDriver(virSecurityManagerPtr mgr,
+ virDomainDefPtr def)
+{
+ if (def->seclabel.model == VIR_DOMAIN_SECLABEL_MODEL_NONE)
+ return virSecurityDriverLookup("none");
+
+ return mgr->drv;
+}
+
const char *
virSecurityManagerGetDOI(virSecurityManagerPtr mgr)
{
@@ -151,8 +161,9 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
virDomainDiskDefPtr disk)
{
- if (mgr->drv->domainRestoreSecurityImageLabel)
- return mgr->drv->domainRestoreSecurityImageLabel(mgr, vm, disk);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainRestoreSecurityImageLabel)
+ return drv->domainRestoreSecurityImageLabel(mgr, vm, disk);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -161,8 +172,9 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm)
{
- if (mgr->drv->domainSetSecuritySocketLabel)
- return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainSetSecuritySocketLabel)
+ return drv->domainSetSecuritySocketLabel(mgr, vm);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -171,8 +183,9 @@ int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm)
{
- if (mgr->drv->domainClearSecuritySocketLabel)
- return mgr->drv->domainClearSecuritySocketLabel(mgr, vm);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainClearSecuritySocketLabel)
+ return drv->domainClearSecuritySocketLabel(mgr, vm);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -182,8 +195,9 @@ int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
virDomainDiskDefPtr disk)
{
- if (mgr->drv->domainSetSecurityImageLabel)
- return mgr->drv->domainSetSecurityImageLabel(mgr, vm, disk);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainSetSecurityImageLabel)
+ return drv->domainSetSecurityImageLabel(mgr, vm, disk);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -193,8 +207,9 @@ int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
virDomainHostdevDefPtr dev)
{
- if (mgr->drv->domainRestoreSecurityHostdevLabel)
- return mgr->drv->domainRestoreSecurityHostdevLabel(mgr, vm, dev);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainRestoreSecurityHostdevLabel)
+ return drv->domainRestoreSecurityHostdevLabel(mgr, vm, dev);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -204,8 +219,9 @@ int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
virDomainHostdevDefPtr dev)
{
- if (mgr->drv->domainSetSecurityHostdevLabel)
- return mgr->drv->domainSetSecurityHostdevLabel(mgr, vm, dev);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainSetSecurityHostdevLabel)
+ return drv->domainSetSecurityHostdevLabel(mgr, vm, dev);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -215,8 +231,9 @@ int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
const char *savefile)
{
- if (mgr->drv->domainSetSavedStateLabel)
- return mgr->drv->domainSetSavedStateLabel(mgr, vm, savefile);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainSetSavedStateLabel)
+ return drv->domainSetSavedStateLabel(mgr, vm, savefile);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -226,8 +243,9 @@ int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
const char *savefile)
{
- if (mgr->drv->domainRestoreSavedStateLabel)
- return mgr->drv->domainRestoreSavedStateLabel(mgr, vm, savefile);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainRestoreSavedStateLabel)
+ return drv->domainRestoreSavedStateLabel(mgr, vm, savefile);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -236,8 +254,9 @@ int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm)
{
- if (mgr->drv->domainGenSecurityLabel)
- return mgr->drv->domainGenSecurityLabel(mgr, vm);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainGenSecurityLabel)
+ return drv->domainGenSecurityLabel(mgr, vm);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -246,8 +265,9 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm)
{
- if (mgr->drv->domainReserveSecurityLabel)
- return mgr->drv->domainReserveSecurityLabel(mgr, vm);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainReserveSecurityLabel)
+ return drv->domainReserveSecurityLabel(mgr, vm);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -256,8 +276,9 @@ int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm)
{
- if (mgr->drv->domainReleaseSecurityLabel)
- return mgr->drv->domainReleaseSecurityLabel(mgr, vm);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainReleaseSecurityLabel)
+ return drv->domainReleaseSecurityLabel(mgr, vm);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -267,8 +288,9 @@ int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
const char *stdin_path)
{
- if (mgr->drv->domainSetSecurityAllLabel)
- return mgr->drv->domainSetSecurityAllLabel(mgr, vm, stdin_path);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainSetSecurityAllLabel)
+ return drv->domainSetSecurityAllLabel(mgr, vm, stdin_path);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -278,8 +300,9 @@ int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
int migrated)
{
- if (mgr->drv->domainRestoreSecurityAllLabel)
- return mgr->drv->domainRestoreSecurityAllLabel(mgr, vm, migrated);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainRestoreSecurityAllLabel)
+ return drv->domainRestoreSecurityAllLabel(mgr, vm, migrated);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -289,8 +312,9 @@ int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
virSecurityLabelPtr sec)
{
- if (mgr->drv->domainGetSecurityProcessLabel)
- return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, sec);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainGetSecurityProcessLabel)
+ return drv->domainGetSecurityProcessLabel(mgr, vm, sec);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -299,8 +323,9 @@ int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm)
{
- if (mgr->drv->domainSetSecurityProcessLabel)
- return mgr->drv->domainSetSecurityProcessLabel(mgr, vm);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def);
+ if (drv->domainSetSecurityProcessLabel)
+ return drv->domainSetSecurityProcessLabel(mgr, vm);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
@@ -309,8 +334,9 @@ int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr,
int virSecurityManagerVerify(virSecurityManagerPtr mgr,
virDomainDefPtr def)
{
- if (mgr->drv->domainSecurityVerify)
- return mgr->drv->domainSecurityVerify(mgr, def);
+ virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, def);
+ if (drv->domainSecurityVerify)
+ return drv->domainSecurityVerify(mgr, def);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
diff --git a/tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-in.xml b/tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-in.xml
new file mode 100644
index 0000000..2b3d40b
--- /dev/null
+++ b/tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-in.xml
@@ -0,0 +1,21 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory>219200</memory>
+ <currentMemory>219200</currentMemory>
+ <vcpu>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <controller type='ide' index='0'/>
+ <memballoon model='virtio'/>
+ </devices>
+ <seclabel type='dynamic' model='none'/>
+</domain>
diff --git a/tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-out.xml b/tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-out.xml
new file mode 100644
index 0000000..2b3d40b
--- /dev/null
+++ b/tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-out.xml
@@ -0,0 +1,21 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory>219200</memory>
+ <currentMemory>219200</currentMemory>
+ <vcpu>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <controller type='ide' index='0'/>
+ <memballoon model='virtio'/>
+ </devices>
+ <seclabel type='dynamic' model='none'/>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 2af7494..8c08ee6 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -200,6 +200,7 @@ mymain(int argc, char **argv)
input_folder_fmt = (char *) XML2XMLIN_FMT;
DO_TEST_DIFFERENT("seclabel-dynamic");
DO_TEST_DIFFERENT("seclabel-static");
+ DO_TEST_DIFFERENT("seclabel-model-none");
virCapabilitiesFree(driver.caps);
--
1.7.3.2
More information about the libvir-list
mailing list