[libvirt] [PATCH 6/7] domain: Always validate seclabel model

Daniel P. Berrange berrange at redhat.com
Thu Jan 13 17:31:50 UTC 2011


On Wed, Jan 12, 2011 at 12:23:02PM -0500, Cole Robinson wrote:
> This will help facilitate disabling seclabel for an individual VM. One
> functional change is that the user can now hardcode type='dynamic', but
> there was no good reason to deny it anyways.
> 
> Signed-off-by: Cole Robinson <crobinso at redhat.com>
> ---
>  src/conf/domain_conf.c                             |   34 ++++++++++----------
>  src/security/security_apparmor.c                   |    6 ++--
>  src/security/security_selinux.c                    |    6 ++--
>  .../qemuxml2xml-seclabel-dynamic-out.xml           |    1 +
>  4 files changed, 24 insertions(+), 23 deletions(-)
> 
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index 077a396..e5b89a2 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -4238,28 +4238,28 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
>          goto error;
>      }
>  
> +    p = virXPathStringLimit("string(./seclabel/@model)",
> +                            VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
> +    if (p == NULL) {
> +        virDomainReportError(VIR_ERR_XML_ERROR,
> +                             "%s", _("missing security model"));
> +        goto error;
> +    }
> +
> +    def->seclabel.model = virDomainSeclabelModelTypeFromString(p);
> +    if (def->seclabel.model < 0) {
> +        virDomainReportError(VIR_ERR_XML_ERROR,
> +                             _("unknown security model '%s'"), p);
> +        VIR_FREE(p);
> +        goto error;
> +    }
> +    VIR_FREE(p);
> +
>      /* Only parse details, if using static labels, or
>       * if the 'live' VM XML is requested
>       */
>      if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC ||
>          !(flags & VIR_DOMAIN_XML_INACTIVE)) {
> -        p = virXPathStringLimit("string(./seclabel/@model)",
> -                                VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
> -        if (p == NULL) {
> -            virDomainReportError(VIR_ERR_XML_ERROR,
> -                                 "%s", _("missing security model"));
> -            goto error;
> -        }
> -
> -        def->seclabel.model = virDomainSeclabelModelTypeFromString(p);
> -        if (def->seclabel.model < 0) {
> -            virDomainReportError(VIR_ERR_XML_ERROR,
> -                                 _("unknown security model '%s'"), p);
> -            VIR_FREE(p);
> -            goto error;
> -        }
> -        VIR_FREE(p);
> -
>          p = virXPathStringLimit("string(./seclabel/label[1])",
>                                  VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
>          if (p == NULL) {
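
Review bot: The `p == NULL` branch in the block hoisted above the `type == VIR_DOMAIN_SECLABEL_STATIC || !(flags & VIR_DOMAIN_XML_INACTIVE)` test now fails with "missing security model" for every seclabel that carries no model attribute, including inactive definitions of dynamic type, which the old placement never checked. The commit message mentions only that type='dynamic' can now be hardcoded, so it should state that model becomes mandatory. Alternatively, keep the "missing security model" error inside the static/live branch and run only the "unknown security model" check unconditionally, when a model is actually present. The diffstat also shows one added line in qemuxml2xml-seclabel-dynamic-out.xml, which deserves a sentence of explanation in the message.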

This changes semantics. If the seclabel type is dynamic, then we
want to ignore any kind of 'model' at all, because the model should
automatically become whatever is the current active driver. This ensures
that if you change security drivers, then all dynamic VMs will
automatically use the new driver and not be stuck with the model
of the old driver.

Since we're not supporting per-VM disabled models, I don't think
we need this patch anyway.

Regards,
Daniel