[libvirt] [PATCHv3 4/5] smartcard: enable SELinux support

Eric Blake eblake at redhat.com
Wed Jan 26 00:36:57 UTC 2011


* src/security/security_selinux.c
(SELinuxRestoreSecuritySmartcardCallback)
(SELinuxSetSecuritySmartcardCallback): New helper functions.
(SELinuxRestoreSecurityAllLabel, SELinuxSetSecurityAllLabel): Use
them.

Notes:
    v3: new patch
---
 src/security/security_selinux.c |   94 +++++++++++++++++++++++++++++++++++++++
 1 files changed, 94 insertions(+), 0 deletions(-)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 7b71fd9..678b7ff 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -770,6 +770,46 @@ SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,


 static int
+SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+                                        virDomainSmartcardDefPtr dev,
+                                        void *opaque)
+{
+    virDomainObjPtr vm = opaque;
+    int i;
+    int ret = 0;
+
+    switch (dev->type) {
+    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+        if (dev->data.host.dev)
+            return SELinuxRestoreSecurityFileLabel(dev->data.host.dev);
+        break;
+
+    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+        for (i = 0; i < VIR_DOMAIN_SMARTCARD_NUM_CERTIFICATES; i++) {
+            if (SELinuxRestoreSecurityFileLabel(dev->data.cert.file[i]) < 0)
+                ret = -1;
+        }
+        if (dev->data.cert.database) {
+            if (SELinuxRestoreSecurityFileLabel(dev->data.cert.database) < 0)
+                ret = -1;
+        }
+        break;
+
+    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+        return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru);
+
+    default:
+        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("unknown smartcard type %d"),
+                               dev->type);
+        return -1;
+    }
+
+    return ret;
+}
+
+
+static int
 SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                virDomainObjPtr vm,
                                int migrated ATTRIBUTE_UNUSED)
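Review bot: In the HOST_CERTIFICATES branch, `dev->data.cert.file[i]` is passed to SELinuxRestoreSecurityFileLabel unconditionally for every index while `dev->data.cert.database` gets a NULL check first; unless the parser guarantees all VIR_DOMAIN_SMARTCARD_NUM_CERTIFICATES entries are set, the loop should guard the same way, `if (dev->data.cert.file[i] && SELinuxRestoreSecurityFileLabel(dev->data.cert.file[i]) < 0)`, and the same asymmetry exists in the SELinuxSetSecuritySmartcardCallback hunk. Separately, the database is an NSS store directory that may well be shared by several running guests (or by host services), so restoring its label when one domain shuts down could strip the context another guest still depends on — if the disk restore path in this file skips shared images, the database probably deserves a similar rule; worth confirming. The context lines at the end belong to SELinuxRestoreSecurityAllLabel, whose body continues outside the hunk.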
@@ -803,6 +843,12 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                vm) < 0)
         rc = -1;

+    if (virDomainSmartcardDefForeach(vm->def,
+                                     false,
+                                     SELinuxRestoreSecuritySmartcardCallback,
+                                     vm) < 0)
+        rc = -1;
+
     if (vm->def->os.kernel &&
         SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
         rc = -1;
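Review bot: The second argument to virDomainSmartcardDefForeach is a bare `false` here and a bare `true` in the SELinuxSetSecurityAllLabel hunk, so a reader must open the prototype to see what the flag selects — presumably whether iteration aborts on the first failing callback, which would match the `rc = -1` accumulation here versus the immediate `return -1` there. A short trailing comment on each call, e.g. `false, /* keep going, collect every failure */` here and `true, /* stop at the first failure */` in the set path, would make the asymmetry read as deliberate. Both enclosing functions start and end outside their hunks.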
@@ -1035,6 +1081,48 @@ SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,


 static int
+SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+                                    virDomainSmartcardDefPtr dev,
+                                    void *opaque)
+{
+    virDomainObjPtr vm = opaque;
+    int i;
+
+    switch (dev->type) {
+    case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+        if (dev->data.host.dev)
+            return SELinuxSetFilecon(dev->data.host.dev,
+                                     default_content_context);
+        break;
+
+    case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+        for (i = 0; i < VIR_DOMAIN_SMARTCARD_NUM_CERTIFICATES; i++) {
+            if (SELinuxSetFilecon(dev->data.cert.file[i],
+                                  default_content_context) < 0)
+                return -1;
+        }
+        if (dev->data.cert.database) {
+            if (SELinuxSetFilecon(dev->data.cert.database,
+                                  default_content_context) < 0)
+                return -1;
+        }
+        break;
+
+    case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+        return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru);
+
+    default:
+        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("unknown smartcard type %d"),
+                               dev->type);
+        return -1;
+    }
+
+    return 0;
+}
+
+
+static int
 SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
                            virDomainObjPtr vm,
                            const char *stdin_path)
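Review bot: The HOST_CERTIFICATES branch treats each `dev->data.cert.file[i]` as a host file path to relabel, but the same device also carries a `database`, which suggests the certificate entries may be names inside that NSS store rather than standalone files; if so, SELinuxSetFilecon will fail on a non-existent path and, because this callback returns -1 on the first failure, the whole SELinuxSetSecurityAllLabel run and thus the domain start is aborted. Please confirm what the parser stores in `data.cert.file[]`; if they are store-internal names, only the database directory needs labeling. Note also that when `database` is NULL nothing is labeled at all, yet the emulator presumably still opens some default store location — that default should either be labeled here or documented as relying on an existing host policy. The trailing context belongs to SELinuxSetSecurityAllLabel, which continues beyond the hunk.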
@@ -1069,6 +1157,12 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
                                vm) < 0)
         return -1;

+    if (virDomainSmartcardDefForeach(vm->def,
+                                     true,
+                                     SELinuxSetSecuritySmartcardCallback,
+                                     vm) < 0)
+        return -1;
+
     if (vm->def->os.kernel &&
         SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
         return -1;
-- 
1.7.3.5



