[libvirt] [PATCHv3 4/5] smartcard: enable SELinux support
Daniel P. Berrange
berrange at redhat.com
Wed Jan 26 12:27:33 UTC 2011
On Tue, Jan 25, 2011 at 05:36:57PM -0700, Eric Blake wrote:
> * src/security/security_selinux.c
> (SELinuxRestoreSecuritySmartcardCallback)
> (SELinuxSetSecuritySmartcardCallback): New helper functions.
> (SELinuxRestoreSecurityAllLabel, SELinuxSetSecurityAllLabel): Use
> them.
>
> Notes:
> v3: new patch
> ---
> src/security/security_selinux.c | 94 +++++++++++++++++++++++++++++++++++++++
> 1 files changed, 94 insertions(+), 0 deletions(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 7b71fd9..678b7ff 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -770,6 +770,46 @@ SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
>
>
> static int
> +SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
> + virDomainSmartcardDefPtr dev,
> + void *opaque)
> +{
> + virDomainObjPtr vm = opaque;
> + int i;
> + int ret = 0;
> +
> + switch (dev->type) {
> + case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
> + if (dev->data.host.dev)
> + return SELinuxRestoreSecurityFileLabel(dev->data.host.dev);
> + break;
This can be removed I think
> +
> + case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
> + for (i = 0; i < VIR_DOMAIN_SMARTCARD_NUM_CERTIFICATES; i++) {
> + if (SELinuxRestoreSecurityFileLabel(dev->data.cert.file[i]) < 0)
> + ret = -1;
> + }
> + if (dev->data.cert.database) {
> + if (SELinuxRestoreSecurityFileLabel(dev->data.cert.database) < 0)
> + ret = -1;
> + }
> + break;
> +
> + case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
> + return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru);
> +
> + default:
> + virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
> + _("unknown smartcard type %d"),
> + dev->type);
> + return -1;
> + }
> +
> + return ret;
> +}
> +
> +
> +static int
> SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> virDomainObjPtr vm,
> int migrated ATTRIBUTE_UNUSED)
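Review bot: SELinuxRestoreSecuritySmartcardCallback passes `dev->data.cert.file[i]` to SELinuxRestoreSecurityFileLabel without the NULL check that `dev->data.host.dev` and `dev->data.cert.database` get in the same function, so it relies on the parser having filled every one of the VIR_DOMAIN_SMARTCARD_NUM_CERTIFICATES entries. If that is guaranteed by the XML parser it deserves a comment on the loop; if not, the condition should become `if (dev->data.cert.file[i] && SELinuxRestoreSecurityFileLabel(dev->data.cert.file[i]) < 0)`. The certificate case also accumulates `ret = -1` instead of returning on the first failure, unlike the HOST and PASSTHROUGH cases, which is the right choice for a restore path but worth stating: `/* keep going so every label is restored; report the first failure */`. The same unchecked `file[i]` access appears in SELinuxSetSecuritySmartcardCallback in the third hunk.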
> @@ -803,6 +843,12 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> vm) < 0)
> rc = -1;
>
> + if (virDomainSmartcardDefForeach(vm->def,
> + false,
> + SELinuxRestoreSecuritySmartcardCallback,
> + vm) < 0)
> + rc = -1;
> +
> if (vm->def->os.kernel &&
> SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
> rc = -1;
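Review bot: The bare `false` passed to virDomainSmartcardDefForeach gives a reader no hint of what it controls, and the corresponding call in SELinuxSetSecurityAllLabel in the last hunk passes `true` for the same parameter, so the restore/set asymmetry looks accidental without a comment. Given that the surrounding restore code keeps going and records `rc = -1`, the flag presumably tells the iterator not to abort on the first callback failure; confirm that against the declaration of virDomainSmartcardDefForeach and then annotate the literal, e.g. `false, /* do not abort on error: restore as many labels as possible */`. SELinuxRestoreSecurityAllLabel starts and ends outside this hunk.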
> @@ -1035,6 +1081,48 @@ SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
>
>
> static int
> +SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
> + virDomainSmartcardDefPtr dev,
> + void *opaque)
> +{
> + virDomainObjPtr vm = opaque;
> + int i;
> +
> + switch (dev->type) {
> + case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
> + if (dev->data.host.dev)
> + return SELinuxSetFilecon(dev->data.host.dev,
> + default_content_context);
> + break;
And this one.
> +
> + case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
> + for (i = 0; i < VIR_DOMAIN_SMARTCARD_NUM_CERTIFICATES; i++) {
> + if (SELinuxSetFilecon(dev->data.cert.file[i],
> + default_content_context) < 0)
> + return -1;
> + }
> + if (dev->data.cert.database) {
> + if (SELinuxSetFilecon(dev->data.cert.database,
> + default_content_context) < 0)
> + return -1;
> + }
> + break;
> +
> + case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
> + return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru);
> +
> + default:
> + virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
> + _("unknown smartcard type %d"),
> + dev->type);
> + return -1;
> + }
> +
> + return 0;
> +}
> +
> +
> +static int
> SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
> virDomainObjPtr vm,
> const char *stdin_path)
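Review bot: SELinuxSetSecuritySmartcardCallback labels the certificate files and `dev->data.cert.database` with `default_content_context`, the same shared context the last hunk applies to `vm->def->os.kernel`, rather than a per-domain context; since this decides what the guest process may do with the host's certificate store, a comment such as `/* certificates and the NSS database are shared content, not per-domain: same context as the kernel image */` would make the least-privilege decision explicit — confirm that the emulated reader never needs to write the database before wording it as read-only. On a failure partway through the loop the function returns -1 with the earlier files already relabeled and nothing here undoes them, so the caller's restore path is being relied upon for cleanup; that is consistent with how the chardev callbacks above behave but worth a sentence at the top of the function. Stopping at the first failure here, while the restore callback keeps going, is the right asymmetry for a set path.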
> @@ -1069,6 +1157,12 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
> vm) < 0)
> return -1;
>
> + if (virDomainSmartcardDefForeach(vm->def,
> + true,
> + SELinuxSetSecuritySmartcardCallback,
> + vm) < 0)
> + return -1;
> +
> if (vm->def->os.kernel &&
> SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
> return -1;
ACK
Daniel