[libvirt] [PATCH 2/3] Add a virSecurityManagerSetProcessFDLabel
Jamie Strandboge
jamie at canonical.com
Fri Jun 24 15:27:21 UTC 2011
On Fri, 2011-06-24 at 16:09 +0100, Daniel P. Berrange wrote:
> Add a new security driver method for labelling an FD with
> the process label, rather than the image label
>
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index 90725cd..2d3f9d8 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -852,6 +852,7 @@ virSecurityManagerSetAllLabel;
> virSecurityManagerSetImageFDLabel;
> virSecurityManagerSetImageLabel;
> virSecurityManagerSetHostdevLabel;
> +virSecurityManagerSetProcessFDLabel;
> virSecurityManagerSetProcessLabel;
> virSecurityManagerSetSavedStateLabel;
> virSecurityManagerSetSocketLabel;
> diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
> index 50a7383..df8c66c 100644
> --- a/src/security/security_apparmor.c
> +++ b/src/security/security_apparmor.c
> @@ -784,6 +784,34 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
> return reload_profile(mgr, vm, fd_path, true);
> }
>
> +static int
> +AppArmorSetProcessFDLabel(virSecurityManagerPtr mgr,
> + virDomainObjPtr vm,
> + int fd)
> +{
> + int rc = -1;
> + char *proc = NULL;
> + char *fd_path = NULL;
> +
> + const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
> +
> + if (secdef->imagelabel == NULL)
> + return 0;
> +
> + if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1) {
> + virReportOOMError();
> + return rc;
> + }
> +
> + if (virFileResolveLink(proc, &fd_path) < 0) {
> + virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
> + "%s", _("could not find path for descriptor"));
> + return rc;
> + }
> +
> + return reload_profile(mgr, vm, fd_path, true);
> +}
> +
> virSecurityDriver virAppArmorSecurityDriver = {
> 0,
> SECURITY_APPARMOR_NAME,
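Review bot: AppArmorSetProcessFDLabel leaks both of its allocations. `proc` (from virAsprintf) is never freed on either the virFileResolveLink failure path or the success path, and `fd_path` is never freed after `return reload_profile(mgr, vm, fd_path, true);`. Suggest capturing the result in `rc` and routing every exit after the virAsprintf through a cleanup label that does `VIR_FREE(proc); VIR_FREE(fd_path); return rc;`, so the early returns on the resolve-failure path stop leaking `proc` as well. The same pattern appears in the existing AppArmorSetImageFDDLabel body this copies from, so whichever function survives the planned refactor should carry the fix.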
> @@ -819,4 +847,5 @@ virSecurityDriver virAppArmorSecurityDriver = {
> AppArmorRestoreSavedStateLabel,
>
> AppArmorSetImageFDLabel,
> + AppArmorSetProcessFDLabel,
> };
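Review bot: the virAppArmorSecurityDriver table is filled by positional initializers, so appending `AppArmorSetProcessFDLabel,` after `AppArmorSetImageFDLabel,` only works if the new virSecurityDriver member was added at the same position in the struct definition, which is not part of this excerpt; please confirm the ordering, and consider a designated initializer for the new slot so the mapping does not depend on position. Any other security drivers that are not updated in this series will get a NULL for the new member, so the virSecurityManagerSetProcessFDLabel wrapper exported in the syms hunk above needs to check for that before calling through.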
ACK, though this and AppArmorSetImageFDLabel() are now identical and
could therefore be refactored. I've made a note to check on this after
the SetProcessFDLabel() changes are in place.
--
Jamie Strandboge | http://www.canonical.com