[libvirt] [PATCH 05/23] Skip bulk relabelling of resources in SELinux driver when used with LXC

Osier Yang jyang at redhat.com
Fri Dec 14 09:40:18 UTC 2012


On 2012年12月01日 04:26, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange"<berrange at redhat.com>
>
> The virSecurityManager{Set,Restore}AllLabel methods are invoked
> at domain startup/shutdown to relabel resources associated with
> a domain. This works fine with QEMU, but with LXC they are in
> fact both currently no-ops since LXC does not support disks,
> hostdevs, or kernel/initrd files. Worse, when LXC gains support
> for disks/hostdevs, they will do the wrong thing, since they
> run in host context, not container context. Thus this patch
> turns them into a formal no-op when used with LXC. The LXC
> controller will call out to specific security manager labelling
> APIs as required during startup.
>
> Signed-off-by: Daniel P. Berrange<berrange at redhat.com>
> ---
>   src/security/security_selinux.c | 12 +++++++++---
>   1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 5409e32..ddf3da3 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -61,6 +61,7 @@ struct _virSecuritySELinuxData {
>       char *file_context;
>       char *content_context;
>       virHashTablePtr mcs;
> +    bool skipAllLabel;
>   };
>
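Review bot: The new `skipAllLabel` field is added to `_virSecuritySELinuxData` without a comment, and its meaning (a driver-wide switch that turns the Set/RestoreAllLabel entry points into no-ops) is only recoverable by reading the two initializers and the two callers further down. A one-line comment on the field would make the contract visible where the data lives, e.g. `bool skipAllLabel; /* true for LXC: {Set,Restore}AllLabel are no-ops, the controller labels resources itself */`. The two initializers shown set the field explicitly in both directions, so no reliance on zeroed allocation is visible here; if any other initializer path exists outside this patch it should set it too, which the comment would remind a later maintainer of.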
>   struct _virSecuritySELinuxCallbackData {
> @@ -363,6 +364,8 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
>       virConfPtr selinux_conf;
>       virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
>
> +    data->skipAllLabel = true;
> +
>       selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
>       if (!selinux_conf) {
>           virReportSystemError(errno,
> @@ -438,6 +441,8 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
>       char *ptr;
>       virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
>
> +    data->skipAllLabel = false;
> +
>       if (virFileReadAll(selinux_virtual_domain_context_path(), MAX_CONTEXT,&(data->domain_context))<  0) {
>           virReportSystemError(errno,
>                                _("cannot read SELinux virtual domain context file '%s'"),
> @@ -1438,11 +1443,12 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
>
>
>   static int
> -virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> +virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
>                                             virDomainDefPtr def,
>                                             int migrated ATTRIBUTE_UNUSED)
>   {
>       virSecurityLabelDefPtr secdef;
> +    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
>       int i;
>       int rc = 0;
>
> @@ -1452,7 +1458,7 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
>       if (secdef == NULL)
>           return -1;
>
> -    if (secdef->norelabel)
> +    if (secdef->norelabel || data->skipAllLabel)
>           return 0;
>
>       for (i = 0 ; i<  def->nhostdevs ; i++) {
> @@ -1810,7 +1816,7 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
>       if (secdef == NULL)
>           return -1;
>
> -    if (secdef->norelabel)
> +    if (secdef->norelabel || data->skipAllLabel)
>           return 0;
>
>       for (i = 0 ; i<  def->ndisks ; i++) {
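Review bot: The new condition in virSecuritySELinuxSetSecurityAllLabel dereferences `data`, but unlike the Restore hunk above this hunk does not show where `data` is declared or assigned; since `mgr` is not marked ATTRIBUTE_UNUSED in this function's signature it presumably already fetched the private data, but that is inferred, not visible. It is worth confirming that `data` is assigned before the `secdef == NULL` check rather than after it, otherwise `data->skipAllLabel` reads an uninitialised pointer on this early-return path. The enclosing function starts and ends outside the hunk.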

ACK



