[libvirt] [PATCH 05/23] Skip bulk relabelling of resources in SELinux driver when used with LXC
Osier Yang
jyang at redhat.com
Fri Dec 14 09:40:18 UTC 2012
On 2012年12月01日 04:26, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange"<berrange at redhat.com>
>
> The virSecurityManager{Set,Restore}AllLabel methods are invoked
> at domain startup/shutdown to relabel resources associated with
> a domain. This works fine with QEMU, but with LXC they are in
> fact both currently no-ops since LXC does not support disks,
> hostdevs, or kernel/initrd files. Worse, when LXC gains support
> for disks/hostdevs, they will do the wrong thing, since they
> run in host context, not container context. Thus this patch
> turns then into a formal no-op when used with LXC. The LXC
> controller will call out to specific security manager labelling
> APIs as required during startup.
>
> Signed-off-by: Daniel P. Berrange<berrange at redhat.com>
> ---
> src/security/security_selinux.c | 12 +++++++++---
> 1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 5409e32..ddf3da3 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -61,6 +61,7 @@ struct _virSecuritySELinuxData {
> char *file_context;
> char *content_context;
> virHashTablePtr mcs;
> + bool skipAllLabel;
> };
>
> struct _virSecuritySELinuxCallbackData {
> @@ -363,6 +364,8 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
> virConfPtr selinux_conf;
> virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
>
> + data->skipAllLabel = true;
> +
> selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
> if (!selinux_conf) {
> virReportSystemError(errno,
> @@ -438,6 +441,8 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
> char *ptr;
> virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
>
> + data->skipAllLabel = false;
> +
> if (virFileReadAll(selinux_virtual_domain_context_path(), MAX_CONTEXT,&(data->domain_context))< 0) {
> virReportSystemError(errno,
> _("cannot read SELinux virtual domain context file '%s'"),
> @@ -1438,11 +1443,12 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
>
>
> static int
> -virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> +virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
> virDomainDefPtr def,
> int migrated ATTRIBUTE_UNUSED)
> {
> virSecurityLabelDefPtr secdef;
> + virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
> int i;
> int rc = 0;
>
> @@ -1452,7 +1458,7 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
> if (secdef == NULL)
> return -1;
>
> - if (secdef->norelabel)
> + if (secdef->norelabel || data->skipAllLabel)
> return 0;
>
> for (i = 0 ; i< def->nhostdevs ; i++) {
> @@ -1810,7 +1816,7 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
> if (secdef == NULL)
> return -1;
>
> - if (secdef->norelabel)
> + if (secdef->norelabel || data->skipAllLabel)
> return 0;
>
> for (i = 0 ; i< def->ndisks ; i++) {
ACK
More information about the libvir-list
mailing list