[libvirt] [PATCH 08/23] Add support for SELinux labelling of hostdev storage/misc devices
Osier Yang
jyang at redhat.com
Fri Dec 14 10:07:50 UTC 2012
On 2012年12月01日 04:26, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange"<berrange at redhat.com>
>
> The SELinux security driver needs to learn to label storage/misc
> hostdev devices for LXC
>
> Signed-off-by: Daniel P. Berrange<berrange at redhat.com>
> ---
> src/security/security_selinux.c | 118 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 118 insertions(+)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index ad13490..6f0cd4d 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -1171,6 +1171,65 @@ done:
>
>
> static int
> +virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
> + virDomainHostdevDefPtr dev,
> + const char *vroot)
> +{
> + int ret = -1;
> + virSecurityLabelDefPtr secdef;
> + char *path;
> +
> + secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
> + if (secdef == NULL)
> + return -1;
> +
> + switch (dev->source.caps.type) {
> + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
> + if (vroot) {
> + if (virAsprintf(&path, "%s/%s", vroot,
> + dev->source.caps.u.storage.block)< 0) {
> + virReportOOMError();
> + return -1;
> + }
> + } else {
> + if (!(path = strdup(dev->source.caps.u.storage.block))) {
> + virReportOOMError();
> + return -1;
> + }
> + }
> + ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
> + VIR_FREE(path);
> + break;
> + }
> +
> + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
> + if (vroot) {
> + if (virAsprintf(&path, "%s/%s", vroot,
> + dev->source.caps.u.misc.chardev)< 0) {
> + virReportOOMError();
> + return -1;
> + }
> + } else {
> + if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
> + virReportOOMError();
> + return -1;
> + }
> + }
> + ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
> + VIR_FREE(path);
> + break;
> + }
> +
> + default:
> + ret = 0;
> + break;
> + }
> +
> + return ret;
> +}
> +
> +
> +static int
> virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> virDomainDefPtr def,
> virDomainHostdevDefPtr dev,
> @@ -1190,6 +1249,9 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
> case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
> return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot);
>
> + case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
> + return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot);
> +
> default:
> return 0;
> }
> @@ -1265,6 +1327,59 @@ done:
>
>
> static int
> +virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virDomainHostdevDefPtr dev,
> + const char *vroot)
> +{
> + int ret = -1;
> + char *path;
> +
> + switch (dev->source.caps.type) {
> + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
> + if (vroot) {
> + if (virAsprintf(&path, "%s/%s", vroot,
> + dev->source.caps.u.storage.block)< 0) {
> + virReportOOMError();
> + return -1;
> + }
> + } else {
> + if (!(path = strdup(dev->source.caps.u.storage.block))) {
> + virReportOOMError();
> + return -1;
> + }
> + }
> + ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
> + VIR_FREE(path);
> + break;
> + }
> +
> + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
> + if (vroot) {
> + if (virAsprintf(&path, "%s/%s", vroot,
> + dev->source.caps.u.misc.chardev)< 0) {
> + virReportOOMError();
> + return -1;
> + }
> + } else {
> + if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
> + virReportOOMError();
> + return -1;
> + }
> + }
I think it's better helper to get the path to label, to avoid the
duplciate codes in virSecuritySELinuxRestoreSecurityHostdevCapsLabel
and virSecuritySELinuxSetSecurityHostdevCapsLabel.
ACK otherwise.
More information about the libvir-list
mailing list