[libvirt] [PATCH 2/2] security: Driver 'none' cannot create confined guests

Eric Blake eblake at redhat.com
Tue Feb 7 20:39:17 UTC 2012

On 02/07/2012 01:10 PM, Jiri Denemark wrote:
> In case the caller specifies that confined guests are required but the
> security driver turns out to be 'none', we should return an error since
> this driver clearly cannot meet that requirement.  As a result of this
> error, libvirtd fails to start when the host admin explicitly sets
> confined guests are required but there is no security driver available.
> Since security driver 'none' cannot create confined guests, we override
> default confined setting so that hypervisor drivers do not thing they


> should create confined guests.
> ---
>  src/security/security_manager.c |   20 ++++++++++++++++++++
>  tests/seclabeltest.c            |    2 +-
>  2 files changed, 21 insertions(+), 1 deletions(-)

ACK that this fixes the issue, but I'm wondering whether we should move
the logic that rejects requireConfig out of security_manager.c and into
security_nop.c:virSecurityDriverOpenNop().  That is, the special casing
is a property of the 'none' security manager.  Is it worth a v2 patch
that moves the error messages in that manner?

> +++ b/tests/seclabeltest.c
> @@ -13,7 +13,7 @@ main (int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED)
>      virSecurityManagerPtr mgr;
>      const char *doi, *model;
> -    mgr = virSecurityManagerNew(NULL, false, true, true);
> +    mgr = virSecurityManagerNew(NULL, false, true, false);

And here's a classic example that proves Laine's point that any
interface with more than one bool parameter is hard to read (you have to
check the implementation), compared to consolidating those into a flags
argument.  But no need to change the signature for this particular patch.

Eric Blake   eblake at redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 620 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20120207/9d26a9aa/attachment-0001.sig>

More information about the libvir-list mailing list