[libvirt] [PATCH 6/7] Update LXC driver to support multiple security drivers
Michal Privoznik
mprivozn at redhat.com
Tue Jun 5 15:03:53 UTC 2012
On 21.05.2012 15:39, Marcelo Cerri wrote:
> ---
> src/lxc/lxc_conf.c | 8 ++++++--
> src/lxc/lxc_driver.c | 35 ++++++++++++++++++++---------------
> 2 files changed, 26 insertions(+), 17 deletions(-)
>
> diff --git a/src/lxc/lxc_conf.c b/src/lxc/lxc_conf.c
> index 72547c4..807c704 100644
> --- a/src/lxc/lxc_conf.c
> +++ b/src/lxc/lxc_conf.c
> @@ -134,9 +134,13 @@ virCapsPtr lxcCapsInit(lxc_driver_t *driver)
> doi = virSecurityManagerGetDOI(driver->securityManager);
> model = virSecurityManagerGetModel(driver->securityManager);
> if (STRNEQ(model, "none")) {
> - if (!(caps->host.secModel.model = strdup(model)))
> + /* Allocate just the primary security driver for LXC. */
> + if (VIR_ALLOC(caps->host.secModels) < 0)
> goto no_memory;
> - if (!(caps->host.secModel.doi = strdup(doi)))
> + caps->host.nsecModels = 1;
> + if (!(caps->host.secModels[0].model = strdup(model)))
> + goto no_memory;
> + if (!(caps->host.secModels[0].doi = strdup(doi)))
> goto no_memory;
> }
>
> diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
> index 4cccd53..ffd3c9c 100644
> --- a/src/lxc/lxc_driver.c
> +++ b/src/lxc/lxc_driver.c
> @@ -1479,10 +1479,12 @@ static int lxcVmTerminate(lxc_driver_t *driver,
> vm->def, false);
> virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
> /* Clear out dynamically assigned labels */
> - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
> - VIR_FREE(vm->def->seclabel.model);
> - VIR_FREE(vm->def->seclabel.label);
> - VIR_FREE(vm->def->seclabel.imagelabel);
> + /* Manages just the primary sec driver for lxc */
> + if (vm->def->nseclabels
> + && vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
> + VIR_FREE(vm->def->seclabels[0]->model);
> + VIR_FREE(vm->def->seclabels[0]->label);
> + VIR_FREE(vm->def->seclabels[0]->imagelabel);
> }
I guess we want to VIR_FREE(vm->def->seclabels) and m->def->nseclabels =
0; ...
>
> if (virCgroupForDomain(driver->cgroup, vm->def->name, &group, 0) == 0) {
> @@ -1818,8 +1820,10 @@ static int lxcVmStart(virConnectPtr conn,
> /* If you are using a SecurityDriver with dynamic labelling,
> then generate a security label for isolation */
> VIR_DEBUG("Generating domain security label (if required)");
> - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DEFAULT)
> - vm->def->seclabel.type = VIR_DOMAIN_SECLABEL_NONE;
> + if (vm->def->nseclabels
> + && vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT) {
> + vm->def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE;
> + }
>
> if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) {
> virDomainAuditSecurityLabel(vm, false);
> @@ -1990,10 +1994,11 @@ cleanup:
> vm->def, false);
> virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
> /* Clear out dynamically assigned labels */
> - if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
> - VIR_FREE(vm->def->seclabel.model);
> - VIR_FREE(vm->def->seclabel.label);
> - VIR_FREE(vm->def->seclabel.imagelabel);
> + if (vm->def->nseclabels
> + && vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
> + VIR_FREE(vm->def->seclabels[0]->model);
> + VIR_FREE(vm->def->seclabels[0]->label);
> + VIR_FREE(vm->def->seclabels[0]->imagelabel);
... and here as well.
> }
> }
> for (i = 0 ; i < nttyFDs ; i++)
> @@ -2233,12 +2238,12 @@ static int lxcNodeGetSecurityModel(virConnectPtr conn,
> lxcDriverLock(driver);
> memset(secmodel, 0, sizeof(*secmodel));
>
> - /* NULL indicates no driver, which we treat as
> - * success, but simply return no data in *secmodel */
> - if (driver->caps->host.secModel.model == NULL)
> + /* we treat no driver as success, but simply return no data in *secmodel */
> + if (driver->caps->host.nsecModels == 0
> + || driver->caps->host.secModels[0].model == NULL)
> goto cleanup;
>
> - if (!virStrcpy(secmodel->model, driver->caps->host.secModel.model,
> + if (!virStrcpy(secmodel->model, driver->caps->host.secModels[0].model,
> VIR_SECURITY_MODEL_BUFLEN)) {
> lxcError(VIR_ERR_INTERNAL_ERROR,
> _("security model string exceeds max %d bytes"),
> @@ -2247,7 +2252,7 @@ static int lxcNodeGetSecurityModel(virConnectPtr conn,
> goto cleanup;
> }
>
> - if (!virStrcpy(secmodel->doi, driver->caps->host.secModel.doi,
> + if (!virStrcpy(secmodel->doi, driver->caps->host.secModels[0].doi,
> VIR_SECURITY_DOI_BUFLEN)) {
> lxcError(VIR_ERR_INTERNAL_ERROR,
> _("security DOI string exceeds max %d bytes"),
Otherwise looking good.
More information about the libvir-list
mailing list