[libvirt] [PATCH 6/7] Update LXC driver to support multiple security drivers

Marcelo Cerri mhcerri at linux.vnet.ibm.com
Mon May 21 13:39:28 UTC 2012


---
 src/lxc/lxc_conf.c   |    8 ++++++--
 src/lxc/lxc_driver.c |   35 ++++++++++++++++++++---------------
 2 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/src/lxc/lxc_conf.c b/src/lxc/lxc_conf.c
index 72547c4..807c704 100644
--- a/src/lxc/lxc_conf.c
+++ b/src/lxc/lxc_conf.c
@@ -134,9 +134,13 @@ virCapsPtr lxcCapsInit(lxc_driver_t *driver)
         doi = virSecurityManagerGetDOI(driver->securityManager);
         model = virSecurityManagerGetModel(driver->securityManager);
         if (STRNEQ(model, "none")) {
-            if (!(caps->host.secModel.model = strdup(model)))
+            /* Allocate just the primary security driver for LXC. */
+            if (VIR_ALLOC(caps->host.secModels) < 0)
                 goto no_memory;
-            if (!(caps->host.secModel.doi = strdup(doi)))
+            caps->host.nsecModels = 1;
+            if (!(caps->host.secModels[0].model = strdup(model)))
+                goto no_memory;
+            if (!(caps->host.secModels[0].doi = strdup(doi)))
                 goto no_memory;
         }
 
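Review bot: The capabilities built here advertise only `secModels[0]`, so a host running with more than one security driver would report a single model to clients, and the comment at the allocation does not say that this is a deliberate limitation. I would word it as `/* LXC reports only the primary security driver; any additional drivers are not advertised in the host capabilities. */`. Note also that `nsecModels` is set to 1 before either string is duplicated, so the `no_memory` path (outside this hunk) has to cope with an element whose `model` or `doi` is still NULL. The capabilities free routine presumably handles that, but it is not visible here.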
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index 4cccd53..ffd3c9c 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -1479,10 +1479,12 @@ static int lxcVmTerminate(lxc_driver_t *driver,
                                       vm->def, false);
     virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
     /* Clear out dynamically assigned labels */
-    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
-        VIR_FREE(vm->def->seclabel.model);
-        VIR_FREE(vm->def->seclabel.label);
-        VIR_FREE(vm->def->seclabel.imagelabel);
+    /* Manages just the primary sec driver for lxc */
+    if (vm->def->nseclabels
+        && vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
+        VIR_FREE(vm->def->seclabels[0]->model);
+        VIR_FREE(vm->def->seclabels[0]->label);
+        VIR_FREE(vm->def->seclabels[0]->imagelabel);
     }
 
     if (virCgroupForDomain(driver->cgroup, vm->def->name, &group, 0) == 0) {
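Review bot: Only `seclabels[0]` is cleared after `virSecurityManagerReleaseLabel()`, so if a domain definition carries more than one seclabel entry (which the rest of this series appears to allow), dynamically generated labels in later entries stay in `vm->def` after they have been released and could be carried into the next start. The same index-0-only block is repeated in the `cleanup:` path of `lxcVmStart` (the `@@ -1990,10` hunk). Either reject multi-label definitions for LXC up front or clear every dynamic entry, as sketched below. `i` would need declaring in `lxcVmTerminate`, whose body starts and ends outside this hunk.

```c
    virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
    /* Clear out dynamically assigned labels for every configured model */
    for (i = 0; i < vm->def->nseclabels; i++) {
        if (vm->def->seclabels[i]->type != VIR_DOMAIN_SECLABEL_DYNAMIC)
            continue;
        VIR_FREE(vm->def->seclabels[i]->model);
        VIR_FREE(vm->def->seclabels[i]->label);
        VIR_FREE(vm->def->seclabels[i]->imagelabel);
    }
    /* … unchanged: cgroup teardown … */
```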
@@ -1818,8 +1820,10 @@ static int lxcVmStart(virConnectPtr conn,
     /* If you are using a SecurityDriver with dynamic labelling,
        then generate a security label for isolation */
     VIR_DEBUG("Generating domain security label (if required)");
-    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DEFAULT)
-        vm->def->seclabel.type = VIR_DOMAIN_SECLABEL_NONE;
+    if (vm->def->nseclabels
+        && vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT) {
+        vm->def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE;
+    }
 
     if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) {
         virDomainAuditSecurityLabel(vm, false);
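Review bot: When `nseclabels` is 0 this guard skips the DEFAULT-to-NONE normalisation entirely, whereas the old embedded `seclabel` was always normalised before `virSecurityManagerGenLabel()` ran. Whether an empty list is then treated as "none" or has a dynamic label generated depends on the manager code, which is outside this patch. Entries after index 0 that are still `VIR_DOMAIN_SECLABEL_DEFAULT` also reach `virSecurityManagerGenLabel()` unchanged. A comment stating the intended outcome would help, e.g. `/* An empty seclabel list is left for virSecurityManagerGenLabel() to handle; only the primary label is normalised here. */`, and a test starting a container with no seclabel configured would confirm that confinement did not change.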
@@ -1990,10 +1994,11 @@ cleanup:
                                           vm->def, false);
         virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
         /* Clear out dynamically assigned labels */
-        if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
-            VIR_FREE(vm->def->seclabel.model);
-            VIR_FREE(vm->def->seclabel.label);
-            VIR_FREE(vm->def->seclabel.imagelabel);
+        if (vm->def->nseclabels
+            && vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
+            VIR_FREE(vm->def->seclabels[0]->model);
+            VIR_FREE(vm->def->seclabels[0]->label);
+            VIR_FREE(vm->def->seclabels[0]->imagelabel);
         }
     }
     for (i = 0 ; i < nttyFDs ; i++)
@@ -2233,12 +2238,12 @@ static int lxcNodeGetSecurityModel(virConnectPtr conn,
     lxcDriverLock(driver);
     memset(secmodel, 0, sizeof(*secmodel));
 
-    /* NULL indicates no driver, which we treat as
-     * success, but simply return no data in *secmodel */
-    if (driver->caps->host.secModel.model == NULL)
+    /* we treat no driver as success, but simply return no data in *secmodel */
+    if (driver->caps->host.nsecModels == 0
+        || driver->caps->host.secModels[0].model == NULL)
         goto cleanup;
 
-    if (!virStrcpy(secmodel->model, driver->caps->host.secModel.model,
+    if (!virStrcpy(secmodel->model, driver->caps->host.secModels[0].model,
                    VIR_SECURITY_MODEL_BUFLEN)) {
         lxcError(VIR_ERR_INTERNAL_ERROR,
                  _("security model string exceeds max %d bytes"),
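Review bot: The rewritten comment drops the explanation that a NULL model means "no driver", and the function now silently returns only `secModels[0]`, so a caller cannot tell that further models may be configured. I would spell both out: `/* No security driver (empty list or NULL model) is treated as success with *secmodel left zeroed; only the primary model is returned. */`. The `doi` copy in the following hunk relies on `doi` being non-NULL whenever `model` is. That holds for `lxcCapsInit` as patched in this commit but is not checked here.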
@@ -2247,7 +2252,7 @@ static int lxcNodeGetSecurityModel(virConnectPtr conn,
         goto cleanup;
     }
 
-    if (!virStrcpy(secmodel->doi, driver->caps->host.secModel.doi,
+    if (!virStrcpy(secmodel->doi, driver->caps->host.secModels[0].doi,
                    VIR_SECURITY_DOI_BUFLEN)) {
         lxcError(VIR_ERR_INTERNAL_ERROR,
                  _("security DOI string exceeds max %d bytes"),
-- 
1.7.1



