[libvirt] [PATCH 5/8] Support seclabels for volume type disk

John Ferlan jferlan at redhat.com
Fri Apr 5 23:58:51 UTC 2013


On 04/04/2013 03:37 PM, Osier Yang wrote:
> "seclabels" is only valid for 'file' or 'block' type storage volume.
> ---
>  docs/formatdomain.html.in                            |  6 ++++--
>  docs/schemas/domaincommon.rng                        |  3 +++
>  src/conf/domain_conf.c                               | 20 ++++++++++++++------
>  .../qemuxml2argv-disk-source-pool.xml                |  6 +++++-
>  4 files changed, 26 insertions(+), 9 deletions(-)
> 
> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> index ce185a9..44e7f28 100644
> --- a/docs/formatdomain.html.in
> +++ b/docs/formatdomain.html.in
> @@ -1439,11 +1439,13 @@
>          path to the file holding the disk. If the disk
>          <code>type</code> is "block", then the <code>dev</code>
>          attribute specifies the path to the host device to serve as
> -        the disk. With both "file" and "block", one or more optional
> +        the disk. With "file", "block", and "volume", one or more optional
>          sub-elements <code>seclabel</code>, <a href="#seclabel">described
>          below</a> (and <span class="since">since 0.9.9</span>), can be
>          used to override the domain security labeling policy for just
> -        that source file.  If the disk <code>type</code> is "dir", then the
> +        that source file. (NB, for "volume" type disk, <code>seclable</code>

s/seclable/seclabel/

> +        is only valid when the specified storage volume is of 'file' or
> +        'block' type).  If the disk <code>type</code> is "dir", then the
>          <code>dir</code> attribute specifies the fully-qualified path
>          to the directory to use as the disk. If the disk <code>type</code>
>          is "network", then the <code>protocol</code> attribute specifies
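Review bot: the new parenthetical says seclabel "is only valid when the specified storage volume is of 'file' or 'block' type" but not what happens otherwise (rejected when the domain is defined, or silently ignored); the documentation should state the behaviour. The existing "since 0.9.9" marker covers file and block only, so the volume case should carry its own `<span class="since">` marker for the release that adds it. The typo on the "seclable" line has already been noted above.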
> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
> index 4e7e712..80749e1 100644
> --- a/docs/schemas/domaincommon.rng
> +++ b/docs/schemas/domaincommon.rng
> @@ -1106,6 +1106,9 @@
>                  <optional>
>                    <ref name="startupPolicy"/>
>                  </optional>
> +                <optional>
> +                  <ref name='devSeclabel'/>
> +                </optional>
>                </element>
>              </optional>
>              <ref name="diskspec"/>
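Review bot: the schema can only say that devSeclabel is optional under the volume source element; it cannot express the "file or block volumes only" restriction from the commit message, so that check has to live in the parser or at runtime and this hunk does not enforce it. Style point: the added lines use single quotes (`<ref name='devSeclabel'/>`) while the neighbouring `<ref name="startupPolicy"/>` uses double quotes; match the surrounding file.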
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index c1d2cbb..7f5e727 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -12888,16 +12888,24 @@ virDomainDiskSourceDefFormat(virBufferPtr buf,
>              }
>              break;
>          case VIR_DOMAIN_DISK_TYPE_VOLUME:
> -            /* Parsing guarantees the def->srcpool->volume cannot be NULL
> -             * if def->srcpool->pool is not NULL.
> -             */
> +            virBufferAddLit(buf, "      <source");
> +
>              if (def->srcpool)
> -                virBufferAsprintf(buf, "      <source pool='%s' volume='%s'",
> +                virBufferAsprintf(buf, " pool='%s' volume='%s'",
>                                    def->srcpool->pool, def->srcpool->volume);
>              if (def->startupPolicy)
> -                virBufferEscapeString(buf, " startupPolicy='%s'/>\n", startupPolicy);
> -            else
> +                virBufferEscapeString(buf, " startupPolicy='%s'", startupPolicy);
> +
> +            if (def->nseclabels) {
> +                virBufferAddLit(buf, ">\n");
> +                virBufferAdjustIndent(buf, 8);
> +                for (n = 0; n < def->nseclabels; n++)
> +                    virSecurityDeviceLabelDefFormat(buf, def->seclabels[n]);
> +                virBufferAdjustIndent(buf, -8);
> +                virBufferAddLit(buf, "      </source>\n");
> +            } else {
>                  virBufferAddLit(buf, "/>\n");
> +            }
>              break;
>          default:
>              virReportError(VIR_ERR_INTERNAL_ERROR,
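Review bot: the removed comment ("Parsing guarantees the def->srcpool->volume cannot be NULL if def->srcpool->pool is not NULL") still describes an invariant the `if (def->srcpool)` branch depends on when it passes both `def->srcpool->pool` and `def->srcpool->volume` to virBufferAsprintf; keep it rather than drop it. This hunk only touches the formatter, so nothing here rejects a seclabel on a volume that is neither file nor block; that restriction needs a parse-time check elsewhere. Minor: `n` is used as the loop index without a declaration in the hunk, which is fine only if the function already declares it for the file and block cases.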
> diff --git a/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml b/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml
> index a218e78..acf9753 100644
> --- a/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml
> +++ b/tests/qemuxml2argvdata/qemuxml2argv-disk-source-pool.xml
> @@ -15,7 +15,11 @@
>    <devices>
>      <emulator>/usr/bin/qemu</emulator>
>      <disk type='volume' device='cdrom'>
> -      <source pool='blk-pool0' volume='blk-pool0-vol0' startupPolicy='optional'/>
> +      <source pool='blk-pool0' volume='blk-pool0-vol0' startupPolicy='optional'>
> +        <seclabel model='selinux' relabel='yes'>
> +          <label>system_u:system_r:public_content_t:s0</label>
> +        </seclabel>
> +      </source>
>        <target dev='hda' bus='ide'/>
>        <readonly/>
>        <address type='drive' controller='0' bus='0' target='0' unit='1'/>
> 
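Review bot: the test adds only a positive case with a block-backed volume (blk-pool0); there is no case checking that a seclabel on a volume of any other type is rejected, which is the restriction the commit message describes. Since this file lives under qemuxml2argvdata it exercises parsing into a qemu command line rather than the changed formatter in virDomainDiskSourceDefFormat; a qemuxml2xml input/output pair would cover the new `<source>...</source>` formatting path.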

ACK, mechanically at least.  Although unlike the startupPolicy code,
there isn't any seclabel parsing code here.

John