[libvirt] [PATCH 07/10] security: Manage the security label for scsi host device

Osier Yang jyang at redhat.com
Fri Apr 26 20:15:31 UTC 2013


To avoid introducing more redundant code, helpers are added for
the "selinux", "dac", and "apparmor" backends.

Signed-off-by: Han Cheng <hanc.fnst at cn.fujitsu.com>
Signed-off-by: Osier Yang <jyang at redhat>

v2.5 - v3:
  * Splitted from 8/10 of v2.5
  * Don't forget the other backends (DAC, and apparmor)
---
 src/security/security_apparmor.c | 49 ++++++++++++++++---------
 src/security/security_dac.c      | 77 ++++++++++++++++++++++++++++++++--------
 src/security/security_selinux.c  | 72 ++++++++++++++++++++++++++++++-------
 3 files changed, 155 insertions(+), 43 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 9dd8d74..feca838 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -306,8 +306,7 @@ reload_profile(virSecurityManagerPtr mgr,
 }
 
 static int
-AppArmorSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
-                           const char *file, void *opaque)
+AppArmorSetSecurityHostdevLabelHelper(const char *file, void *opaque)
 {
     struct SDPDOP *ptr = opaque;
     virDomainDefPtr def = ptr->def;
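Review bot: The new AppArmorSetSecurityHostdevLabelHelper has no comment stating what `opaque` must point to, yet it is dereferenced as `struct SDPDOP *` on the first line of its body, so every per-device wrapper must pass exactly that. Suggest `/* Shared body of the USB/PCI/SCSI label callbacks; opaque must be a struct SDPDOP * (mgr + def). */` above the definition. The same applies to the renamed helpers in security_dac.c (`opaque` is a `void **` whose `params[0]` is the manager; what `params[1]` holds is outside this patch's new side and should be stated too) and in security_selinux.c (`opaque` is a virDomainDefPtr). The helper's body continues outside the hunk.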
@@ -328,25 +327,24 @@ AppArmorSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
 }
 
 static int
+AppArmorSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
+                            const char *file, void *opaque)
+{
+    return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
+}
+
+static int
 AppArmorSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
                             const char *file, void *opaque)
 {
-    struct SDPDOP *ptr = opaque;
-    virDomainDefPtr def = ptr->def;
+    return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
+}
 
-    if (reload_profile(ptr->mgr, def, file, true) < 0) {
-        const virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(
-                                                def, SECURITY_APPARMOR_NAME);
-        if (!secdef) {
-            virReportOOMError();
-            return -1;
-        }
-        virReportError(VIR_ERR_INTERNAL_ERROR,
-                       _("cannot update AppArmor profile \'%s\'"),
-                       secdef->imagelabel);
-        return -1;
-    }
-    return 0;
+static int
+AppArmorSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+                             const char *file, void *opaque)
+{
+    return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
 }
 
 /* Called on libvirtd startup to see if AppArmor is available */
@@ -836,6 +834,23 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
         break;
     }
 
+    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+        virSCSIDevicePtr scsi =
+            virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+                             dev->source.subsys.u.scsi.bus,
+                             dev->source.subsys.u.scsi.target,
+                             dev->source.subsys.u.scsi.unit,
+                             dev->readonly);
+
+         if (!scsi)
+             goto done;
+
+        ret = virSCSIDeviceFileIterate(scsi, AppArmorSetSecuritySCSILabel, ptr);
+        virSCSIDeviceFree(scsi);
+
+        break;
+    }
+
     default:
         ret = 0;
         break;
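Review bot: The two lines `if (!scsi)` / `goto done;` in the new SCSI case are indented one column deeper than the rest of the block; align them with the `ret = virSCSIDeviceFileIterate(...)` line below them. The same mis-indentation, more pronounced (body at 12 columns and a closing brace at 7), appears in the SCSI case added to virSecuritySELinuxRestoreSecurityHostdevSubsysLabel in security_selinux.c. Whether `ret` already holds a failure value when `goto done` is taken on a NULL device cannot be seen here; the enclosing AppArmorSetSecurityHostdevLabel starts and ends outside the hunk.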
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 38f7ba0..19fe447 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -30,6 +30,7 @@
 #include "virlog.h"
 #include "virpci.h"
 #include "virusb.h"
+#include "virscsi.h"
 #include "virstoragefile.h"
 
 #define VIR_FROM_THIS VIR_FROM_SECURITY
@@ -432,11 +433,9 @@ virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
     return virSecurityDACRestoreSecurityImageLabelInt(mgr, def, disk, 0);
 }
 
-
 static int
-virSecurityDACSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
-                                  const char *file,
-                                  void *opaque)
+virSecurityDACSetSecurityHostdevLabelHelper(const char *file,
+                                            void *opaque)
 {
     void **params = opaque;
     virSecurityManagerPtr mgr = params[0];
@@ -451,23 +450,29 @@ virSecurityDACSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
     return virSecurityDACSetOwnership(file, user, group);
 }
 
+static int
+virSecurityDACSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
+                                  const char *file,
+                                  void *opaque)
+{
+    return virSecurityDACSetSecurityHostdevLabelHelper(file, opaque);
+}
+
 
 static int
 virSecurityDACSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
                                   const char *file,
                                   void *opaque)
 {
-    void **params = opaque;
-    virSecurityManagerPtr mgr = params[0];
-    virDomainDefPtr def = params[1];
-    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
-    uid_t user;
-    gid_t group;
-
-    if (virSecurityDACGetIds(def, priv, &user, &group))
-        return -1;
+    return virSecurityDACSetSecurityHostdevLabelHelper(file, opaque);
+}
 
-    return virSecurityDACSetOwnership(file, user, group);
+static int
+virSecurityDACSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+                                   const char *file,
+                                   void *opaque)
+{
+    return virSecurityDACSetSecurityHostdevLabelHelper(file, opaque);
 }
 
 
@@ -523,6 +528,24 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
         break;
     }
 
+    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+        virSCSIDevicePtr scsi =
+            virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+                             dev->source.subsys.u.scsi.bus,
+                             dev->source.subsys.u.scsi.target,
+                             dev->source.subsys.u.scsi.unit,
+                             dev->readonly);
+
+        if (!scsi)
+            goto done;
+
+        ret = virSCSIDeviceFileIterate(scsi, virSecurityDACSetSecuritySCSILabel,
+                                       params);
+        virSCSIDeviceFree(scsi);
+
+        break;
+    }
+
     default:
         ret = 0;
         break;
@@ -552,6 +575,15 @@ virSecurityDACRestoreSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
 
 
 static int
+virSecurityDACRestoreSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+                                       const char *file,
+                                       void *opaque ATTRIBUTE_UNUSED)
+{
+    return virSecurityDACRestoreSecurityFileLabel(file);
+}
+
+
+static int
 virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
                                           virDomainDefPtr def ATTRIBUTE_UNUSED,
                                           virDomainHostdevDefPtr dev,
@@ -602,6 +634,23 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
         break;
     }
 
+    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+        virSCSIDevicePtr scsi =
+            virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+                             dev->source.subsys.u.scsi.bus,
+                             dev->source.subsys.u.scsi.target,
+                             dev->source.subsys.u.scsi.unit,
+                             dev->readonly);
+
+        if (!scsi)
+            goto done;
+
+        ret = virSCSIDeviceFileIterate(scsi, virSecurityDACRestoreSecuritySCSILabel, mgr);
+        virSCSIDeviceFree(scsi);
+
+        break;
+    }
+
     default:
         ret = 0;
         break;
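Review bot: The restore path resets the DAC ownership of every file of the SCSI device unconditionally via `virSCSIDeviceFileIterate(scsi, virSecurityDACRestoreSecuritySCSILabel, mgr)`. If the same host SCSI device can be assigned to more than one running domain, tearing down one domain would strip the ownership another domain still relies on; I cannot see from this hunk whether the caller guards against that, so it is worth confirming and, if not, skipping the restore while the device is still in use elsewhere. The SCSI case added to virSecuritySELinuxRestoreSecurityHostdevSubsysLabel in security_selinux.c has the same exposure. virSecurityDACRestoreSecurityHostdevLabel's body starts and ends outside the hunk.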
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 61ff1de..2156fff 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -39,6 +39,7 @@
 #include "virlog.h"
 #include "virpci.h"
 #include "virusb.h"
+#include "virscsi.h"
 #include "virstoragefile.h"
 #include "virfile.h"
 #include "virhash.h"
@@ -1277,10 +1278,8 @@ virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
                                        &cbdata);
 }
 
-
 static int
-virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
-                                      const char *file, void *opaque)
+virSecuritySELinuxSetSecurityHostdevLabelHelper(const char *file, void *opaque)
 {
     virSecurityLabelDefPtr secdef;
     virDomainDefPtr def = opaque;
@@ -1292,19 +1291,25 @@ virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
 }
 
 static int
-virSecuritySELinuxSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
+virSecuritySELinuxSetSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
                                       const char *file, void *opaque)
 {
-    virSecurityLabelDefPtr secdef;
-    virDomainDefPtr def = opaque;
-
-    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-    if (secdef == NULL)
-        return -1;
+    return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
+}
 
-    return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
+static int
+virSecuritySELinuxSetSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
+                                      const char *file, void *opaque)
+{
+    return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
 }
 
+static int
+virSecuritySELinuxSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+                                       const char *file, void *opaque)
+{
+    return virSecuritySELinuxSetSecurityHostdevLabelHelper(file, opaque);
+}
 
 static int
 virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
@@ -1348,6 +1353,23 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
         break;
     }
 
+    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+        virSCSIDevicePtr scsi =
+            virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+                             dev->source.subsys.u.scsi.bus,
+                             dev->source.subsys.u.scsi.target,
+                             dev->source.subsys.u.scsi.unit,
+                             dev->readonly);
+
+        if (!scsi)
+            goto done;
+
+        ret = virSCSIDeviceFileIterate(scsi, virSecuritySELinuxSetSecuritySCSILabel, def);
+        virSCSIDeviceFree(scsi);
+
+        break;
+    }
+
     default:
         ret = 0;
         break;
@@ -1445,7 +1467,6 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
     }
 }
 
-
 static int
 virSecuritySELinuxRestoreSecurityPCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
                                           const char *file,
@@ -1468,6 +1489,16 @@ virSecuritySELinuxRestoreSecurityUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
 
 
 static int
+virSecuritySELinuxRestoreSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
+                                           const char *file,
+                                           void *opaque)
+{
+    virSecurityManagerPtr mgr = opaque;
+
+    return virSecuritySELinuxRestoreSecurityFileLabel(mgr, file);
+}
+
+static int
 virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
                                                     virDomainHostdevDefPtr dev,
                                                     const char *vroot)
@@ -1510,6 +1541,23 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
         break;
     }
 
+    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: {
+        virSCSIDevicePtr scsi =
+            virSCSIDeviceNew(dev->source.subsys.u.scsi.adapter,
+                             dev->source.subsys.u.scsi.bus,
+                             dev->source.subsys.u.scsi.target,
+                             dev->source.subsys.u.scsi.unit,
+                             dev->readonly);
+
+            if (!scsi)
+                goto done;
+
+            ret = virSCSIDeviceFileIterate(scsi, virSecuritySELinuxRestoreSecuritySCSILabel, mgr);
+            virSCSIDeviceFree(scsi);
+
+            break;
+       }
+
     default:
         ret = 0;
         break;
-- 
1.8.1.4



