[libvirt] [PATCH 10/15] security: add new virSecurityManagerSetChildProcessLabel API
Daniel P. Berrange
berrange at redhat.com
Fri Feb 8 16:26:20 UTC 2013
On Thu, Feb 07, 2013 at 04:37:51PM -0500, Laine Stump wrote:
> The existing virSecurityManagerSetProcessLabel() API is designed so
> that it must be called after forking the child process, but before
> exec'ing the child. Due to the way the virCommand API works, that
> means it needs to be put in a "hook" function that virCommand is told
> to call out to at that time.
>
> Setting the child process label is a basic enough need when executing
> any process that virCommand should have a method of doing that. But
> virCommand must be told what label to set, and only the security
> driver knows the answer to that question.
>
> The new virSecurityManagerSet*Child*ProcessLabel() API is the way to
> transfer the knowledge about what label to set from the security
> driver to the virCommand object. It is given a virCommandPtr, and each
> security driver calls the appropriate virCommand* API to tell
> virCommand what to do between fork and exec.
>
> 1) in the case of the DAC security driver, it calls
> virCommandSetUID/GID() to set a uid and gid that must be set for the
> child process.
>
> 2) for the SELinux and AppArmor security drivers, it calls
> virCommandSetSecLabel() to save a copy of the char* that will be sent
> to each driver's respective "SetProcessLabel" API *after forking
> the child process*.
This will need a tweak based on the change I suggested to the
previous patch.
> diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
> index bf795b0..4a81118 100644
> --- a/src/security/security_apparmor.c
> +++ b/src/security/security_apparmor.c
> @@ -1,7 +1,7 @@
> /*
> * AppArmor security driver for libvirt
> *
> - * Copyright (C) 2011 Red Hat, Inc.
> + * Copyright (C) 2011, 2013 Red Hat, Inc.
You can turn this into a range '2011-2013' - there were plenty of
Red Hat changes to this file throughout the last year(s). Likewise
for all others.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
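As an added illustration of the design the quoted patch describes (toy code, not libvirt's virCommand): the command object carries the uid/gid and the label, and they are applied in the child between fork() and exec(), failing closed if either step fails. The cmd_t struct, the demo_apply_label hook and the DEMO_LABEL variable are constructed stand-ins for virCommand and the drivers' real "SetProcessLabel" calls.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy model of a command object that knows what to do between fork and exec. */
typedef struct {
    char *const *argv;
    uid_t uid;
    gid_t gid;
    int set_ids;                            /* DAC driver: apply uid/gid     */
    const char *seclabel;                   /* SELinux/AppArmor: child label */
    int (*apply_label)(const char *label);  /* driver-specific label setter  */
} cmd_t;

/* Runs in the child after fork(), before exec(). Any failure aborts the
 * child rather than exec'ing with the wrong credentials or label. */
static void cmd_apply_in_child(const cmd_t *c) {
    if (c->set_ids) {
        /* group first: once uid is dropped a non-root child cannot setgid() */
        if (setgid(c->gid) != 0 || setuid(c->uid) != 0)
            _exit(126);
    }
    if (c->seclabel && c->apply_label && c->apply_label(c->seclabel) != 0)
        _exit(126);
}

/* fork/exec the command; returns the child's exit status, or -1 on error. */
int cmd_run(const cmd_t *c) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        cmd_apply_in_child(c);
        execv(c->argv[0], c->argv);
        _exit(127);                         /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-in for a driver's SetProcessLabel: a real driver would set the
 * exec label here; this one just exports it so the child can observe it. */
static int demo_apply_label(const char *label) {
    if (label[0] == '\0') return -1;        /* reject an empty label */
    return setenv("DEMO_LABEL", label, 1);
}

/* Runs a child that exits 3 if it saw the constructed label, else 5. */
int run_demo(const char *label, int with_ids) {
    char *const argv[] = { "/bin/sh", "-c",
        "[ \"$DEMO_LABEL\" = example-label ] && exit 3; exit 5", NULL };
    cmd_t c = { argv, getuid(), getgid(), with_ids, label, demo_apply_label };
    return cmd_run(&c);
}
```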