[libvirt] [PATCH] Apply security label when entering LXC namespaces

Eric Blake eblake at redhat.com
Tue Mar 12 19:06:59 UTC 2013


On 03/12/2013 11:28 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
> 
> Add a new virDomainLxcEnterSecurityLabel() function as a
> counterpart to virDomainLxcEnterNamespaces(), which can
> change the current calling process to have a new security
> context. This call runs client side, not in libvirtd
> so we can't use the security driver infrastructure.
> 
> When entering a namespace, the process spawned from virsh
> will default to running with the security label of virsh.
> The actual desired behaviour is to run with the security
> label of the container most of the time. So this changes
> virsh lxc-enter-namespace command to invoke the
> virDomainLxcEnterSecurityLabel method.
> 

>  include/libvirt/libvirt-lxc.h |  4 ++
>  python/generator.py           |  1 +
>  src/libvirt-lxc.c             | 96 +++++++++++++++++++++++++++++++++++++++++++
>  tools/virsh-domain.c          | 32 +++++++++++++++
>  4 files changed, 133 insertions(+)

Missing an entry in src/libvirt_lxc.syms to actually expose the new
function in the .so.

> +++ b/src/libvirt-lxc.c
> @@ -29,6 +29,9 @@
>  #include "virlog.h"
>  #include "virprocess.h"
>  #include "datatypes.h"
> +#ifdef WITH_SELINUX
> +#include <selinux/selinux.h>
> +#endif
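Review bot: the nested directive `+#include <selinux/selinux.h>` inside the `#ifdef WITH_SELINUX` block needs the cppi-style indentation (`# include <selinux/selinux.h>`) that libvirt's `make syntax-check` enforces; it is also worth confirming that when WITH_SELINUX is not defined the new virDomainLxcEnterSecurityLabel() still returns an explicit unsupported error rather than silently leaving the caller's process under its original label, since the commit message says this runs client side without the security driver infrastructure.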

Will fail 'make syntax-check' if cppi is installed.

> @@ -8029,12 +8036,35 @@ cmdLxcEnterNamespace(vshControl *ctl, const vshCmd *cmd)
>      if ((nfdlist = virDomainLxcOpenNamespace(dom, &fdlist, 0)) < 0)
>          goto cleanup;
>  
> +    if (setlabel) {
> +        fprintf(stderr, "Getr sec\n");
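Review bot: the `fprintf(stderr, "Getr sec\n");` at the top of the `if (setlabel)` block is a leftover debug trace (and a misspelled one) that would be written to the user's terminal on every lxc-enter-namespace with a label; drop it, or if a status message is genuinely wanted here, use vshPrint()/vshError() with a translatable `_("...")` string as the rest of cmdLxcEnterNamespace does.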

Spurious debug message?

ACK with those things addressed.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
