[libvirt] [PATCH] Apply security label when entering LXC namespaces
Daniel J Walsh
dwalsh at redhat.com
Tue Mar 12 19:40:42 UTC 2013
On 03/12/2013 03:06 PM, Eric Blake wrote:
> On 03/12/2013 11:28 AM, Daniel P. Berrange wrote:
>> From: "Daniel P. Berrange" <berrange at redhat.com>
>>
>> Add a new virDomainLxcEnterSecurityLabel() function as a counterpart to
>> virDomainLxcEnterNamespaces(), which can change the current calling
>> process to have a new security context. This call runs client side, not
>> in libvirtd so we can't use the security driver infrastructure.
>>
>> When entering a namespace, the process spawned from virsh will default to
>> running with the security label of virsh. The actual desired behaviour is
>> to run with the security label of the container most of the time. So this
>> changes virsh lxc-enter-namespace command to invoke the
>> virDomainLxcEnterSecurityLabel method.
>>
>
>> include/libvirt/libvirt-lxc.h | 4 ++ python/generator.py | 1
>> + src/libvirt-lxc.c | 96
>> +++++++++++++++++++++++++++++++++++++++++++ tools/virsh-domain.c
>> | 32 +++++++++++++++ 4 files changed, 133 insertions(+)
>
> Missing an entry in src/libvirt_lxc.syms to actually expose the new
> function in the .so.
>
>> +++ b/src/libvirt-lxc.c @@ -29,6 +29,9 @@ #include "virlog.h" #include
>> "virprocess.h" #include "datatypes.h" +#ifdef WITH_SELINUX +#include
>> <selinux/selinux.h> +#endif
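Review bot: the `#include <selinux/selinux.h>` nested inside `#ifdef WITH_SELINUX` in this hunk needs the cppi-style indentation libvirt's `make syntax-check` enforces for conditional preprocessor directives, i.e. `# include <selinux/selinux.h>` (one space after the `#`); as written it fails the check when cppi is installed, as noted in the reply below.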
>
> Will fail 'make syntax-check' if cppi is installed.
>
>> @@ -8029,12 +8036,35 @@ cmdLxcEnterNamespace(vshControl *ctl, const
>> vshCmd *cmd) if ((nfdlist = virDomainLxcOpenNamespace(dom, &fdlist, 0)) <
>> 0) goto cleanup;
>>
>> + if (setlabel) { + fprintf(stderr, "Getr sec\n");
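Review bot: the `fprintf(stderr, "Getr sec\n");` added under `if (setlabel)` in cmdLxcEnterNamespace() is a leftover debug print (and misspelled); drop it before committing, and if a user-visible diagnostic is wanted at this point route it through vshError() like the rest of virsh-domain.c so it is consistent and translatable.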
>
> Spurious debug message?
>
> ACK with those things addressed.
>
Here is my current patch for this, with a fix for the syms file.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libvirt-lxc-getSecurityLabel.patch
Type: text/x-patch
Size: 6412 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20130312/57a564fd/attachment-0001.bin>