[libvirt] [PATCH] Apply security label when entering LXC namespaces

Daniel P. Berrange berrange at redhat.com
Wed Mar 13 14:51:24 UTC 2013


On Tue, Mar 12, 2013 at 01:06:59PM -0600, Eric Blake wrote:
> On 03/12/2013 11:28 AM, Daniel P. Berrange wrote:
> > From: "Daniel P. Berrange" <berrange at redhat.com>
> > 
> > Add a new virDomainLxcEnterSecurityLabel() function as a
> > counterpart to virDomainLxcEnterNamespaces(), which can
> > change the current calling process to have a new security
> > context. This call runs client side, not in libvirtd
> > so we can't use the security driver infrastructure.
> > 
> > When entering a namespace, the process spawned from virsh
> > will default to running with the security label of virsh.
> > The actual desired behaviour is to run with the security
> > label of the container most of the time. So this changes
> > virsh lxc-enter-namespace command to invoke the
> > virDomainLxcEnterSecurityLabel method.
> > 
> 
> >  include/libvirt/libvirt-lxc.h |  4 ++
> >  python/generator.py           |  1 +
> >  src/libvirt-lxc.c             | 96 +++++++++++++++++++++++++++++++++++++++++++
> >  tools/virsh-domain.c          | 32 +++++++++++++++
> >  4 files changed, 133 insertions(+)
> 
> Missing an entry in src/libvirt_lxc.syms to actually expose the new
> function in the .so.

Applying the following:

diff --git a/src/libvirt_lxc.syms b/src/libvirt_lxc.syms
index b5be18b..ccf1be9 100644
--- a/src/libvirt_lxc.syms
+++ b/src/libvirt_lxc.syms
@@ -15,3 +15,8 @@ LIBVIRT_LXC_1.0.2 {
         virDomainLxcEnterNamespace;
         virDomainLxcOpenNamespace;
 };
+
+LIBVIRT_LXC_1.0.4 {
+    global:
+        virDomainLxcEnterSecurityLabel;
+} LIBVIRT_LXC_1.0.2;
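
Review bot: The new LIBVIRT_LXC_1.0.4 node at the end of this hunk ties virDomainLxcEnterSecurityLabel to the 1.0.4 release, so the tag has to match the release the function actually ships in; if the patch slips past 1.0.4, rename the node before merging, because a version node cannot be altered once it has been released. The context lines also show the existing export as virDomainLxcEnterNamespace (singular), while the commit message calls the counterpart virDomainLxcEnterNamespaces(); correct the commit message so it names the real symbol.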




Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|



