[libvirt] [PATCH v2 1/3] security: add new internal function "virSecurityManagerGetBaseLabel"

Daniel P. Berrange berrange at redhat.com
Fri Sep 6 11:03:13 UTC 2013


On Thu, Sep 05, 2013 at 01:49:43PM +0200, Giuseppe Scrivano wrote:
> virSecurityManagerGetBaseLabel queries the default settings used by
> a security model.
> 
> Signed-off-by: Giuseppe Scrivano <gscrivan at redhat.com>
> ---
>  src/libvirt_private.syms         |  1 +
>  src/security/security_apparmor.c |  7 +++++++
>  src/security/security_dac.c      | 26 +++++++++++++++++++++++++-
>  src/security/security_driver.h   |  3 +++
>  src/security/security_manager.c  | 15 +++++++++++++++
>  src/security/security_manager.h  |  2 ++
>  src/security/security_nop.c      |  9 +++++++++
>  src/security/security_selinux.c  |  9 +++++++++
>  src/security/security_stack.c    |  8 ++++++++
>  9 files changed, 79 insertions(+), 1 deletion(-)
> +static const char *
> +AppArmorGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
> +{
> +    return "";
> +}

I wonder if we should just return NULL here. I don't think we need
to be able to report errors other than "no base label", so I think
using NULL for that is sufficient.

> @@ -1170,6 +1173,25 @@ virSecurityDACGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
>      return NULL;
>  }
>  
> +static const char *
> +virSecurityDACGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
> +{
> +    uid_t user;
> +    gid_t group;
> +    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> +    if (priv->baselabel)
> +        return priv->baselabel;
> +
> +    if (virGetUserID(QEMU_USER, &user) < 0 ||
> +        virGetGroupID(QEMU_GROUP, &group) < 0 ||
> +        virAsprintf(&priv->baselabel, "%u:%u",
> +                    (unsigned int) priv->user,
> +                    (unsigned int) priv->group) < 0)
> +        return NULL;
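
Review bot: in virSecurityDACGetBaseLabel the IDs looked up into the locals 'user' and 'group' by virGetUserID(QEMU_USER, &user) and virGetGroupID(QEMU_GROUP, &group) are never used; the virAsprintf call formats priv->user and priv->group instead, so the two lookups only add a failure path that returns NULL. Either format the looked-up values or drop the lookups and the locals. Separately, 'mgr' is marked ATTRIBUTE_UNUSED in the signature but is passed to virSecurityManagerGetPrivateData(mgr), so the annotation should be removed.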

It would be better to initialize the 'priv->baselabel' when we
first set the user/group, so that this getter does not have
side effects.


> +typedef const char *(*virSecurityDriverGetBaseLabel) (virSecurityManagerPtr mgr);
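
Review bot: the virSecurityDriverGetBaseLabel typedef carries no comment stating the contract for the returned const char *, namely who owns the string and which value means "no base label". The implementations quoted in this patch already differ: AppArmorGetBaseLabel returns "" while virSecurityDACGetBaseLabel returns NULL on failure. A short comment on the typedef saying the pointer stays owned by the driver (the DAC and SELinux versions return fields of their private data) and which value signals the absence of a label would let callers handle all drivers the same way.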

We need to be able to pass in 'int virttype' here...

> +static const char *
> +virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr)
> +{
> +    virSecuritySELinuxDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> +    return priv->domain_context;

....So that here we can do

  if (virttype == VIR_DOMAIN_VIRT_QEMU)
      return priv->alt_domain_context;
  else
      return priv->domain_context;

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|



