[libvirt] [PATCHv2 2/2] security_dac: Honor norelabel attribute
Ján Tomko
jtomko at redhat.com
Thu Apr 17 11:02:50 UTC 2014
On 04/04/2014 02:34 PM, Michal Privoznik wrote:
> The inspiration for this patch comes from a question on the list
> asking if there's a way to not label some disks. Well, in DAC driver
> there's not. Even if the user has requested norelabel:
>
> <disk type='file' device='disk'>
> <driver name='qemu' type='raw'/>
> <source file='/some/dummy/path/test.bin'>
> <seclabel model='dac' relabel='no'/>
> </source>
> <target dev='vdb' bus='virtio'/>
> <readonly/>
> <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
> </disk>
>
> the DAC driver ignores this completely.
I've found a bug for this:
https://bugzilla.redhat.com/show_bug.cgi?id=999301
>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
> src/security/security_dac.c | 92 +++++++++++++++++++++++++++++++++++----------
> 1 file changed, 73 insertions(+), 19 deletions(-)
>
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 8835d49..f15a0e9 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -286,7 +286,7 @@ virSecurityDACRestoreSecurityFileLabel(const char *path)
>
>
> static int
> -virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
> +virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk,
> const char *path,
> size_t depth ATTRIBUTE_UNUSED,
> void *opaque)
> @@ -295,11 +295,23 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
> virSecurityManagerPtr mgr = cbdata->manager;
> virSecurityLabelDefPtr secdef = cbdata->secdef;
> virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> + virSecurityDeviceLabelDefPtr disk_seclabel;
> uid_t user;
> gid_t group;
>
> - if (virSecurityDACGetImageIds(secdef, priv, &user, &group) < 0)
> - return -1;
> + disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk,
> + SECURITY_DAC_NAME);
> +
> + if (disk_seclabel && disk_seclabel->norelabel)
> + return 0;
What if the domain label has relabel='no', but the disk label has relabel='yes'?
> +
> + if (disk_seclabel && disk_seclabel->label) {
> + if (virParseOwnershipIds(disk_seclabel->label, &user, &group) < 0)
> + return -1;
> + } else {
> + if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
> + return -1;
> + }
>
> return virSecurityDACSetOwnership(path, user, group);
> }
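Review bot: The early `return 0` on `disk_seclabel->norelabel` consults only the per-disk <seclabel>; the domain-level `secdef` is still handed to virSecurityDACGetImageIds but is never checked for its own norelabel in this function, so the precedence between a domain-level relabel='no' and a per-disk relabel='yes' (and the reverse) should be decided explicitly in the code and stated in the commit message. Two smaller points: the `else` branch reads `if (virSecurityDACGetImageIds(secdef, priv, &user, &group))` while the sibling branch and the removed line compare `< 0`; keep the explicit `< 0` for consistency. And since `disk` is now dereferenced through virDomainDiskDefGetSecurityLabelDef (it was previously ATTRIBUTE_UNUSED), confirm that no caller passes NULL. The matching change to virSecurityDACRestoreSecurityFileLabel is not in the quoted hunks; if the restore path does not honour the same flag, ownership of a disk that was never relabelled would still be reset at restore time.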
Jan