[libvirt] [PATCHv1.5 4/8] security: DAC: Introduce callback to perform image chown
John Ferlan
jferlan at redhat.com
Tue Jul 22 15:59:39 UTC 2014
On 07/22/2014 05:20 AM, Peter Krempa wrote:
> To integrate the security driver with the storage driver we need to
> pass a callback for a function that will chown storage volumes.
>
> Introduce and document the callback prototype.
ACK
Although I'm still not sure I completely follow how or what role the
cfg->user and cfg->group 'play'.... or if there needs to be a
relationship with the chownCallback.
John
> ---
> src/qemu/qemu_driver.c | 3 ++-
> src/security/security_dac.c | 9 +++++++++
> src/security/security_dac.h | 3 +++
> src/security/security_manager.c | 4 +++-
> src/security/security_manager.h | 19 ++++++++++++++++++-
> 5 files changed, 35 insertions(+), 3 deletions(-)
>
> diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
> index eae23d3..a5a9e0f 100644
> --- a/src/qemu/qemu_driver.c
> +++ b/src/qemu/qemu_driver.c
> @@ -374,7 +374,8 @@ qemuSecurityInit(virQEMUDriverPtr driver)
> cfg->allowDiskFormatProbing,
> cfg->securityDefaultConfined,
> cfg->securityRequireConfined,
> - cfg->dynamicOwnership)))
> + cfg->dynamicOwnership,
> + NULL)))
> goto error;
> if (!stack) {
> if (!(stack = virSecurityManagerNewStack(mgr)))
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index cdb2735..1fb0c86 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -51,6 +51,7 @@ struct _virSecurityDACData {
> int ngroups;
> bool dynamicOwnership;
> char *baselabel;
> + virSecurityManagerDACChownCallback chownCallback;
> };
>
> typedef struct _virSecurityDACCallbackData virSecurityDACCallbackData;
> @@ -87,6 +88,14 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
> priv->dynamicOwnership = dynamicOwnership;
> }
>
> +void
> +virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
> + virSecurityManagerDACChownCallback chownCallback)
> +{
> + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> + priv->chownCallback = chownCallback;
> +}
> +
> /* returns 1 if label isn't found, 0 on success, -1 on error */
> static int
> ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
> diff --git a/src/security/security_dac.h b/src/security/security_dac.h
> index dbcf56f..846cefb 100644
> --- a/src/security/security_dac.h
> +++ b/src/security/security_dac.h
> @@ -32,4 +32,7 @@ int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
> void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
> bool dynamic);
>
> +void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
> + virSecurityManagerDACChownCallback chownCallback);
> +
> #endif /* __VIR_SECURITY_DAC */
> diff --git a/src/security/security_manager.c b/src/security/security_manager.c
> index 8a45e04..8671620 100644
> --- a/src/security/security_manager.c
> +++ b/src/security/security_manager.c
> @@ -152,7 +152,8 @@ virSecurityManagerNewDAC(const char *virtDriver,
> bool allowDiskFormatProbing,
> bool defaultConfined,
> bool requireConfined,
> - bool dynamicOwnership)
> + bool dynamicOwnership,
> + virSecurityManagerDACChownCallback chownCallback)
> {
> virSecurityManagerPtr mgr =
> virSecurityManagerNewDriver(&virSecurityDriverDAC,
> @@ -170,6 +171,7 @@ virSecurityManagerNewDAC(const char *virtDriver,
> }
>
> virSecurityDACSetDynamicOwnership(mgr, dynamicOwnership);
> + virSecurityDACSetChownCallback(mgr, chownCallback);
>
> return mgr;
> }
> diff --git a/src/security/security_manager.h b/src/security/security_manager.h
> index 97b6a2e..156f882 100644
> --- a/src/security/security_manager.h
> +++ b/src/security/security_manager.h
> @@ -25,6 +25,7 @@
>
> # include "domain_conf.h"
> # include "vircommand.h"
> +# include "virstoragefile.h"
>
> typedef struct _virSecurityManager virSecurityManager;
> typedef virSecurityManager *virSecurityManagerPtr;
> @@ -39,13 +40,29 @@ virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary);
> int virSecurityManagerStackAddNested(virSecurityManagerPtr stack,
> virSecurityManagerPtr nested);
>
> +/**
> + * virSecurityManagerDACChownCallback:
> + * @src: Storage file to chown
> + * @uid: target uid
> + * @gid: target gid
> + *
> + * A function callback to chown image files described by the disk source struct
> + * @src. The callback shall return 0 on success, -1 on error and errno set (no
> + * libvirt error reported) OR -2 and a libvirt error reported. */
> +typedef int
> +(*virSecurityManagerDACChownCallback)(virStorageSourcePtr src,
> + uid_t uid,
> + gid_t gid);
> +
> +
> virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
> uid_t user,
> gid_t group,
> bool allowDiskFormatProbing,
> bool defaultConfined,
> bool requireConfined,
> - bool dynamicOwnership);
> + bool dynamicOwnership,
> + virSecurityManagerDACChownCallback chownCallback);
>
> int virSecurityManagerPreFork(virSecurityManagerPtr mgr);
> void virSecurityManagerPostFork(virSecurityManagerPtr mgr);
>
More information about the libvir-list
mailing list