[libvirt] [libvirt-sandbox PATCH v3] Only set SELinux seclabel if supported by the host.
Christophe Fergeau
cfergeau at redhat.com
Tue Jun 17 08:30:00 UTC 2014
On Mon, Jun 16, 2014 at 02:07:21PM +0200, Cédric Bosdonnat wrote:
> This code depends on new API in libvirt-gconfig to extract the
> secmodels handled by the host.
> ---
> Diff to v2:
> * Added some missing g_object_unref and _g_list_free
> * Moved the SELinux-specific code to a separate function
>
> libvirt-sandbox/libvirt-sandbox-builder.c | 47 +++++++++++++++++++++++++++----
> 1 file changed, 41 insertions(+), 6 deletions(-)
>
> diff --git a/libvirt-sandbox/libvirt-sandbox-builder.c b/libvirt-sandbox/libvirt-sandbox-builder.c
> index 48b3acc..65af23f 100644
> --- a/libvirt-sandbox/libvirt-sandbox-builder.c
> +++ b/libvirt-sandbox/libvirt-sandbox-builder.c
> @@ -322,12 +322,10 @@ static gboolean gvir_sandbox_builder_construct_devices(GVirSandboxBuilder *build
> return TRUE;
> }
>
> -
> -static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *builder G_GNUC_UNUSED,
> - GVirSandboxConfig *config G_GNUC_UNUSED,
> - const gchar *statedir G_GNUC_UNUSED,
> - GVirConfigDomain *domain,
> - GError **error G_GNUC_UNUSED)
> +static gboolean gvir_sandbox_builder_construct_security_selinux (GVirSandboxBuilder *builder,
> + GVirSandboxConfig *config,
> + GVirConfigDomain *domain,
> + GError **error)
> {
> GVirConfigDomainSeclabel *sec = gvir_config_domain_seclabel_new();
> const char *label = gvir_sandbox_config_get_security_label(config);
> @@ -360,6 +358,43 @@ static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *buil
> return TRUE;
> }
>
> +static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *builder,
> + GVirSandboxConfig *config,
> + const gchar *statedir G_GNUC_UNUSED,
> + GVirConfigDomain *domain,
> + GError **error)
> +{
> + GVirConnection *connection = gvir_sandbox_builder_get_connection(builder);
This needs to be unref'ed too.
> + GVirConfigCapabilities *configCapabilities;
> + GVirConfigCapabilitiesHost *hostCapabilities;
> + GList *secmodels, *iter;
> + gboolean supportsSelinux = FALSE;
> +
> + /* What security models are available on the host? */
> + if (!(configCapabilities = gvir_connection_get_capabilities(connection, error))) {
> + return FALSE;
> + }
> +
> + hostCapabilities = gvir_config_capabilities_get_host(configCapabilities);
> +
> + secmodels = gvir_config_capabilities_host_get_secmodels(hostCapabilities);
> + for (iter = secmodels; iter != NULL; iter = iter->next) {
> + supportsSelinux = g_str_equal(gvir_config_capabilities_host_secmodel_get_model(
> + GVIR_CONFIG_CAPABILITIES_HOST_SECMODEL(iter->data)), "selinux");
> + g_object_unref(iter->data);
I don't think the logic is correct here, supportsSelinux can only be
TRUE if the last secmodel is "selinux", I assume we want to break out of
the loop as soon as supportsSelinux is set to TRUE? In this case, the
g_object_unref can be removed from here, and the g_list_free changed to
g_list_free_full().
Christophe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20140617/87ac3252/attachment-0001.sig>
More information about the libvir-list
mailing list