[libvirt] [PATCH] security: Fix labelling host devices (bz 1145968)
Cole Robinson
crobinso at redhat.com
Wed Sep 24 15:49:54 UTC 2014
The check for ISCSI devices was missing a check of subsys type, which
meant we could skip labelling of other host devices as well. This fixes
USB hotplug on F21
https://bugzilla.redhat.com/show_bug.cgi?id=1145968
---
src/security/security_apparmor.c | 3 ++-
src/security/security_dac.c | 6 ++++--
src/security/security_selinux.c | 6 ++++--
3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 041ce65..3025284 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -828,7 +828,8 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
/* Like AppArmorRestoreSecurityImageLabel() for a networked disk,
* do nothing for an iSCSI hostdev
*/
- if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+ if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
return 0;
if (profile_loaded(secdef->imagelabel) < 0)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index e398d2c..85253af 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -523,7 +523,8 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
/* Like virSecurityDACSetSecurityImageLabel() for a networked disk,
* do nothing for an iSCSI hostdev
*/
- if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+ if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
return 0;
cbdata.manager = mgr;
@@ -657,7 +658,8 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
/* Like virSecurityDACRestoreSecurityImageLabelInt() for a networked disk,
* do nothing for an iSCSI hostdev
*/
- if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+ if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
return 0;
switch ((virDomainHostdevSubsysType) dev->source.subsys.type) {
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index b9efbc5..ea1efc9 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1327,7 +1327,8 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
/* Like virSecuritySELinuxSetSecurityImageLabelInternal() for a networked
* disk, do nothing for an iSCSI hostdev
*/
- if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+ if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
return 0;
switch (dev->source.subsys.type) {
@@ -1520,7 +1521,8 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
/* Like virSecuritySELinuxRestoreSecurityImageLabelInt() for a networked
* disk, do nothing for an iSCSI hostdev
*/
- if (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+ if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
+ scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
return 0;
switch (dev->source.subsys.type) {
--
2.1.0
More information about the libvir-list
mailing list