[libvirt] [PATCH 2/4] security: add security part for shmem device
Luyao Huang
lhuang at redhat.com
Sun Aug 2 11:27:59 UTC 2015
On 07/30/2015 05:54 PM, Daniel P. Berrange wrote:
> On Thu, Jul 23, 2015 at 06:13:47PM +0800, Luyao Huang wrote:
>> A new api to help set/restore the shmem deivce dac/selinux label.
> s/deivce/device/
Thanks, i will fix in next version
>
>> Signed-off-by: Luyao Huang <lhuang at redhat.com>
>> ---
>> src/libvirt_private.syms | 2 ++
>> src/security/security_dac.c | 67 +++++++++++++++++++++++++++++++++++++++
>> src/security/security_driver.h | 11 +++++++
>> src/security/security_manager.c | 38 ++++++++++++++++++++++
>> src/security/security_manager.h | 8 +++++
>> src/security/security_selinux.c | 70 +++++++++++++++++++++++++++++++++++++++++
>> src/security/security_stack.c | 41 ++++++++++++++++++++++++
>> 7 files changed, 237 insertions(+)
> Also need to add to the security_nop.c impl
Okay, i must missed this file at that time :)
>> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
>> index deb6980..f954aa5 100644
>> --- a/src/security/security_dac.c
>> +++ b/src/security/security_dac.c
>> @@ -39,6 +39,7 @@
>> #include "virstoragefile.h"
>> #include "virstring.h"
>> #include "virutil.h"
>> +#include "virshm.h"
>>
>> #define VIR_FROM_THIS VIR_FROM_SECURITY
>>
>> @@ -922,6 +923,69 @@ virSecurityDACRestoreSecurityTPMFileLabel(virSecurityManagerPtr mgr,
>>
>>
>> static int
>> +virSecurityDACSetShmemLabel(virSecurityManagerPtr mgr,
>> + virDomainDefPtr def,
>> + virDomainShmemDefPtr shmem,
>> + char *path)
>> +{
>> + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
>> + virSecurityLabelDefPtr seclabel;
>> + virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
>> + char *tmppath;
>> + uid_t user;
>> + gid_t group;
>> +
>> + if (shmem->server.enabled)
>> + tmppath = shmem->server.chr.data.nix.path;
>> + else
>> + tmppath = path;
> Even when the server is enabled, QEMU still needs access to the path
> doesn't it.
...
>> + if (shmem->server.enabled)
>> + return virSecurityDACRestoreChardevLabel(mgr, def, NULL, &shmem->server.chr);
> We need to restore path, even when server is enabled
...
> Same comment as earlier
>
...
> +
> + if (shmem->server.enabled)
> + tmppath = shmem->server.chr.data.nix.path;
> + else
> + tmppath = path;
> And again
Hmm...these $path are the shm path, if the shmem device is server
enabled, the used shm is created by ivshmem-server, which will depends
on ivshmem-server's label. And qemu process will connect to the socket
created by ivshmem-server, so change the label for shm created by
ivshmem-sever is useless (also we don't know the shm name created by
ivshmem-server).
However, never mind, i will do a refactor and remove the variable $path
here to make this function easy to put in
virSecuritySELinuxSetSecurityAllLabel and
virSecuritySELinuxSetSecurityAllLabel, since i noticed another reply
from you for this patch.
>
> > +
>> + if (!tmppath)
>> + return 0;
>> +
>> + if (shmem_seclabel && shmem_seclabel->label)
>> + return virSecuritySELinuxSetFilecon(tmppath, shmem_seclabel->label);
>> + else
>> + return virSecuritySELinuxSetFilecon(tmppath, data->file_context);
>> +}
>> +
>> +
>> +static int
>> virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
>> virDomainDefPtr def,
>> const char *stdin_path)
> Regards,
> Daniel
Thanks a lot for your review and help.
Luyao
More information about the libvir-list
mailing list