[libvirt] [PATCH 2/4] security: add security part for shmem device

Luyao Huang lhuang at redhat.com
Sun Aug 2 11:43:52 UTC 2015


On 07/30/2015 06:00 PM, Daniel P. Berrange wrote:
> On Thu, Jul 23, 2015 at 06:13:47PM +0800, Luyao Huang wrote:
>> A new api to help set/restore the shmem device dac/selinux label.
>>
>> Signed-off-by: Luyao Huang <lhuang at redhat.com>
>> ---
>>   src/libvirt_private.syms        |  2 ++
>>   src/security/security_dac.c     | 67 +++++++++++++++++++++++++++++++++++++++
>>   src/security/security_driver.h  | 11 +++++++
>>   src/security/security_manager.c | 38 ++++++++++++++++++++++
>>   src/security/security_manager.h |  8 +++++
>>   src/security/security_selinux.c | 70 +++++++++++++++++++++++++++++++++++++++++
>>   src/security/security_stack.c   | 41 ++++++++++++++++++++++++
>>   7 files changed, 237 insertions(+)
>>
>> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
>> index deb6980..f954aa5 100644
>> --- a/src/security/security_dac.c
>> +++ b/src/security/security_dac.c
>> @@ -1433,4 +1497,7 @@ virSecurityDriver virSecurityDriverDAC = {
>>       .domainGetSecurityMountOptions      = virSecurityDACGetMountOptions,
>>   
>>       .getBaseLabel                       = virSecurityDACGetBaseLabel,
>> +
>> +    .domainSetSecurityShmemLabel        = virSecurityDACSetShmemLabel,
>> +    .domainRestoreSecurityShmemLabel    = virSecurityDACRestoreShmemLabel,
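
Review bot: The two members added at the end of virSecurityDriverDAC have no counterpart in any security driver outside the diffstat, which lists only the DAC, SELinux and stack drivers, so a driver not listed there leaves domainSetSecurityShmemLabel and domainRestoreSecurityShmemLabel as NULL. Please make sure the wrappers added in security_manager.c check for a NULL callback before calling through it, and state next to the new typedefs in security_driver.h whether an unset callback means "nothing to label" or an error.
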
> NB, you should also be modifying the virSecurityDACRestoreSecurityAllLabel
> and virSecurityDACSetSecurityAllLabel methods to call this code during
>
>
>> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
>> index 6e67a86..cbf89ee 100644
>> --- a/src/security/security_selinux.c
>> +++ b/src/security/security_selinux.c
>> @@ -2549,4 +2616,7 @@ virSecurityDriver virSecurityDriverSELinux = {
>>   
>>       .domainGetSecurityMountOptions      = virSecuritySELinuxGetSecurityMountOptions,
>>       .getBaseLabel                       = virSecuritySELinuxGetBaseLabel,
>> +
>> +    .domainSetSecurityShmemLabel        = virSecuritySELinuxSetShmemLabel,
>> +    .domainRestoreSecurityShmemLabel    = virSecuritySELinuxRestoreShmemLabel,
>>   };
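
Review bot: virSecuritySELinuxRestoreShmemLabel is registered beside the set callback, but neither this hunk nor the commit message says when a restore is safe to run. A shmem device exists to be shared between guests, so please document, on the function or on its typedef in security_driver.h, which label the set callback applies and what the restore callback does while another domain still uses the same region.
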
> Likewise virSecuritySELinuxRestoreSecurityAllLabel and
> virSecuritySELinuxSetSecurityAllLabel
>
> Doing this avoids the need to manually call these shmem specific
> security methods during general guest startup/shutdown. They only
> need to be called manually during hotplug/unplug.

Okay, I see, I move these functions into
virSecuritySELinuxRestoreSecurityAllLabel and
virSecuritySELinuxSetSecurityAllLabel.

Thanks a lot for your review and advice.

> Regards,
> Daniel

Luyao



