[libvirt] [PATCH v3 2/2] security: Refactor virSecurityManagerGenLabel
Erik Skultety
eskultet at redhat.com
Thu Feb 12 17:32:41 UTC 2015
if (mgr == NULL || mgr->drv == NULL)
return ret;
This check isn't really necessary, security manager cannot be a NULL
pointer as it is either selinux (by default) or 'none', if no other driver is
set in the config. Even with no config file driver name yields 'none'.
The other hunk checks for domain's security model validity, but we should
also check devices' security model as well, therefore this hunk is moved into
a separate function which is called by virSecurityManagerCheckAllLabel that
checks both the domain's security model and devices' security model.
https://bugzilla.redhat.com/show_bug.cgi?id=1165485
---
src/security/security_manager.c | 41 ++++++++++++++++++++++-------------------
1 file changed, 22 insertions(+), 19 deletions(-)
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 68ed85b..68d2279 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -576,33 +576,15 @@ virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm)
{
int ret = -1;
- size_t i, j;
+ size_t i;
virSecurityManagerPtr* sec_managers = NULL;
virSecurityLabelDefPtr seclabel;
bool generated = false;
- if (mgr == NULL || mgr->drv == NULL)
- return ret;
-
if ((sec_managers = virSecurityManagerGetNested(mgr)) == NULL)
return ret;
virObjectLock(mgr);
- for (i = 0; i < vm->nseclabels; i++) {
- if (!vm->seclabels[i]->model)
- continue;
-
- for (j = 0; sec_managers[j]; j++)
- if (STREQ(vm->seclabels[i]->model, sec_managers[j]->drv->name))
- break;
-
- if (!sec_managers[j]) {
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
- _("Unable to find security driver for label %s"),
- vm->seclabels[i]->model);
- goto cleanup;
- }
- }
for (i = 0; sec_managers[i]; i++) {
generated = false;
@@ -731,6 +713,22 @@ static int virSecurityManagerCheckSecurityModel(char *secmodel,
static int
+virSecurityManagerCheckSecurityDomainLabel(virDomainDefPtr def,
+ void *opaque)
+{
+ size_t i;
+
+ for (i = 0; i < def->nseclabels; i++) {
+ if (virSecurityManagerCheckSecurityModel(def->seclabels[i]->model,
+ opaque) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
virSecurityManagerCheckSecurityDiskLabel(virDomainDiskDefPtr disk,
void *opaque)
{
@@ -776,6 +774,11 @@ int virSecurityManagerCheckAllLabel(virSecurityManagerPtr mgr,
{
size_t i;
+ /* first check per-domain seclabels */
+ if (virSecurityManagerCheckSecurityDomainLabel(vm, mgr) < 0)
+ return -1;
+
+ /* second check per-device seclabels */
for (i = 0; i < vm->ndisks; i++) {
if (virSecurityManagerCheckSecurityDiskLabel(vm->disks[i],
mgr) < 0)
--
1.9.3
More information about the libvir-list
mailing list