[libvirt] [PATCH 2/4] security: add security part for shmem device

Daniel P. Berrange berrange at redhat.com
Thu Jul 30 09:54:37 UTC 2015


On Thu, Jul 23, 2015 at 06:13:47PM +0800, Luyao Huang wrote:
> A new api to help set/restore the shmem deivce dac/selinux label.

s/deivce/device/

> Signed-off-by: Luyao Huang <lhuang at redhat.com>
> ---
>  src/libvirt_private.syms        |  2 ++
>  src/security/security_dac.c     | 67 +++++++++++++++++++++++++++++++++++++++
>  src/security/security_driver.h  | 11 +++++++
>  src/security/security_manager.c | 38 ++++++++++++++++++++++
>  src/security/security_manager.h |  8 +++++
>  src/security/security_selinux.c | 70 +++++++++++++++++++++++++++++++++++++++++
>  src/security/security_stack.c   | 41 ++++++++++++++++++++++++
>  7 files changed, 237 insertions(+)

Also need to add to the security_nop.c impl

> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index deb6980..f954aa5 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -39,6 +39,7 @@
>  #include "virstoragefile.h"
>  #include "virstring.h"
>  #include "virutil.h"
> +#include "virshm.h"
>  
>  #define VIR_FROM_THIS VIR_FROM_SECURITY
>  
> @@ -922,6 +923,69 @@ virSecurityDACRestoreSecurityTPMFileLabel(virSecurityManagerPtr mgr,
>  
>  
>  static int
> +virSecurityDACSetShmemLabel(virSecurityManagerPtr mgr,
> +                            virDomainDefPtr def,
> +                            virDomainShmemDefPtr shmem,
> +                            char *path)
> +{
> +    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> +    virSecurityLabelDefPtr seclabel;
> +    virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
> +    char *tmppath;
> +    uid_t user;
> +    gid_t group;
> +
> +    if (shmem->server.enabled)
> +        tmppath = shmem->server.chr.data.nix.path;
> +    else
> +        tmppath = path;

Even when the server is enabled, QEMU still needs access to the path
doesn't it.

> +
> +    if (!tmppath)
> +        return 0;
> +
> +    shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_DAC_NAME);
> +
> +    if (shmem_seclabel && !shmem_seclabel->relabel)
> +        return 0;
> +
> +    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
> +
> +    if (shmem_seclabel && shmem_seclabel->label) {
> +        if (virParseOwnershipIds(shmem_seclabel->label, &user, &group) < 0)
> +            return -1;
> +    } else {
> +        if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
> +            return -1;
> +    }
> +
> +    return virSecurityDACSetOwnership(tmppath, user, group);
> +}
> +
> +
> +static int
> +virSecurityDACRestoreShmemLabel(virSecurityManagerPtr mgr,
> +                               virDomainDefPtr def,
> +                               virDomainShmemDefPtr shmem,
> +                               char *path)
> +{
> +    virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
> +
> +    shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_DAC_NAME);
> +
> +    if (shmem_seclabel && !shmem_seclabel->relabel)
> +        return 0;
> +
> +    if (shmem->server.enabled)
> +        return virSecurityDACRestoreChardevLabel(mgr, def, NULL, &shmem->server.chr);

We need to restore path, even when server is enabled

> +
> +    if (!path)
> +        return 0;
> +
> +    return virSecurityDACRestoreSecurityFileLabel(path);
> +}
> +
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 6e67a86..cbf89ee 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -46,6 +46,7 @@
>  #include "virconf.h"
>  #include "virtpm.h"
>  #include "virstring.h"
> +#include "virshm.h"
>  
>  #define VIR_FROM_THIS VIR_FROM_SECURITY
>  
> @@ -1888,6 +1889,37 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
>  }
>  
>  
> +static int
> +virSecuritySELinuxRestoreShmemLabel(virSecurityManagerPtr mgr,
> +                                    virDomainDefPtr def,
> +                                    virDomainShmemDefPtr shmem,
> +                                    char *path)
> +{
> +    char *tmppath = NULL;
> +    virSecurityLabelDefPtr seclabel;
> +    virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
> +
> +    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
> +    if (!seclabel || !seclabel->relabel)
> +        return 0;
> +
> +    shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_SELINUX_NAME);
> +
> +    if (shmem_seclabel && !shmem_seclabel->relabel)
> +        return 0;
> +
> +    if (shmem->server.enabled)
> +        tmppath = shmem->server.chr.data.nix.path;
> +    else
> +        tmppath = path;

Same comment as earlier

> +
> +    if (!tmppath)
> +        return 0;
> +
> +    return virSecuritySELinuxRestoreSecurityFileLabel(mgr, tmppath);
> +}
> +
> +
>  static const char *
>  virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
>  {
> @@ -2284,6 +2316,41 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
>  
>  
>  static int
> +virSecuritySELinuxSetShmemLabel(virSecurityManagerPtr mgr,
> +                                virDomainDefPtr def,
> +                                virDomainShmemDefPtr shmem,
> +                                char *path)
> +{
> +    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
> +    char *tmppath = NULL;
> +    virSecurityLabelDefPtr seclabel;
> +    virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
> +
> +    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
> +    if (!seclabel || !seclabel->relabel)
> +        return 0;
> +
> +    shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_SELINUX_NAME);
> +
> +    if (shmem_seclabel && !shmem_seclabel->relabel)
> +        return 0;
> +
> +    if (shmem->server.enabled)
> +        tmppath = shmem->server.chr.data.nix.path;
> +    else
> +        tmppath = path;

And again

 > +
> +    if (!tmppath)
> +        return 0;
> +
> +    if (shmem_seclabel && shmem_seclabel->label)
> +        return virSecuritySELinuxSetFilecon(tmppath, shmem_seclabel->label);
> +    else
> +        return virSecuritySELinuxSetFilecon(tmppath, data->file_context);
> +}
> +
> +
> +static int
>  virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
>                                        virDomainDefPtr def,
>                                        const char *stdin_path)

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|




More information about the libvir-list mailing list