[libvirt] [PATCH 2/4] security: add security part for shmem device

Daniel P. Berrange berrange at redhat.com
Thu Jul 30 10:00:37 UTC 2015


On Thu, Jul 23, 2015 at 06:13:47PM +0800, Luyao Huang wrote:
> A new api to help set/restore the shmem device dac/selinux label.
> 
> Signed-off-by: Luyao Huang <lhuang at redhat.com>
> ---
>  src/libvirt_private.syms        |  2 ++
>  src/security/security_dac.c     | 67 +++++++++++++++++++++++++++++++++++++++
>  src/security/security_driver.h  | 11 +++++++
>  src/security/security_manager.c | 38 ++++++++++++++++++++++
>  src/security/security_manager.h |  8 +++++
>  src/security/security_selinux.c | 70 +++++++++++++++++++++++++++++++++++++++++
>  src/security/security_stack.c   | 41 ++++++++++++++++++++++++
>  7 files changed, 237 insertions(+)
> 

> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index deb6980..f954aa5 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c

> @@ -1433,4 +1497,7 @@ virSecurityDriver virSecurityDriverDAC = {
>      .domainGetSecurityMountOptions      = virSecurityDACGetMountOptions,
>  
>      .getBaseLabel                       = virSecurityDACGetBaseLabel,
> +
> +    .domainSetSecurityShmemLabel        = virSecurityDACSetShmemLabel,
> +    .domainRestoreSecurityShmemLabel    = virSecurityDACRestoreShmemLabel,
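
Review bot: the two members added at the end of virSecurityDriverDAC are filled in here and in virSecurityDriverSELinux, but the diffstat lists no other security driver file, so any driver that leaves domainSetSecurityShmemLabel and domainRestoreSecurityShmemLabel unset carries NULL in those slots. Please confirm that the manager and stack wrappers check for a NULL callback before dispatching, or add the members to the remaining drivers in this patch.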

NB, you should also be modifying the virSecurityDACRestoreSecurityAllLabel
and virSecurityDACSetSecurityAllLabel methods to call this code during


> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 6e67a86..cbf89ee 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c

> @@ -2549,4 +2616,7 @@ virSecurityDriver virSecurityDriverSELinux = {
>  
>      .domainGetSecurityMountOptions      = virSecuritySELinuxGetSecurityMountOptions,
>      .getBaseLabel                       = virSecuritySELinuxGetBaseLabel,
> +
> +    .domainSetSecurityShmemLabel        = virSecuritySELinuxSetShmemLabel,
> +    .domainRestoreSecurityShmemLabel    = virSecuritySELinuxRestoreShmemLabel,
>  };
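
Review bot: .domainRestoreSecurityShmemLabel in virSecurityDriverSELinux comes with no visible statement of what restore does when the shared memory object is still in use by another running guest. A shmem device exists to be shared, so relabelling on one guest's shutdown could cut off the others. Please document the intended behaviour in a comment on the callback typedef in security_driver.h.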

Likewise virSecuritySELinuxRestoreSecurityAllLabel and
virSecuritySELinuxSetSecurityAllLabel

Doing this avoids the need to manually call these shmem specific
security methods during general guest startup/shutdown. They only
need to be called manually during hotplug/unplug.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|



