[libvirt] [PATCH 2/4] security: add security part for shmem device
Daniel P. Berrange
berrange at redhat.com
Thu Jul 30 09:54:37 UTC 2015
On Thu, Jul 23, 2015 at 06:13:47PM +0800, Luyao Huang wrote:
> A new api to help set/restore the shmem deivce dac/selinux label.
s/deivce/device/
> Signed-off-by: Luyao Huang <lhuang at redhat.com>
> ---
> src/libvirt_private.syms | 2 ++
> src/security/security_dac.c | 67 +++++++++++++++++++++++++++++++++++++++
> src/security/security_driver.h | 11 +++++++
> src/security/security_manager.c | 38 ++++++++++++++++++++++
> src/security/security_manager.h | 8 +++++
> src/security/security_selinux.c | 70 +++++++++++++++++++++++++++++++++++++++++
> src/security/security_stack.c | 41 ++++++++++++++++++++++++
> 7 files changed, 237 insertions(+)
Also need to add to the security_nop.c impl
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index deb6980..f954aa5 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -39,6 +39,7 @@
> #include "virstoragefile.h"
> #include "virstring.h"
> #include "virutil.h"
> +#include "virshm.h"
>
> #define VIR_FROM_THIS VIR_FROM_SECURITY
>
> @@ -922,6 +923,69 @@ virSecurityDACRestoreSecurityTPMFileLabel(virSecurityManagerPtr mgr,
>
>
> static int
> +virSecurityDACSetShmemLabel(virSecurityManagerPtr mgr,
> + virDomainDefPtr def,
> + virDomainShmemDefPtr shmem,
> + char *path)
> +{
> + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> + virSecurityLabelDefPtr seclabel;
> + virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
> + char *tmppath;
> + uid_t user;
> + gid_t group;
> +
> + if (shmem->server.enabled)
> + tmppath = shmem->server.chr.data.nix.path;
> + else
> + tmppath = path;
Even when the server is enabled, QEMU still needs access to the path
doesn't it.
> +
> + if (!tmppath)
> + return 0;
> +
> + shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_DAC_NAME);
> +
> + if (shmem_seclabel && !shmem_seclabel->relabel)
> + return 0;
> +
> + seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
> +
> + if (shmem_seclabel && shmem_seclabel->label) {
> + if (virParseOwnershipIds(shmem_seclabel->label, &user, &group) < 0)
> + return -1;
> + } else {
> + if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
> + return -1;
> + }
> +
> + return virSecurityDACSetOwnership(tmppath, user, group);
> +}
> +
> +
> +static int
> +virSecurityDACRestoreShmemLabel(virSecurityManagerPtr mgr,
> + virDomainDefPtr def,
> + virDomainShmemDefPtr shmem,
> + char *path)
> +{
> + virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
> +
> + shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_DAC_NAME);
> +
> + if (shmem_seclabel && !shmem_seclabel->relabel)
> + return 0;
> +
> + if (shmem->server.enabled)
> + return virSecurityDACRestoreChardevLabel(mgr, def, NULL, &shmem->server.chr);
We need to restore path, even when server is enabled
> +
> + if (!path)
> + return 0;
> +
> + return virSecurityDACRestoreSecurityFileLabel(path);
> +}
> +
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 6e67a86..cbf89ee 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -46,6 +46,7 @@
> #include "virconf.h"
> #include "virtpm.h"
> #include "virstring.h"
> +#include "virshm.h"
>
> #define VIR_FROM_THIS VIR_FROM_SECURITY
>
> @@ -1888,6 +1889,37 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
> }
>
>
> +static int
> +virSecuritySELinuxRestoreShmemLabel(virSecurityManagerPtr mgr,
> + virDomainDefPtr def,
> + virDomainShmemDefPtr shmem,
> + char *path)
> +{
> + char *tmppath = NULL;
> + virSecurityLabelDefPtr seclabel;
> + virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
> +
> + seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
> + if (!seclabel || !seclabel->relabel)
> + return 0;
> +
> + shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_SELINUX_NAME);
> +
> + if (shmem_seclabel && !shmem_seclabel->relabel)
> + return 0;
> +
> + if (shmem->server.enabled)
> + tmppath = shmem->server.chr.data.nix.path;
> + else
> + tmppath = path;
Same comment as earlier
> +
> + if (!tmppath)
> + return 0;
> +
> + return virSecuritySELinuxRestoreSecurityFileLabel(mgr, tmppath);
> +}
> +
> +
> static const char *
> virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
> {
> @@ -2284,6 +2316,41 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
>
>
> static int
> +virSecuritySELinuxSetShmemLabel(virSecurityManagerPtr mgr,
> + virDomainDefPtr def,
> + virDomainShmemDefPtr shmem,
> + char *path)
> +{
> + virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
> + char *tmppath = NULL;
> + virSecurityLabelDefPtr seclabel;
> + virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
> +
> + seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
> + if (!seclabel || !seclabel->relabel)
> + return 0;
> +
> + shmem_seclabel = virDomainShmemDefGetSecurityLabelDef(shmem, SECURITY_SELINUX_NAME);
> +
> + if (shmem_seclabel && !shmem_seclabel->relabel)
> + return 0;
> +
> + if (shmem->server.enabled)
> + tmppath = shmem->server.chr.data.nix.path;
> + else
> + tmppath = path;
And again
> +
> + if (!tmppath)
> + return 0;
> +
> + if (shmem_seclabel && shmem_seclabel->label)
> + return virSecuritySELinuxSetFilecon(tmppath, shmem_seclabel->label);
> + else
> + return virSecuritySELinuxSetFilecon(tmppath, data->file_context);
> +}
> +
> +
> +static int
> virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
> virDomainDefPtr def,
> const char *stdin_path)
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list