[libvirt] [PATCH v1 22/23] security: Introduce virSecurityManagerDomainRestoreDirLabel

Michal Privoznik mprivozn at redhat.com
Mon Oct 12 10:26:07 UTC 2015


This is a counterpart of virSecurityManagerDomainSetDirLabel.
We should restore the security labels on the directories where
we've changed them.

Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
---
 src/libvirt_private.syms        |  1 +
 src/security/security_dac.c     | 18 ++++++++++++++++++
 src/security/security_driver.h  |  5 ++++-
 src/security/security_manager.c | 16 ++++++++++++++++
 src/security/security_manager.h |  3 +++
 src/security/security_selinux.c | 16 ++++++++++++++++
 src/security/security_stack.c   | 20 ++++++++++++++++++++
 7 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 72dda41..0e03c6c 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1030,6 +1030,7 @@ virSecurityDriverLookup;
 # security/security_manager.h
 virSecurityManagerCheckAllLabel;
 virSecurityManagerClearSocketLabel;
+virSecurityManagerDomainRestoreDirLabel;
 virSecurityManagerDomainSetDirLabel;
 virSecurityManagerGenLabel;
 virSecurityManagerGetBaseLabel;
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 59b16ef..043866e 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1578,6 +1578,23 @@ virSecurityDACDomainSetDirLabel(virSecurityManagerPtr mgr,
     return virSecurityDACSetOwnership(priv, NULL, path, user, group);
 }
 
+static int
+virSecurityDACDomainRestoreDirLabel(virSecurityManagerPtr mgr,
+                                    virDomainDefPtr def,
+                                    const char *path)
+{
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityLabelDefPtr seclabel;
+
+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+
+    if (!seclabel && !seclabel->relabel)
+        return 0;
+
+    return virSecurityDACRestoreSecurityFileLabel(priv, path);
+}
+
+
 virSecurityDriver virSecurityDriverDAC = {
     .privateDataLen                     = sizeof(virSecurityDACData),
     .name                               = SECURITY_DAC_NAME,
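Review bot: The guard in virSecurityDACDomainRestoreDirLabel, `if (!seclabel && !seclabel->relabel)`, dereferences seclabel exactly when it is NULL, and when a label exists with relabel disabled it falls through and restores ownership anyway. The SELinux counterpart added in this same patch uses `||`, and the DAC check should match it: `if (!seclabel || !seclabel->relabel) return 0;`. Assuming virDomainDefGetSecurityLabelDef returns NULL when the domain has no DAC label, the current form would crash the daemon on that path. It would also change ownership of the directory for a domain that opted out of relabelling.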
@@ -1627,4 +1644,5 @@ virSecurityDriver virSecurityDriverDAC = {
     .getBaseLabel                       = virSecurityDACGetBaseLabel,
 
     .domainSetDirLabel                  = virSecurityDACDomainSetDirLabel,
+    .domainRestoreDirLabel              = virSecurityDACDomainRestoreDirLabel,
 };
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 784b0de..2503831 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -121,7 +121,9 @@ typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
 typedef int (*virSecurityDomainSetDirLabel) (virSecurityManagerPtr mgr,
                                              virDomainDefPtr def,
                                              const char *path);
-
+typedef int (*virSecurityDomainRestoreDirLabel) (virSecurityManagerPtr mgr,
+                                                 virDomainDefPtr def,
+                                                 const char *path);
 
 struct _virSecurityDriver {
     size_t privateDataLen;
@@ -173,6 +175,7 @@ struct _virSecurityDriver {
     virSecurityDriverGetBaseLabel getBaseLabel;
 
     virSecurityDomainSetDirLabel domainSetDirLabel;
+    virSecurityDomainRestoreDirLabel domainRestoreDirLabel;
 };
 
 virSecurityDriverPtr virSecurityDriverLookup(const char *name,
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index e41e761..a5308ac 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -1003,3 +1003,19 @@ virSecurityManagerDomainSetDirLabel(virSecurityManagerPtr mgr,
 
     return 0;
 }
+
+int
+virSecurityManagerDomainRestoreDirLabel(virSecurityManagerPtr mgr,
+                                        virDomainDefPtr vm,
+                                        const char *path)
+{
+    if (mgr->drv->domainRestoreDirLabel) {
+        int ret;
+        virObjectLock(mgr);
+        ret = mgr->drv->domainRestoreDirLabel(mgr, vm, path);
+        virObjectUnlock(mgr);
+        return ret;
+    }
+
+    return 0;
+}
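Review bot: virSecurityManagerDomainRestoreDirLabel has no comment stating its contract, and the fall-through `return 0` makes a driver without a domainRestoreDirLabel callback indistinguishable from a successful restore. A short header comment would tell callers what a zero return means, for example `/* Restore the label on @path set by virSecurityManagerDomainSetDirLabel. Returns 0 on success or if the driver has no callback, -1 on failure. */`. The -1 failure value is inferred from the driver implementations elsewhere in this patch. The parameter is also named `vm` although its type is virDomainDefPtr, where the driver callbacks call it `def`.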
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 96f7053..bfec4fa 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -165,5 +165,8 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
 int virSecurityManagerDomainSetDirLabel(virSecurityManagerPtr mgr,
                                         virDomainDefPtr vm,
                                         const char *path);
+int virSecurityManagerDomainRestoreDirLabel(virSecurityManagerPtr mgr,
+                                            virDomainDefPtr vm,
+                                            const char *path);
 
 #endif /* VIR_SECURITY_MANAGER_H__ */
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index c2464c2..3d04123 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2550,6 +2550,21 @@ virSecuritySELinuxDomainSetDirLabel(virSecurityManagerPtr mgr,
     return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel);
 }
 
+static int
+virSecuritySELinuxDomainRestoreDirLabel(virSecurityManagerPtr mgr,
+                                    virDomainDefPtr def,
+                                    const char *path)
+{
+    virSecurityLabelDefPtr seclabel;
+
+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+    if (!seclabel || !seclabel->relabel)
+        return 0;
+
+    return virSecuritySELinuxRestoreSecurityFileLabel(mgr, path);
+}
+
+
 virSecurityDriver virSecurityDriverSELinux = {
     .privateDataLen                     = sizeof(virSecuritySELinuxData),
     .name                               = SECURITY_SELINUX_NAME,
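Review bot: The continuation lines of virSecuritySELinuxDomainRestoreDirLabel's parameter list, `virDomainDefPtr def,` and `const char *path)`, are indented for the shorter DAC function name and do not line up under `virSecurityManagerPtr mgr`. They should be re-aligned to the opening parenthesis, as the other new functions in this patch are. This is whitespace only; the guard and the restore call are unaffected.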
@@ -2596,4 +2611,5 @@ virSecurityDriver virSecurityDriverSELinux = {
     .getBaseLabel                       = virSecuritySELinuxGetBaseLabel,
 
     .domainSetDirLabel                  = virSecuritySELinuxDomainSetDirLabel,
+    .domainRestoreDirLabel              = virSecuritySELinuxDomainRestoreDirLabel,
 };
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 8d9560d..5c9d27f 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -617,6 +617,25 @@ virSecurityStackDomainSetDirLabel(virSecurityManagerPtr mgr,
     return rc;
 }
 
+static int
+virSecurityStackDomainRestoreDirLabel(virSecurityManagerPtr mgr,
+                                      virDomainDefPtr vm,
+                                      const char *path)
+{
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityStackItemPtr item = priv->itemsHead;
+    int rc = 0;
+
+    for (; item; item = item->next) {
+        if (virSecurityManagerDomainRestoreDirLabel(item->securityManager,
+                                                    vm, path) < 0)
+            rc = -1;
+    }
+
+    return rc;
+}
+
+
 virSecurityDriver virSecurityDriverStack = {
     .privateDataLen                     = sizeof(virSecurityStackData),
     .name                               = "stack",
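Review bot: The loop in virSecurityStackDomainRestoreDirLabel continues after a stacked manager fails and only records `rc = -1`, which looks deliberate for a restore path but is not stated anywhere. A one-line comment above the loop would keep a later cleanup from turning it into an early return that leaves the remaining drivers' labels unrestored, for example `/* Best effort: try every stacked driver even if one fails to restore. */`.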
@@ -668,4 +687,5 @@ virSecurityDriver virSecurityDriverStack = {
     .getBaseLabel                       = virSecurityStackGetBaseLabel,
 
     .domainSetDirLabel                  = virSecurityStackDomainSetDirLabel,
+    .domainRestoreDirLabel              = virSecurityStackDomainRestoreDirLabel,
 };
-- 
2.4.9



