[libvirt] [PATCH 2/5] security: Introduce functions for input device hot(un)plug
Ján Tomko
jtomko at redhat.com
Tue Nov 21 15:05:40 UTC 2017
Export the existing DAC and SELinux for separate use and introduce
functions for stack, nop and the security manager.
---
src/libvirt_private.syms | 2 ++
src/security/security_dac.c | 3 +++
src/security/security_driver.h | 9 +++++++++
src/security/security_manager.c | 36 ++++++++++++++++++++++++++++++++++++
src/security/security_manager.h | 8 ++++++++
src/security/security_nop.c | 11 +++++++++++
src/security/security_selinux.c | 3 +++
src/security/security_stack.c | 38 ++++++++++++++++++++++++++++++++++++++
8 files changed, 110 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 2997a469d..31969a092 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1274,6 +1274,7 @@ virSecurityManagerRestoreAllLabel;
virSecurityManagerRestoreDiskLabel;
virSecurityManagerRestoreHostdevLabel;
virSecurityManagerRestoreImageLabel;
+virSecurityManagerRestoreInputLabel;
virSecurityManagerRestoreMemoryLabel;
virSecurityManagerRestoreSavedStateLabel;
virSecurityManagerSetAllLabel;
@@ -1283,6 +1284,7 @@ virSecurityManagerSetDiskLabel;
virSecurityManagerSetHostdevLabel;
virSecurityManagerSetImageFDLabel;
virSecurityManagerSetImageLabel;
+virSecurityManagerSetInputLabel;
virSecurityManagerSetMemoryLabel;
virSecurityManagerSetProcessLabel;
virSecurityManagerSetSavedStateLabel;
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 54120890f..52ca07a10 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -2123,6 +2123,9 @@ virSecurityDriver virSecurityDriverDAC = {
.domainSetSecurityMemoryLabel = virSecurityDACSetMemoryLabel,
.domainRestoreSecurityMemoryLabel = virSecurityDACRestoreMemoryLabel,
+ .domainSetSecurityInputLabel = virSecurityDACSetInputLabel,
+ .domainRestoreSecurityInputLabel = virSecurityDACRestoreInputLabel,
+
.domainSetSecurityDaemonSocketLabel = virSecurityDACSetDaemonSocketLabel,
.domainSetSecuritySocketLabel = virSecurityDACSetSocketLabel,
.domainClearSecuritySocketLabel = virSecurityDACClearSocketLabel,
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 0b3b45248..1b3070d06 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -131,6 +131,12 @@ typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManagerPtr mgr,
typedef int (*virSecurityDomainRestoreMemoryLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainMemoryDefPtr mem);
+typedef int (*virSecurityDomainSetInputLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainInputDefPtr input);
+typedef int (*virSecurityDomainRestoreInputLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainInputDefPtr input);
typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def,
const char *path);
@@ -163,6 +169,9 @@ struct _virSecurityDriver {
virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel;
virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel;
+ virSecurityDomainSetInputLabel domainSetSecurityInputLabel;
+ virSecurityDomainRestoreInputLabel domainRestoreSecurityInputLabel;
+
virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 60cfc92e7..3cf12188a 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -1116,3 +1116,39 @@ virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
virReportUnsupportedError();
return -1;
}
+
+
+int
+virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ virDomainInputDefPtr input)
+{
+ if (mgr->drv->domainSetSecurityInputLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainSetSecurityInputLabel(mgr, vm, input);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ virReportUnsupportedError();
+ return -1;
+}
+
+
+int
+virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ virDomainInputDefPtr input)
+{
+ if (mgr->drv->domainRestoreSecurityInputLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainRestoreSecurityInputLabel(mgr, vm, input);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ virReportUnsupportedError();
+ return -1;
+}
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 6712112e7..834c7f159 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -172,6 +172,14 @@ int virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virDomainMemoryDefPtr mem);
+int virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ virDomainInputDefPtr input);
+int virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ virDomainInputDefPtr input);
+
+
int virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
const char *path);
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 527be11e5..cfb032c68 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -254,6 +254,14 @@ virSecurityDomainRestoreMemoryLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSE
return 0;
}
+static int
+virSecurityDomainInputLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainInputDefPtr input ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
virSecurityDriver virSecurityDriverNop = {
.privateDataLen = 0,
@@ -276,6 +284,9 @@ virSecurityDriver virSecurityDriverNop = {
.domainSetSecurityMemoryLabel = virSecurityDomainSetMemoryLabelNop,
.domainRestoreSecurityMemoryLabel = virSecurityDomainRestoreMemoryLabelNop,
+ .domainSetSecurityInputLabel = virSecurityDomainInputLabelNop,
+ .domainRestoreSecurityInputLabel = virSecurityDomainInputLabelNop,
+
.domainSetSecurityDaemonSocketLabel = virSecurityDomainSetDaemonSocketLabelNop,
.domainSetSecuritySocketLabel = virSecurityDomainSetSocketLabelNop,
.domainClearSecuritySocketLabel = virSecurityDomainClearSocketLabelNop,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ed1828a12..b677fbcda 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3064,6 +3064,9 @@ virSecurityDriver virSecurityDriverSELinux = {
.domainSetSecurityMemoryLabel = virSecuritySELinuxSetMemoryLabel,
.domainRestoreSecurityMemoryLabel = virSecuritySELinuxRestoreMemoryLabel,
+ .domainSetSecurityInputLabel = virSecuritySELinuxSetInputLabel,
+ .domainRestoreSecurityInputLabel = virSecuritySELinuxRestoreInputLabel,
+
.domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetDaemonSocketLabel,
.domainSetSecuritySocketLabel = virSecuritySELinuxSetSocketLabel,
.domainClearSecuritySocketLabel = virSecuritySELinuxClearSocketLabel,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 53eee1692..cd916382b 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -667,6 +667,41 @@ virSecurityStackRestoreMemoryLabel(virSecurityManagerPtr mgr,
}
static int
+virSecurityStackSetInputLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ virDomainInputDefPtr input)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+ int rc = 0;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerSetInputLabel(item->securityManager, vm, input) < 0)
+ rc = -1;
+ }
+
+ return rc;
+}
+
+static int
+virSecurityStackRestoreInputLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ virDomainInputDefPtr input)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+ int rc = 0;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerRestoreInputLabel(item->securityManager,
+ vm, input) < 0)
+ rc = -1;
+ }
+
+ return rc;
+}
+
+static int
virSecurityStackDomainSetPathLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
const char *path)
@@ -711,6 +746,9 @@ virSecurityDriver virSecurityDriverStack = {
.domainSetSecurityMemoryLabel = virSecurityStackSetMemoryLabel,
.domainRestoreSecurityMemoryLabel = virSecurityStackRestoreMemoryLabel,
+ .domainSetSecurityInputLabel = virSecurityStackSetInputLabel,
+ .domainRestoreSecurityInputLabel = virSecurityStackRestoreInputLabel,
+
.domainSetSecurityDaemonSocketLabel = virSecurityStackSetDaemonSocketLabel,
.domainSetSecuritySocketLabel = virSecurityStackSetSocketLabel,
.domainClearSecuritySocketLabel = virSecurityStackClearSocketLabel,
--
2.13.6
More information about the libvir-list
mailing list