[libvirt] [PATCH 07/10] conf: Separate seclabel validation from parsing

Peter Krempa pkrempa at redhat.com
Tue Mar 13 14:37:33 UTC 2018


Rather than checking that the security label is legal when parsing it,
move the code into a separate function.

Signed-off-by: Peter Krempa <pkrempa at redhat.com>
---
 src/conf/domain_conf.c | 68 ++++++++++++++++++++++++++++++++------------------
 1 file changed, 44 insertions(+), 24 deletions(-)

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 8cd41edb5e..6c2a2f3a75 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -8214,8 +8214,7 @@ virSecurityLabelDefsParseXML(virDomainDefPtr def,
 static int
 virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
                                   size_t *nseclabels_rtn,
-                                  virSecurityLabelDefPtr *vmSeclabels,
-                                  int nvmSeclabels, xmlXPathContextPtr ctxt,
+                                  xmlXPathContextPtr ctxt,
                                   unsigned int flags)
 {
     virSecurityDeviceLabelDefPtr *seclabels = NULL;
@@ -8223,7 +8222,6 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
     int n;
     size_t i, j;
     xmlNodePtr *list = NULL;
-    virSecurityLabelDefPtr vmDef = NULL;
     char *model, *relabel, *label, *labelskip;

     if ((n = virXPathNodeSet("./seclabel", ctxt, &list)) < 0)
@@ -8243,14 +8241,6 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
         /* get model associated to this override */
         model = virXMLPropString(list[i], "model");
         if (model) {
-            /* find the security label that it's being overridden */
-            for (j = 0; j < nvmSeclabels; j++) {
-                if (STREQ(vmSeclabels[j]->model, model)) {
-                    vmDef = vmSeclabels[j];
-                    break;
-                }
-            }
-
             /* check for duplicate seclabels */
             for (j = 0; j < i; j++) {
                 if (STREQ_NULLABLE(model, seclabels[j]->model)) {
@@ -8262,14 +8252,6 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
             seclabels[i]->model = model;
         }

-        /* Can't use overrides if top-level doesn't allow relabeling.  */
-        if (vmDef && !vmDef->relabel) {
-            virReportError(VIR_ERR_XML_ERROR, "%s",
-                           _("label overrides require relabeling to be "
-                             "enabled at the domain level"));
-            goto error;
-        }
-
         relabel = virXMLPropString(list[i], "relabel");
         if (relabel != NULL) {
             if (STREQ(relabel, "yes")) {
@@ -8324,6 +8306,37 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
 }


+static int
+virSecurityDeviceLabelDefValidateXML(virSecurityDeviceLabelDefPtr *seclabels,
+                                     size_t nseclabels,
+                                     virSecurityLabelDefPtr *vmSeclabels,
+                                     size_t nvmSeclabels)
+{
+    virSecurityDeviceLabelDefPtr seclabel;
+    size_t i;
+    size_t j;
+
+    for (i = 0; i < nseclabels; i++) {
+        seclabel = seclabels[i];
+
+        /* find the security label that it's being overridden */
+        for (j = 0; j < nvmSeclabels; j++) {
+            if (STRNEQ_NULLABLE(vmSeclabels[j]->model, seclabel->model))
+                continue;
+
+            if (!vmSeclabels[j]->relabel) {
+                virReportError(VIR_ERR_XML_ERROR, "%s",
+                               _("label overrides require relabeling to be "
+                                 "enabled at the domain level"));
+                return -1;
+            }
+        }
+    }
+
+    return 0;
+}
+
+
 /* Parse the XML definition for a lease
  */
 static virDomainLeaseDefPtr
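Review bot: virSecurityDeviceLabelDefValidateXML matches models with `STRNEQ_NULLABLE`, while the removed parser code only searched the domain-level labels inside `if (model)`. If that macro treats two NULL models as equal, as its name suggests, a device seclabel without a model is now checked against a domain-level label that also has none, and rejected when that label has relabeling disabled. This is the stricter direction, but the commit message describes a pure code move; either say so there or keep the old scope with `if (!seclabel->model) continue;` at the top of the outer loop. The function also has no header comment, and the parser no longer enforces this rule itself, so I would add `/* Reject per-device seclabel overrides whose model matches a domain-level seclabel that has relabeling disabled. Returns 0 on success, -1 with an error reported. Must be called after virSecurityDeviceLabelDefParseXML. */`. The hunk starts at the closing brace of the parser and ends inside the lease parser's header, so only the new function is fully visible.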
@@ -9453,11 +9466,16 @@ virDomainDiskDefParseXML(virDomainXMLOptionPtr xmlopt,
         ctxt->node = sourceNode;
         if (virSecurityDeviceLabelDefParseXML(&def->src->seclabels,
                                               &def->src->nseclabels,
-                                              vmSeclabels,
-                                              nvmSeclabels,
                                               ctxt,
                                               flags) < 0)
             goto error;
+
+        if (virSecurityDeviceLabelDefValidateXML(def->src->seclabels,
+                                                 def->src->nseclabels,
+                                                 vmSeclabels,
+                                                 nvmSeclabels) < 0)
+            goto error;
+
         ctxt->node = saved_node;
     }

@@ -12133,10 +12151,12 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def,
                 ctxt->node = cur;
                 if (virSecurityDeviceLabelDefParseXML(&def->seclabels,
                                                       &def->nseclabels,
-                                                      vmSeclabels,
-                                                      nvmSeclabels,
                                                       ctxt,
-                                                      flags) < 0) {
+                                                      flags) < 0 ||
+                    virSecurityDeviceLabelDefValidateXML(def->seclabels,
+                                                         def->nseclabels,
+                                                         vmSeclabels,
+                                                         nvmSeclabels) < 0) {
                     ctxt->node = saved_node;
                     goto error;
                 }
-- 
2.16.2



