[libvirt] [PATCH v4 19/25] security: Introduce virSecurityManagerMoveImageMetadata

Michal Privoznik mprivozn at redhat.com
Thu Apr 25 08:19:55 UTC 2019 

The purpose of this API is to allow caller move XATTRs (or remove
them) from one file to another. This will be needed when moving
top level of disk chain (either by introducing new HEAD or
removing it).

Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
Reviewed-by: Cole Robinson <crobinso at redhat.com>
---
 src/libvirt_private.syms        |  1 +
 src/security/security_driver.h  |  5 +++++
 src/security/security_manager.c | 39 +++++++++++++++++++++++++++++++++
 src/security/security_manager.h |  4 ++++
 src/security/security_nop.c     | 10 +++++++++
 src/security/security_stack.c   | 20 +++++++++++++++++
 6 files changed, 79 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 5368392882..670daae5a2 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1388,6 +1388,7 @@ virSecurityManagerGetModel;
 virSecurityManagerGetMountOptions;
 virSecurityManagerGetNested;
 virSecurityManagerGetProcessLabel;
+virSecurityManagerMoveImageMetadata;
 virSecurityManagerNew;
 virSecurityManagerNewDAC;
 virSecurityManagerNewStack;
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 36cf9da037..998fe9697c 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -120,6 +120,10 @@ typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
                                                    virDomainDefPtr def,
                                                    virStorageSourcePtr src,
                                                    virSecurityDomainImageLabelFlags flags);
+typedef int (*virSecurityDomainMoveImageMetadata) (virSecurityManagerPtr mgr,
+                                                   pid_t pid,
+                                                   virStorageSourcePtr src,
+                                                   virStorageSourcePtr dst);
 typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManagerPtr mgr,
                                                 virDomainDefPtr def,
                                                 virDomainMemoryDefPtr mem);
@@ -170,6 +174,7 @@ struct _virSecurityDriver {
 
     virSecurityDomainSetImageLabel domainSetSecurityImageLabel;
     virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
+    virSecurityDomainMoveImageMetadata domainMoveImageMetadata;
 
     virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel;
     virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 74ab0d0dd3..c205c3bf17 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -432,6 +432,45 @@ virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
 }
 
 
+/**
+ * virSecurityManagerMoveImageMetadata:
+ * @mgr: security manager
+ * @pid: domain's PID
+ * @src: source of metadata
+ * @dst: destination to move metadata to
+ *
+ * For given source @src, metadata is moved to destination @dst.
+ *
+ * If @dst is NULL then metadata is removed from @src and not
+ * stored anywhere.
+ *
+ * If @pid is not -1 enther the @pid mount namespace (usually
+ * @pid refers to a domain) and perform the move from there. If
+ * @pid is -1 then the move is performed from the caller's
+ * namespace.
+ *
+ * Returns: 0 on success,
+ *         -1 otherwise.
+ */
+int
+virSecurityManagerMoveImageMetadata(virSecurityManagerPtr mgr,
+                                    pid_t pid,
+                                    virStorageSourcePtr src,
+                                    virStorageSourcePtr dst)
+{
+    if (mgr->drv->domainMoveImageMetadata) {
+        int ret;
+        virObjectLock(mgr);
+        ret = mgr->drv->domainMoveImageMetadata(mgr, pid, src, dst);
+        virObjectUnlock(mgr);
+        return ret;
+    }
+
+    virReportUnsupportedError();
+    return -1;
+}
+
+
 int
 virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
                                        virDomainDefPtr vm)
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 7e174a33ee..33e79b2095 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -160,6 +160,10 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
                                         virDomainDefPtr vm,
                                         virStorageSourcePtr src,
                                         virSecurityDomainImageLabelFlags flags);
+int virSecurityManagerMoveImageMetadata(virSecurityManagerPtr mgr,
+                                        pid_t pid,
+                                        virStorageSourcePtr src,
+                                        virStorageSourcePtr dst);
 
 int virSecurityManagerSetMemoryLabel(virSecurityManagerPtr mgr,
                                      virDomainDefPtr vm,
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 9b3263ad77..966b9d41a1 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -224,6 +224,15 @@ virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     return 0;
 }
 
+static int
+virSecurityDomainMoveImageMetadataNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                                      pid_t pid ATTRIBUTE_UNUSED,
+                                      virStorageSourcePtr src ATTRIBUTE_UNUSED,
+                                      virStorageSourcePtr dst ATTRIBUTE_UNUSED)
+{
+    return 0;
+}
+
 static int
 virSecurityDomainSetMemoryLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                    virDomainDefPtr def ATTRIBUTE_UNUSED,
@@ -280,6 +289,7 @@ virSecurityDriver virSecurityDriverNop = {
 
     .domainSetSecurityImageLabel        = virSecurityDomainSetImageLabelNop,
     .domainRestoreSecurityImageLabel    = virSecurityDomainRestoreImageLabelNop,
+    .domainMoveImageMetadata            = virSecurityDomainMoveImageMetadataNop,
 
     .domainSetSecurityMemoryLabel       = virSecurityDomainSetMemoryLabelNop,
     .domainRestoreSecurityMemoryLabel   = virSecurityDomainRestoreMemoryLabelNop,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index eba918e257..d445c0773e 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -599,6 +599,25 @@ virSecurityStackRestoreImageLabel(virSecurityManagerPtr mgr,
     return rc;
 }
 
+static int
+virSecurityStackMoveImageMetadata(virSecurityManagerPtr mgr,
+                                  pid_t pid,
+                                  virStorageSourcePtr src,
+                                  virStorageSourcePtr dst)
+{
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityStackItemPtr item = priv->itemsHead;
+    int rc = 0;
+
+    for (; item; item = item->next) {
+        if (virSecurityManagerMoveImageMetadata(item->securityManager,
+                                                pid, src, dst) < 0)
+            rc = -1;
+    }
+
+    return rc;
+}
+
 static int
 virSecurityStackSetMemoryLabel(virSecurityManagerPtr mgr,
                                virDomainDefPtr vm,
@@ -785,6 +804,7 @@ virSecurityDriver virSecurityDriverStack = {
 
     .domainSetSecurityImageLabel        = virSecurityStackSetImageLabel,
     .domainRestoreSecurityImageLabel    = virSecurityStackRestoreImageLabel,
+    .domainMoveImageMetadata            = virSecurityStackMoveImageMetadata,
 
     .domainSetSecurityMemoryLabel       = virSecurityStackSetMemoryLabel,
     .domainRestoreSecurityMemoryLabel   = virSecurityStackRestoreMemoryLabel,
-- 
2.21.0

More information about the libvir-list mailing list