[PATCH v2 15/27] security: Relabel virtio mem

Michal Privoznik mprivozn at redhat.com
Thu Dec 3 12:36:18 UTC 2020


Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
---
 src/security/security_apparmor.c | 26 ++++++++++++--------
 src/security/security_dac.c      | 42 +++++++++++++++++---------------
 src/security/security_selinux.c  | 42 ++++++++++++++++++--------------
 src/security/virt-aa-helper.c    | 22 ++++++++++++++---
 4 files changed, 81 insertions(+), 51 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index b22ee739d8..8bf7570d4a 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -681,26 +681,32 @@ AppArmorSetMemoryLabel(virSecurityManagerPtr mgr,
                        virDomainDefPtr def,
                        virDomainMemoryDefPtr mem)
 {
-    if (mem == NULL)
-        return 0;
+    const char *path = NULL;
 
     switch (mem->model) {
     case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
-        if (!virFileExists(mem->s.nvdimm.path)) {
-            virReportError(VIR_ERR_INTERNAL_ERROR,
-                           _("%s: \'%s\' does not exist"),
-                           __func__, mem->s.nvdimm.path);
-            return -1;
-        }
-        return reload_profile(mgr, def, mem->s.nvdimm.path, true);
+        path = mem->s.nvdimm.path;
+        break;
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO:
+        path = mem->s.virtio.path;
+        break;
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
         break;
     }
 
-    return 0;
+    if (!path)
+        return 0;
+
+    if (!virFileExists(path)) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("%s: \'%s\' does not exist"),
+                       __func__, path);
+        return -1;
+    }
+
+    return reload_profile(mgr, def, path, true);
 }
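Review bot: The `if (mem == NULL) return 0;` guard is dropped, so the new `switch (mem->model)` at the top of the body dereferences `mem` unconditionally; the DAC and SELinux handlers in this series never had that guard, so this is only safe if every caller guarantees a non-NULL memory definition, which is not visible here. If that is not guaranteed, keep the guard ahead of the switch: `if (!mem) return 0;`. The same guard disappears in the virt-aa-helper hunk of this patch, where `ctl->def->mems[i] &&` used to be checked before reading `->model`. AppArmorSetMemoryLabel's signature begins before this hunk.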
 
 
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 6b681c4021..24daa41898 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1885,22 +1885,25 @@ virSecurityDACRestoreMemoryLabel(virSecurityManagerPtr mgr,
                                  virDomainDefPtr def G_GNUC_UNUSED,
                                  virDomainMemoryDefPtr mem)
 {
-    int ret = -1;
+    const char *path = NULL;
 
     switch (mem->model) {
     case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
-        ret = virSecurityDACRestoreFileLabel(mgr, mem->s.nvdimm.path);
+        path = mem->s.nvdimm.path;
         break;
-
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO:
+        path = mem->s.virtio.path;
+        break;
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
-        ret = 0;
         break;
     }
 
-    return ret;
+    if (!path)
+        return 0;
+
+    return virSecurityDACRestoreFileLabel(mgr, path);
 }
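Review bot: The restore path still never consults the domain's DAC security label — `def` is marked G_GNUC_UNUSED on the signature — while the matching set path in the next hunk returns early when `seclabel && !seclabel->relabel`, and the SELinux restore hunk in this patch checks `relabel` before restoring. With virtio-mem now routed through the same code, a domain that opted out of DAC relabeling would have the ownership of its virtio backing file reset on restore unless virSecurityDACRestoreFileLabel itself declines when nothing was recorded for the path (not visible here). If that helper does not, mirror the set side before the call: `seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); if (seclabel && !seclabel->relabel) return 0;` and drop the G_GNUC_UNUSED. This asymmetry is pre-existing for NVDIMM; the function's signature begins before this hunk.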
 
 
@@ -2057,33 +2060,34 @@ virSecurityDACSetMemoryLabel(virSecurityManagerPtr mgr,
 {
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     virSecurityLabelDefPtr seclabel;
-    int ret = -1;
+    const char *path = NULL;
     uid_t user;
     gid_t group;
 
     switch (mem->model) {
     case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
-        seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
-        if (seclabel && !seclabel->relabel)
-            return 0;
-
-        if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
-            return -1;
-
-        ret = virSecurityDACSetOwnership(mgr, NULL,
-                                         mem->s.nvdimm.path,
-                                         user, group, true);
+        path = mem->s.nvdimm.path;
         break;
-
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO:
+        path = mem->s.virtio.path;
+        break;
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
-        ret = 0;
         break;
     }
 
-    return ret;
+    if (!path)
+        return 0;
+
+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+    if (seclabel && !seclabel->relabel)
+        return 0;
+
+    if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+        return -1;
+
+    return virSecurityDACSetOwnership(mgr, NULL, path, user, group, true);
 }
 
 
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 77b69447da..c0f78f8a46 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1570,26 +1570,29 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManagerPtr mgr,
                                  virDomainMemoryDefPtr mem)
 {
     virSecurityLabelDefPtr seclabel;
+    const char *path = NULL;
 
     switch (mem->model) {
     case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
-        seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-        if (!seclabel || !seclabel->relabel)
-            return 0;
-
-        if (virSecuritySELinuxSetFilecon(mgr, mem->s.nvdimm.path,
-                                         seclabel->imagelabel, true) < 0)
-            return -1;
+        path = mem->s.nvdimm.path;
         break;
-
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO:
+        path = mem->s.virtio.path;
+        break;
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
         break;
     }
 
-    return 0;
+    if (!path)
+        return 0;
+
+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+    if (!seclabel || !seclabel->relabel)
+        return 0;
+
+    return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel, true);
 }
 
 
@@ -1598,27 +1601,30 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManagerPtr mgr,
                                      virDomainDefPtr def,
                                      virDomainMemoryDefPtr mem)
 {
-    int ret = -1;
     virSecurityLabelDefPtr seclabel;
+    const char *path = NULL;
 
     switch (mem->model) {
     case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
-        seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
-        if (!seclabel || !seclabel->relabel)
-            return 0;
-
-        ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->s.nvdimm.path, true);
+        path = mem->s.nvdimm.path;
         break;
-
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO:
+        path = mem->s.virtio.path;
+        break;
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
-        ret = 0;
         break;
     }
 
-    return ret;
+    if (!path)
+        return 0;
+
+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+    if (!seclabel || !seclabel->relabel)
+        return 0;
+
+    return virSecuritySELinuxRestoreFileLabel(mgr, path, true);
 }
 
 
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index a8a05a0a90..f895fecea4 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1168,11 +1168,25 @@ get_files(vahControl * ctl)
     }
 
     for (i = 0; i < ctl->def->nmems; i++) {
-        if (ctl->def->mems[i] &&
-                ctl->def->mems[i]->model == VIR_DOMAIN_MEMORY_MODEL_NVDIMM) {
-            if (vah_add_file(&buf, ctl->def->mems[i]->s.nvdimm.path, "rw") != 0)
-                goto cleanup;
+        virDomainMemoryDefPtr mem = ctl->def->mems[i];
+        const char *path = NULL;
+
+        switch (mem->model) {
+        case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+            path = mem->s.nvdimm.path;
+            break;
+        case VIR_DOMAIN_MEMORY_MODEL_VIRTIO:
+            path = mem->s.virtio.path;
+            break;
+        case VIR_DOMAIN_MEMORY_MODEL_NONE:
+        case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+        case VIR_DOMAIN_MEMORY_MODEL_LAST:
+            break;
         }
+
+        if (path &&
+            vah_add_file(&buf, path, "rw") != 0)
+            goto cleanup;
     }
 
     for (i = 0; i < ctl->def->nsysinfo; i++) {
-- 
2.26.2



