When use qemuProcessAttach to attach a qemu process, cannot get a right DAC label. Add a new func to get process label via stat func. Do not remove virDomainDefGetSecurityLabelDef before try to use stat to get process DAC label, because There are some other func call virSecurityDACGetProcessLabel.

Signed-off-by: Luyao Huang <lhuang@xxxxxxxxxx>
---
 src/security/security_dac.c | 50 +++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 48 insertions(+), 2 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 85253af..2977f71 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1237,17 +1237,63 @@ virSecurityDACReserveLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 }

 static int
+virSecurityDACGetProcessLabelInternal(pid_t pid,
+ virSecurityLabelPtr seclabel)
+{
+ struct stat sb;
+ char *path = NULL;
+ char *label = NULL;
+ int ret = -1;
+
+ VIR_INFO("Getting DAC user and group on process '%d'", pid);
+
+ if (virAsprintf(&path, "/proc/%d", (int) pid) < 0)
+ goto cleanup;
+
+ if (stat(path, &sb) < 0)
+ goto cleanup;
+
+ if (virAsprintf(&label, "+%u:+%u",
+ (unsigned int) sb.st_uid,
+ (unsigned int) sb.st_gid) < 0)
+ goto cleanup;
+
+ if (virStrcpy(seclabel->label, label,VIR_SECURITY_LABEL_BUFLEN) == NULL)
+ goto cleanup;
+ ret = 0;
+
+cleanup:
+ VIR_FREE(path);
+ VIR_FREE(label);
+ return ret;
+}
+
+static int
 virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 virDomainDefPtr def,
- pid_t pid ATTRIBUTE_UNUSED,
+ pid_t pid,
 virSecurityLabelPtr seclabel)
 {
 virSecurityLabelDefPtr secdef =
 virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);

- if (!secdef || !seclabel)
+ if (!seclabel)
 return -1;

+ if (secdef == NULL) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("missing label for DAC security "
+ "driver in domain %s"), def->name);
+
+ if (virSecurityDACGetProcessLabelInternal(pid, seclabel) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Cannot get process %d DAC label"),pid);
+ return -1;
+ }
+
+ return 0;
+ }
+
 if (secdef->label)
 ignore_value(virStrcpy(seclabel->label, secdef->label,
 VIR_SECURITY_LABEL_BUFLEN));
--
1.8.3.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
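Review bot: In the new `secdef == NULL` branch of virSecurityDACGetProcessLabel, the "missing label for DAC security driver" `virReportError()` runs unconditionally and the function then returns 0 when the stat fallback works, so a successful call leaves an error set for the caller. Drop that report or turn it into a debug message such as `VIR_DEBUG("no DAC label in domain %s, using owner of the process", def->name);`. In virSecurityDACGetProcessLabelInternal the `stat()` failure path discards errno; `virReportSystemError(errno, _("unable to stat %s"), path);` before the `goto cleanup` would record why the label could not be read. The label is taken from whichever process holds `pid` at the moment of the stat, so the caller presumably has to guarantee that the pid still refers to the attached qemu process; a comment on the helper should state that assumption. `pid` is also passed to `%d` in both new messages without the `(int)` cast used when building the `/proc/%d` path. The rest of virSecurityDACGetProcessLabel's body lies outside the hunk.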