Before we generate a security label (security driver with dynamic
labeling) for a domain, we first check for domain's security model
validity. We should also check devices' security model as well,
therefore it might be better to move this chunk of code in a separate function
which would check both the domain's security model and devices' security model.
This function would of course be called right before we try to generate
a security label in qemuProcessStart/qemuProcessAttach
---
src/security/security_manager.c | 20 +-------------------
1 file changed, 1 insertion(+), 19 deletions(-)
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 302f54d..000bc82 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -576,33 +576,15 @@ virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm)
{
int ret = -1;
- size_t i, j;
+ size_t i;
virSecurityManagerPtr* sec_managers = NULL;
virSecurityLabelDefPtr seclabel;
bool generated = false;
- if (mgr == NULL || mgr->drv == NULL)
- return ret;
-
if ((sec_managers = virSecurityManagerGetNested(mgr)) == NULL)
return ret;
virObjectLock(mgr);
- for (i = 0; i < vm->nseclabels; i++) {
- if (!vm->seclabels[i]->model)
- continue;
-
- for (j = 0; sec_managers[j]; j++)
- if (STREQ(vm->seclabels[i]->model, sec_managers[j]->drv->name))
- break;
-
- if (!sec_managers[j]) {
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
- _("Unable to find security driver for label %s"),
- vm->seclabels[i]->model);
- goto cleanup;
- }
- }
for (i = 0; sec_managers[i]; i++) {
generated = false;
--
1.9.3
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list