Re: [PATCH v2 2/4] security: introduce virSecurityManagerCheckAllLabel function

On Tue, Feb 10, 2015 at 05:17:34PM +0100, Erik Skultety wrote:
> We do have a check for valid per-domain security model, however we still
> do permit an invalid security model for a domain's device (those which
> are specified with <source> element).
> This patch introduces a new function virSecurityManagerCheckAllLabel
> which compares user specified security model against currently
> registered security drivers. That being said, it also permits 'none'
> being specified as a device security model.
> 
> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1165485
> ---
>  src/libvirt_private.syms        |   1 +
>  src/qemu/qemu_process.c         |   6 ++

missing src/lxc/lxc_process.c

>  src/security/security_manager.c | 126 ++++++++++++++++++++++++++++++++++++++++
>  src/security/security_manager.h |   2 +
>  4 files changed, 135 insertions(+)
> 
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index 3b4ff41..1b1d891 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -953,6 +953,7 @@ virSecurityDriverLookup;
>  
>  
>  # security/security_manager.h
> +virSecurityManagerCheckAllLabel;
>  virSecurityManagerClearSocketLabel;
>  virSecurityManagerGenLabel;
>  virSecurityManagerGetBaseLabel;
> diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
> index d5df60d..66ae779 100644
> --- a/src/qemu/qemu_process.c
> +++ b/src/qemu/qemu_process.c
> @@ -4428,6 +4428,10 @@ int qemuProcessStart(virConnectPtr conn,
>                                 NULL) < 0)
>          goto cleanup;
>  
> +    VIR_DEBUG("Checking domain and device security labels");
> +    if (virSecurityManagerCheckAllLabel(driver->securityManager, vm->def) < 0)
> +        goto cleanup;
> +
>      /* If you are using a SecurityDriver with dynamic labelling,
>         then generate a security label for isolation */
>      VIR_DEBUG("Generating domain security label (if required)");
> @@ -5424,6 +5428,8 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED,
>          }
>      }
>  
> +    if (virSecurityManagerCheckAllLabel(driver->securityManager, vm->def) < 0)
> +        goto error;
>      if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0)
>          goto error;
>  
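
Review bot: in the qemuProcessAttach hunk the new virSecurityManagerCheckAllLabel call has no VIR_DEBUG line and no blank line separating it from the virSecurityManagerGenLabel call, unlike the qemuProcessStart hunk above. Add the same "Checking domain and device security labels" debug message and a blank line after the new `goto error;` so both call sites log the check consistently.
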
> diff --git a/src/security/security_manager.c b/src/security/security_manager.c
> index 000bc82..32bc9fe 100644
> --- a/src/security/security_manager.c
> +++ b/src/security/security_manager.c
> @@ -685,6 +685,132 @@ virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
>  }
>  
>  
> +static int
> +virSecurityManagerCheckSecurityDiskLabel(virDomainDefPtr def ATTRIBUTE_UNUSED,
> +                                         virDomainDiskDefPtr disk,
> +                                         void *opaque)
> +{
> +    size_t i, j;
> +    virSecurityManagerPtr mgr = opaque;
> +    virSecurityManagerPtr *sec_managers = NULL;
> +
> +    if ((sec_managers = virSecurityManagerGetNested(mgr)) == NULL)
> +        return 0;
> +
> +    for (i = 0; i < disk->src->nseclabels; i++) {


> +        if (STREQ_NULLABLE(disk->src->seclabels[i]->model, "none"))
> +            continue;
> +
> +        for (j = 0; sec_managers[j]; j++) {
> +            if (STREQ_NULLABLE(disk->src->seclabels[i]->model,
> +                               sec_managers[j]->drv->name)) {
> +                break;

If you continue; here (or return success if it's in a separate
function), the error message below can be unconditional.

> +            }
> +        }
> +        if (!sec_managers[j]) {
> +            virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
> +                           _("Unable to find security driver for model %s"),
> +                           disk->src->seclabels[i]->model);
> +            return -1;
> +        }

This hunk of code is used three times, would be better as a separate
function.

Jan
