Introduce a new element in shmem device element, this could help users to change the shm label to a specified label. Signed-off-by: Luyao Huang <lhuang@xxxxxxxxxx> --- docs/formatdomain.html.in | 7 ++++++ docs/schemas/domaincommon.rng | 3 +++ src/conf/domain_conf.c | 55 ++++++++++++++++++++++++++++++++++--------- src/conf/domain_conf.h | 5 ++++ 4 files changed, 59 insertions(+), 11 deletions(-) diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index d0c1741..e02c67c 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -6098,6 +6098,13 @@ qemu-kvm -net nic,model=? /dev/null vectors. The <code>ioeventd</code> attribute enables/disables (values "on"/"off", respectively) ioeventfd. </dd> + <dt><code>seclabel</code></dt> + <dd> + The optional <code>seclabel</code> to override the way that labelling + is done on the shm object path or shm server path. If this + element is not present, the <a href="#seclabel">security label is inherited + from the per-domain setting</a>. + </dd> </dl> <h4><a name="elementsMemory">Memory devices</a></h4> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 1120003..f58e8de 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -3323,6 +3323,9 @@ </optional> </element> </optional> + <zeroOrMore> + <ref name='devSeclabel'/> + </zeroOrMore> <optional> <ref name="address"/> </optional> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 73ac537..cb3d72a 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -11261,6 +11261,8 @@ virDomainNVRAMDefParseXML(xmlNodePtr node, static virDomainShmemDefPtr virDomainShmemDefParseXML(xmlNodePtr node, xmlXPathContextPtr ctxt, + virSecurityLabelDefPtr* vmSeclabels, + int nvmSeclabels, unsigned int flags) { char *tmp = NULL; 
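Review bot: The new parameter `virSecurityLabelDefPtr* vmSeclabels` in virDomainShmemDefParseXML's signature binds the `*` to the type, while every other pointer declaration this patch adds (`virSecurityDeviceLabelDefPtr *seclabels` in the new helper and in the struct) binds it to the name; make it `virSecurityLabelDefPtr *vmSeclabels,`. The parameter pair also deserves a one-line comment in the function's leading comment, e.g. `vmSeclabels/nvmSeclabels: the per-domain labels that a device <seclabel> may override or inherit from`. The body of virDomainShmemDefParseXML continues past the end of this hunk.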
@@ -11332,6 +11334,10 @@ virDomainShmemDefParseXML(xmlNodePtr node, if (virDomainDeviceInfoParseXML(node, NULL, &def->info, flags) < 0) goto cleanup; + if (virSecurityDeviceLabelDefParseXML(&def->seclabels, &def->nseclabels, + vmSeclabels, nvmSeclabels, + ctxt, flags) < 0) + goto cleanup; ret = def; def = NULL; @@ -12457,7 +12463,11 @@ virDomainDeviceDefParse(const char *xmlStr, goto error; break; case VIR_DOMAIN_DEVICE_SHMEM: - if (!(dev->data.shmem = virDomainShmemDefParseXML(node, ctxt, flags))) + if (!(dev->data.shmem = virDomainShmemDefParseXML(node, + ctxt, + def->seclabels, + def->nseclabels, + flags))) goto error; break; case VIR_DOMAIN_DEVICE_TPM: @@ -16136,7 +16146,8 @@ virDomainDefParseXML(xmlDocPtr xml, for (i = 0; i < n; i++) { virDomainShmemDefPtr shmem; ctxt->node = nodes[i]; - shmem = virDomainShmemDefParseXML(nodes[i], ctxt, flags); + shmem = virDomainShmemDefParseXML(nodes[i], ctxt, def->seclabels, + def->nseclabels, flags); if (!shmem) goto error; @@ -20308,6 +20319,8 @@ virDomainShmemDefFormat(virBufferPtr buf, virDomainShmemDefPtr def, unsigned int flags) { + size_t n; + virBufferEscapeString(buf, "<shmem name='%s'", def->name); if (!def->size && @@ -20341,6 +20354,9 @@ virDomainShmemDefFormat(virBufferPtr buf, virBufferAddLit(buf, "/>\n"); } + for (n = 0; n < def->nseclabels; n++) + virSecurityDeviceLabelDefFormat(buf, def->seclabels[n], flags); + if (virDomainDeviceInfoFormat(buf, &def->info, flags) < 0) return -1; 
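Review bot: The labels parsed into `def->seclabels` / `def->nseclabels` are never released anywhere in this diff: the `goto cleanup` on failure and the normal teardown both go through the shmem def's free routine (presumably virDomainShmemDefFree), which the patch does not touch, and the only other place the new fields appear is the struct hunk in domain_conf.h. Unless that routine is updated elsewhere in the series, every parsed `<seclabel>` leaks, which for a long-lived daemon is a real defect rather than a nit. The fix belongs in the free routine: loop over `nseclabels` calling `virSecurityDeviceLabelDefFree(def->seclabels[i]);` and then `VIR_FREE(def->seclabels);`, mirroring what the other device defs with per-device labels do. virDomainShmemDefParseXML begins and ends outside this hunk.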
@@ -23851,11 +23867,25 @@ virDomainObjListExport(virDomainObjListPtr domlist, } +static virSecurityDeviceLabelDefPtr +virDomainGetDeviceSecurityLabelDef(virSecurityDeviceLabelDefPtr *seclabels, + size_t nseclabels, + const char *model) +{ + size_t i; + + for (i = 0; i < nseclabels; i++) { + if (STREQ_NULLABLE(seclabels[i]->model, model)) + return seclabels[i]; + } + return NULL; +} + + virSecurityLabelDefPtr virDomainDefGetSecurityLabelDef(virDomainDefPtr def, const char *model) { size_t i; - virSecurityLabelDefPtr seclabel = NULL; if (def == NULL || model == NULL) return NULL; @@ -23866,24 +23896,27 @@ virDomainDefGetSecurityLabelDef(virDomainDefPtr def, const char *model) if (STREQ(def->seclabels[i]->model, model)) return def->seclabels[i]; } - - return seclabel; + return NULL; } virSecurityDeviceLabelDefPtr virDomainChrDefGetSecurityLabelDef(virDomainChrDefPtr def, const char *model) { - size_t i; + if (def == NULL) + return NULL; + + return virDomainGetDeviceSecurityLabelDef(def->seclabels, def->nseclabels, model); +} + +virSecurityDeviceLabelDefPtr +virDomainShmemDefGetSecurityLabelDef(virDomainShmemDefPtr def, const char *model) +{ if (def == NULL) return NULL; - for (i = 0; i < def->nseclabels; i++) { - if (STREQ_NULLABLE(def->seclabels[i]->model, model)) - return def->seclabels[i]; - } - return NULL; + return virDomainGetDeviceSecurityLabelDef(def->seclabels, def->nseclabels, model); } diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 0fe6b1a..1a0475e 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1608,6 +1608,8 @@ struct _virDomainShmemDef { unsigned vectors; virTristateSwitch ioeventfd; } msi; + size_t nseclabels; + virSecurityDeviceLabelDefPtr *seclabels; virDomainDeviceInfo info; }; 
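Review bot: The new static helper virDomainGetDeviceSecurityLabelDef has no comment, and its use of `STREQ_NULLABLE` gives it a non-obvious contract: a NULL `model` matches an entry whose model is also NULL, which is the behaviour carried over from the removed loop in virDomainChrDefGetSecurityLabelDef but differs from the domain-level getter right below it, which returns NULL early when `model == NULL`. A short header comment would keep the next reader from "fixing" one of the two, e.g. `/* Return the first entry of SECLABELS whose model matches MODEL (a NULL MODEL matches an unset model), or NULL if there is none. The returned pointer is owned by the array. */`. It would also be worth stating in that comment that `seclabels` may be NULL when `nseclabels` is 0, since the loop relies on that.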
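Review bot: virDomainShmemDefGetSecurityLabelDef is added as a new exported function (its prototype is added to domain_conf.h in the last hunk), but nothing in this diff adds it to the library's private symbol export list or introduces a caller, so the security drivers that would actually apply the label cannot use it yet; presumably that follows in a later patch of the series, but it should be stated in the commit message. The docs hunk already promises that the element overrides labelling of the shm object or server path, which is not true until a driver consumes these labels. A one-line comment above the function, `/* Per-device <seclabel> lookup for <shmem>; see virDomainGetDeviceSecurityLabelDef for the matching rules. */`, would also help, since the wrapper is otherwise identical to the chr variant above it.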
@@ -2943,6 +2945,9 @@ virDomainDefGetSecurityLabelDef(virDomainDefPtr def, const char *model); virSecurityDeviceLabelDefPtr virDomainChrDefGetSecurityLabelDef(virDomainChrDefPtr def, const char *model); +virSecurityDeviceLabelDefPtr +virDomainShmemDefGetSecurityLabelDef(virDomainShmemDefPtr def, const char *model); + typedef const char* (*virEventActionToStringFunc)(int type); typedef int (*virEventActionFromStringFunc)(const char *type); -- 1.8.3.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list