On 07/30/2015 05:54 PM, Daniel P. Berrange wrote:
On Thu, Jul 23, 2015 at 06:13:47PM +0800, Luyao Huang wrote:
A new api to help set/restore the shmem deivce dac/selinux label.
s/deivce/device/
Thanks, i will fix in next version
Signed-off-by: Luyao Huang <lhuang@xxxxxxxxxx>
---
src/libvirt_private.syms | 2 ++
src/security/security_dac.c | 67 +++++++++++++++++++++++++++++++++++++++
src/security/security_driver.h | 11 +++++++
src/security/security_manager.c | 38 ++++++++++++++++++++++
src/security/security_manager.h | 8 +++++
src/security/security_selinux.c | 70 +++++++++++++++++++++++++++++++++++++++++
src/security/security_stack.c | 41 ++++++++++++++++++++++++
7 files changed, 237 insertions(+)
Also need to add to the security_nop.c impl
Okay, i must missed this file at that time :)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index deb6980..f954aa5 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -39,6 +39,7 @@
#include "virstoragefile.h"
#include "virstring.h"
#include "virutil.h"
+#include "virshm.h"
#define VIR_FROM_THIS VIR_FROM_SECURITY
@@ -922,6 +923,69 @@ virSecurityDACRestoreSecurityTPMFileLabel(virSecurityManagerPtr mgr,
static int
+virSecurityDACSetShmemLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainShmemDefPtr shmem,
+ char *path)
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityLabelDefPtr seclabel;
+ virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
+ char *tmppath;
+ uid_t user;
+ gid_t group;
+
+ if (shmem->server.enabled)
+ tmppath = shmem->server.chr.data.nix.path;
+ else
+ tmppath = path;
Even when the server is enabled, QEMU still needs access to the path
doesn't it.
...
+ if (shmem->server.enabled)
+ return virSecurityDACRestoreChardevLabel(mgr, def, NULL, &shmem->server.chr);
We need to restore path, even when server is enabled
...
Same comment as earlier
...
+
+ if (shmem->server.enabled)
+ tmppath = shmem->server.chr.data.nix.path;
+ else
+ tmppath = path;
And again
Hmm...these $path are the shm path, if the shmem device is server
enabled, the used shm is created by ivshmem-server, which will depends
on ivshmem-server's label. And qemu process will connect to the socket
created by ivshmem-server, so change the label for shm created by
ivshmem-sever is useless (also we don't know the shm name created by
ivshmem-server).
However, never mind, i will do a refactor and remove the variable $path
here to make this function easy to put in
virSecuritySELinuxSetSecurityAllLabel and
virSecuritySELinuxSetSecurityAllLabel, since i noticed another reply
from you for this patch.
> +
+ if (!tmppath)
+ return 0;
+
+ if (shmem_seclabel && shmem_seclabel->label)
+ return virSecuritySELinuxSetFilecon(tmppath, shmem_seclabel->label);
+ else
+ return virSecuritySELinuxSetFilecon(tmppath, data->file_context);
+}
+
+
+static int
virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
const char *stdin_path)
Regards,
Daniel
Thanks a lot for your review and help.
Luyao
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list