We are currently unable to label parent directories for some paths. However, we will need to have per-domain directories that we would like to have labelled, but we can't label all of them. So let's add a boolean variable that will determine whether parent directory for such chardev should be labelled as well as that character device itself.
Signed-off-by: Martin Kletzander <mkletzan@xxxxxxxxxx>
---
src/conf/domain_conf.h | 1 +
src/security/security_dac.c | 13 ++++++++++++-
src/security/security_selinux.c | 13 ++++++++++++-
3 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index e1872bca002c..9d549a395e29 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1191,6 +1191,7 @@ struct _virDomainChrSourceDef {
 } udp;
 struct {
 char *path;
+ bool autopath;
 bool listen;
 } nix;
 int spicevmc;
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index ea34d40fac51..28e9f0091e74 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -29,6 +29,7 @@
 #endif
 #include "security_dac.h"
+#include "dirname.h"
 #include "virerror.h"
 #include "virfile.h"
 #include "viralloc.h"
@@ -744,7 +745,7 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
 virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
 virSecurityLabelDefPtr seclabel;
 virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
- char *in = NULL, *out = NULL;
+ char *in = NULL, *out = NULL, *dir = NULL;
 int ret = -1;
 uid_t user;
 gid_t group;
@@ -795,6 +796,15 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
 user, group) < 0)
 goto done;
 }
+ if (dev_source->data.nix.autopath) {
+ if (!(dir = mdir_name(dev_source->data.nix.path))) {
+ virReportOOMError();
+ goto done;
+ }
+
+ if (virSecurityDACSetOwnership(dir, user, group) < 0)
+ goto done;
+ }
 ret = 0;
 break;
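Review bot: The new `autopath` field in struct _virDomainChrSourceDef carries no comment, yet the security drivers act on it by relabelling the whole parent directory of `path` for the domain (ownership to the domain's uid/gid in the DAC driver, the image label in the SELinux driver), so setting it for a path that lives in a directory shared with other domains would extend that domain's access to its neighbours' sockets. The description says the flag is meant only for per-domain directories; that constraint belongs next to the field so callers see it: `bool autopath; /* also label the parent dir of @path; only for dirs private to this domain */`. The struct definition starts and ends outside the hunk.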
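Review bot: The new autopath block in virSecurityDACSetChardevLabel runs unconditionally after the guarded ownership call above it and hands `dev_source->data.nix.path` straight to mdir_name() without a NULL check; whether earlier code in this case already rejects a NULL path is not visible here, so it is safer to guard it in the condition, `if (dev_source->data.nix.autopath && dev_source->data.nix.path) {`. The same shape appears in virSecuritySELinuxSetSecurityChardevLabel at the @@ -1744 hunk. Neither hunk touches the restore counterparts, so the directory ownership and SELinux context set here appear not to be reverted when the domain stops; if these directories are created per domain and removed with it that may be intended, but it should be stated in the commit message or in a comment on the block. The enclosing function starts and ends outside the hunk.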
@@ -813,6 +823,7 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
 }
 done:
+ VIR_FREE(dir);
 VIR_FREE(in);
 VIR_FREE(out);
 return ret;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 7000701d0447..9f5ec05b59fb 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -33,6 +33,7 @@
 #include "security_driver.h"
 #include "security_selinux.h"
+#include "dirname.h"
 #include "virerror.h"
 #include "viralloc.h"
 #include "virlog.h"
@@ -1712,7 +1713,7 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
 virSecurityLabelDefPtr seclabel;
 virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
 char *imagelabel = NULL;
- char *in = NULL, *out = NULL;
+ char *in = NULL, *out = NULL, *dir = NULL;
 int ret = -1;
 seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
@@ -1744,6 +1745,15 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
 imagelabel) < 0)
 goto done;
 }
+ if (dev_source->data.nix.autopath) {
+ if (!(dir = mdir_name(dev_source->data.nix.path))) {
+ virReportOOMError();
+ goto done;
+ }
+
+ if (virSecuritySELinuxSetFilecon(dir, imagelabel) < 0)
+ goto done;
+ }
 ret = 0;
 break;
@@ -1769,6 +1779,7 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
 }
 done:
+ VIR_FREE(dir);
 VIR_FREE(in);
 VIR_FREE(out);
 return ret;
--
2.5.0
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list