Introduce a new element in shmem device element, this
could help users to change the shm label to a specified
label.
Signed-off-by: Luyao Huang <lhuang@xxxxxxxxxx>
---
docs/formatdomain.html.in | 7 ++
docs/schemas/domaincommon.rng | 3 +
src/conf/domain_conf.c | 97 +++++++++++++++-------
src/conf/domain_conf.h | 5 ++
.../qemuxml2argv-shmem-seclabel.xml | 55 ++++++++++++
tests/qemuxml2xmltest.c | 4 +
6 files changed, 141 insertions(+), 30 deletions(-)
create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-shmem-seclabel.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 5ca8ede..f2ac5fb 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6195,6 +6195,13 @@ qemu-kvm -net nic,model=? /dev/null
vectors. The <code>ioeventd</code> attribute enables/disables (values
"on"/"off", respectively) ioeventfd.
</dd>
+ <dt><code>seclabel</code></dt>
+ <dd>
+ The element may contain an optional <code>seclabel</code> to override the
+ way that labelling is done on the shm object path or shm server path. If this
+ element is not present, the <a href="#seclabel">security label is inherited
+ from the per-domain setting</a>.
+ </dd>
</dl>
<h4><a name="elementsMemory">Memory devices</a></h4>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index ccc74cc..f13f566 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -3371,6 +3371,9 @@
</optional>
</element>
</optional>
+ <zeroOrMore>
+ <ref name='devSeclabel'/>
+ </zeroOrMore>
<optional>
<ref name="address"/>
</optional>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index c5e9653..ece9f2d 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -11515,6 +11515,8 @@ virDomainNVRAMDefParseXML(xmlNodePtr node,
static virDomainShmemDefPtr
virDomainShmemDefParseXML(xmlNodePtr node,
xmlXPathContextPtr ctxt,
+ virSecurityLabelDefPtr* vmSeclabels,
+ int nvmSeclabels,
unsigned int flags)
{
char *tmp = NULL;
@@ -11586,6 +11588,10 @@ virDomainShmemDefParseXML(xmlNodePtr node,
if (virDomainDeviceInfoParseXML(node, NULL, &def->info, flags) < 0)
goto cleanup;
+ if (virSecurityDeviceLabelDefParseXML(&def->seclabels, &def->nseclabels,
+ vmSeclabels, nvmSeclabels,
+ ctxt, flags) < 0)
+ goto cleanup;
ret = def;
def = NULL;
@@ -12708,7 +12714,11 @@ virDomainDeviceDefParse(const char *xmlStr,
goto error;
break;
case VIR_DOMAIN_DEVICE_SHMEM:
- if (!(dev->data.shmem = virDomainShmemDefParseXML(node, ctxt, flags)))
+ if (!(dev->data.shmem = virDomainShmemDefParseXML(node,
+ ctxt,
+ def->seclabels,
+ def->nseclabels,
+ flags)))
goto error;
break;
case VIR_DOMAIN_DEVICE_TPM:
@@ -16383,7 +16393,8 @@ virDomainDefParseXML(xmlDocPtr xml,
for (i = 0; i < n; i++) {
virDomainShmemDefPtr shmem;
ctxt->node = nodes[i];
- shmem = virDomainShmemDefParseXML(nodes[i], ctxt, flags);
+ shmem = virDomainShmemDefParseXML(nodes[i], ctxt, def->seclabels,
+ def->nseclabels, flags);
if (!shmem)
goto error;
@@ -20594,45 +20605,52 @@ virDomainShmemDefFormat(virBufferPtr buf,
virDomainShmemDefPtr def,
unsigned int flags)
{
- virBufferEscapeString(buf, "<shmem name='%s'", def->name);
+ virBuffer childrenBuf = VIR_BUFFER_INITIALIZER;
+ int indent = virBufferGetIndent(buf, false);
+ size_t n;
- if (!def->size &&
- !def->server.enabled &&
- !def->msi.enabled &&
- !virDomainDeviceInfoNeedsFormat(&def->info, flags)) {
- virBufferAddLit(buf, "/>\n");
- return 0;
- } else {
- virBufferAddLit(buf, ">\n");
- }
+ virBufferEscapeString(buf, "<shmem name='%s'", def->name);
- virBufferAdjustIndent(buf, 2);
+ virBufferAdjustIndent(&childrenBuf, indent + 2);
if (def->size)
- virBufferAsprintf(buf, "<size unit='M'>%llu</size>\n", def->size >> 20);
+ virBufferAsprintf(&childrenBuf, "<size unit='M'>%llu</size>\n",
+ def->size >> 20);
if (def->server.enabled) {
- virBufferAddLit(buf, "<server");
- virBufferEscapeString(buf, " path='%s'", def->server.chr.data.nix.path);
- virBufferAddLit(buf, "/>\n");
+ virBufferAddLit(&childrenBuf, "<server");
+ virBufferEscapeString(&childrenBuf, " path='%s'",
+ def->server.chr.data.nix.path);
+ virBufferAddLit(&childrenBuf, "/>\n");
}
if (def->msi.enabled) {
- virBufferAddLit(buf, "<msi");
+ virBufferAddLit(&childrenBuf, "<msi");
if (def->msi.vectors)
- virBufferAsprintf(buf, " vectors='%u'", def->msi.vectors);
+ virBufferAsprintf(&childrenBuf, " vectors='%u'", def->msi.vectors);
if (def->msi.ioeventfd)
- virBufferAsprintf(buf, " ioeventfd='%s'",
+ virBufferAsprintf(&childrenBuf, " ioeventfd='%s'",
virTristateSwitchTypeToString(def->msi.ioeventfd));
- virBufferAddLit(buf, "/>\n");
+ virBufferAddLit(&childrenBuf, "/>\n");
}
- if (virDomainDeviceInfoFormat(buf, &def->info, flags) < 0)
+ for (n = 0; n < def->nseclabels; n++)
+ virSecurityDeviceLabelDefFormat(&childrenBuf, def->seclabels[n], flags);
+
+ if (virDomainDeviceInfoFormat(&childrenBuf, &def->info, flags) < 0) {
+ virBufferFreeAndReset(&childrenBuf);
return -1;
+ }
- virBufferAdjustIndent(buf, -2);
- virBufferAddLit(buf, "</shmem>\n");
+ if (virBufferUse(&childrenBuf)) {
+ virBufferAddLit(buf, ">\n");
+ virBufferAddBuffer(buf, &childrenBuf);
+ virBufferAddLit(buf, "</shmem>\n");
+ } else {
+ virBufferAddLit(buf, "/>\n");
+ }
+ virBufferFreeAndReset(&childrenBuf);
return 0;
}
@@ -24137,6 +24155,21 @@ virDomainObjListExport(virDomainObjListPtr domlist,
}
+static virSecurityDeviceLabelDefPtr
+virDomainGetDeviceSecurityLabelDef(virSecurityDeviceLabelDefPtr *seclabels,
+ size_t nseclabels,
+ const char *model)
+{
+ size_t i;
+
+ for (i = 0; i < nseclabels; i++) {
+ if (STREQ_NULLABLE(seclabels[i]->model, model))
+ return seclabels[i];
+ }
+ return NULL;
+}
+
+
virSecurityLabelDefPtr
virDomainDefGetSecurityLabelDef(virDomainDefPtr def, const char *model)
{
@@ -24160,16 +24193,20 @@ virDomainDefGetSecurityLabelDef(virDomainDefPtr def, const char *model)
virSecurityDeviceLabelDefPtr
virDomainChrDefGetSecurityLabelDef(virDomainChrDefPtr def, const char *model)
{
- size_t i;
+ if (def == NULL)
+ return NULL;
+
+ return virDomainGetDeviceSecurityLabelDef(def->seclabels, def->nseclabels, model);
+}
+
+virSecurityDeviceLabelDefPtr
+virDomainShmemDefGetSecurityLabelDef(virDomainShmemDefPtr def, const char *model)
+{
if (def == NULL)
return NULL;
- for (i = 0; i < def->nseclabels; i++) {
- if (STREQ_NULLABLE(def->seclabels[i]->model, model))
- return def->seclabels[i];
- }
- return NULL;
+ return virDomainGetDeviceSecurityLabelDef(def->seclabels, def->nseclabels, model);
}
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 961e4ed..d53c36f 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1642,6 +1642,8 @@ struct _virDomainShmemDef {
unsigned vectors;
virTristateSwitch ioeventfd;
} msi;
+ size_t nseclabels;
+ virSecurityDeviceLabelDefPtr *seclabels;
virDomainDeviceInfo info;
};
@@ -2984,6 +2986,9 @@ virDomainDefGetSecurityLabelDef(virDomainDefPtr def, const char *model);
virSecurityDeviceLabelDefPtr
virDomainChrDefGetSecurityLabelDef(virDomainChrDefPtr def, const char *model);
+virSecurityDeviceLabelDefPtr
+virDomainShmemDefGetSecurityLabelDef(virDomainShmemDefPtr def, const char *model);
+
typedef const char* (*virEventActionToStringFunc)(int type);
typedef int (*virEventActionFromStringFunc)(const char *type);
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-shmem-seclabel.xml b/tests/qemuxml2argvdata/qemuxml2argv-shmem-seclabel.xml
new file mode 100644
index 0000000..feb7404
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-shmem-seclabel.xml
@@ -0,0 +1,55 @@
+<domain type='qemu'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='i686' machine='pc'>hvm</type>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <emulator>/usr/bin/qemu</emulator>
+ <controller type='usb' index='0'/>
+ <controller type='pci' index='0' model='pci-root'/>
+ <memballoon model='none'/>
+ <shmem name='shmem0'>
+ <seclabel model='dac' relabel='no'/>
+ </shmem>
+ <shmem name='shmem1'>
+ <size unit='M'>128</size>
+ <seclabel model='dac' relabel='no'/>
+ </shmem>
+ <shmem name='shmem2'>
+ <size unit='M'>256</size>
+ <seclabel model='selinux' relabel='yes'>
+ <label>system_u:system_r:svirt_custom_t:s0:c192,c392</label>
+ </seclabel>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </shmem>
+ <shmem name='shmem3'>
+ <size unit='M'>512</size>
+ <server/>
+ <seclabel model='selinux' relabel='yes'>
+ <label>system_u:system_r:svirt_custom_t:s0:c192,c392</label>
+ </seclabel>
+ </shmem>
+ <shmem name='shmem4'>
+ <size unit='M'>1024</size>
+ <server path='/tmp/shmem4-sock'/>
+ <seclabel model='selinux' relabel='yes'>
+ <label>system_u:system_r:svirt_custom_t:s0:c192,c392</label>
+ </seclabel>
+ </shmem>
+ <shmem name='shmem5'>
+ <size unit='M'>2048</size>
+ <server path='/tmp/shmem5-sock'/>
+ <msi ioeventfd='off'/>
+ <seclabel model='dac' relabel='no'/>
+ </shmem>
+ </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index 5c1c2e9..7361db5 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -620,9 +620,13 @@ mymain(void)
DO_TEST("tap-vhost");
DO_TEST_DIFFERENT("tap-vhost-incorrect");
+
DO_TEST("shmem");
+ DO_TEST("shmem-seclabel");
+
DO_TEST("smbios");
DO_TEST("smbios-multiple-type2");
+
DO_TEST("aarch64-aavmf-virtio-mmio");
DO_TEST("memory-hotplug");
--
1.8.3.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list