This is a counterpart of virSecurityManagerDomainSetDirLabel. We should restore the security labels on the directories where we've changed them.
Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
 src/libvirt_private.syms | 1 +
 src/security/security_dac.c | 18 ++++++++++++++++++
 src/security/security_driver.h | 5 ++++-
 src/security/security_manager.c | 16 ++++++++++++++++
 src/security/security_manager.h | 3 +++
 src/security/security_selinux.c | 16 ++++++++++++++++
 src/security/security_stack.c | 20 ++++++++++++++++++++
 7 files changed, 78 insertions(+), 1 deletion(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 72dda41..0e03c6c 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1030,6 +1030,7 @@ virSecurityDriverLookup;
 # security/security_manager.h
 virSecurityManagerCheckAllLabel;
 virSecurityManagerClearSocketLabel;
+virSecurityManagerDomainRestoreDirLabel;
 virSecurityManagerDomainSetDirLabel;
 virSecurityManagerGenLabel;
 virSecurityManagerGetBaseLabel;
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 59b16ef..043866e 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1578,6 +1578,23 @@ virSecurityDACDomainSetDirLabel(virSecurityManagerPtr mgr,
 return virSecurityDACSetOwnership(priv, NULL, path, user, group);
 }
 
+static int
+virSecurityDACDomainRestoreDirLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ const char *path)
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityLabelDefPtr seclabel;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+
+ if (!seclabel && !seclabel->relabel)
+ return 0;
+
+ return virSecurityDACRestoreSecurityFileLabel(priv, path);
+}
+
+
 virSecurityDriver virSecurityDriverDAC = {
 .privateDataLen = sizeof(virSecurityDACData),
 .name = SECURITY_DAC_NAME,
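Review bot: The guard in virSecurityDACDomainRestoreDirLabel dereferences seclabel exactly when it is NULL: in `if (!seclabel && !seclabel->relabel)` the second operand is only evaluated after `!seclabel` is true, so a domain with no DAC seclabel crashes instead of being skipped. The condition should be `if (!seclabel || !seclabel->relabel) return 0;`, which is what the SELinux counterpart later in this series uses. The same short-circuit also means that for a non-NULL seclabel the relabel flag is never consulted, so a domain configured with relabel='no' still has its directory ownership restored.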
@@ -1627,4 +1644,5 @@ virSecurityDriver virSecurityDriverDAC = {
 .getBaseLabel = virSecurityDACGetBaseLabel,
 
 .domainSetDirLabel = virSecurityDACDomainSetDirLabel,
+ .domainRestoreDirLabel = virSecurityDACDomainRestoreDirLabel,
 };
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 784b0de..2503831 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -121,7 +121,9 @@ typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
 typedef int (*virSecurityDomainSetDirLabel) (virSecurityManagerPtr mgr,
 virDomainDefPtr def,
 const char *path);
-
+typedef int (*virSecurityDomainRestoreDirLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ const char *path);
 
 struct _virSecurityDriver {
 size_t privateDataLen;
@@ -173,6 +175,7 @@ struct _virSecurityDriver {
 virSecurityDriverGetBaseLabel getBaseLabel;
 
 virSecurityDomainSetDirLabel domainSetDirLabel;
+ virSecurityDomainRestoreDirLabel domainRestoreDirLabel;
 };
 
 virSecurityDriverPtr virSecurityDriverLookup(const char *name,
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index e41e761..a5308ac 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -1003,3 +1003,19 @@ virSecurityManagerDomainSetDirLabel(virSecurityManagerPtr mgr,
 
 return 0;
 }
+
+int
+virSecurityManagerDomainRestoreDirLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ const char *path)
+{
+ if (mgr->drv->domainRestoreDirLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainRestoreDirLabel(mgr, vm, path);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ return 0;
+}
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 96f7053..bfec4fa 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -165,5 +165,8 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
 int virSecurityManagerDomainSetDirLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr vm,
 const char *path);
+int virSecurityManagerDomainRestoreDirLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ const char *path);
 
 #endif /* VIR_SECURITY_MANAGER_H__ */
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index c2464c2..3d04123 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2550,6 +2550,21 @@ virSecuritySELinuxDomainSetDirLabel(virSecurityManagerPtr mgr,
 return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel);
 }
 
+static int
+virSecuritySELinuxDomainRestoreDirLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ const char *path)
+{
+ virSecurityLabelDefPtr seclabel;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (!seclabel || !seclabel->relabel)
+ return 0;
+
+ return virSecuritySELinuxRestoreSecurityFileLabel(mgr, path);
+}
+
+
 virSecurityDriver virSecurityDriverSELinux = {
 .privateDataLen = sizeof(virSecuritySELinuxData),
 .name = SECURITY_SELINUX_NAME,
@@ -2596,4 +2611,5 @@ virSecurityDriver virSecurityDriverSELinux = {
 .getBaseLabel = virSecuritySELinuxGetBaseLabel,
 
 .domainSetDirLabel = virSecuritySELinuxDomainSetDirLabel,
+ .domainRestoreDirLabel = virSecuritySELinuxDomainRestoreDirLabel,
 };
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 8d9560d..5c9d27f 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -617,6 +617,25 @@ virSecurityStackDomainSetDirLabel(virSecurityManagerPtr mgr,
 return rc;
 }
 
+static int
+virSecurityStackDomainRestoreDirLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ const char *path)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+ int rc = 0;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerDomainRestoreDirLabel(item->securityManager,
+ vm, path) < 0)
+ rc = -1;
+ }
+
+ return rc;
+}
+
+
 virSecurityDriver virSecurityDriverStack = {
 .privateDataLen = sizeof(virSecurityStackData),
 .name = "stack",
@@ -668,4 +687,5 @@ virSecurityDriver virSecurityDriverStack = {
 .getBaseLabel = virSecurityStackGetBaseLabel,
 
 .domainSetDirLabel = virSecurityStackDomainSetDirLabel,
+ .domainRestoreDirLabel = virSecurityStackDomainRestoreDirLabel,
 };
--
2.4.9

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
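Review bot: The for loop in virSecurityStackDomainRestoreDirLabel keeps iterating after a nested manager fails and only folds the failure into rc; that is a sensible choice for a restore path, but nothing in the hunk says it is deliberate, and a reader may read it as a missing break. I'd put a comment above the loop: `/* Try every nested manager even if one fails, so the others still get their label restored; report the failure once via rc. */`. If several nested managers fail, only the -1 survives and the caller cannot tell which one it was, which is worth stating in that comment as well.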