Re: [PATCH v2 12/19] security: Wire up virUdevMgr

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Nov 03, 2016 at 08:19:02PM +0800, Michal Privoznik wrote:
> Whenever a security driver wants to change label of some path, it
> should let virUdevMgr module know so that it can update its
> internal database too.
> 
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
>  src/libvirt_private.syms        |  2 ++
>  src/security/security_dac.c     | 36 ++++++++++++++++++++++++++++---
>  src/security/security_manager.c | 16 ++++++++++++++
>  src/security/security_manager.h |  5 +++++
>  src/security/security_selinux.c | 47 ++++++++++++++++++++++++++++++++++++++---
>  5 files changed, 100 insertions(+), 6 deletions(-)


> @@ -382,6 +408,7 @@ virSecurityDACRestoreFileLabelInternal(virSecurityManagerPtr mgr,
>                                         const char *path)
>  {
>      virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> +    virUdevMgrPtr udevMgr = virSecurityManagerGetUdevManager(mgr);
>      int rv;
>      uid_t uid = 0;  /* By default return to root:root */
>      gid_t gid = 0;
> @@ -399,6 +426,9 @@ virSecurityDACRestoreFileLabelInternal(virSecurityManagerPtr mgr,
>              return -1;
>          if (rv > 0)
>              return 0;
> +
> +        if (udevMgr)
> +            virUdevMgrRemoveAllLabels(udevMgr, path);
>      }

NB, this code path is never going to be reached for any disks that are marked
shared or readonly, since we've still not got a solution for ref counting of
shared disks. This will cause the JSON file database to grow without bound
until the host is rebooted, which is undesirable and could cause performance
issues for hosts which start/stop alot of guests with shared/readonly disks.

Fixing the shared disks problem will require us to maintain a database of
information about labelling/owership of files and devices, synchronized
across hosts. IMHO it is undesirable for us to end of maintaining the
same information in two separate places, once for udev and once for the
more general case. 

If we address the more general case first, then the majority of this series
is not required, as we would already have a suitable database of information.
We would only need the udev specific helper to query it.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]