Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx> --- src/security/security_apparmor.c | 18 ++++++++++++++++- src/security/security_dac.c | 42 ++++++++++++++++++++++++++++++++++++++-- src/security/security_selinux.c | 39 +++++++++++++++++++++++++++++++++++-- 3 files changed, 94 insertions(+), 5 deletions(-) diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index e7e3c8c..d7bc7d1 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -44,6 +44,7 @@ #include "viruuid.h" #include "virpci.h" #include "virusb.h" +#include "virhost.h" #include "virfile.h" #include "configmake.h" #include "vircommand.h" @@ -357,6 +358,13 @@ AppArmorSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED, return AppArmorSetSecurityHostdevLabelHelper(file, opaque); } +static int +AppArmorSetSecurityHostLabel(virHostDevicePtr dev ATTRIBUTE_UNUSED, + const char *file, void *opaque) +{ + return AppArmorSetSecurityHostdevLabelHelper(file, opaque); +} + /* Called on libvirtd startup to see if AppArmor is available */ static int AppArmorSecurityManagerProbe(const char *virtDriver ATTRIBUTE_UNUSED) @@ -831,6 +839,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr, virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb; virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci; virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi; + virDomainHostdevSubsysHostPtr hostsrc = &dev->source.subsys.u.host; if (!secdef) return -1; @@ -910,7 +919,14 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr, } case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_HOST: { - /* Fall through for now */ + virHostDevicePtr host = virHostDeviceNew(hostsrc->wwpn); + + if (!host) + goto done; + + ret = virHostDeviceFileIterate(host, AppArmorSetSecurityHostLabel, ptr); + virHostDeviceFree(host); + break; } case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST: 
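Review bot: In the `VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_HOST` case of AppArmorSetSecurityHostdevLabel, `hostsrc->wwpn` goes straight into `virHostDeviceNew()`, and every path that `virHostDeviceFileIterate()` yields is then handed to the profile helper, with no check visible here that the string is a well-formed WWPN. virhost.h is not part of this patch, so the validation may already live in the constructor or the XML parser; if it does, a comment such as `/* wwpn is validated by virHostDeviceNew(); only fixed device paths are derived from it */` would record that, and if it does not, the constructor should reject anything but the expected WWPN form before a path is built. The same unchecked hand-off is in the HOST cases of virSecurityDACSetHostdevLabel, virSecurityDACRestoreHostdevLabel and the two SELinux HostdevSubsysLabel functions, where the outcome is an ownership change or relabel, presumably done with the daemon's privileges. The enclosing function starts and ends outside the hunk.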
diff --git a/src/security/security_dac.c b/src/security/security_dac.c index eba2a87..accb965 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -36,6 +36,7 @@ #include "virpci.h" #include "virusb.h" #include "virscsi.h" +#include "virhost.h" #include "virstoragefile.h" #include "virstring.h" #include "virutil.h" @@ -582,6 +583,15 @@ virSecurityDACSetSCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED, static int +virSecurityDACSetHostLabel(virHostDevicePtr dev ATTRIBUTE_UNUSED, + const char *file, + void *opaque) +{ + return virSecurityDACSetHostdevLabelHelper(file, opaque); +} + + +static int virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, virDomainHostdevDefPtr dev, @@ -592,6 +602,7 @@ virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr, virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb; virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci; virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi; + virDomainHostdevSubsysHostPtr hostsrc = &dev->source.subsys.u.host; int ret = -1; if (!priv->dynamicOwnership) @@ -677,7 +688,14 @@ virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr, } case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_HOST: { - /* Fall through for now */ + virHostDevicePtr host = virHostDeviceNew(hostsrc->wwpn); + + if (!host) + goto done; + + ret = virHostDeviceFileIterate(host, virSecurityDACSetHostLabel, &cbdata); + virHostDeviceFree(host); + break; } case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST: 
@@ -724,6 +742,17 @@ virSecurityDACRestoreSCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED, static int +virSecurityDACRestoreHostLabel(virHostDevicePtr dev ATTRIBUTE_UNUSED, + const char *file, + void *opaque) +{ + virSecurityManagerPtr mgr = opaque; + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); + return virSecurityDACRestoreFileLabel(priv, file); +} + + +static int virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, virDomainHostdevDefPtr dev, @@ -735,6 +764,7 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr, virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb; virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci; virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi; + virDomainHostdevSubsysHostPtr hostsrc = &dev->source.subsys.u.host; int ret = -1; secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); @@ -810,7 +840,15 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr, } case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_HOST: { - /* Fall through for now */ + virHostDevicePtr host = virHostDeviceNew(hostsrc->wwpn); + + if (!host) + goto done; + + ret = virHostDeviceFileIterate(host, virSecurityDACRestoreHostLabel, mgr); + virHostDeviceFree(host); + + break; } case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST: diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index a94bba3..0831582 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -39,6 +39,7 @@ #include "virpci.h" #include "virusb.h" #include "virscsi.h" +#include "virhost.h" #include "virstoragefile.h" #include "virfile.h" #include "virhash.h" 
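Review bot: virSecurityDACRestoreHostLabel casts `opaque` to `virSecurityManagerPtr`, while the set-side callback added earlier in this file forwards `opaque` to virSecurityDACSetHostdevLabelHelper and is invoked with `&cbdata`; nothing at either definition says which type the void pointer carries. A one-line comment above each callback, e.g. `/* opaque: virSecurityManagerPtr, as passed by virSecurityDACRestoreHostdevLabel */`, would keep a later caller from handing the wrong object through `virHostDeviceFileIterate()`. The SELinux pair added in security_selinux.c has the same split (`&data` for set, `mgr` for restore).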
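Review bot: The HOST case in virSecurityDACRestoreHostdevLabel resets ownership on every file the iterator returns as soon as one domain releases the device, and the callback ignores `dev`, so there is no place to skip a node that other running guests still depend on. Whether that matters depends on what `virHostDeviceFileIterate()` yields, which this patch does not show; if it is a node shared between guests rather than a per-device file, restoring it here would cut off the others. Please state the expectation at the call, for instance `/* files are private to this wwpn, safe to restore unconditionally */`, or add the skip if they are not. virSecuritySELinuxRestoreHostdevSubsysLabel gets the same code, and there the neighbouring SCSI callback takes `dev` without ATTRIBUTE_UNUSED, which suggests it does consult the device first. The function body extends beyond the hunk.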
@@ -1416,6 +1417,13 @@ virSecuritySELinuxSetSCSILabel(virSCSIDevicePtr dev, } static int +virSecuritySELinuxSetHostLabel(virHostDevicePtr dev ATTRIBUTE_UNUSED, + const char *file, void *opaque) +{ + return virSecuritySELinuxSetHostdevLabelHelper(file, opaque); +} + +static int virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, virDomainHostdevDefPtr dev, @@ -1425,6 +1433,7 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr mgr, virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb; virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci; virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi; + virDomainHostdevSubsysHostPtr hostsrc = &dev->source.subsys.u.host; virSecuritySELinuxCallbackData data = {.mgr = mgr, .def = def}; int ret = -1; @@ -1499,7 +1508,14 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr mgr, } case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_HOST: { - /* Fall through for now */ + virHostDevicePtr host = virHostDeviceNew(hostsrc->wwpn); + + if (!host) + goto done; + + ret = virHostDeviceFileIterate(host, virSecuritySELinuxSetHostLabel, &data); + virHostDeviceFree(host); + break; } case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST: @@ -1627,6 +1643,16 @@ virSecuritySELinuxRestoreSCSILabel(virSCSIDevicePtr dev, } static int +virSecuritySELinuxRestoreHostLabel(virHostDevicePtr dev ATTRIBUTE_UNUSED, + const char *file, + void *opaque) +{ + virSecurityManagerPtr mgr = opaque; + + return virSecuritySELinuxRestoreFileLabel(mgr, file); +} + +static int virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr, virDomainHostdevDefPtr dev, const char *vroot) 
@@ -1635,6 +1661,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr, virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb; virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci; virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi; + virDomainHostdevSubsysHostPtr hostsrc = &dev->source.subsys.u.host; int ret = -1; /* Like virSecuritySELinuxRestoreImageLabelInt() for a networked @@ -1705,7 +1732,15 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr, } case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_HOST: { - /* Fall through for now */ + virHostDevicePtr host = virHostDeviceNew(hostsrc->wwpn); + + if (!host) + goto done; + + ret = virHostDeviceFileIterate(host, virSecuritySELinuxRestoreHostLabel, mgr); + virHostDeviceFree(host); + + break; } case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST: -- 1.9.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list