On 11/08/2016 01:26 PM, Eric Farman wrote:
> Signed-off-by: Eric Farman <farman@xxxxxxxxxxxxxxxxxx>
> ---
> src/security/security_apparmor.c | 18 ++++++++++++++++-
> src/security/security_dac.c | 42 ++++++++++++++++++++++++++++++++++++++--
> src/security/security_selinux.c | 39 +++++++++++++++++++++++++++++++++++--
> 3 files changed, 94 insertions(+), 5 deletions(-)
>
Beyond the "Host" to "SCSIHost" changes - these do seem fine to me - whether we should combine them in the final push w/ the domain changes is not clear right now (it's been a long week of reviews)... With a more final set of patches I'll know better. And of course at this point all new subsys type should have code associated with it (or a reason why not) - I didn't go back and look. John
> diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
> index e7e3c8c..d7bc7d1 100644
> --- a/src/security/security_apparmor.c
> +++ b/src/security/security_apparmor.c
> @@ -44,6 +44,7 @@
> #include "viruuid.h"
> #include "virpci.h"
> #include "virusb.h"
> +#include "virhost.h"
> #include "virfile.h"
> #include "configmake.h"
> #include "vircommand.h"
> @@ -357,6 +358,13 @@ AppArmorSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
> return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
> }
>
> +static int
> +AppArmorSetSecurityHostLabel(virHostDevicePtr dev ATTRIBUTE_UNUSED,
> + const char *file, void *opaque)
> +{
> + return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
> +}
> +
> /* Called on libvirtd startup to see if AppArmor is available */
> static int
> AppArmorSecurityManagerProbe(const char *virtDriver ATTRIBUTE_UNUSED)
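Review bot: `AppArmorSetSecurityHostLabel` (hunk `@@ -357,6 +358,13 @@`) has no comment explaining why `dev` is ignored, and the same holds for `virSecurityDACSetHostLabel` and `virSecuritySELinuxSetHostLabel` added in the other two files. A one-line header such as `/* virHostDeviceFileIterate callback: label 'file' using the context in 'opaque'; the device handle is not needed */` would state that access is granted purely by path. That is worth writing down because the paths the iterator yields are exactly what the guest's confinement gets widened to.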
> @@ -831,6 +839,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
> virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
> virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
> virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
> + virDomainHostdevSubsysHostPtr hostsrc = &dev->source.subsys.u.host;
>
> if (!secdef)
> return -1;
> @@ -910,7 +919,14 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
> }
>
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_HOST: {
> - /* Fall through for now */
> + virHostDevicePtr host = virHostDeviceNew(hostsrc->wwpn);
> +
> + if (!host)
> + goto done;
> +
> + ret = virHostDeviceFileIterate(host, AppArmorSetSecurityHostLabel, ptr);
> + virHostDeviceFree(host);
> + break;
> }
>
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index eba2a87..accb965 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -36,6 +36,7 @@
> #include "virpci.h"
> #include "virusb.h"
> #include "virscsi.h"
> +#include "virhost.h"
> #include "virstoragefile.h"
> #include "virstring.h"
> #include "virutil.h"
> @@ -582,6 +583,15 @@ virSecurityDACSetSCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
>
>
> static int
> +virSecurityDACSetHostLabel(virHostDevicePtr dev ATTRIBUTE_UNUSED,
> + const char *file,
> + void *opaque)
> +{
> + return virSecurityDACSetHostdevLabelHelper(file, opaque);
> +}
> +
> +
> +static int
> virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr,
> virDomainDefPtr def,
> virDomainHostdevDefPtr dev,
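Review bot: In the `VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_HOST` case (hunk `@@ -910,7 +919,14 @@`), `hostsrc->wwpn` is handed straight to `virHostDeviceNew()`, and the object it returns decides which files are labelled for the guest; nothing in the hunk shows the value being checked. If `virHostDeviceNew()` derives a path from the WWPN, either it or the XML parser should reject NULL and anything that is not a well-formed WWPN, and a comment here such as `/* hostsrc->wwpn is validated when the domain XML is parsed */` would record which one does. The same applies to the matching case blocks in `security_dac.c` (`@@ -677,7 +688,14 @@`, `@@ -810,7 +840,15 @@`) and `security_selinux.c` (`@@ -1499,7 +1508,14 @@`, `@@ -1705,7 +1732,15 @@`). The enclosing function starts and ends outside the hunk, so an earlier check may already exist there.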
> @@ -592,6 +602,7 @@ virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr,
> virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
> virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
> virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
> + virDomainHostdevSubsysHostPtr hostsrc = &dev->source.subsys.u.host;
> int ret = -1;
>
> if (!priv->dynamicOwnership)
> @@ -677,7 +688,14 @@ virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr,
> }
>
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_HOST: {
> - /* Fall through for now */
> + virHostDevicePtr host = virHostDeviceNew(hostsrc->wwpn);
> +
> + if (!host)
> + goto done;
> +
> + ret = virHostDeviceFileIterate(host, virSecurityDACSetHostLabel, &cbdata);
> + virHostDeviceFree(host);
> + break;
> }
>
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:
> @@ -724,6 +742,17 @@ virSecurityDACRestoreSCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
>
>
> static int
> +virSecurityDACRestoreHostLabel(virHostDevicePtr dev ATTRIBUTE_UNUSED,
> + const char *file,
> + void *opaque)
> +{
> + virSecurityManagerPtr mgr = opaque;
> + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> + return virSecurityDACRestoreFileLabel(priv, file);
> +}
> +
> +
> +static int
> virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr,
> virDomainDefPtr def,
> virDomainHostdevDefPtr dev,
> @@ -735,6 +764,7 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr,
> virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
> virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
> virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
> + virDomainHostdevSubsysHostPtr hostsrc = &dev->source.subsys.u.host;
> int ret = -1;
>
> secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
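Review bot: `virSecurityDACRestoreHostLabel` (hunk `@@ -724,6 +742,17 @@`) restores the label of every iterated file unconditionally and never looks at `dev`. If any of those files is a node that other running domains also open, tearing down one domain would reset it underneath the others; whether that can happen depends on what `virHostDeviceFileIterate()` yields, which is not visible here. `virSecuritySELinuxRestoreHostLabel` in `security_selinux.c` (`@@ -1627,6 +1643,16 @@`) has the same shape, whereas the SCSI callback next to it takes `dev` without `ATTRIBUTE_UNUSED`, which suggests it consults the device before restoring. Either add an in-use check or state why none is needed, e.g. `/* path is per-domain, safe to restore unconditionally */`.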
> @@ -810,7 +840,15 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr,
> }
>
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_HOST: {
> - /* Fall through for now */
> + virHostDevicePtr host = virHostDeviceNew(hostsrc->wwpn);
> +
> + if (!host)
> + goto done;
> +
> + ret = virHostDeviceFileIterate(host, virSecurityDACRestoreHostLabel, mgr);
> + virHostDeviceFree(host);
> +
> + break;
> }
>
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index a94bba3..0831582 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -39,6 +39,7 @@
> #include "virpci.h"
> #include "virusb.h"
> #include "virscsi.h"
> +#include "virhost.h"
> #include "virstoragefile.h"
> #include "virfile.h"
> #include "virhash.h"
> @@ -1416,6 +1417,13 @@ virSecuritySELinuxSetSCSILabel(virSCSIDevicePtr dev,
> }
>
> static int
> +virSecuritySELinuxSetHostLabel(virHostDevicePtr dev ATTRIBUTE_UNUSED,
> + const char *file, void *opaque)
> +{
> + return virSecuritySELinuxSetHostdevLabelHelper(file, opaque);
> +}
> +
> +static int
> virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr mgr,
> virDomainDefPtr def,
> virDomainHostdevDefPtr dev,
> @@ -1425,6 +1433,7 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr mgr,
> virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
> virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
> virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
> + virDomainHostdevSubsysHostPtr hostsrc = &dev->source.subsys.u.host;
> virSecuritySELinuxCallbackData data = {.mgr = mgr, .def = def};
>
> int ret = -1;
> @@ -1499,7 +1508,14 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr mgr,
> }
>
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_HOST: {
> - /* Fall through for now */
> + virHostDevicePtr host = virHostDeviceNew(hostsrc->wwpn);
> +
> + if (!host)
> + goto done;
> +
> + ret = virHostDeviceFileIterate(host, virSecuritySELinuxSetHostLabel, &data);
> + virHostDeviceFree(host);
> + break;
> }
>
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:
> @@ -1627,6 +1643,16 @@ virSecuritySELinuxRestoreSCSILabel(virSCSIDevicePtr dev,
> }
>
> static int
> +virSecuritySELinuxRestoreHostLabel(virHostDevicePtr dev ATTRIBUTE_UNUSED,
> + const char *file,
> + void *opaque)
> +{
> + virSecurityManagerPtr mgr = opaque;
> +
> + return virSecuritySELinuxRestoreFileLabel(mgr, file);
> +}
> +
> +static int
> virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr,
> virDomainHostdevDefPtr dev,
> const char *vroot)
> @@ -1635,6 +1661,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr,
> virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
> virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
> virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
> + virDomainHostdevSubsysHostPtr hostsrc = &dev->source.subsys.u.host;
> int ret = -1;
>
> /* Like virSecuritySELinuxRestoreImageLabelInt() for a networked
> @@ -1705,7 +1732,15 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr,
> }
>
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_HOST: {
> - /* Fall through for now */
> + virHostDevicePtr host = virHostDeviceNew(hostsrc->wwpn);
> +
> + if (!host)
> + goto done;
> +
> + ret = virHostDeviceFileIterate(host, virSecuritySELinuxRestoreHostLabel, mgr);
> + virHostDeviceFree(host);
> +
> + break;
> }
>
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:
> -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list