[PATCH 4/6] security_dac: Implement transaction APIs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
 src/security/security_dac.c | 193 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 193 insertions(+)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index b6f75fe1d..0208c1751 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -68,6 +68,117 @@ struct _virSecurityDACCallbackData {
     virSecurityLabelDefPtr secdef;
 };
 
+typedef struct _virSecurityDACChownItem virSecurityDACChownItem;
+typedef virSecurityDACChownItem *virSecurityDACChownItemPtr;
+struct _virSecurityDACChownItem {
+    const char *path;
+    const virStorageSource *src;
+    uid_t uid;
+    gid_t gid;
+};
+
+typedef struct _virSecurityDACChownList virSecurityDACChownList;
+typedef virSecurityDACChownList *virSecurityDACChownListPtr;
+struct _virSecurityDACChownList {
+    virSecurityDACDataPtr priv;
+    virSecurityDACChownItemPtr *items;
+    size_t nItems;
+};
+
+
+virThreadLocal chownList;
+
+static int
+virSecurityDACChownListAppend(virSecurityDACChownListPtr list,
+                              const char *path,
+                              const virStorageSource *src,
+                              uid_t uid,
+                              gid_t gid)
+{
+    virSecurityDACChownItemPtr item;
+
+    if (VIR_ALLOC(item) < 0)
+        return -1;
+
+    item->path = path;
+    item->src = src;
+    item->uid = uid;
+    item->gid = gid;
+
+    if (VIR_APPEND_ELEMENT(list->items, list->nItems, item) < 0) {
+        VIR_FREE(item);
+        return -1;
+    }
+
+    return 0;
+}
+
+static void
+virSecurityDACChownListFree(void *opaque)
+{
+    virSecurityDACChownListPtr list = opaque;
+    size_t i;
+
+    if (!list)
+        return;
+
+    for (i = 0; i < list->nItems; i++)
+        VIR_FREE(list->items[i]);
+    VIR_FREE(list);
+}
+
+
+static int
+virSecurityDACTransactionAppend(const char *path,
+                                const virStorageSource *src,
+                                uid_t uid,
+                                gid_t gid)
+{
+    virSecurityDACChownListPtr list;
+    int ret = -1;
+
+    list = virThreadLocalGet(&chownList);
+    if (!list)
+        return 0;
+
+    if (virSecurityDACChownListAppend(list, path, src, uid, gid) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    return ret;
+}
+
+
+static int virSecurityDACSetOwnershipInternal(const virSecurityDACData *priv,
+                                              const virStorageSource *src,
+                                              const char *path,
+                                              uid_t uid,
+                                              gid_t gid);
+
+static int
+virSecurityDACTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
+                             void *opaque)
+{
+    virSecurityDACChownListPtr list = opaque;
+    size_t i;
+
+    ignore_value(virThreadLocalSet(&chownList, NULL));
+    for (i = 0; i < list->nItems; i++) {
+        virSecurityDACChownItemPtr item = list->items[i];
+
+        if (virSecurityDACSetOwnershipInternal(list->priv,
+                                               item->src,
+                                               item->path,
+                                               item->uid,
+                                               item->gid) < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
+
 /* returns -1 on error, 0 on success */
 int
 virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
@@ -238,6 +349,13 @@ virSecurityDACProbe(const char *virtDriver ATTRIBUTE_UNUSED)
 static int
 virSecurityDACOpen(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
 {
+    if (virThreadLocalInit(&chownList,
+                           virSecurityDACChownListFree) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("Unable to initialize thread local variable"));
+        return -1;
+    }
+
     return 0;
 }
 
@@ -278,6 +396,69 @@ virSecurityDACPreFork(virSecurityManagerPtr mgr)
     return 0;
 }
 
+static int
+virSecurityDACTransactionStart(virSecurityManagerPtr mgr)
+{
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityDACChownListPtr list;
+
+    list = virThreadLocalGet(&chownList);
+    if (list) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("Another relabel transaction is already started"));
+        return -1;
+    }
+
+    if (VIR_ALLOC(list) < 0)
+        return -1;
+
+    list->priv = priv;
+
+    if (virThreadLocalSet(&chownList, list) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("Unable to set thread local variable"));
+        VIR_FREE(list);
+        return -1;
+    }
+
+    return 0;
+}
+
+static int
+virSecurityDACTransactionCommit(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                                pid_t pid)
+{
+    virSecurityDACChownListPtr list;
+    int ret = 0;
+
+    list = virThreadLocalGet(&chownList);
+    if (!list)
+        return 0;
+
+    if (virProcessRunInMountNamespace(pid,
+                                      virSecurityDACTransactionRun,
+                                      list) < 0)
+        ret = -1;
+
+    ignore_value(virThreadLocalSet(&chownList, NULL));
+    virSecurityDACChownListFree(list);
+    return ret;
+}
+
+static void
+virSecurityDACTransactionAbort(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
+{
+    virSecurityDACChownListPtr list;
+
+    list = virThreadLocalGet(&chownList);
+    if (!list)
+        return;
+
+    ignore_value(virThreadLocalSet(&chownList, NULL));
+    virSecurityDACChownListFree(list);
+}
+
+
 static int
 virSecurityDACSetOwnershipInternal(const virSecurityDACData *priv,
                                    const virStorageSource *src,
@@ -287,6 +468,14 @@ virSecurityDACSetOwnershipInternal(const virSecurityDACData *priv,
 {
     int rc;
 
+    /* Be aware that this function might run in a separate process.
+     * Therefore, any driver state changes would be thrown away. */
+
+    if ((rc = virSecurityDACTransactionAppend(path, src, uid, gid)) < 0)
+        return -1;
+    else if (rc > 0)
+        return 0;
+
     VIR_INFO("Setting DAC user and group on '%s' to '%ld:%ld'",
              NULLSTR(src ? src->path : path), (long) uid, (long) gid);
 
@@ -1626,6 +1815,10 @@ virSecurityDriver virSecurityDriverDAC = {
 
     .preFork                            = virSecurityDACPreFork,
 
+    .transactionStart                   = virSecurityDACTransactionStart,
+    .transactionCommit                  = virSecurityDACTransactionCommit,
+    .transactionAbort                   = virSecurityDACTransactionAbort,
+
     .domainSecurityVerify               = virSecurityDACVerify,
 
     .domainSetSecurityDiskLabel         = virSecurityDACSetDiskLabel,
-- 
2.11.0

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux