Re: [PATCH v2 08/14] security_dac: Label host side of NVDIMM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 02/27/2017 08:19 AM, Michal Privoznik wrote:
> When domain is being started up, we ought to relabel the host
> side of NVDIMM so qemu has access to it.
> 
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
>  src/security/security_dac.c | 73 +++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 73 insertions(+)
> 

Why are the security patches not earlier? Before the command line is
created?


> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 67219170c..b8601faa5 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -1386,6 +1386,30 @@ virSecurityDACRestoreInputLabel(virSecurityManagerPtr mgr,
>  }
>  
>  
> +static int
> +virSecurityDACRestoreMemoryLabel(virSecurityManagerPtr mgr,
> +                                 virDomainDefPtr def ATTRIBUTE_UNUSED,
> +                                 virDomainMemoryDefPtr mem)
> +{
> +    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> +    int ret = -1;
> +
> +    switch ((virDomainMemoryModel) mem->model) {
> +    case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
> +        ret = virSecurityDACRestoreFileLabel(priv, mem->path);
> +        break;
> +
> +    case VIR_DOMAIN_MEMORY_MODEL_DIMM:
> +    case VIR_DOMAIN_MEMORY_MODEL_LAST:
> +    case VIR_DOMAIN_MEMORY_MODEL_NONE:
> +        ret = 0;
> +        break;
> +    }
> +
> +    return ret;
> +}
> +
> +
>  static int
>  virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
>                                virDomainDefPtr def,
> @@ -1425,6 +1449,13 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
>              rc = -1;
>      }
>  
> +    for (i = 0; i < def->nmems; i++) {
> +        if (virSecurityDACRestoreMemoryLabel(mgr,
> +                                             def,
> +                                             def->mems[i]) < 0)
> +            rc = -1;
> +    }
> +
>      if (virDomainChrDefForeach(def,
>                                 false,
>                                 virSecurityDACRestoreChardevCallback,
> @@ -1457,6 +1488,41 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def,
>  }
>  
>  
> +static int
> +virSecurityDACSetMemoryLabel(virSecurityManagerPtr mgr,
> +                             virDomainDefPtr def,
> +                             virDomainMemoryDefPtr mem)
> +
> +{
> +    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> +    virSecurityLabelDefPtr seclabel;
> +    int ret = -1;
> +    uid_t user;
> +    gid_t group;
> +
> +    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
> +    if (seclabel && !seclabel->relabel)
> +        return 0;

If this only matters for NVDIMM, then why not put this within the case?

ACK in principle...

John

> +
> +    switch ((virDomainMemoryModel) mem->model) {
> +    case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
> +        if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
> +            return -1;
> +
> +        ret = virSecurityDACSetOwnership(priv, NULL, mem->path, user, group);
> +        break;
> +
> +    case VIR_DOMAIN_MEMORY_MODEL_DIMM:
> +    case VIR_DOMAIN_MEMORY_MODEL_LAST:
> +    case VIR_DOMAIN_MEMORY_MODEL_NONE:
> +        ret = 0;
> +        break;
> +    }
> +
> +    return ret;
> +}
> +
> +
>  static int
>  virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
>                            virDomainDefPtr def,
> @@ -1496,6 +1562,13 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
>              return -1;
>      }
>  
> +    for (i = 0; i < def->nmems; i++) {
> +        if (virSecurityDACSetMemoryLabel(mgr,
> +                                         def,
> +                                         def->mems[i]) < 0)
> +            return -1;
> +    }
> +
>      if (virDomainChrDefForeach(def,
>                                 true,
>                                 virSecurityDACSetChardevCallback,
> 

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux