On 02/27/2017 08:19 AM, Michal Privoznik wrote:
> When domain is being started up, we ought to relabel the host
> side of NVDIMM so qemu has access to it.
>
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
> src/security/security_dac.c | 73 +++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 73 insertions(+)
>
Why are the security patches not earlier? Before the command line is created?
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 67219170c..b8601faa5 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -1386,6 +1386,30 @@ virSecurityDACRestoreInputLabel(virSecurityManagerPtr mgr,
> }
>
>
> +static int
> +virSecurityDACRestoreMemoryLabel(virSecurityManagerPtr mgr,
> + virDomainDefPtr def ATTRIBUTE_UNUSED,
> + virDomainMemoryDefPtr mem)
> +{
> + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> + int ret = -1;
> +
> + switch ((virDomainMemoryModel) mem->model) {
> + case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
> + ret = virSecurityDACRestoreFileLabel(priv, mem->path);
> + break;
> +
> + case VIR_DOMAIN_MEMORY_MODEL_DIMM:
> + case VIR_DOMAIN_MEMORY_MODEL_LAST:
> + case VIR_DOMAIN_MEMORY_MODEL_NONE:
> + ret = 0;
> + break;
> + }
> +
> + return ret;
> +}
> +
> +
> static int
> virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
> virDomainDefPtr def,
> @@ -1425,6 +1449,13 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
> rc = -1;
> }
>
> + for (i = 0; i < def->nmems; i++) {
> + if (virSecurityDACRestoreMemoryLabel(mgr,
> + def,
> + def->mems[i]) < 0)
> + rc = -1;
> + }
> +
> if (virDomainChrDefForeach(def,
> false,
> virSecurityDACRestoreChardevCallback,
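Review bot: virSecurityDACRestoreMemoryLabel chowns `mem->path` back unconditionally in the NVDIMM arm, with no equivalent of the shared/read-only skip that the disk restore path in this driver applies (not visible in this hunk), so tearing down one domain can strip ownership of a backing file or pmem device that another still-running domain was given by the matching Set path. Until memory devices carry a shared/readonly notion, that should at least be stated above the call: `/* NB: unlike disks there is no shared/readonly flag here - restoring may clobber a path another running domain still uses */`. It is also worth confirming that the parser guarantees a non-NULL `path` for the NVDIMM model, since it is passed straight to virSecurityDACRestoreFileLabel without a check.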
> @@ -1457,6 +1488,41 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def,
> }
>
>
> +static int
> +virSecurityDACSetMemoryLabel(virSecurityManagerPtr mgr,
> + virDomainDefPtr def,
> + virDomainMemoryDefPtr mem)
> +
> +{
> + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> + virSecurityLabelDefPtr seclabel;
> + int ret = -1;
> + uid_t user;
> + gid_t group;
> +
> + seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
> + if (seclabel && !seclabel->relabel)
> + return 0;
If this only matters for NVDIMM, then why not put this within the case? ACK in principle... John
> +
> + switch ((virDomainMemoryModel) mem->model) {
> + case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
> + if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
> + return -1;
> +
> + ret = virSecurityDACSetOwnership(priv, NULL, mem->path, user, group);
> + break;
> +
> + case VIR_DOMAIN_MEMORY_MODEL_DIMM:
> + case VIR_DOMAIN_MEMORY_MODEL_LAST:
> + case VIR_DOMAIN_MEMORY_MODEL_NONE:
> + ret = 0;
> + break;
> + }
> +
> + return ret;
> +}
> +
> +
> static int
> virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
> virDomainDefPtr def,
> @@ -1496,6 +1562,13 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
> return -1;
> }
>
> + for (i = 0; i < def->nmems; i++) {
> + if (virSecurityDACSetMemoryLabel(mgr,
> + def,
> + def->mems[i]) < 0)
> + return -1;
> + }
> +
> if (virDomainChrDefForeach(def,
> true,
> virSecurityDACSetChardevCallback,
> -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
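Review bot: The new virSecurityDACSetMemoryLabel definition has a stray empty added line between `virDomainMemoryDefPtr mem)` and the opening `{`, which neither neighbouring definition in these hunks has; drop it so the signature reads like the rest of the file. The function also lands without a header comment, and the fact that only the NVDIMM model has a host-side path to hand over is worth stating for the next reader, e.g. `/* Hand the host path backing an NVDIMM to the domain's DAC uid/gid; other memory models have no host-side file and are a no-op. */`. The restore counterpart in the first hunk would want a matching comment.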