[PATCH 07/10] conf: Separate seclabel validation from parsing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Rather than checking that the security label is legal when parsing it
move the code into a separate function.

Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
---
 src/conf/domain_conf.c | 68 ++++++++++++++++++++++++++++++++------------------
 1 file changed, 44 insertions(+), 24 deletions(-)

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 8cd41edb5e..6c2a2f3a75 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -8214,8 +8214,7 @@ virSecurityLabelDefsParseXML(virDomainDefPtr def,
 static int
 virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
                                   size_t *nseclabels_rtn,
-                                  virSecurityLabelDefPtr *vmSeclabels,
-                                  int nvmSeclabels, xmlXPathContextPtr ctxt,
+                                  xmlXPathContextPtr ctxt,
                                   unsigned int flags)
 {
     virSecurityDeviceLabelDefPtr *seclabels = NULL;
@@ -8223,7 +8222,6 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
     int n;
     size_t i, j;
     xmlNodePtr *list = NULL;
-    virSecurityLabelDefPtr vmDef = NULL;
     char *model, *relabel, *label, *labelskip;

     if ((n = virXPathNodeSet("./seclabel", ctxt, &list)) < 0)
@@ -8243,14 +8241,6 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
         /* get model associated to this override */
         model = virXMLPropString(list[i], "model");
         if (model) {
-            /* find the security label that it's being overridden */
-            for (j = 0; j < nvmSeclabels; j++) {
-                if (STREQ(vmSeclabels[j]->model, model)) {
-                    vmDef = vmSeclabels[j];
-                    break;
-                }
-            }
-
             /* check for duplicate seclabels */
             for (j = 0; j < i; j++) {
                 if (STREQ_NULLABLE(model, seclabels[j]->model)) {
@@ -8262,14 +8252,6 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
             seclabels[i]->model = model;
         }

-        /* Can't use overrides if top-level doesn't allow relabeling.  */
-        if (vmDef && !vmDef->relabel) {
-            virReportError(VIR_ERR_XML_ERROR, "%s",
-                           _("label overrides require relabeling to be "
-                             "enabled at the domain level"));
-            goto error;
-        }
-
         relabel = virXMLPropString(list[i], "relabel");
         if (relabel != NULL) {
             if (STREQ(relabel, "yes")) {
@@ -8324,6 +8306,37 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr **seclabels_rtn,
 }


+static int
+virSecurityDeviceLabelDefValidateXML(virSecurityDeviceLabelDefPtr *seclabels,
+                                     size_t nseclabels,
+                                     virSecurityLabelDefPtr *vmSeclabels,
+                                     size_t nvmSeclabels)
+{
+    virSecurityDeviceLabelDefPtr seclabel;
+    size_t i;
+    size_t j;
+
+    for (i = 0; i < nseclabels; i++) {
+        seclabel = seclabels[i];
+
+        /* find the security label that it's being overridden */
+        for (j = 0; j < nvmSeclabels; j++) {
+            if (STRNEQ_NULLABLE(vmSeclabels[j]->model, seclabel->model))
+                continue;
+
+            if (!vmSeclabels[j]->relabel) {
+                virReportError(VIR_ERR_XML_ERROR, "%s",
+                               _("label overrides require relabeling to be "
+                                 "enabled at the domain level"));
+                return -1;
+            }
+        }
+    }
+
+    return 0;
+}
+
+
 /* Parse the XML definition for a lease
  */
 static virDomainLeaseDefPtr
@@ -9453,11 +9466,16 @@ virDomainDiskDefParseXML(virDomainXMLOptionPtr xmlopt,
         ctxt->node = sourceNode;
         if (virSecurityDeviceLabelDefParseXML(&def->src->seclabels,
                                               &def->src->nseclabels,
-                                              vmSeclabels,
-                                              nvmSeclabels,
                                               ctxt,
                                               flags) < 0)
             goto error;
+
+        if (virSecurityDeviceLabelDefValidateXML(def->src->seclabels,
+                                                 def->src->nseclabels,
+                                                 vmSeclabels,
+                                                 nvmSeclabels) < 0)
+            goto error;
+
         ctxt->node = saved_node;
     }

@@ -12133,10 +12151,12 @@ virDomainChrSourceDefParseXML(virDomainChrSourceDefPtr def,
                 ctxt->node = cur;
                 if (virSecurityDeviceLabelDefParseXML(&def->seclabels,
                                                       &def->nseclabels,
-                                                      vmSeclabels,
-                                                      nvmSeclabels,
                                                       ctxt,
-                                                      flags) < 0) {
+                                                      flags) < 0 ||
+                    virSecurityDeviceLabelDefValidateXML(def->seclabels,
+                                                         def->nseclabels,
+                                                         vmSeclabels,
+                                                         nvmSeclabels) < 0) {
                     ctxt->node = saved_node;
                     goto error;
                 }
-- 
2.16.2

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux