[libvirt] [PATCH 05/12] Introduce a stacked security driver impl for QEMU

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



* qemu/qemu_conf.h: Add securityPrimaryDriver and
  securitySecondaryDriver fields to 'struct qemud_driver'
* Makefile.am: Add new files
* qemu/qemu_security_stacked.c, qemu/qemu_security_stacked.h: A
  simple stacked security driver
---
 src/Makefile.am                  |    4 +-
 src/qemu/qemu_conf.h             |    2 +
 src/qemu/qemu_security_stacked.c |  353 ++++++++++++++++++++++++++++++++++++++
 src/qemu/qemu_security_stacked.h |   22 +++
 4 files changed, 380 insertions(+), 1 deletions(-)
 create mode 100644 src/qemu/qemu_security_stacked.c
 create mode 100644 src/qemu/qemu_security_stacked.h

diff --git a/src/Makefile.am b/src/Makefile.am
index 713cbda..0fb6dba 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -198,7 +198,9 @@ QEMU_DRIVER_SOURCES =						\
 		qemu/qemu_monitor_json.h			\
 		qemu/qemu_driver.c qemu/qemu_driver.h		\
 		qemu/qemu_bridge_filter.c 			\
-		qemu/qemu_bridge_filter.h
+		qemu/qemu_bridge_filter.h			\
+		qemu/qemu_security_stacked.h			\
+		qemu/qemu_security_stacked.c
 
 UML_DRIVER_SOURCES =						\
 		uml/uml_conf.c uml/uml_conf.h			\
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index ed2d32b..678bc6f 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -134,6 +134,8 @@ struct qemud_driver {
 
     char *securityDriverName;
     virSecurityDriverPtr securityDriver;
+    virSecurityDriverPtr securityPrimaryDriver;
+    virSecurityDriverPtr securitySecondaryDriver;
 
     char *saveImageFormat;
 
diff --git a/src/qemu/qemu_security_stacked.c b/src/qemu/qemu_security_stacked.c
new file mode 100644
index 0000000..60acb4c
--- /dev/null
+++ b/src/qemu/qemu_security_stacked.c
@@ -0,0 +1,353 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * QEMU stacked security driver
+ */
+
+#include <config.h>
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "qemu_security_stacked.h"
+
+#include "qemu_conf.h"
+#include "datatypes.h"
+#include "virterror_internal.h"
+#include "util.h"
+#include "memory.h"
+#include "logging.h"
+#include "pci.h"
+#include "hostusb.h"
+#include "storage_file.h"
+
+#define VIR_FROM_THIS VIR_FROM_QEMU
+
+
+static struct qemud_driver *driver;
+
+void qemuSecurityStackedSetDriver(struct qemud_driver *newdriver)
+{
+    driver = newdriver;
+}
+
+
+static int
+qemuSecurityStackedVerify(virConnectPtr conn,
+                          virDomainDefPtr def)
+{
+    int rc = 0;
+
+    if (driver->securitySecondaryDriver &&
+        driver->securitySecondaryDriver->domainSecurityVerify &&
+        driver->securitySecondaryDriver->domainSecurityVerify(conn, def) < 0)
+        rc = -1;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainSecurityVerify &&
+        driver->securityPrimaryDriver->domainSecurityVerify(conn, def) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
+static int
+qemuSecurityStackedGenLabel(virConnectPtr conn,
+                            virDomainObjPtr vm)
+{
+    int rc = 0;
+
+    if (driver->securitySecondaryDriver &&
+        driver->securitySecondaryDriver->domainGenSecurityLabel &&
+        driver->securitySecondaryDriver->domainGenSecurityLabel(conn, vm) < 0)
+        rc = -1;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainGenSecurityLabel &&
+        driver->securityPrimaryDriver->domainGenSecurityLabel(conn, vm) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
+static int
+qemuSecurityStackedReleaseLabel(virConnectPtr conn,
+                                virDomainObjPtr vm)
+{
+    int rc = 0;
+
+    if (driver->securitySecondaryDriver &&
+        driver->securitySecondaryDriver->domainReleaseSecurityLabel &&
+        driver->securitySecondaryDriver->domainReleaseSecurityLabel(conn, vm) < 0)
+        rc = -1;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainReleaseSecurityLabel &&
+        driver->securityPrimaryDriver->domainReleaseSecurityLabel(conn, vm) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
+static int
+qemuSecurityStackedReserveLabel(virConnectPtr conn,
+                                virDomainObjPtr vm)
+{
+    int rc = 0;
+
+    if (driver->securitySecondaryDriver &&
+        driver->securitySecondaryDriver->domainReserveSecurityLabel &&
+        driver->securitySecondaryDriver->domainReserveSecurityLabel(conn, vm) < 0)
+        rc = -1;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainReserveSecurityLabel &&
+        driver->securityPrimaryDriver->domainReserveSecurityLabel(conn, vm) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
+static int
+qemuSecurityStackedSetSecurityImageLabel(virConnectPtr conn,
+                                         virDomainObjPtr vm,
+                                         virDomainDiskDefPtr disk)
+{
+    int rc = 0;
+
+    if (driver->securitySecondaryDriver &&
+        driver->securitySecondaryDriver->domainSetSecurityImageLabel &&
+        driver->securitySecondaryDriver->domainSetSecurityImageLabel(conn, vm, disk) < 0)
+        rc = -1;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainSetSecurityImageLabel &&
+        driver->securityPrimaryDriver->domainSetSecurityImageLabel(conn, vm, disk) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
+static int
+qemuSecurityStackedRestoreSecurityImageLabel(virConnectPtr conn,
+                                             virDomainObjPtr vm,
+                                             virDomainDiskDefPtr disk)
+{
+    int rc = 0;
+
+    if (driver->securitySecondaryDriver &&
+        driver->securitySecondaryDriver->domainRestoreSecurityImageLabel &&
+        driver->securitySecondaryDriver->domainRestoreSecurityImageLabel(conn, vm, disk) < 0)
+        rc = -1;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainRestoreSecurityImageLabel &&
+        driver->securityPrimaryDriver->domainRestoreSecurityImageLabel(conn, vm, disk) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
+static int
+qemuSecurityStackedSetSecurityHostdevLabel(virConnectPtr conn,
+                                           virDomainObjPtr vm,
+                                           virDomainHostdevDefPtr dev)
+
+{
+    int rc = 0;
+
+    if (driver->securitySecondaryDriver &&
+        driver->securitySecondaryDriver->domainSetSecurityHostdevLabel &&
+        driver->securitySecondaryDriver->domainSetSecurityHostdevLabel(conn, vm, dev) < 0)
+        rc = -1;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainSetSecurityHostdevLabel &&
+        driver->securityPrimaryDriver->domainSetSecurityHostdevLabel(conn, vm, dev) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
+static int
+qemuSecurityStackedRestoreSecurityHostdevLabel(virConnectPtr conn,
+                                               virDomainObjPtr vm,
+                                               virDomainHostdevDefPtr dev)
+
+{
+    int rc = 0;
+
+    if (driver->securitySecondaryDriver &&
+        driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel &&
+        driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel(conn, vm, dev) < 0)
+        rc = -1;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel &&
+        driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel(conn, vm, dev) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
+static int
+qemuSecurityStackedSetSecurityAllLabel(virConnectPtr conn,
+                                       virDomainObjPtr vm)
+{
+    int rc = 0;
+
+    if (driver->securitySecondaryDriver &&
+        driver->securitySecondaryDriver->domainSetSecurityAllLabel &&
+        driver->securitySecondaryDriver->domainSetSecurityAllLabel(conn, vm) < 0)
+        rc = -1;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainSetSecurityAllLabel &&
+        driver->securityPrimaryDriver->domainSetSecurityAllLabel(conn, vm) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
+static int
+qemuSecurityStackedRestoreSecurityAllLabel(virConnectPtr conn,
+                                           virDomainObjPtr vm)
+{
+    int rc = 0;
+
+    if (driver->securitySecondaryDriver &&
+        driver->securitySecondaryDriver->domainRestoreSecurityAllLabel &&
+        driver->securitySecondaryDriver->domainRestoreSecurityAllLabel(conn, vm) < 0)
+        rc = -1;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainRestoreSecurityAllLabel &&
+        driver->securityPrimaryDriver->domainRestoreSecurityAllLabel(conn, vm) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
+static int
+qemuSecurityStackedSetSavedStateLabel(virConnectPtr conn,
+                                      virDomainObjPtr vm,
+                                      const char *savefile)
+{
+    int rc = 0;
+
+    if (driver->securitySecondaryDriver &&
+        driver->securitySecondaryDriver->domainSetSavedStateLabel &&
+        driver->securitySecondaryDriver->domainSetSavedStateLabel(conn, vm, savefile) < 0)
+        rc = -1;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainSetSavedStateLabel &&
+        driver->securityPrimaryDriver->domainSetSavedStateLabel(conn, vm, savefile) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
+static int
+qemuSecurityStackedRestoreSavedStateLabel(virConnectPtr conn,
+                                          virDomainObjPtr vm,
+                                          const char *savefile)
+{
+    int rc = 0;
+
+    if (driver->securitySecondaryDriver &&
+        driver->securitySecondaryDriver->domainRestoreSavedStateLabel &&
+        driver->securitySecondaryDriver->domainRestoreSavedStateLabel(conn, vm, savefile) < 0)
+        rc = -1;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainRestoreSavedStateLabel &&
+        driver->securityPrimaryDriver->domainRestoreSavedStateLabel(conn, vm, savefile) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
+static int
+qemuSecurityStackedSetProcessLabel(virConnectPtr conn,
+                                   virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
+                                   virDomainObjPtr vm)
+{
+    int rc = 0;
+
+    if (driver->securitySecondaryDriver &&
+        driver->securitySecondaryDriver->domainSetSecurityProcessLabel &&
+        driver->securitySecondaryDriver->domainSetSecurityProcessLabel(conn,
+                                                                       driver->securitySecondaryDriver,
+                                                                       vm) < 0)
+        rc = -1;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainSetSecurityProcessLabel &&
+        driver->securityPrimaryDriver->domainSetSecurityProcessLabel(conn,
+                                                                     driver->securityPrimaryDriver,
+                                                                     vm) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+static int
+qemuSecurityStackedGetProcessLabel(virConnectPtr conn,
+                                   virDomainObjPtr vm,
+                                   virSecurityLabelPtr seclabel)
+{
+    int rc = 0;
+
+    if (driver->securityPrimaryDriver &&
+        driver->securityPrimaryDriver->domainGetSecurityProcessLabel &&
+        driver->securityPrimaryDriver->domainGetSecurityProcessLabel(conn,
+                                                                     vm,
+                                                                     seclabel) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+virSecurityDriver qemuStackedSecurityDriver = {
+    .name                       = "qemuStacked",
+    .domainSecurityVerify = qemuSecurityStackedVerify,
+
+    .domainGenSecurityLabel = qemuSecurityStackedGenLabel,
+    .domainReleaseSecurityLabel = qemuSecurityStackedReleaseLabel,
+    .domainReserveSecurityLabel = qemuSecurityStackedReserveLabel,
+
+    .domainGetSecurityProcessLabel = qemuSecurityStackedGetProcessLabel,
+    .domainSetSecurityProcessLabel = qemuSecurityStackedSetProcessLabel,
+
+    .domainSetSecurityImageLabel = qemuSecurityStackedSetSecurityImageLabel,
+    .domainRestoreSecurityImageLabel = qemuSecurityStackedRestoreSecurityImageLabel,
+
+    .domainSetSecurityAllLabel     = qemuSecurityStackedSetSecurityAllLabel,
+    .domainRestoreSecurityAllLabel = qemuSecurityStackedRestoreSecurityAllLabel,
+
+    .domainSetSecurityHostdevLabel = qemuSecurityStackedSetSecurityHostdevLabel,
+    .domainRestoreSecurityHostdevLabel = qemuSecurityStackedRestoreSecurityHostdevLabel,
+
+    .domainSetSavedStateLabel = qemuSecurityStackedSetSavedStateLabel,
+    .domainRestoreSavedStateLabel = qemuSecurityStackedRestoreSavedStateLabel,
+};
diff --git a/src/qemu/qemu_security_stacked.h b/src/qemu/qemu_security_stacked.h
new file mode 100644
index 0000000..d67a5f1
--- /dev/null
+++ b/src/qemu/qemu_security_stacked.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2010 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * QEMU stacked security driver
+ */
+
+#include "security/security_driver.h"
+#include "qemu_conf.h"
+
+#ifndef __QEMU_SECURITY_STACKED
+#define __QEMU_SECURITY_STACKED
+
+extern virSecurityDriver qemuStackedSecurityDriver;
+
+void qemuSecurityStackedSetDriver(struct qemud_driver *driver);
+
+#endif /* __QEMU_SECURITY_DAC */
-- 
1.6.5.2

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]