The virConnectPtr is no longer required for error reporting since that is recorded in a thread local. Remove use of virConnectPtr from all APIs in security_driver.{h,c} and update all callers to match --- src/qemu/qemu_driver.c | 90 ++++++++++++++++------------------ src/qemu/qemu_security_dac.c | 43 +++++++---------- src/qemu/qemu_security_stacked.c | 99 ++++++++++++++++---------------------- src/security/security_apparmor.c | 69 ++++++++++++-------------- src/security/security_driver.c | 17 +++---- src/security/security_driver.h | 54 +++++++------------- src/security/security_selinux.c | 73 +++++++++++---------------- 7 files changed, 189 insertions(+), 256 deletions(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 7c5dfe4..4cc66be 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -118,8 +118,7 @@ static int qemudStartVMDaemon(virConnectPtr conn, const char *migrateFrom, int stdin_fd); -static void qemudShutdownVMDaemon(virConnectPtr conn, - struct qemud_driver *driver, +static void qemudShutdownVMDaemon(struct qemud_driver *driver, virDomainObjPtr vm); static int qemudDomainGetMaxVcpus(virDomainPtr dom); @@ -681,7 +680,7 @@ qemuHandleMonitorEOF(qemuMonitorPtr mon ATTRIBUTE_UNUSED, VIR_DOMAIN_EVENT_STOPPED_FAILED : VIR_DOMAIN_EVENT_STOPPED_SHUTDOWN); - qemudShutdownVMDaemon(NULL, driver, vm); + qemudShutdownVMDaemon(driver, vm); if (!vm->persistent) virDomainRemoveInactive(&driver->domains, vm); else @@ -865,7 +864,7 @@ qemuReconnectDomain(void *payload, const char *name ATTRIBUTE_UNUSED, void *opaq if (driver->securityDriver && driver->securityDriver->domainReserveSecurityLabel && - driver->securityDriver->domainReserveSecurityLabel(NULL, obj) < 0) + driver->securityDriver->domainReserveSecurityLabel(obj) < 0) goto error; if (obj->def->id >= driver->nextvmid) 
@@ -878,7 +877,7 @@ error: /* We can't get the monitor back, so must kill the VM * to remove danger of it ending up running twice if * user tries to start it again later */ - qemudShutdownVMDaemon(NULL, driver, obj); + qemudShutdownVMDaemon(driver, obj); if (!obj->persistent) virDomainRemoveInactive(&driver->domains, obj); else @@ -2468,7 +2467,7 @@ static int qemudSecurityHook(void *data) { if (h->driver->securityDriver && h->driver->securityDriver->domainSetSecurityProcessLabel && - h->driver->securityDriver->domainSetSecurityProcessLabel(h->conn, h->driver->securityDriver, h->vm) < 0) + h->driver->securityDriver->domainSetSecurityProcessLabel(h->driver->securityDriver, h->vm) < 0) return -1; return 0; @@ -2536,12 +2535,12 @@ static int qemudStartVMDaemon(virConnectPtr conn, then generate a security label for isolation */ if (driver->securityDriver && driver->securityDriver->domainGenSecurityLabel && - driver->securityDriver->domainGenSecurityLabel(conn, vm) < 0) + driver->securityDriver->domainGenSecurityLabel(vm) < 0) return -1; if (driver->securityDriver && driver->securityDriver->domainSetSecurityAllLabel && - driver->securityDriver->domainSetSecurityAllLabel(conn, vm) < 0) + driver->securityDriver->domainSetSecurityAllLabel(vm) < 0) goto cleanup; /* Ensure no historical cgroup for this VM is lieing around bogus settings */ @@ -2767,10 +2766,10 @@ cleanup: if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityAllLabel) - driver->securityDriver->domainRestoreSecurityAllLabel(conn, vm); + driver->securityDriver->domainRestoreSecurityAllLabel(vm); if (driver->securityDriver && driver->securityDriver->domainReleaseSecurityLabel) - driver->securityDriver->domainReleaseSecurityLabel(conn, vm); + driver->securityDriver->domainReleaseSecurityLabel(vm); qemuRemoveCgroup(driver, vm, 0); if ((vm->def->ngraphics == 1) && vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC && 
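Review bot: In qemudSecurityHook the `domainSetSecurityProcessLabel` call no longer reads `h->conn`, so the hook data structure may now carry a connection pointer that this path never uses. The struct definition and the rest of the hook body are outside the hunk, so that needs checking there. If no other reader remains, remove the member and its initialisation so a later change cannot pick up a stale or NULL connection from it.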
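Review bot: The `cleanup:` path of qemudStartVMDaemon discards the return values of `domainRestoreSecurityAllLabel(vm)` and `domainReleaseSecurityLabel(vm)`, so the only record of a failed restore is whatever the security driver itself reported. The hotplug error paths in this file log such failures with VIR_WARN. Doing the same here would show the operator when a guest's files keep their runtime label, for example `if (driver->securityDriver->domainRestoreSecurityAllLabel(vm) < 0) VIR_WARN("Unable to restore security labels on %s", vm->def->name);`. The same two calls under `/* Reset Security Labels */` in qemudShutdownVMDaemon (hunk at -2851) have the same gap. Both function bodies extend outside their hunks.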
@@ -2784,7 +2783,7 @@ cleanup: abort: /* We jump here if we failed to initialize the now running VM * killing it off and pretend we never started it */ - qemudShutdownVMDaemon(conn, driver, vm); + qemudShutdownVMDaemon(driver, vm); if (logfile != -1) close(logfile); @@ -2793,8 +2792,7 @@ abort: } -static void qemudShutdownVMDaemon(virConnectPtr conn, - struct qemud_driver *driver, +static void qemudShutdownVMDaemon(struct qemud_driver *driver, virDomainObjPtr vm) { int ret; int retries = 0; @@ -2851,10 +2849,10 @@ static void qemudShutdownVMDaemon(virConnectPtr conn, /* Reset Security Labels */ if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityAllLabel) - driver->securityDriver->domainRestoreSecurityAllLabel(conn, vm); + driver->securityDriver->domainRestoreSecurityAllLabel(vm); if (driver->securityDriver && driver->securityDriver->domainReleaseSecurityLabel) - driver->securityDriver->domainReleaseSecurityLabel(conn, vm); + driver->securityDriver->domainReleaseSecurityLabel(vm); /* Clear out dynamically assigned labels */ if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) { @@ -3306,7 +3304,7 @@ static virDomainPtr qemudDomainCreate(virConnectPtr conn, const char *xml, VIR_DOMAIN_XML_INACTIVE))) goto cleanup; - if (virSecurityDriverVerify(conn, def) < 0) + if (virSecurityDriverVerify(def) < 0) goto cleanup; if (virDomainObjIsDuplicate(&driver->domains, def, 1) < 0) @@ -3535,7 +3533,7 @@ static int qemudDomainDestroy(virDomainPtr dom) { goto endjob; } - qemudShutdownVMDaemon(dom->conn, driver, vm); + qemudShutdownVMDaemon(driver, vm); event = virDomainEventNewFromObj(vm, VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED_DESTROYED); 
@@ -3911,7 +3909,7 @@ static int qemudDomainSave(virDomainPtr dom, if (driver->securityDriver && driver->securityDriver->domainSetSavedStateLabel && - driver->securityDriver->domainSetSavedStateLabel(dom->conn, vm, path) == -1) + driver->securityDriver->domainSetSavedStateLabel(vm, path) == -1) goto endjob; if (header.compressed == QEMUD_SAVE_FORMAT_RAW) { @@ -3938,13 +3936,13 @@ static int qemudDomainSave(virDomainPtr dom, if (driver->securityDriver && driver->securityDriver->domainRestoreSavedStateLabel && - driver->securityDriver->domainRestoreSavedStateLabel(dom->conn, vm, path) == -1) + driver->securityDriver->domainRestoreSavedStateLabel(vm, path) == -1) goto endjob; ret = 0; /* Shut it down */ - qemudShutdownVMDaemon(dom->conn, driver, vm); + qemudShutdownVMDaemon(driver, vm); event = virDomainEventNewFromObj(vm, VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED_SAVED); @@ -4025,7 +4023,7 @@ static int qemudDomainCoreDump(virDomainPtr dom, if (driver->securityDriver && driver->securityDriver->domainSetSavedStateLabel && - driver->securityDriver->domainSetSavedStateLabel(dom->conn, vm, path) == -1) + driver->securityDriver->domainSetSavedStateLabel(vm, path) == -1) goto endjob; /* Migrate will always stop the VM, so the resume condition is @@ -4052,12 +4050,12 @@ static int qemudDomainCoreDump(virDomainPtr dom, if (driver->securityDriver && driver->securityDriver->domainRestoreSavedStateLabel && - driver->securityDriver->domainRestoreSavedStateLabel(dom->conn, vm, path) == -1) + driver->securityDriver->domainRestoreSavedStateLabel(vm, path) == -1) goto endjob; endjob: if ((ret == 0) && (flags & VIR_DUMP_CRASH)) { - qemudShutdownVMDaemon(dom->conn, driver, vm); + qemudShutdownVMDaemon(driver, vm); event = virDomainEventNewFromObj(vm, VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED_CRASHED); 
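Review bot: In qemudDomainSave (hunk at -3938) a failed `domainRestoreSavedStateLabel(vm, path)` jumps to `endjob` before `ret = 0` and before `qemudShutdownVMDaemon(driver, vm)`. The call therefore reports failure and leaves the guest up, even though the save itself appears to have finished by then. The hotplug paths in this file treat a restore failure as a warning only, so the difference should be either deliberate or removed. If it is deliberate, say so next to the check, e.g. `/* A label that cannot be restored is treated as a failed save; the guest is left running. */`. The code between setting and restoring the label is outside the hunk, so the state of the save file at this point should be confirmed.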
@@ -4388,7 +4386,7 @@ static int qemudDomainGetSecurityLabel(virDomainPtr dom, virSecurityLabelPtr sec */ if (virDomainObjIsActive(vm)) { if (driver->securityDriver && driver->securityDriver->domainGetSecurityProcessLabel) { - if (driver->securityDriver->domainGetSecurityProcessLabel(dom->conn, vm, seclabel) == -1) { + if (driver->securityDriver->domainGetSecurityProcessLabel(vm, seclabel) == -1) { qemuReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("Failed to get security label")); goto cleanup; @@ -5000,7 +4998,7 @@ static virDomainPtr qemudDomainDefine(virConnectPtr conn, const char *xml) { VIR_DOMAIN_XML_INACTIVE))) goto cleanup; - if (virSecurityDriverVerify(conn, def) < 0) + if (virSecurityDriverVerify(def) < 0) goto cleanup; if ((dupVM = virDomainObjIsDuplicate(&driver->domains, def, 0)) < 0) @@ -5095,8 +5093,7 @@ cleanup: } -static int qemudDomainChangeEjectableMedia(virConnectPtr conn, - struct qemud_driver *driver, +static int qemudDomainChangeEjectableMedia(struct qemud_driver *driver, virDomainObjPtr vm, virDomainDiskDefPtr disk) { @@ -5137,7 +5134,7 @@ static int qemudDomainChangeEjectableMedia(virConnectPtr conn, if (driver->securityDriver && driver->securityDriver->domainSetSecurityImageLabel && - driver->securityDriver->domainSetSecurityImageLabel(conn, vm, disk) < 0) + driver->securityDriver->domainSetSecurityImageLabel(vm, disk) < 0) return -1; qemuDomainObjPrivatePtr priv = vm->privateData; @@ -5163,7 +5160,7 @@ static int qemudDomainChangeEjectableMedia(virConnectPtr conn, if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityImageLabel && - driver->securityDriver->domainRestoreSecurityImageLabel(conn, vm, origdisk) < 0) + driver->securityDriver->domainRestoreSecurityImageLabel(vm, origdisk) < 0) VIR_WARN("Unable to restore security label on ejected image %s", origdisk->src); VIR_FREE(origdisk->src); 
@@ -5178,7 +5175,7 @@ static int qemudDomainChangeEjectableMedia(virConnectPtr conn, error: if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityImageLabel && - driver->securityDriver->domainRestoreSecurityImageLabel(conn, vm, disk) < 0) + driver->securityDriver->domainRestoreSecurityImageLabel(vm, disk) < 0) VIR_WARN("Unable to restore security label on new media %s", disk->src); return -1; } @@ -5205,7 +5202,7 @@ static int qemudDomainAttachPciDiskDevice(struct qemud_driver *driver, if (driver->securityDriver && driver->securityDriver->domainSetSecurityImageLabel && - driver->securityDriver->domainSetSecurityImageLabel(NULL, vm, disk) < 0) + driver->securityDriver->domainSetSecurityImageLabel(vm, disk) < 0) return -1; if (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) { @@ -5266,7 +5263,7 @@ error: if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityImageLabel && - driver->securityDriver->domainRestoreSecurityImageLabel(NULL, vm, disk) < 0) + driver->securityDriver->domainRestoreSecurityImageLabel(vm, disk) < 0) VIR_WARN("Unable to restore security label on %s", disk->src); return -1; @@ -5398,7 +5395,7 @@ static int qemudDomainAttachSCSIDisk(struct qemud_driver *driver, if (driver->securityDriver && driver->securityDriver->domainSetSecurityImageLabel && - driver->securityDriver->domainSetSecurityImageLabel(NULL, vm, disk) < 0) + driver->securityDriver->domainSetSecurityImageLabel(vm, disk) < 0) return -1; /* We should have an address already, so make sure */ @@ -5475,7 +5472,7 @@ error: if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityImageLabel && - driver->securityDriver->domainRestoreSecurityImageLabel(NULL, vm, disk) < 0) + driver->securityDriver->domainRestoreSecurityImageLabel(vm, disk) < 0) VIR_WARN("Unable to restore security label on %s", disk->src); return -1; 
@@ -5502,7 +5499,7 @@ static int qemudDomainAttachUsbMassstorageDevice(struct qemud_driver *driver, if (driver->securityDriver && driver->securityDriver->domainSetSecurityImageLabel && - driver->securityDriver->domainSetSecurityImageLabel(NULL, vm, disk) < 0) + driver->securityDriver->domainSetSecurityImageLabel(vm, disk) < 0) return -1; if (!disk->src) { @@ -5554,7 +5551,7 @@ error: if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityImageLabel && - driver->securityDriver->domainRestoreSecurityImageLabel(NULL, vm, disk) < 0) + driver->securityDriver->domainRestoreSecurityImageLabel(vm, disk) < 0) VIR_WARN("Unable to restore security label on %s", disk->src); return -1; @@ -5825,8 +5822,7 @@ error: } -static int qemudDomainAttachHostDevice(virConnectPtr conn, - struct qemud_driver *driver, +static int qemudDomainAttachHostDevice(struct qemud_driver *driver, virDomainObjPtr vm, virDomainHostdevDefPtr hostdev, int qemuCmdFlags) @@ -5840,7 +5836,7 @@ static int qemudDomainAttachHostDevice(virConnectPtr conn, if (driver->securityDriver && driver->securityDriver->domainSetSecurityHostdevLabel && - driver->securityDriver->domainSetSecurityHostdevLabel(conn, vm, hostdev) < 0) + driver->securityDriver->domainSetSecurityHostdevLabel(vm, hostdev) < 0) return -1; switch (hostdev->source.subsys.type) { @@ -5868,7 +5864,7 @@ static int qemudDomainAttachHostDevice(virConnectPtr conn, error: if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityHostdevLabel && - driver->securityDriver->domainRestoreSecurityHostdevLabel(conn, vm, hostdev) < 0) + driver->securityDriver->domainRestoreSecurityHostdevLabel(vm, hostdev) < 0) VIR_WARN0("Unable to restore host device labelling on hotplug fail"); return -1; 
@@ -5936,7 +5932,7 @@ static int qemudDomainAttachDevice(virDomainPtr dom, switch (dev->data.disk->device) { case VIR_DOMAIN_DISK_DEVICE_CDROM: case VIR_DOMAIN_DISK_DEVICE_FLOPPY: - ret = qemudDomainChangeEjectableMedia(dom->conn, driver, vm, dev->data.disk); + ret = qemudDomainChangeEjectableMedia(driver, vm, dev->data.disk); if (ret == 0) dev->data.disk = NULL; break; @@ -5991,7 +5987,7 @@ static int qemudDomainAttachDevice(virDomainPtr dom, if (ret == 0) dev->data.net = NULL; } else if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV) { - ret = qemudDomainAttachHostDevice(dom->conn, driver, vm, + ret = qemudDomainAttachHostDevice(driver, vm, dev->data.hostdev, qemuCmdFlags); if (ret == 0) dev->data.hostdev = NULL; @@ -6085,7 +6081,7 @@ static int qemudDomainDetachPciDiskDevice(struct qemud_driver *driver, if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityImageLabel && - driver->securityDriver->domainRestoreSecurityImageLabel(NULL, vm, dev->data.disk) < 0) + driver->securityDriver->domainRestoreSecurityImageLabel(vm, dev->data.disk) < 0) VIR_WARN("Unable to restore security label on %s", dev->data.disk->src); ret = 0; @@ -6357,7 +6353,7 @@ static int qemudDomainDetachHostDevice(struct qemud_driver *driver, if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityHostdevLabel && - driver->securityDriver->domainRestoreSecurityHostdevLabel(NULL, vm, dev->data.hostdev) < 0) + driver->securityDriver->domainRestoreSecurityHostdevLabel(vm, dev->data.hostdev) < 0) VIR_WARN0("Failed to restore host device labelling"); return ret; @@ -7506,7 +7502,7 @@ qemudDomainMigratePrepareTunnel(virConnectPtr dconn, qemust = qemuStreamMigOpen(st, unixfile); if (qemust == NULL) { - qemudShutdownVMDaemon(NULL, driver, vm); + qemudShutdownVMDaemon(driver, vm); if (!vm->persistent) { if (qemuDomainObjEndJob(vm) > 0) virDomainRemoveInactive(&driver->domains, vm); 
@@ -8193,7 +8189,7 @@ qemudDomainMigratePerform (virDomainPtr dom, } /* Clean up the source domain. */ - qemudShutdownVMDaemon (dom->conn, driver, vm); + qemudShutdownVMDaemon(driver, vm); paused = 0; event = virDomainEventNewFromObj(vm, @@ -8336,7 +8332,7 @@ qemudDomainMigrateFinish2 (virConnectPtr dconn, } virDomainSaveStatus(driver->caps, driver->stateDir, vm); } else { - qemudShutdownVMDaemon (dconn, driver, vm); + qemudShutdownVMDaemon(driver, vm); event = virDomainEventNewFromObj(vm, VIR_DOMAIN_EVENT_STOPPED, VIR_DOMAIN_EVENT_STOPPED_FAILED); diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c index e753490..11f41b3 100644 --- a/src/qemu/qemu_security_dac.c +++ b/src/qemu/qemu_security_dac.c @@ -105,8 +105,7 @@ err: static int -qemuSecurityDACSetSecurityImageLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, +qemuSecurityDACSetSecurityImageLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk) { @@ -149,8 +148,7 @@ qemuSecurityDACSetSecurityImageLabel(virConnectPtr conn ATTRIBUTE_UNUSED, static int -qemuSecurityDACRestoreSecurityImageLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, +qemuSecurityDACRestoreSecurityImageLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainDiskDefPtr disk) { if (!driver->privileged || !driver->dynamicOwnership) @@ -195,8 +193,7 @@ qemuSecurityDACSetSecurityUSBLabel(virConnectPtr conn ATTRIBUTE_UNUSED, static int -qemuSecurityDACSetSecurityHostdevLabel(virConnectPtr conn, - virDomainObjPtr vm, +qemuSecurityDACSetSecurityHostdevLabel(virDomainObjPtr vm, virDomainHostdevDefPtr dev) { @@ -218,7 +215,7 @@ qemuSecurityDACSetSecurityHostdevLabel(virConnectPtr conn, if (!usb) goto done; - ret = usbDeviceFileIterate(conn, usb, qemuSecurityDACSetSecurityUSBLabel, vm); + ret = usbDeviceFileIterate(NULL, usb, qemuSecurityDACSetSecurityUSBLabel, vm); usbFreeDevice(usb); break; } 
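Review bot: In qemuSecurityDACSetSecurityHostdevLabel the call `usbDeviceFileIterate(NULL, usb, qemuSecurityDACSetSecurityUSBLabel, vm)` now passes a hard-coded NULL connection to an iterator that still takes one. The USB callbacks visible in the hunk headers declare `virConnectPtr conn ATTRIBUTE_UNUSED`, so they are safe. The PCI callbacks and the iterator bodies are not visible here, so check that neither dereferences the argument. The same applies to `pciDeviceFileIterate(NULL, ...)` in the hunk at -232 and to both calls in qemuSecurityDACRestoreSecurityHostdevLabel (hunks at -292 and -307). Until the iterators lose the parameter, a short comment at the first call would record the assumption: `/* conn is unused by the iterator and callbacks; errors go to the thread-local */`.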
@@ -232,7 +229,7 @@ qemuSecurityDACSetSecurityHostdevLabel(virConnectPtr conn, if (!pci) goto done; - ret = pciDeviceFileIterate(conn, pci, qemuSecurityDACSetSecurityPCILabel, vm); + ret = pciDeviceFileIterate(NULL, pci, qemuSecurityDACSetSecurityPCILabel, vm); pciFreeDevice(pci); break; @@ -269,8 +266,7 @@ qemuSecurityDACRestoreSecurityUSBLabel(virConnectPtr conn ATTRIBUTE_UNUSED, static int -qemuSecurityDACRestoreSecurityHostdevLabel(virConnectPtr conn, - virDomainObjPtr vm ATTRIBUTE_UNUSED, +qemuSecurityDACRestoreSecurityHostdevLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED, virDomainHostdevDefPtr dev) { @@ -292,7 +288,7 @@ qemuSecurityDACRestoreSecurityHostdevLabel(virConnectPtr conn, if (!usb) goto done; - ret = usbDeviceFileIterate(conn, usb, qemuSecurityDACRestoreSecurityUSBLabel, NULL); + ret = usbDeviceFileIterate(NULL, usb, qemuSecurityDACRestoreSecurityUSBLabel, NULL); usbFreeDevice(usb); break; @@ -307,7 +303,7 @@ qemuSecurityDACRestoreSecurityHostdevLabel(virConnectPtr conn, if (!pci) goto done; - ret = pciDeviceFileIterate(conn, pci, qemuSecurityDACRestoreSecurityPCILabel, NULL); + ret = pciDeviceFileIterate(NULL, pci, qemuSecurityDACRestoreSecurityPCILabel, NULL); pciFreeDevice(pci); break; @@ -324,8 +320,7 @@ done: static int -qemuSecurityDACRestoreSecurityAllLabel(virConnectPtr conn, - virDomainObjPtr vm) +qemuSecurityDACRestoreSecurityAllLabel(virDomainObjPtr vm) { int i; int rc = 0; @@ -336,12 +331,12 @@ qemuSecurityDACRestoreSecurityAllLabel(virConnectPtr conn, VIR_DEBUG("Restoring security label on %s", vm->def->name); for (i = 0 ; i < vm->def->nhostdevs ; i++) { - if (qemuSecurityDACRestoreSecurityHostdevLabel(conn, vm, + if (qemuSecurityDACRestoreSecurityHostdevLabel(vm, vm->def->hostdevs[i]) < 0) rc = -1; } for (i = 0 ; i < vm->def->ndisks ; i++) { - if (qemuSecurityDACRestoreSecurityImageLabel(conn, vm, + if (qemuSecurityDACRestoreSecurityImageLabel(vm, vm->def->disks[i]) < 0) rc = -1; } 
@@ -350,8 +345,7 @@ qemuSecurityDACRestoreSecurityAllLabel(virConnectPtr conn, static int -qemuSecurityDACSetSecurityAllLabel(virConnectPtr conn, - virDomainObjPtr vm) +qemuSecurityDACSetSecurityAllLabel(virDomainObjPtr vm) { int i; @@ -362,11 +356,11 @@ qemuSecurityDACSetSecurityAllLabel(virConnectPtr conn, /* XXX fixme - we need to recursively label the entriy tree :-( */ if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) continue; - if (qemuSecurityDACSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0) + if (qemuSecurityDACSetSecurityImageLabel(vm, vm->def->disks[i]) < 0) return -1; } for (i = 0 ; i < vm->def->nhostdevs ; i++) { - if (qemuSecurityDACSetSecurityHostdevLabel(conn, vm, vm->def->hostdevs[i]) < 0) + if (qemuSecurityDACSetSecurityHostdevLabel(vm, vm->def->hostdevs[i]) < 0) return -1; } @@ -375,8 +369,7 @@ qemuSecurityDACSetSecurityAllLabel(virConnectPtr conn, static int -qemuSecurityDACSetSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, +qemuSecurityDACSetSavedStateLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED, const char *savefile) { if (!driver->privileged || !driver->dynamicOwnership) @@ -387,8 +380,7 @@ qemuSecurityDACSetSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED, static int -qemuSecurityDACRestoreSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, +qemuSecurityDACRestoreSavedStateLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED, const char *savefile) { if (!driver->privileged || !driver->dynamicOwnership) @@ -399,8 +391,7 @@ qemuSecurityDACRestoreSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED, static int -qemuSecurityDACSetProcessLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virSecurityDriverPtr drv ATTRIBUTE_UNUSED, +qemuSecurityDACSetProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED, virDomainObjPtr vm ATTRIBUTE_UNUSED) { DEBUG("Dropping privileges of VM to %d:%d", driver->user, driver->group); 
diff --git a/src/qemu/qemu_security_stacked.c b/src/qemu/qemu_security_stacked.c index deabe0a..c0258ce 100644 --- a/src/qemu/qemu_security_stacked.c +++ b/src/qemu/qemu_security_stacked.c @@ -38,19 +38,18 @@ void qemuSecurityStackedSetDriver(struct qemud_driver *newdriver) static int -qemuSecurityStackedVerify(virConnectPtr conn, - virDomainDefPtr def) +qemuSecurityStackedVerify(virDomainDefPtr def) { int rc = 0; if (driver->securitySecondaryDriver && driver->securitySecondaryDriver->domainSecurityVerify && - driver->securitySecondaryDriver->domainSecurityVerify(conn, def) < 0) + driver->securitySecondaryDriver->domainSecurityVerify(def) < 0) rc = -1; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainSecurityVerify && - driver->securityPrimaryDriver->domainSecurityVerify(conn, def) < 0) + driver->securityPrimaryDriver->domainSecurityVerify(def) < 0) rc = -1; return rc; @@ -58,19 +57,18 @@ qemuSecurityStackedVerify(virConnectPtr conn, static int -qemuSecurityStackedGenLabel(virConnectPtr conn, - virDomainObjPtr vm) +qemuSecurityStackedGenLabel(virDomainObjPtr vm) { int rc = 0; if (driver->securitySecondaryDriver && driver->securitySecondaryDriver->domainGenSecurityLabel && - driver->securitySecondaryDriver->domainGenSecurityLabel(conn, vm) < 0) + driver->securitySecondaryDriver->domainGenSecurityLabel(vm) < 0) rc = -1; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainGenSecurityLabel && - driver->securityPrimaryDriver->domainGenSecurityLabel(conn, vm) < 0) + driver->securityPrimaryDriver->domainGenSecurityLabel(vm) < 0) rc = -1; return rc; 
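Review bot: qemuSecurityStackedVerify calls the secondary and then the primary driver unconditionally and folds both results into `rc`, and nothing documents which error the caller sees when both fail. With errors recorded per thread instead of per connection, the primary driver's report presumably replaces the secondary's. A comment above the two checks would make that explicit, e.g. `/* Both drivers always run; if both fail, the error reported last (primary) is the one left for the caller. */`. The same pattern repeats in every qemuSecurityStacked* wrapper touched by this file section, so one comment at the top of the file may be enough.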
@@ -78,19 +76,18 @@ qemuSecurityStackedGenLabel(virConnectPtr conn, static int -qemuSecurityStackedReleaseLabel(virConnectPtr conn, - virDomainObjPtr vm) +qemuSecurityStackedReleaseLabel(virDomainObjPtr vm) { int rc = 0; if (driver->securitySecondaryDriver && driver->securitySecondaryDriver->domainReleaseSecurityLabel && - driver->securitySecondaryDriver->domainReleaseSecurityLabel(conn, vm) < 0) + driver->securitySecondaryDriver->domainReleaseSecurityLabel(vm) < 0) rc = -1; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainReleaseSecurityLabel && - driver->securityPrimaryDriver->domainReleaseSecurityLabel(conn, vm) < 0) + driver->securityPrimaryDriver->domainReleaseSecurityLabel(vm) < 0) rc = -1; return rc; @@ -98,19 +95,18 @@ qemuSecurityStackedReleaseLabel(virConnectPtr conn, static int -qemuSecurityStackedReserveLabel(virConnectPtr conn, - virDomainObjPtr vm) +qemuSecurityStackedReserveLabel(virDomainObjPtr vm) { int rc = 0; if (driver->securitySecondaryDriver && driver->securitySecondaryDriver->domainReserveSecurityLabel && - driver->securitySecondaryDriver->domainReserveSecurityLabel(conn, vm) < 0) + driver->securitySecondaryDriver->domainReserveSecurityLabel(vm) < 0) rc = -1; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainReserveSecurityLabel && - driver->securityPrimaryDriver->domainReserveSecurityLabel(conn, vm) < 0) + driver->securityPrimaryDriver->domainReserveSecurityLabel(vm) < 0) rc = -1; return rc; 
@@ -118,20 +114,19 @@ qemuSecurityStackedReserveLabel(virConnectPtr conn, static int -qemuSecurityStackedSetSecurityImageLabel(virConnectPtr conn, - virDomainObjPtr vm, +qemuSecurityStackedSetSecurityImageLabel(virDomainObjPtr vm, virDomainDiskDefPtr disk) { int rc = 0; if (driver->securitySecondaryDriver && driver->securitySecondaryDriver->domainSetSecurityImageLabel && - driver->securitySecondaryDriver->domainSetSecurityImageLabel(conn, vm, disk) < 0) + driver->securitySecondaryDriver->domainSetSecurityImageLabel(vm, disk) < 0) rc = -1; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainSetSecurityImageLabel && - driver->securityPrimaryDriver->domainSetSecurityImageLabel(conn, vm, disk) < 0) + driver->securityPrimaryDriver->domainSetSecurityImageLabel(vm, disk) < 0) rc = -1; return rc; @@ -139,20 +134,19 @@ qemuSecurityStackedSetSecurityImageLabel(virConnectPtr conn, static int -qemuSecurityStackedRestoreSecurityImageLabel(virConnectPtr conn, - virDomainObjPtr vm, +qemuSecurityStackedRestoreSecurityImageLabel(virDomainObjPtr vm, virDomainDiskDefPtr disk) { int rc = 0; if (driver->securitySecondaryDriver && driver->securitySecondaryDriver->domainRestoreSecurityImageLabel && - driver->securitySecondaryDriver->domainRestoreSecurityImageLabel(conn, vm, disk) < 0) + driver->securitySecondaryDriver->domainRestoreSecurityImageLabel(vm, disk) < 0) rc = -1; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainRestoreSecurityImageLabel && - driver->securityPrimaryDriver->domainRestoreSecurityImageLabel(conn, vm, disk) < 0) + driver->securityPrimaryDriver->domainRestoreSecurityImageLabel(vm, disk) < 0) rc = -1; return rc; @@ -160,8 +154,7 @@ qemuSecurityStackedRestoreSecurityImageLabel(virConnectPtr conn, static int -qemuSecurityStackedSetSecurityHostdevLabel(virConnectPtr conn, - virDomainObjPtr vm, +qemuSecurityStackedSetSecurityHostdevLabel(virDomainObjPtr vm, virDomainHostdevDefPtr dev) { 
@@ -169,12 +162,12 @@ qemuSecurityStackedSetSecurityHostdevLabel(virConnectPtr conn, if (driver->securitySecondaryDriver && driver->securitySecondaryDriver->domainSetSecurityHostdevLabel && - driver->securitySecondaryDriver->domainSetSecurityHostdevLabel(conn, vm, dev) < 0) + driver->securitySecondaryDriver->domainSetSecurityHostdevLabel(vm, dev) < 0) rc = -1; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainSetSecurityHostdevLabel && - driver->securityPrimaryDriver->domainSetSecurityHostdevLabel(conn, vm, dev) < 0) + driver->securityPrimaryDriver->domainSetSecurityHostdevLabel(vm, dev) < 0) rc = -1; return rc; @@ -182,8 +175,7 @@ qemuSecurityStackedSetSecurityHostdevLabel(virConnectPtr conn, static int -qemuSecurityStackedRestoreSecurityHostdevLabel(virConnectPtr conn, - virDomainObjPtr vm, +qemuSecurityStackedRestoreSecurityHostdevLabel(virDomainObjPtr vm, virDomainHostdevDefPtr dev) { @@ -191,12 +183,12 @@ qemuSecurityStackedRestoreSecurityHostdevLabel(virConnectPtr conn, if (driver->securitySecondaryDriver && driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel && - driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel(conn, vm, dev) < 0) + driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel(vm, dev) < 0) rc = -1; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel && - driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel(conn, vm, dev) < 0) + driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel(vm, dev) < 0) rc = -1; return rc; 
@@ -204,19 +196,18 @@ qemuSecurityStackedRestoreSecurityHostdevLabel(virConnectPtr conn, static int -qemuSecurityStackedSetSecurityAllLabel(virConnectPtr conn, - virDomainObjPtr vm) +qemuSecurityStackedSetSecurityAllLabel(virDomainObjPtr vm) { int rc = 0; if (driver->securitySecondaryDriver && driver->securitySecondaryDriver->domainSetSecurityAllLabel && - driver->securitySecondaryDriver->domainSetSecurityAllLabel(conn, vm) < 0) + driver->securitySecondaryDriver->domainSetSecurityAllLabel(vm) < 0) rc = -1; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainSetSecurityAllLabel && - driver->securityPrimaryDriver->domainSetSecurityAllLabel(conn, vm) < 0) + driver->securityPrimaryDriver->domainSetSecurityAllLabel(vm) < 0) rc = -1; return rc; @@ -224,19 +215,18 @@ qemuSecurityStackedSetSecurityAllLabel(virConnectPtr conn, static int -qemuSecurityStackedRestoreSecurityAllLabel(virConnectPtr conn, - virDomainObjPtr vm) +qemuSecurityStackedRestoreSecurityAllLabel(virDomainObjPtr vm) { int rc = 0; if (driver->securitySecondaryDriver && driver->securitySecondaryDriver->domainRestoreSecurityAllLabel && - driver->securitySecondaryDriver->domainRestoreSecurityAllLabel(conn, vm) < 0) + driver->securitySecondaryDriver->domainRestoreSecurityAllLabel(vm) < 0) rc = -1; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainRestoreSecurityAllLabel && - driver->securityPrimaryDriver->domainRestoreSecurityAllLabel(conn, vm) < 0) + driver->securityPrimaryDriver->domainRestoreSecurityAllLabel(vm) < 0) rc = -1; return rc; 
@@ -244,20 +234,19 @@ qemuSecurityStackedRestoreSecurityAllLabel(virConnectPtr conn, static int -qemuSecurityStackedSetSavedStateLabel(virConnectPtr conn, - virDomainObjPtr vm, +qemuSecurityStackedSetSavedStateLabel(virDomainObjPtr vm, const char *savefile) { int rc = 0; if (driver->securitySecondaryDriver && driver->securitySecondaryDriver->domainSetSavedStateLabel && - driver->securitySecondaryDriver->domainSetSavedStateLabel(conn, vm, savefile) < 0) + driver->securitySecondaryDriver->domainSetSavedStateLabel(vm, savefile) < 0) rc = -1; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainSetSavedStateLabel && - driver->securityPrimaryDriver->domainSetSavedStateLabel(conn, vm, savefile) < 0) + driver->securityPrimaryDriver->domainSetSavedStateLabel(vm, savefile) < 0) rc = -1; return rc; @@ -265,20 +254,19 @@ qemuSecurityStackedSetSavedStateLabel(virConnectPtr conn, static int -qemuSecurityStackedRestoreSavedStateLabel(virConnectPtr conn, - virDomainObjPtr vm, +qemuSecurityStackedRestoreSavedStateLabel(virDomainObjPtr vm, const char *savefile) { int rc = 0; if (driver->securitySecondaryDriver && driver->securitySecondaryDriver->domainRestoreSavedStateLabel && - driver->securitySecondaryDriver->domainRestoreSavedStateLabel(conn, vm, savefile) < 0) + driver->securitySecondaryDriver->domainRestoreSavedStateLabel(vm, savefile) < 0) rc = -1; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainRestoreSavedStateLabel && - driver->securityPrimaryDriver->domainRestoreSavedStateLabel(conn, vm, savefile) < 0) + driver->securityPrimaryDriver->domainRestoreSavedStateLabel(vm, savefile) < 0) rc = -1; return rc; 
@@ -286,23 +274,20 @@ qemuSecurityStackedRestoreSavedStateLabel(virConnectPtr conn, static int -qemuSecurityStackedSetProcessLabel(virConnectPtr conn, - virSecurityDriverPtr drv ATTRIBUTE_UNUSED, +qemuSecurityStackedSetProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED, virDomainObjPtr vm) { int rc = 0; if (driver->securitySecondaryDriver && driver->securitySecondaryDriver->domainSetSecurityProcessLabel && - driver->securitySecondaryDriver->domainSetSecurityProcessLabel(conn, - driver->securitySecondaryDriver, + driver->securitySecondaryDriver->domainSetSecurityProcessLabel(driver->securitySecondaryDriver, vm) < 0) rc = -1; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainSetSecurityProcessLabel && - driver->securityPrimaryDriver->domainSetSecurityProcessLabel(conn, - driver->securityPrimaryDriver, + driver->securityPrimaryDriver->domainSetSecurityProcessLabel(driver->securityPrimaryDriver, vm) < 0) rc = -1; @@ -310,16 +295,14 @@ qemuSecurityStackedSetProcessLabel(virConnectPtr conn, } static int -qemuSecurityStackedGetProcessLabel(virConnectPtr conn, - virDomainObjPtr vm, +qemuSecurityStackedGetProcessLabel(virDomainObjPtr vm, virSecurityLabelPtr seclabel) { int rc = 0; if (driver->securityPrimaryDriver && driver->securityPrimaryDriver->domainGetSecurityProcessLabel && - driver->securityPrimaryDriver->domainGetSecurityProcessLabel(conn, - vm, + driver->securityPrimaryDriver->domainGetSecurityProcessLabel(vm, seclabel) < 0) rc = -1; diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 2d5f944..23f40f8 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -148,7 +148,7 @@ profile_status_file(const char *str) * load (add) a profile. Will create one if necessary */ static int -load_profile(virConnectPtr conn, const char *profile, virDomainObjPtr vm, +load_profile(const char *profile, virDomainObjPtr vm, virDomainDiskDefPtr disk) { int rc = -1, status, ret; 
@@ -162,7 +162,7 @@ load_profile(virConnectPtr conn, const char *profile, virDomainObjPtr vm, return rc; } - xml = virDomainDefFormat(conn, vm->def, VIR_DOMAIN_XML_SECURE); + xml = virDomainDefFormat(vm->def, VIR_DOMAIN_XML_SECURE); if (!xml) goto clean; @@ -204,7 +204,7 @@ load_profile(virConnectPtr conn, const char *profile, virDomainObjPtr vm, if (errno == EINTR) goto rewait; - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("Unexpected exit status from virt-aa-helper " "%d pid %lu"), WEXITSTATUS(status), (unsigned long)child); @@ -311,9 +311,9 @@ AppArmorSecurityDriverProbe(void) * currently not used. */ static int -AppArmorSecurityDriverOpen(virConnectPtr conn, virSecurityDriverPtr drv) +AppArmorSecurityDriverOpen(virSecurityDriverPtr drv) { - virSecurityDriverSetDOI(conn, drv, SECURITY_APPARMOR_VOID_DOI); + virSecurityDriverSetDOI(drv, SECURITY_APPARMOR_VOID_DOI); return 0; } @@ -323,7 +323,7 @@ AppArmorSecurityDriverOpen(virConnectPtr conn, virSecurityDriverPtr drv) * called on shutdown. */ static int -AppArmorGenSecurityLabel(virConnectPtr conn, virDomainObjPtr vm) +AppArmorGenSecurityLabel(virDomainObjPtr vm) { int rc = -1; char *profile_name = NULL; @@ -333,7 +333,7 @@ AppArmorGenSecurityLabel(virConnectPtr conn, virDomainObjPtr vm) if ((vm->def->seclabel.label) || (vm->def->seclabel.model) || (vm->def->seclabel.imagelabel)) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security label already defined for VM")); return rc; 
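Review bot: `virDomainDefFormat(vm->def, VIR_DOMAIN_XML_SECURE)` in load_profile produces XML that includes the domain's security-sensitive fields, and nothing near the call says so. Going by the error message in the next hunk, the document is presumably handed to virt-aa-helper. A comment such as `/* xml contains secrets (VIR_DOMAIN_XML_SECURE): pass it only to virt-aa-helper, never log it */` would keep later edits from leaking it into debug output. load_profile starts and ends outside this hunk, so how xml is released cannot be checked from here.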
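Review bot: AppArmorSecurityDriverOpen discards the return value of `virSecurityDriverSetDOI(drv, SECURITY_APPARMOR_VOID_DOI)` and returns 0 regardless. virSecurityDriverSetDOI reports an error when the DOI is too long (see its hunk in security_driver.c), so a failure would leave an error recorded while the driver still reports a successful open. Assuming it returns a negative value on failure, `if (virSecurityDriverSetDOI(drv, SECURITY_APPARMOR_VOID_DOI) < 0) return -1;` closes the gap. SELinuxSecurityDriverOpen in security_selinux.c has the same unchecked call.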
@@ -377,15 +377,15 @@ AppArmorGenSecurityLabel(virConnectPtr conn, virDomainObjPtr vm) } static int -AppArmorSetSecurityAllLabel(virConnectPtr conn, virDomainObjPtr vm) +AppArmorSetSecurityAllLabel(virDomainObjPtr vm) { if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) return 0; /* if the profile is not already loaded, then load one */ if (profile_loaded(vm->def->seclabel.label) < 0) { - if (load_profile(conn, vm->def->seclabel.label, vm, NULL) < 0) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + if (load_profile(vm->def->seclabel.label, vm, NULL) < 0) { + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot generate AppArmor profile " "\'%s\'"), vm->def->seclabel.label); return -1; @@ -399,8 +399,7 @@ AppArmorSetSecurityAllLabel(virConnectPtr conn, virDomainObjPtr vm) * running. */ static int -AppArmorGetSecurityProcessLabel(virConnectPtr conn, - virDomainObjPtr vm, virSecurityLabelPtr sec) +AppArmorGetSecurityProcessLabel(virDomainObjPtr vm, virSecurityLabelPtr sec) { int rc = -1; char *profile_name = NULL; @@ -410,13 +409,13 @@ AppArmorGetSecurityProcessLabel(virConnectPtr conn, if (virStrcpy(sec->label, profile_name, VIR_SECURITY_LABEL_BUFLEN) == NULL) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("error copying profile name")); goto clean; } if ((sec->enforcing = profile_status(profile_name, 1)) < 0) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("error calling profile_status()")); goto clean; } @@ -432,7 +431,7 @@ AppArmorGetSecurityProcessLabel(virConnectPtr conn, * more details. Currently called via qemudShutdownVMDaemon. */ static int -AppArmorReleaseSecurityLabel(virConnectPtr conn ATTRIBUTE_UNUSED, virDomainObjPtr vm) +AppArmorReleaseSecurityLabel(virDomainObjPtr vm) { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; 
@@ -445,14 +444,14 @@ AppArmorReleaseSecurityLabel(virConnectPtr conn ATTRIBUTE_UNUSED, virDomainObjPt static int -AppArmorRestoreSecurityAllLabel(virConnectPtr conn, virDomainObjPtr vm) +AppArmorRestoreSecurityAllLabel(virDomainObjPtr vm) { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; int rc = 0; if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) { if ((rc = remove_profile(secdef->label)) != 0) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("could not remove profile for \'%s\'"), secdef->label); } @@ -464,8 +463,7 @@ AppArmorRestoreSecurityAllLabel(virConnectPtr conn, virDomainObjPtr vm) * LOCAL_STATE_DIR/log/libvirt/qemu/<vm name>.log */ static int -AppArmorSetSecurityProcessLabel(virConnectPtr conn, - virSecurityDriverPtr drv, virDomainObjPtr vm) +AppArmorSetSecurityProcessLabel(virSecurityDriverPtr drv, virDomainObjPtr vm) { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; int rc = -1; @@ -475,7 +473,7 @@ AppArmorSetSecurityProcessLabel(virConnectPtr conn, return rc; if (STRNEQ(drv->name, secdef->model)) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("security label driver mismatch: " "\'%s\' model configured for domain, but " "hypervisor driver is \'%s\'."), @@ -485,7 +483,7 @@ AppArmorSetSecurityProcessLabel(virConnectPtr conn, } if (aa_change_profile(profile_name) < 0) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("error calling aa_change_profile()")); goto clean; } @@ -500,8 +498,7 @@ AppArmorSetSecurityProcessLabel(virConnectPtr conn, /* Called when hotplugging */ static int -AppArmorRestoreSecurityImageLabel(virConnectPtr conn, - virDomainObjPtr vm, +AppArmorRestoreSecurityImageLabel(virDomainObjPtr vm, virDomainDiskDefPtr disk ATTRIBUTE_UNUSED) { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; 
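Review bot: The aa_change_profile() error in AppArmorSetSecurityProcessLabel passes the translated string itself as the format argument: `virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("error calling aa_change_profile()"));`. The other fixed-text messages in this file use `"%s", _("...")`, which stops a stray `%` in a translation catalogue entry from being interpreted as a conversion. Since the line is being rewritten anyway, make it `virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("error calling aa_change_profile()"));`.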
@@ -516,8 +513,8 @@ AppArmorRestoreSecurityImageLabel(virConnectPtr conn, /* Update the profile only if it is loaded */ if (profile_loaded(secdef->imagelabel) >= 0) { - if (load_profile(conn, secdef->imagelabel, vm, NULL) < 0) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + if (load_profile(secdef->imagelabel, vm, NULL) < 0) { + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " "\'%s\'"), secdef->imagelabel); @@ -534,8 +531,7 @@ AppArmorRestoreSecurityImageLabel(virConnectPtr conn, /* Called when hotplugging */ static int -AppArmorSetSecurityImageLabel(virConnectPtr conn, - virDomainObjPtr vm, virDomainDiskDefPtr disk) +AppArmorSetSecurityImageLabel(virDomainObjPtr vm, virDomainDiskDefPtr disk) { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; int rc = -1; @@ -550,7 +546,7 @@ AppArmorSetSecurityImageLabel(virConnectPtr conn, if (secdef->imagelabel) { /* if the device doesn't exist, error out */ if (!virFileExists(disk->src)) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("\'%s\' does not exist"), disk->src); return rc; } @@ -560,8 +556,8 @@ AppArmorSetSecurityImageLabel(virConnectPtr conn, /* update the profile only if it is loaded */ if (profile_loaded(secdef->imagelabel) >= 0) { - if (load_profile(conn, secdef->imagelabel, vm, disk) < 0) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + if (load_profile(secdef->imagelabel, vm, disk) < 0) { + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot update AppArmor profile " "\'%s\'"), secdef->imagelabel); 
@@ -578,13 +574,13 @@ AppArmorSetSecurityImageLabel(virConnectPtr conn, } static int -AppArmorSecurityVerify(virConnectPtr conn, virDomainDefPtr def) +AppArmorSecurityVerify(virDomainDefPtr def) { const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) { if (use_apparmor() < 0 || profile_status(secdef->label, 0) < 0) { - virSecurityReportError(conn, VIR_ERR_XML_ERROR, + virSecurityReportError(VIR_ERR_XML_ERROR, _("Invalid security label \'%s\'"), secdef->label); return -1; @@ -594,16 +590,14 @@ AppArmorSecurityVerify(virConnectPtr conn, virDomainDefPtr def) } static int -AppArmorReserveSecurityLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED) +AppArmorReserveSecurityLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED) { /* NOOP. Nothing to reserve with AppArmor */ return 0; } static int -AppArmorSetSecurityHostdevLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virDomainObjPtr vm, +AppArmorSetSecurityHostdevLabel(virDomainObjPtr vm, virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) { @@ -617,8 +611,7 @@ AppArmorSetSecurityHostdevLabel(virConnectPtr conn ATTRIBUTE_UNUSED, } static int -AppArmorRestoreSecurityHostdevLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virDomainObjPtr vm, +AppArmorRestoreSecurityHostdevLabel(virDomainObjPtr vm, virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED) { diff --git a/src/security/security_driver.c b/src/security/security_driver.c index 4e6172d..27945a6 100644 --- a/src/security/security_driver.c +++ b/src/security/security_driver.c @@ -35,7 +35,7 @@ static virSecurityDriverPtr security_drivers[] = { }; int -virSecurityDriverVerify(virConnectPtr conn, virDomainDefPtr def) +virSecurityDriverVerify(virDomainDefPtr def) { unsigned int i; const virSecurityLabelDefPtr secdef = &def->seclabel; 
@@ -46,10 +46,10 @@ virSecurityDriverVerify(virConnectPtr conn, virDomainDefPtr def) for (i = 0; security_drivers[i] != NULL ; i++) { if (STREQ(security_drivers[i]->name, secdef->model)) { - return security_drivers[i]->domainSecurityVerify(conn, def); + return security_drivers[i]->domainSecurityVerify(def); } } - virSecurityReportError(conn, VIR_ERR_XML_ERROR, + virSecurityReportError(VIR_ERR_XML_ERROR, _("invalid security model '%s'"), secdef->model); return -1; } @@ -72,7 +72,7 @@ virSecurityDriverStartup(virSecurityDriverPtr *drv, switch (tmp->probe()) { case SECURITY_DRIVER_ENABLE: virSecurityDriverInit(tmp); - if (tmp->open(NULL, tmp) == -1) { + if (tmp->open(tmp) == -1) { return -1; } else { *drv = tmp; @@ -91,7 +91,7 @@ virSecurityDriverStartup(virSecurityDriverPtr *drv, } void -virSecurityReportError(virConnectPtr conn, int code, const char *fmt, ...) +virSecurityReportError(int code, const char *fmt, ...) { va_list args; char errorMessage[1024]; @@ -103,7 +103,7 @@ virSecurityReportError(virConnectPtr conn, int code, const char *fmt, ...) } else errorMessage[0] = '\0'; - virRaiseError(conn, NULL, NULL, VIR_FROM_SECURITY, code, + virRaiseError(NULL, NULL, NULL, VIR_FROM_SECURITY, code, VIR_ERR_ERROR, NULL, NULL, NULL, -1, -1, "%s", errorMessage); } @@ -118,12 +118,11 @@ virSecurityDriverInit(virSecurityDriverPtr drv) } int -virSecurityDriverSetDOI(virConnectPtr conn, - virSecurityDriverPtr drv, +virSecurityDriverSetDOI(virSecurityDriverPtr drv, const char *doi) { if (strlen(doi) >= VIR_SECURITY_DOI_BUFLEN) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("%s: DOI \'%s\' is " "longer than the maximum allowed length of %d"), __func__, doi, VIR_SECURITY_DOI_BUFLEN - 1); diff --git a/src/security/security_driver.h b/src/security/security_driver.h index 5d2446d..8860d81 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h 
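Review bot: virSecurityDriverVerify calls `security_drivers[i]->domainSecurityVerify(def)` without checking that the hook is set, while the qemu_driver.c callers in this patch test every hook pointer before calling it. AppArmor and SELinux both provide a verify function in this patch, so this only matters if a driver is ever registered without one. If the hook is meant to be mandatory, say so next to the call with `/* domainSecurityVerify is mandatory for every registered driver */`. Otherwise guard the call and decide explicitly whether a missing verifier accepts or rejects the label. The function starts outside the hunk.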
@@ -29,44 +29,29 @@ typedef enum { typedef struct _virSecurityDriver virSecurityDriver; typedef virSecurityDriver *virSecurityDriverPtr; typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void); -typedef int (*virSecurityDriverOpen) (virConnectPtr conn, - virSecurityDriverPtr drv); -typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn, - virDomainObjPtr vm, +typedef int (*virSecurityDriverOpen) (virSecurityDriverPtr drv); +typedef int (*virSecurityDomainRestoreImageLabel) (virDomainObjPtr vm, virDomainDiskDefPtr disk); -typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn, - virDomainObjPtr vm, +typedef int (*virSecurityDomainSetImageLabel) (virDomainObjPtr vm, virDomainDiskDefPtr disk); -typedef int (*virSecurityDomainRestoreHostdevLabel) (virConnectPtr conn, - virDomainObjPtr vm, +typedef int (*virSecurityDomainRestoreHostdevLabel) (virDomainObjPtr vm, virDomainHostdevDefPtr dev); -typedef int (*virSecurityDomainSetHostdevLabel) (virConnectPtr conn, - virDomainObjPtr vm, +typedef int (*virSecurityDomainSetHostdevLabel) (virDomainObjPtr vm, virDomainHostdevDefPtr dev); -typedef int (*virSecurityDomainSetSavedStateLabel) (virConnectPtr conn, - virDomainObjPtr vm, +typedef int (*virSecurityDomainSetSavedStateLabel) (virDomainObjPtr vm, const char *savefile); -typedef int (*virSecurityDomainRestoreSavedStateLabel) (virConnectPtr conn, - virDomainObjPtr vm, +typedef int (*virSecurityDomainRestoreSavedStateLabel) (virDomainObjPtr vm, const char *savefile); -typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn, - virDomainObjPtr sec); -typedef int (*virSecurityDomainReserveLabel) (virConnectPtr conn, - virDomainObjPtr sec); -typedef int (*virSecurityDomainReleaseLabel) (virConnectPtr conn, - virDomainObjPtr sec); -typedef int (*virSecurityDomainSetAllLabel) (virConnectPtr conn, - virDomainObjPtr sec); -typedef int (*virSecurityDomainRestoreAllLabel) (virConnectPtr conn, - virDomainObjPtr vm); -typedef int 
(*virSecurityDomainGetProcessLabel) (virConnectPtr conn, - virDomainObjPtr vm, +typedef int (*virSecurityDomainGenLabel) (virDomainObjPtr sec); +typedef int (*virSecurityDomainReserveLabel) (virDomainObjPtr sec); +typedef int (*virSecurityDomainReleaseLabel) (virDomainObjPtr sec); +typedef int (*virSecurityDomainSetAllLabel) (virDomainObjPtr sec); +typedef int (*virSecurityDomainRestoreAllLabel) (virDomainObjPtr vm); +typedef int (*virSecurityDomainGetProcessLabel) (virDomainObjPtr vm, virSecurityLabelPtr sec); -typedef int (*virSecurityDomainSetProcessLabel) (virConnectPtr conn, - virSecurityDriverPtr drv, +typedef int (*virSecurityDomainSetProcessLabel) (virSecurityDriverPtr drv, virDomainObjPtr vm); -typedef int (*virSecurityDomainSecurityVerify) (virConnectPtr conn, - virDomainDefPtr def); +typedef int (*virSecurityDomainSecurityVerify) (virDomainDefPtr def); struct _virSecurityDriver { const char *name; @@ -101,16 +86,15 @@ int virSecurityDriverStartup(virSecurityDriverPtr *drv, const char *name); int -virSecurityDriverVerify(virConnectPtr conn, virDomainDefPtr def); +virSecurityDriverVerify(virDomainDefPtr def); void -virSecurityReportError(virConnectPtr conn, int code, const char *fmt, ...) - ATTRIBUTE_FMT_PRINTF(3, 4); +virSecurityReportError(int code, const char *fmt, ...) + ATTRIBUTE_FMT_PRINTF(2, 3); /* Helpers */ void virSecurityDriverInit(virSecurityDriverPtr drv); -int virSecurityDriverSetDOI(virConnectPtr conn, - virSecurityDriverPtr drv, +int virSecurityDriverSetDOI(virSecurityDriverPtr drv, const char *doi); const char *virSecurityDriverGetDOI(virSecurityDriverPtr drv); const char *virSecurityDriverGetModel(virSecurityDriverPtr drv); diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index a97d3de..7507549 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
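Review bot: Four of the callback typedefs name their domain argument `sec` (`virSecurityDomainGenLabel`, `virSecurityDomainReserveLabel`, `virSecurityDomainReleaseLabel`, `virSecurityDomainSetAllLabel`) although it is a `virDomainObjPtr`, and the implementations in this patch call it `vm`. With `conn` gone the parameter name is the only hint the prototype gives, so rename it while these lines are being rewritten, e.g. `typedef int (*virSecurityDomainGenLabel) (virDomainObjPtr vm);`. A one-line comment above the typedefs stating that errors are reported through the thread-local error rather than a connection would also record why `conn` was dropped.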
@@ -156,8 +156,7 @@ SELinuxInitialize(void) } static int -SELinuxGenSecurityLabel(virConnectPtr conn, - virDomainObjPtr vm) +SELinuxGenSecurityLabel(virDomainObjPtr vm) { int rc = -1; char mcs[1024]; @@ -171,7 +170,7 @@ SELinuxGenSecurityLabel(virConnectPtr conn, if (vm->def->seclabel.label || vm->def->seclabel.model || vm->def->seclabel.imagelabel) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("security label already defined for VM")); return rc; } @@ -192,13 +191,13 @@ SELinuxGenSecurityLabel(virConnectPtr conn, vm->def->seclabel.label = SELinuxGenNewContext(default_domain_context, mcs); if (! vm->def->seclabel.label) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot generate selinux context for %s"), mcs); goto err; } vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs); if (! vm->def->seclabel.imagelabel) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("cannot generate selinux context for %s"), mcs); goto err; } @@ -221,8 +220,7 @@ done: } static int -SELinuxReserveSecurityLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virDomainObjPtr vm) +SELinuxReserveSecurityLabel(virDomainObjPtr vm) { security_context_t pctx; context_t ctx = NULL; 
@@ -266,19 +264,18 @@ SELinuxSecurityDriverProbe(void) } static int -SELinuxSecurityDriverOpen(virConnectPtr conn, virSecurityDriverPtr drv) +SELinuxSecurityDriverOpen(virSecurityDriverPtr drv) { /* * Where will the DOI come from? SELinux configuration, or qemu * configuration? For the moment, we'll just set it to "0". */ - virSecurityDriverSetDOI(conn, drv, SECURITY_SELINUX_VOID_DOI); + virSecurityDriverSetDOI(drv, SECURITY_SELINUX_VOID_DOI); return SELinuxInitialize(); } static int -SELinuxGetSecurityProcessLabel(virConnectPtr conn, - virDomainObjPtr vm, +SELinuxGetSecurityProcessLabel(virDomainObjPtr vm, virSecurityLabelPtr sec) { security_context_t ctx; @@ -291,7 +288,7 @@ SELinuxGetSecurityProcessLabel(virConnectPtr conn, } if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("security label exceeds " "maximum length: %d"), VIR_SECURITY_LABEL_BUFLEN - 1); @@ -380,8 +377,7 @@ err: } static int -SELinuxRestoreSecurityImageLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virDomainObjPtr vm, +SELinuxRestoreSecurityImageLabel(virDomainObjPtr vm, virDomainDiskDefPtr disk) { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; @@ -407,8 +403,7 @@ SELinuxRestoreSecurityImageLabel(virConnectPtr conn ATTRIBUTE_UNUSED, } static int -SELinuxSetSecurityImageLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virDomainObjPtr vm, +SELinuxSetSecurityImageLabel(virDomainObjPtr vm, virDomainDiskDefPtr disk) { @@ -482,8 +477,7 @@ SELinuxSetSecurityUSBLabel(virConnectPtr conn ATTRIBUTE_UNUSED, } static int -SELinuxSetSecurityHostdevLabel(virConnectPtr conn, - virDomainObjPtr vm, +SELinuxSetSecurityHostdevLabel(virDomainObjPtr vm, virDomainHostdevDefPtr dev) { 
@@ -506,7 +500,7 @@ SELinuxSetSecurityHostdevLabel(virConnectPtr conn, if (!usb) goto done; - ret = usbDeviceFileIterate(conn, usb, SELinuxSetSecurityUSBLabel, vm); + ret = usbDeviceFileIterate(NULL, usb, SELinuxSetSecurityUSBLabel, vm); usbFreeDevice(usb); break; } @@ -520,7 +514,7 @@ SELinuxSetSecurityHostdevLabel(virConnectPtr conn, if (!pci) goto done; - ret = pciDeviceFileIterate(conn, pci, SELinuxSetSecurityPCILabel, vm); + ret = pciDeviceFileIterate(NULL, pci, SELinuxSetSecurityPCILabel, vm); pciFreeDevice(pci); break; @@ -555,8 +549,7 @@ SELinuxRestoreSecurityUSBLabel(virConnectPtr conn ATTRIBUTE_UNUSED, } static int -SELinuxRestoreSecurityHostdevLabel(virConnectPtr conn, - virDomainObjPtr vm, +SELinuxRestoreSecurityHostdevLabel(virDomainObjPtr vm, virDomainHostdevDefPtr dev) { @@ -579,7 +572,7 @@ SELinuxRestoreSecurityHostdevLabel(virConnectPtr conn, if (!usb) goto done; - ret = usbDeviceFileIterate(conn, usb, SELinuxRestoreSecurityUSBLabel, NULL); + ret = usbDeviceFileIterate(NULL, usb, SELinuxRestoreSecurityUSBLabel, NULL); usbFreeDevice(usb); break; @@ -594,7 +587,7 @@ SELinuxRestoreSecurityHostdevLabel(virConnectPtr conn, if (!pci) goto done; - ret = pciDeviceFileIterate(conn, pci, SELinuxRestoreSecurityPCILabel, NULL); + ret = pciDeviceFileIterate(NULL, pci, SELinuxRestoreSecurityPCILabel, NULL); pciFreeDevice(pci); break; @@ -610,8 +603,7 @@ done: } static int -SELinuxRestoreSecurityAllLabel(virConnectPtr conn, - virDomainObjPtr vm) +SELinuxRestoreSecurityAllLabel(virDomainObjPtr vm) { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; int i; 
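Review bot: The iterator calls now pass a literal `NULL` connection, as in `usbDeviceFileIterate(NULL, usb, SELinuxSetSecurityUSBLabel, vm)` and the PCI and restore variants in the following hunks, with nothing explaining why. The callbacks still declare `virConnectPtr conn ATTRIBUTE_UNUSED`, as the hunk headers show, so the argument appears to be dead. A comment like `/* conn is unused by the callback; errors go to the thread-local error */` at the first call would make that explicit, as would a follow-up that drops the parameter from the iterators. SELinuxSetSecurityHostdevLabel starts and ends outside this hunk.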
@@ -623,11 +615,11 @@ SELinuxRestoreSecurityAllLabel(virConnectPtr conn, return 0; for (i = 0 ; i < vm->def->nhostdevs ; i++) { - if (SELinuxRestoreSecurityHostdevLabel(conn, vm, vm->def->hostdevs[i]) < 0) + if (SELinuxRestoreSecurityHostdevLabel(vm, vm->def->hostdevs[i]) < 0) rc = -1; } for (i = 0 ; i < vm->def->ndisks ; i++) { - if (SELinuxRestoreSecurityImageLabel(conn, vm, + if (SELinuxRestoreSecurityImageLabel(vm, vm->def->disks[i]) < 0) rc = -1; } @@ -636,8 +628,7 @@ SELinuxRestoreSecurityAllLabel(virConnectPtr conn, } static int -SELinuxReleaseSecurityLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virDomainObjPtr vm) +SELinuxReleaseSecurityLabel(virDomainObjPtr vm) { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; @@ -659,8 +650,7 @@ SELinuxReleaseSecurityLabel(virConnectPtr conn ATTRIBUTE_UNUSED, static int -SELinuxSetSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virDomainObjPtr vm, +SELinuxSetSavedStateLabel(virDomainObjPtr vm, const char *savefile) { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; @@ -673,8 +663,7 @@ SELinuxSetSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED, static int -SELinuxRestoreSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED, - virDomainObjPtr vm, +SELinuxRestoreSavedStateLabel(virDomainObjPtr vm, const char *savefile) { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; @@ -687,12 +676,12 @@ SELinuxRestoreSavedStateLabel(virConnectPtr conn ATTRIBUTE_UNUSED, static int -SELinuxSecurityVerify(virConnectPtr conn, virDomainDefPtr def) +SELinuxSecurityVerify(virDomainDefPtr def) { const virSecurityLabelDefPtr secdef = &def->seclabel; if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) { if (security_check_context(secdef->label) != 0) { - virSecurityReportError(conn, VIR_ERR_XML_ERROR, + virSecurityReportError(VIR_ERR_XML_ERROR, _("Invalid security label %s"), secdef->label); return -1; } 
@@ -701,8 +690,7 @@ SELinuxSecurityVerify(virConnectPtr conn, virDomainDefPtr def) } static int -SELinuxSetSecurityProcessLabel(virConnectPtr conn, - virSecurityDriverPtr drv, +SELinuxSetSecurityProcessLabel(virSecurityDriverPtr drv, virDomainObjPtr vm) { /* TODO: verify DOI */ @@ -712,7 +700,7 @@ SELinuxSetSecurityProcessLabel(virConnectPtr conn, return 0; if (!STREQ(drv->name, secdef->model)) { - virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR, + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, _("security label driver mismatch: " "'%s' model configured for domain, but " "hypervisor driver is '%s'."), @@ -733,8 +721,7 @@ SELinuxSetSecurityProcessLabel(virConnectPtr conn, } static int -SELinuxSetSecurityAllLabel(virConnectPtr conn, - virDomainObjPtr vm) +SELinuxSetSecurityAllLabel(virDomainObjPtr vm) { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; int i; @@ -749,11 +736,11 @@ SELinuxSetSecurityAllLabel(virConnectPtr conn, vm->def->disks[i]->src, vm->def->disks[i]->dst); continue; } - if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0) + if (SELinuxSetSecurityImageLabel(vm, vm->def->disks[i]) < 0) return -1; } for (i = 0 ; i < vm->def->nhostdevs ; i++) { - if (SELinuxSetSecurityHostdevLabel(conn, vm, vm->def->hostdevs[i]) < 0) + if (SELinuxSetSecurityHostdevLabel(vm, vm->def->hostdevs[i]) < 0) return -1; } -- 1.6.6 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
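Review bot: The driver/model check in SELinuxSetSecurityProcessLabel is written `if (!STREQ(drv->name, secdef->model)) {`, while the equivalent check in AppArmorSetSecurityProcessLabel uses `STRNEQ(drv->name, secdef->model)`. Writing `if (STRNEQ(drv->name, secdef->model)) {` here keeps the two drivers' mismatch checks textually the same, which makes them easier to audit side by side. The `/* TODO: verify DOI */` at the top of the function is also still open; if it is not addressed in this series, the comment should say what is currently left unchecked.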