Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx> --- docs/manpages/virsh.rst | 22 +++++++++++ tools/virsh-domain.c | 83 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 105 insertions(+) diff --git a/docs/manpages/virsh.rst b/docs/manpages/virsh.rst index c85bc8151d..7e57796384 100644 --- a/docs/manpages/virsh.rst +++ b/docs/manpages/virsh.rst @@ -5225,6 +5225,28 @@ If *--print-xml* is specified, the XML that would be used to change media is printed instead of changing the media. +dom-fd-associate +---------------- + +**Syntax:** + +:: + + dom-fd-associate domain --name FDGROUPNAME --pass-fds M,N,.... + [--seclabel-writable] [--seclabel-restore] [--seclabel-restore-require] + +Associate one or more fds described via *--pass-fds* argument to *domain* as +*--name*. The lifetime of the passed fd group is the same as the connection, thus +exitting virsh un-registers them afterwards. + +By default security labels are applied if needed but they are not restored after +use to avoid keeping them open unnecessarily. Best-effort security label restore +may be requested by using the *--seclabel-restore* flag. + +Passing *--seclabel-restore-require* instructs the hypervisor to try harder to +restore security labels. **Note:** Hypervisors currently don't support this flag. + + NODEDEV COMMANDS ================ diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c index 2d162cf8c0..5cbbb4bd28 100644 --- a/tools/virsh-domain.c +++ b/tools/virsh-domain.c 
@@ -9816,6 +9816,83 @@ cmdDomSetLaunchSecState(vshControl * ctl, const vshCmd * cmd) return ret; } + +/* + * "dom-fd-associate" command + */ +static const vshCmdInfo info_dom_fd_associate[] = { + {.name = "help", + .data = N_("associate a FD with a domain") + }, + {.name = "desc", + .data = N_("associate a FD with a domain") + }, + {.name = NULL} +}; + +static const vshCmdOptDef opts_dom_fd_associate[] = { + VIRSH_COMMON_OPT_DOMAIN_FULL(0), + {.name = "name", + .type = VSH_OT_DATA, + .flags = VSH_OFLAG_REQ, + .completer = virshCompleteEmpty, + .help = N_("name of the FD group") + }, + {.name = "pass-fds", + .type = VSH_OT_DATA, + .flags = VSH_OFLAG_REQ, + .completer = virshCompleteEmpty, + .help = N_("file descriptors N,M,... to associate") + }, + {.name = "seclabel-writable", + .type = VSH_OT_BOOL, + .help = N_("use seclabels allowing writes") + }, + {.name = "seclabel-restore", + .type = VSH_OT_BOOL, + .help = N_("Try to restore security label after use if possible") + }, + {.name = "seclabel-restore-require", + .type = VSH_OT_BOOL, + .help = N_("require that security label is restored after use") + }, + {.name = NULL} +}; + +static bool +cmdDomFdAssociate(vshControl *ctl, const vshCmd *cmd) +{ + g_autoptr(virshDomain) dom = NULL; + const char *name = NULL; + unsigned int flags = 0; + g_autofree int *fds = NULL; + size_t nfds = 0; + + if (vshCommandOptBool(cmd, "seclabel-writable")) + flags |= VIR_DOMAIN_FD_ASSOCIATE_SECLABEL_WRITABLE; + + if (vshCommandOptBool(cmd, "seclabel-restore")) + flags |= VIR_DOMAIN_FD_ASSOCIATE_SECLABEL_RESTORE; + + if (vshCommandOptBool(cmd, "seclabel-restore-require")) + flags |= VIR_DOMAIN_FD_ASSOCIATE_SECLABEL_WRITABLE; + + if (!(dom = virshCommandOptDomain(ctl, cmd, NULL))) + return false; + + if (vshCommandOptStringReq(ctl, cmd, "name", &name) < 0) + return false; + + if (virshFetchPassFdsList(ctl, cmd, &nfds, &fds) < 0) + return false; + + if (virDomainFDAssociate(dom, name, nfds, fds, flags) < 0) + return false; + + return true; 
+} + + /* * "qemu-monitor-command" command */ @@ -14417,5 +14494,11 @@ const vshCmdDef domManagementCmds[] = { .info = info_domdirtyrate_calc, .flags = 0 }, + {.name = "dom-fd-associate", + .handler = cmdDomFdAssociate, + .opts = opts_dom_fd_associate, + .info = info_dom_fd_associate, + .flags = 0 + }, {.name = NULL} }; -- 2.38.1
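Review bot: In `cmdDomFdAssociate` the `seclabel-restore-require` branch ORs in `VIR_DOMAIN_FD_ASSOCIATE_SECLABEL_WRITABLE`, the same flag the `seclabel-writable` branch sets, which looks like a copy-paste slip. As written, a user who asks for the strictest label-restore behaviour gets the passed FDs labelled for write access instead, and no restore-require request reaches `virDomainFDAssociate` at all. That silently widens access on a security-label path, contrary to what the virsh.rst text in this patch describes. The branch should set the restore-require member of the FD-associate flags enum, whose name is not visible in this patch: `flags |= <RESTORE_REQUIRE_FLAG_PLACEHOLDER>;`. Because the man page says hypervisors do not support that flag yet, the corrected option would presumably fail rather than succeed with the wrong semantics, which is the safer outcome.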