2010/6/24 Daniel P. Berrange <berrange@xxxxxxxxxx>: > When configuring serial, parallel, console or channel devices > with a file, dev or pipe backend type, it is neccessary to label > the file path in the security drivers. For char devices of type > file, it is neccessary to pre-create (touch) the file if it does > not already exist since QEMU won't be allowed todo so itself. > dev/pipe configs already require the admin to pre-create before > starting the guest. Two typos: s/neccessary/necessary > * src/qemu/qemu_security_dac.c: set file ownership for character > devices > * src/security/security_selinux.c: Set file labelling for character Another typo: s/labelling/labeling > devices > * src/qemu/qemu_driver.c: Add character devices to cgroup ACL > --- > src/qemu/qemu_driver.c | 59 +++++++++++++++++++ > src/qemu/qemu_security_dac.c | 117 ++++++++++++++++++++++++++++++++++++++ > src/security/security_selinux.c | 119 +++++++++++++++++++++++++++++++++++++++ > src/util/cgroup.c | 2 +- > 4 files changed, 296 insertions(+), 1 deletions(-) >
> diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
> index a7b3f25..6274d4c 100644
> --- a/src/qemu/qemu_driver.c
> +++ b/src/qemu/qemu_driver.c
> @@ -2950,6 +2950,28 @@ qemuPrepareHostDevices(struct qemud_driver *driver,
> }
>
>
> +static int
> +qemuPrepareChardevDevice(virDomainDefPtr def ATTRIBUTE_UNUSED,
> + virDomainChrDefPtr dev,
> + void *opaque ATTRIBUTE_UNUSED)
> +{
> + int fd;
> + if (dev->type != VIR_DOMAIN_CHR_TYPE_FILE)
> + return 0;
> +
> + if ((fd = open(dev->data.file.path, O_CREAT | O_APPEND, S_IRUSR|S_IWUSR)) < 0) {
> + virReportSystemError(errno,
> + _("Unable to pre-create chardev file %s"), Maybe use '%s' here instead of plain %s.
> + dev->data.file.path);
> + return -1;
> + }
> +
> + close(fd);
> +
> + return 0;
> +}
> +
> +
> static void
> qemudReattachManagedDevice(pciDevice *dev)
> {
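Review bot: The open() in qemuPrepareChardevDevice passes O_CREAT | O_APPEND with no access mode and no O_NOFOLLOW, so a symbolic link sitting at dev->data.file.path is followed and the file it points to is created or opened with the daemon's privileges instead of the configured path itself. Since the call only has to make the file exist, `if ((fd = open(dev->data.file.path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, S_IRUSR|S_IWUSR)) < 0) {` states both the intent and the restriction. Whether a link at that path is ever a legitimate configuration is not visible in the hunk; if it is, a comment saying so is the alternative. The function could also carry the contract the commit message gives, e.g. `/* QEMU cannot create the file itself; touch it now so the security drivers can label it. */` above the open() call.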
> @@ -3124,6 +3146,30 @@ cleanup:
> }
>
>
> +static int qemuSetupChardevCgroup(virDomainDefPtr def,
> + virDomainChrDefPtr dev,
> + void *opaque)
> +{
> + virCgroupPtr cgroup = opaque;
> + int rc;
> +
> + if (dev->type != VIR_DOMAIN_CHR_TYPE_DEV)
> + return 0;
> +
> +
> + VIR_DEBUG("Process path %s for disk", dev->data.file.path); Again '%s' instead of plain %s.
> + rc = virCgroupAllowDevicePath(cgroup, dev->data.file.path);
> + if (rc != 0) {
> + virReportSystemError(-rc,
> + _("Unable to allow device %s for %s"), Here too. ACK. Matthias -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list