Enabling a security driver in qemu.conf is currently all or nothing. The
option to disable security on a per VM basis can be a useful debugging
tool or workaround for frustrated users.

Patches 1-3 and 5-6 are prep and cleanup work.
Patch 4 fixes an easily triggerable segfault when defining a domain in qemu.
Patch 7 is the actual feature.

Cole Robinson (7):
  tests: Add qemuxml2xml tests for <seclabel> handling
  security: Use virDomainSeclabelDefClear
  security: Add virSecurityIsSpecifiedDriver
  qemu: Fix segfault if defining a domain without <seclabel>
  domain: Handle seclabel model with an enum
  domain: Always validate seclabel model
  security: Allow disabling security on a per VM basis

 cfg.mk                                         |   1 +
 docs/schemas/domain.rng                        |  13 ++-
 src/conf/domain_conf.c                         |  69 ++++++++++-----
 src/conf/domain_conf.h                         |  15 +++-
 src/libvirt_private.syms                       |   2 +-
 src/qemu/qemu_driver.c                         |   4 +-
 src/security/security_apparmor.c               |  31 ++-----
 src/security/security_driver.c                 |  25 ++++++
 src/security/security_driver.h                 |   3 +
 src/security/security_manager.c                |  90 +++++++++++++-------
 src/security/security_selinux.c                |  50 +++---------
 tests/domainschematest                         |   2 +-
 .../qemuxml2xml-balloon-device-auto-out.xml    |  25 ++++++
 .../qemuxml2xml-channel-virtio-auto-out.xml    |  54 ++++++++++++
 .../qemuxml2xml-console-compat-auto-out.xml    |  31 +++++++
 .../qemuxml2xml-console-virtio-out.xml         |  29 ++++++
 .../qemuxml2xml-disk-scsi-device-auto-out.xml  |  31 +++++++
 .../qemuxml2xml-seclabel-dynamic-in.xml        |  24 +++++
 .../qemuxml2xml-seclabel-dynamic-out.xml       |  21 +++++
 .../qemuxml2xml-seclabel-model-none-in.xml     |  21 +++++
 .../qemuxml2xml-seclabel-model-none-out.xml    |  21 +++++
 .../qemuxml2xml-seclabel-static-in.xml         |  24 +++++
 .../qemuxml2xml-seclabel-static-out.xml        |  23 +++++
 .../qemuxml2xmlout-balloon-device-auto.xml     |  25 ------
 .../qemuxml2xmlout-channel-virtio-auto.xml     |  54 ------------
 .../qemuxml2xmlout-console-compat-auto.xml     |  31 -------
 .../qemuxml2xmlout-console-virtio.xml          |  29 ------
 .../qemuxml2xmlout-disk-scsi-device-auto.xml   |  31 -------
 tests/qemuxml2xmltest.c                        |  26 ++++--
 29 files changed, 501 insertions(+), 304 deletions(-)
 create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-balloon-device-auto-out.xml
 create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-channel-virtio-auto-out.xml
 create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-console-compat-auto-out.xml
 create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-console-virtio-out.xml
 create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-disk-scsi-device-auto-out.xml
 create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-seclabel-dynamic-in.xml
 create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-seclabel-dynamic-out.xml
 create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-in.xml
 create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-out.xml
 create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-seclabel-static-in.xml
 create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-seclabel-static-out.xml
 delete mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-balloon-device-auto.xml
 delete mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-channel-virtio-auto.xml
 delete mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-console-compat-auto.xml
 delete mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-console-virtio.xml
 delete mode 100644 tests/qemuxml2xmloutdata/qemuxml2xmlout-disk-scsi-device-auto.xml

--
1.7.3.2