[PATCH 5/7] domain: Handle seclabel model with an enum

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This allows us to explicitly handle the 'default' seclabel case, as
well as provide easier model validation.

Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx>
---
 src/conf/domain_conf.c           |   38 ++++++++++++++++++++++++++++++--------
 src/conf/domain_conf.h           |   14 ++++++++++++--
 src/security/security_apparmor.c |    9 +++------
 src/security/security_driver.c   |   15 ++++++++++-----
 src/security/security_selinux.c  |    8 ++------
 5 files changed, 57 insertions(+), 27 deletions(-)

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 8f6ef55..077a396 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -313,6 +313,12 @@ VIR_ENUM_IMPL(virDomainSeclabel, VIR_DOMAIN_SECLABEL_LAST,
               "dynamic",
               "static")
 
+VIR_ENUM_IMPL(virDomainSeclabelModel, VIR_DOMAIN_SECLABEL_MODEL_LAST,
+              "default",
+              "selinux",
+              "apparmor",
+              "none")
+
 VIR_ENUM_IMPL(virDomainNetdevMacvtap, VIR_DOMAIN_NETDEV_MACVTAP_MODE_LAST,
               "vepa",
               "private",
@@ -759,7 +765,7 @@ void virDomainSeclabelDefClear(virSecurityLabelDefPtr seclabel)
     if (!seclabel)
         return;
 
-    VIR_FREE(seclabel->model);
+    seclabel->model = VIR_DOMAIN_SECLABEL_MODEL_DEFAULT;
     VIR_FREE(seclabel->label);
     VIR_FREE(seclabel->imagelabel);
 }
@@ -4244,7 +4250,15 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
                                  "%s", _("missing security model"));
             goto error;
         }
-        def->seclabel.model = p;
+
+        def->seclabel.model = virDomainSeclabelModelTypeFromString(p);
+        if (def->seclabel.model < 0) {
+            virDomainReportError(VIR_ERR_XML_ERROR,
+                                 _("unknown security model '%s'"), p);
+            VIR_FREE(p);
+            goto error;
+        }
+        VIR_FREE(p);
 
         p = virXPathStringLimit("string(./seclabel/label[1])",
                                 VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
@@ -7336,18 +7350,26 @@ char *virDomainDefFormat(virDomainDefPtr def,
 
     virBufferAddLit(&buf, "  </devices>\n");
 
-    if (def->seclabel.model) {
-        const char *sectype = virDomainSeclabelTypeToString(def->seclabel.type);
+    if (def->seclabel.model != VIR_DOMAIN_SECLABEL_MODEL_DEFAULT) {
+        const char *sectype, *secmodel;
+
+        sectype = virDomainSeclabelTypeToString(def->seclabel.type);
         if (!sectype)
             goto cleanup;
+
+        secmodel = virDomainSeclabelModelTypeToString(def->seclabel.model);
+        if (!secmodel)
+            goto cleanup;
+
+        virBufferVSprintf(&buf, "  <seclabel type='%s' model='%s'",
+                          sectype, secmodel);
+
         if (!def->seclabel.label ||
             (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
              (flags & VIR_DOMAIN_XML_INACTIVE))) {
-            virBufferVSprintf(&buf, "  <seclabel type='%s' model='%s'/>\n",
-                              sectype, def->seclabel.model);
+            virBufferAddLit(&buf, "/>\n");
         } else {
-            virBufferVSprintf(&buf, "  <seclabel type='%s' model='%s'>\n",
-                                  sectype, def->seclabel.model);
+            virBufferAddLit(&buf, ">\n");
             virBufferEscapeString(&buf, "    <label>%s</label>\n",
                                   def->seclabel.label);
             if (def->seclabel.imagelabel &&
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index b5cf433..81409f8 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -782,14 +782,23 @@ enum virDomainSeclabelType {
     VIR_DOMAIN_SECLABEL_LAST,
 };
 
+enum virDomainSeclabelModel {
+    VIR_DOMAIN_SECLABEL_MODEL_DEFAULT,
+    VIR_DOMAIN_SECLABEL_MODEL_SELINUX,
+    VIR_DOMAIN_SECLABEL_MODEL_APPARMOR,
+    VIR_DOMAIN_SECLABEL_MODEL_NONE,
+
+    VIR_DOMAIN_SECLABEL_MODEL_LAST,
+};
+
 /* Security configuration for domain */
 typedef struct _virSecurityLabelDef virSecurityLabelDef;
 typedef virSecurityLabelDef *virSecurityLabelDefPtr;
 struct _virSecurityLabelDef {
-    char *model;        /* name of security model */
     char *label;        /* security label string */
     char *imagelabel;   /* security image label string */
-    int type;
+    int type;           /* dynamic vs. static */
+    int model;          /* name of security model */
 };
 
 enum virDomainTimerNameType {
@@ -1287,6 +1296,7 @@ VIR_ENUM_DECL(virDomainGraphicsSpiceChannelMode)
 /* from libvirt.h */
 VIR_ENUM_DECL(virDomainState)
 VIR_ENUM_DECL(virDomainSeclabel)
+VIR_ENUM_DECL(virDomainSeclabelModel)
 VIR_ENUM_DECL(virDomainClockOffset)
 
 VIR_ENUM_DECL(virDomainNetdevMacvtap)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 00e5a01..7a6fe5c 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -441,7 +441,8 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
         return 0;
 
     if ((vm->def->seclabel.label) ||
-        (vm->def->seclabel.model) || (vm->def->seclabel.imagelabel)) {
+        (vm->def->seclabel.model != VIR_DOMAIN_SECLABEL_MODEL_DEFAULT) ||
+        (vm->def->seclabel.imagelabel)) {
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                "%s",
                                _("security label already defined for VM"));
@@ -465,11 +466,7 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
         goto err;
     }
 
-    vm->def->seclabel.model = strdup(SECURITY_APPARMOR_NAME);
-    if (!vm->def->seclabel.model) {
-        virReportOOMError();
-        goto err;
-    }
+    vm->def->seclabel.model = VIR_DOMAIN_SECLABEL_MODEL_APPARMOR;
 
     rc = 0;
     goto clean;
diff --git a/src/security/security_driver.c b/src/security/security_driver.c
index 7d2e0de..2cd4c0e 100644
--- a/src/security/security_driver.c
+++ b/src/security/security_driver.c
@@ -80,18 +80,23 @@ bool
 virSecurityIsSpecifiedDriver(virSecurityManagerPtr mgr,
                              virDomainDefPtr def)
 {
-    bool ret = true;
+    bool ret = false;
+    const char *model = virDomainSeclabelModelTypeToString(def->seclabel.model);
+    if (!model)
+        goto err;
 
-    if (def->seclabel.model &&
-        !STREQ(virSecurityManagerGetModel(mgr), def->seclabel.model)) {
+    if (def->seclabel.model != VIR_DOMAIN_SECLABEL_MODEL_DEFAULT &&
+        !STREQ(virSecurityManagerGetModel(mgr), model)) {
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                _("security label driver mismatch: "
                                  "'%s' model configured for domain, but "
                                  "hypervisor driver is '%s'."),
-                               def->seclabel.model,
+                               model,
                                virSecurityManagerGetModel(mgr));
-        ret = false;
+        goto err;
     }
 
+    ret = true;
+err:
     return ret;
 }
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index f3b76f9..2266c21 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -173,7 +173,7 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
         return 0;
 
     if (vm->def->seclabel.label ||
-        vm->def->seclabel.model ||
+        vm->def->seclabel.model != VIR_DOMAIN_SECLABEL_MODEL_DEFAULT ||
         vm->def->seclabel.imagelabel) {
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                "%s", _("security label already defined for VM"));
@@ -206,12 +206,8 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                _("cannot generate selinux context for %s"), mcs);
         goto err;
     }
-    vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME);
-    if (!vm->def->seclabel.model) {
-        virReportOOMError();
-        goto err;
-    }
 
+    vm->def->seclabel.model = VIR_DOMAIN_SECLABEL_MODEL_SELINUX;
 
     rc = 0;
     goto done;
-- 
1.7.3.2

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]