Make the SecurityManager explicitly handle the case when seclabel model='none'. Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx> --- src/security/security_manager.c | 90 +++++++++++++------- .../qemuxml2xml-seclabel-model-none-in.xml | 21 +++++ .../qemuxml2xml-seclabel-model-none-out.xml | 21 +++++ tests/qemuxml2xmltest.c | 1 + 4 files changed, 101 insertions(+), 32 deletions(-) create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-in.xml create mode 100644 tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-out.xml diff --git a/src/security/security_manager.c b/src/security/security_manager.c index 66cffb5..9f98886 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -122,6 +122,16 @@ void virSecurityManagerFree(virSecurityManagerPtr mgr) VIR_FREE(mgr); } +static virSecurityDriverPtr +virSecurityManagerGetDriver(virSecurityManagerPtr mgr, + virDomainDefPtr def) +{ + if (def->seclabel.model == VIR_DOMAIN_SECLABEL_MODEL_NONE) + return virSecurityDriverLookup("none"); + + return mgr->drv; +} + const char * virSecurityManagerGetDOI(virSecurityManagerPtr mgr) { @@ -151,8 +161,9 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm, virDomainDiskDefPtr disk) { - if (mgr->drv->domainRestoreSecurityImageLabel) - return mgr->drv->domainRestoreSecurityImageLabel(mgr, vm, disk); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainRestoreSecurityImageLabel) + return drv->domainRestoreSecurityImageLabel(mgr, vm, disk); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; 
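Review bot: `virSecurityManagerGetDriver` returns the result of `virSecurityDriverLookup("none")` unchecked, and every wrapper touched by this patch, from `virSecurityManagerRestoreImageLabel` through `virSecurityManagerVerify`, dereferences it straight away in `if (drv->domain…)`. The lookup's definition is not in this diff, but if it can return NULL (for instance when no usable driver of that name is registered), a domain with model='none' turns every labelling call into a NULL dereference in the daemon. Guarding the callers, e.g. `if (drv && drv->domainSetSecurityAllLabel)`, would fall through to the existing `VIR_ERR_NO_SUPPORT` error path and fail closed. Resolving the "none" driver once when the manager is created would also remove the string lookup on each call. The callbacks still receive `mgr`, whose `mgr->drv` is the host driver, so this is presumably only safe while the "none" driver's callbacks ignore their manager argument; a comment on the helper should say so.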
@@ -161,8 +172,9 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) { - if (mgr->drv->domainSetSecuritySocketLabel) - return mgr->drv->domainSetSecuritySocketLabel(mgr, vm); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainSetSecuritySocketLabel) + return drv->domainSetSecuritySocketLabel(mgr, vm); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; @@ -171,8 +183,9 @@ int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) { - if (mgr->drv->domainClearSecuritySocketLabel) - return mgr->drv->domainClearSecuritySocketLabel(mgr, vm); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainClearSecuritySocketLabel) + return drv->domainClearSecuritySocketLabel(mgr, vm); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; @@ -182,8 +195,9 @@ int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm, virDomainDiskDefPtr disk) { - if (mgr->drv->domainSetSecurityImageLabel) - return mgr->drv->domainSetSecurityImageLabel(mgr, vm, disk); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainSetSecurityImageLabel) + return drv->domainSetSecurityImageLabel(mgr, vm, disk); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; 
@@ -193,8 +207,9 @@ int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm, virDomainHostdevDefPtr dev) { - if (mgr->drv->domainRestoreSecurityHostdevLabel) - return mgr->drv->domainRestoreSecurityHostdevLabel(mgr, vm, dev); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainRestoreSecurityHostdevLabel) + return drv->domainRestoreSecurityHostdevLabel(mgr, vm, dev); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; @@ -204,8 +219,9 @@ int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm, virDomainHostdevDefPtr dev) { - if (mgr->drv->domainSetSecurityHostdevLabel) - return mgr->drv->domainSetSecurityHostdevLabel(mgr, vm, dev); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainSetSecurityHostdevLabel) + return drv->domainSetSecurityHostdevLabel(mgr, vm, dev); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; @@ -215,8 +231,9 @@ int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm, const char *savefile) { - if (mgr->drv->domainSetSavedStateLabel) - return mgr->drv->domainSetSavedStateLabel(mgr, vm, savefile); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainSetSavedStateLabel) + return drv->domainSetSavedStateLabel(mgr, vm, savefile); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; @@ -226,8 +243,9 @@ int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm, const char *savefile) { - if (mgr->drv->domainRestoreSavedStateLabel) - return mgr->drv->domainRestoreSavedStateLabel(mgr, vm, savefile); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainRestoreSavedStateLabel) + return drv->domainRestoreSavedStateLabel(mgr, vm, savefile); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; 
@@ -236,8 +254,9 @@ int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr, int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) { - if (mgr->drv->domainGenSecurityLabel) - return mgr->drv->domainGenSecurityLabel(mgr, vm); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainGenSecurityLabel) + return drv->domainGenSecurityLabel(mgr, vm); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; @@ -246,8 +265,9 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr, int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) { - if (mgr->drv->domainReserveSecurityLabel) - return mgr->drv->domainReserveSecurityLabel(mgr, vm); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainReserveSecurityLabel) + return drv->domainReserveSecurityLabel(mgr, vm); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; @@ -256,8 +276,9 @@ int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr, int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) { - if (mgr->drv->domainReleaseSecurityLabel) - return mgr->drv->domainReleaseSecurityLabel(mgr, vm); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainReleaseSecurityLabel) + return drv->domainReleaseSecurityLabel(mgr, vm); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; @@ -267,8 +288,9 @@ int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm, const char *stdin_path) { - if (mgr->drv->domainSetSecurityAllLabel) - return mgr->drv->domainSetSecurityAllLabel(mgr, vm, stdin_path); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainSetSecurityAllLabel) + return drv->domainSetSecurityAllLabel(mgr, vm, stdin_path); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; 
@@ -278,8 +300,9 @@ int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm, int migrated) { - if (mgr->drv->domainRestoreSecurityAllLabel) - return mgr->drv->domainRestoreSecurityAllLabel(mgr, vm, migrated); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainRestoreSecurityAllLabel) + return drv->domainRestoreSecurityAllLabel(mgr, vm, migrated); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; @@ -289,8 +312,9 @@ int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm, virSecurityLabelPtr sec) { - if (mgr->drv->domainGetSecurityProcessLabel) - return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, sec); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainGetSecurityProcessLabel) + return drv->domainGetSecurityProcessLabel(mgr, vm, sec); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; @@ -299,8 +323,9 @@ int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) { - if (mgr->drv->domainSetSecurityProcessLabel) - return mgr->drv->domainSetSecurityProcessLabel(mgr, vm); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, vm->def); + if (drv->domainSetSecurityProcessLabel) + return drv->domainSetSecurityProcessLabel(mgr, vm); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; @@ -309,8 +334,9 @@ int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr, int virSecurityManagerVerify(virSecurityManagerPtr mgr, virDomainDefPtr def) { - if (mgr->drv->domainSecurityVerify) - return mgr->drv->domainSecurityVerify(mgr, def); + virSecurityDriverPtr drv = virSecurityManagerGetDriver(mgr, def); + if (drv->domainSecurityVerify) + return drv->domainSecurityVerify(mgr, def); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; 
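Review bot: In `virSecurityManagerVerify` the driver is now selected from the very `def` being verified, so a definition carrying model='none' is never shown to the host driver's `domainSecurityVerify`. Combined with the Set*/Gen* wrappers in the earlier hunks, the domain XML alone can switch off the confinement the host was configured with, and nothing visible in this patch lets an administrator require that guests stay labelled. Verify is the natural place for such a gate: check host policy before dispatching and return an error for model='none' when confinement is mandatory. The helper should carry a comment such as `/* per-domain opt-out: model='none' bypasses mgr->drv by design */`, and logging each unconfined start would give operators an audit trail. The function's closing brace lies outside the hunk.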
diff --git a/tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-in.xml b/tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-in.xml new file mode 100644 index 0000000..2b3d40b --- /dev/null +++ b/tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-in.xml @@ -0,0 +1,21 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory>219200</memory> + <currentMemory>219200</currentMemory> + <vcpu>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu</emulator> + <controller type='ide' index='0'/> + <memballoon model='virtio'/> + </devices> + <seclabel type='dynamic' model='none'/> +</domain> diff --git a/tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-out.xml b/tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-out.xml new file mode 100644 index 0000000..2b3d40b --- /dev/null +++ b/tests/qemuxml2xmldata/qemuxml2xml-seclabel-model-none-out.xml @@ -0,0 +1,21 @@ +<domain type='qemu'> + <name>QEMUGuest1</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory>219200</memory> + <currentMemory>219200</currentMemory> + <vcpu>1</vcpu> + <os> + <type arch='i686' machine='pc'>hvm</type> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <emulator>/usr/bin/qemu</emulator> + <controller type='ide' index='0'/> + <memballoon model='virtio'/> + </devices> + <seclabel type='dynamic' model='none'/> +</domain> diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c index 2af7494..8c08ee6 100644 --- a/tests/qemuxml2xmltest.c +++ b/tests/qemuxml2xmltest.c 
@@ -200,6 +200,7 @@ mymain(int argc, char **argv) input_folder_fmt = (char *) XML2XMLIN_FMT; DO_TEST_DIFFERENT("seclabel-dynamic"); DO_TEST_DIFFERENT("seclabel-static"); + DO_TEST_DIFFERENT("seclabel-model-none"); virCapabilitiesFree(driver.caps); -- 1.7.3.2 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
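Review bot: `DO_TEST_DIFFERENT("seclabel-model-none")` compares two fixtures that are byte-identical (both new XML files show blob id 2b3d40b), so it only proves that `<seclabel type='dynamic' model='none'/>` survives a parse/format round trip. None of the new dispatch in security_manager.c is exercised. A test that builds a manager around a real driver and checks that calls for such a definition reach the "none" driver would cover the behaviour the commit message describes. If the identical output is intentional, a comment above the call such as `/* in and out are identical: model='none' must round-trip unchanged */` keeps a later reader from assuming the -out file is stale. `mymain` starts and ends outside the hunk.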