[PATCH 3/7] security: Add virSecurityIsSpecifiedDriver


 



Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx>
---
 src/security/security_apparmor.c |    7 +------
 src/security/security_driver.c   |   19 +++++++++++++++++++
 src/security/security_driver.h   |    3 +++
 src/security/security_selinux.c  |   29 +++++------------------------
 4 files changed, 28 insertions(+), 30 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 42f812c..00e5a01 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -581,12 +581,7 @@ AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm)
     if ((profile_name = get_profile_name(vm)) == NULL)
         return rc;
 
-    if (STRNEQ(virSecurityManagerGetModel(mgr), secdef->model)) {
-        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
-                               _("security label driver mismatch: "
-                               "\'%s\' model configured for domain, but "
-                               "hypervisor driver is \'%s\'."),
-                               secdef->model, virSecurityManagerGetModel(mgr));
+    if (!virSecurityIsSpecifiedDriver(mgr, vm->def)) {
         if (use_apparmor() > 0)
             goto clean;
     }
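Review bot: When the models differ but `use_apparmor() > 0` is false, the helper has already raised VIR_ERR_INTERNAL_ERROR and execution continues past the `if`, so a call that may go on to succeed leaves a stale error behind. The removed code behaved the same way, but the report is now hidden inside `virSecurityIsSpecifiedDriver()` and is no longer visible at the call site. A comment such as `/* mismatch already reported; only fatal when AppArmor is active */` would help, or the tolerated path could call `virResetLastError()`. The same applies to the `security_getenforce() == 1` branches in the SELinuxSetSecurityProcessLabel and SELinuxClearSecuritySocketLabel hunks. The enclosing function continues outside the hunk, so check whether `secdef` is still used there to avoid an unused-variable warning.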
diff --git a/src/security/security_driver.c b/src/security/security_driver.c
index fd2c01a..5711aee 100644
--- a/src/security/security_driver.c
+++ b/src/security/security_driver.c
@@ -75,3 +75,22 @@ virSecurityDriverPtr virSecurityDriverLookup(const char *name)
 
     return drv;
 }
+
+bool
+virSecurityIsSpecifiedDriver(virSecurityManagerPtr mgr,
+                             virDomainDefPtr def)
+{
+    bool ret = true;
+
+    if (!STREQ(virSecurityManagerGetModel(mgr), def->seclabel.model)) {
+        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("security label driver mismatch: "
+                                 "'%s' model configured for domain, but "
+                                 "hypervisor driver is '%s'."),
+                               def->seclabel.model,
+                               virSecurityManagerGetModel(mgr));
+        ret = false;
+    }
+
+    return ret;
+}
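Review bot: `def->seclabel.model` is passed to `STREQ` and to the `%s` format without a NULL check, and the `ATTRIBUTE_NONNULL` annotations in the header cover only `mgr` and `def` themselves. Whether the model can be unset at these call sites is not visible in the patch, but SELinuxSecurityVerify calls the helper with no prior check, so a guard is cheap: `if (!def->seclabel.model || STRNEQ(virSecurityManagerGetModel(mgr), def->seclabel.model)) {`, with `NULLSTR(def->seclabel.model)` in the message arguments. The function also deserves a short comment stating that it returns false and reports VIR_ERR_INTERNAL_ERROR on mismatch, since the `Is…` name does not suggest a side effect.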
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index e5a8d41..a0b15f4 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -117,5 +117,8 @@ struct _virSecurityDriver {
 };
 
 virSecurityDriverPtr virSecurityDriverLookup(const char *name);
+bool virSecurityIsSpecifiedDriver(virSecurityManagerPtr mgr,
+                                  virDomainDefPtr def)
+    ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
 
 #endif /* __VIR_SECURITY_H__ */
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index f11e209..f3b76f9 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -866,12 +866,8 @@ SELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                       virDomainDefPtr def)
 {
     const virSecurityLabelDefPtr secdef = &def->seclabel;
-    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
-        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
-                               _("security label driver mismatch: "
-                                 "'%s' model configured for domain, but "
-                                 "hypervisor driver is '%s'."),
-                               secdef->model, virSecurityManagerGetModel(mgr));
+
+    if (!virSecurityIsSpecifiedDriver(mgr, def)) {
         return -1;
     }
 
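Review bot: `mgr` is still marked `ATTRIBUTE_UNUSED` in the SELinuxSecurityVerify signature although it is passed to `virSecurityIsSpecifiedDriver()` in the body. The annotation should be dropped so the signature reads `SELinuxSecurityVerify(virSecurityManagerPtr mgr,`. The function body continues outside the hunk, so it is also worth checking whether `secdef` is still referenced there now that the comparison no longer uses it.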
@@ -895,12 +891,7 @@ SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
     if (vm->def->seclabel.label == NULL)
         return 0;
 
-    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
-        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
-                               _("security label driver mismatch: "
-                                 "'%s' model configured for domain, but "
-                                 "hypervisor driver is '%s'."),
-                               secdef->model, virSecurityManagerGetModel(mgr));
+    if (!virSecurityIsSpecifiedDriver(mgr, vm->def)) {
         if (security_getenforce() == 1)
             return -1;
     }
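Review bot: The mismatch is fatal only when `security_getenforce() == 1`, so a failed query (libselinux returns -1 on error) is handled like permissive mode and labelling proceeds with a model that does not match the domain. Failing closed would be safer: `if (security_getenforce() != 0) return -1;`. If treating an error as permissive is intentional, a comment saying so would do. The same test appears in the SELinuxClearSecuritySocketLabel hunk, and both functions continue outside their hunks.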
@@ -930,12 +921,7 @@ SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
     if (vm->def->seclabel.label == NULL)
         return 0;
 
-    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
-        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
-                               _("security label driver mismatch: "
-                                 "'%s' model configured for domain, but "
-                                 "hypervisor driver is '%s'."),
-                               secdef->model, virSecurityManagerGetModel(mgr));
+    if (!virSecurityIsSpecifiedDriver(mgr, vm->def)) {
         goto done;
     }
 
@@ -997,12 +983,7 @@ SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
     if (vm->def->seclabel.label == NULL)
         return 0;
 
-    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
-        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
-                               _("security label driver mismatch: "
-                                 "'%s' model configured for domain, but "
-                                 "hypervisor driver is '%s'."),
-                               secdef->model, virSecurityManagerGetModel(mgr));
+    if (!virSecurityIsSpecifiedDriver(mgr, vm->def)) {
         if (security_getenforce() == 1)
             return -1;
     }
-- 
1.7.3.2
