On Wed, Jan 12, 2011 at 12:23:01PM -0500, Cole Robinson wrote:
> This allows us to explicitly handle the 'default' seclabel case, as
> well as provide easier model validation.
>
> Signed-off-by: Cole Robinson <crobinso@xxxxxxxxxx>
> ---
> src/conf/domain_conf.c | 38 ++++++++++++++++++++++++++++++--------
> src/conf/domain_conf.h | 14 ++++++++++++--
> src/security/security_apparmor.c | 9 +++------
> src/security/security_driver.c | 15 ++++++++++-----
> src/security/security_selinux.c | 8 ++------
> 5 files changed, 57 insertions(+), 27 deletions(-)
>
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index 8f6ef55..077a396 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -313,6 +313,12 @@ VIR_ENUM_IMPL(virDomainSeclabel, VIR_DOMAIN_SECLABEL_LAST,
> "dynamic",
> "static")
>
> +VIR_ENUM_IMPL(virDomainSeclabelModel, VIR_DOMAIN_SECLABEL_MODEL_LAST,
> + "default",
> + "selinux",
> + "apparmor",
> + "none")
If we remove 'none' from the enum, this is ok.
> +
> VIR_ENUM_IMPL(virDomainNetdevMacvtap, VIR_DOMAIN_NETDEV_MACVTAP_MODE_LAST,
> "vepa",
> "private",
> @@ -759,7 +765,7 @@ void virDomainSeclabelDefClear(virSecurityLabelDefPtr seclabel)
> if (!seclabel)
> return;
>
> - VIR_FREE(seclabel->model);
> + seclabel->model = VIR_DOMAIN_SECLABEL_MODEL_DEFAULT;
> VIR_FREE(seclabel->label);
> VIR_FREE(seclabel->imagelabel);
> }
> @@ -4244,7 +4250,15 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def,
> "%s", _("missing security model"));
> goto error;
> }
> - def->seclabel.model = p;
> +
> + def->seclabel.model = virDomainSeclabelModelTypeFromString(p);
> + if (def->seclabel.model < 0) {
> + virDomainReportError(VIR_ERR_XML_ERROR,
> + _("unknown security model '%s'"), p);
> + VIR_FREE(p);
> + goto error;
> + }
> + VIR_FREE(p);
>
> p = virXPathStringLimit("string(./seclabel/label[1])",
> VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
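Review bot: The `if (def->seclabel.model < 0)` test in virSecurityLabelDefParseXML rejects unknown models only if the `model` member is a signed `int`; the struct change is not visible in this mail, and if the field is declared as `enum virDomainSeclabelModel` the compiler may choose an unsigned type, making the test always false. An unrecognised model string from domain XML would then be stored as an out-of-range value instead of failing the parse. Parsing into a local removes the dependency on the field type: `int model = virDomainSeclabelModelTypeFromString(p);`, check `model < 0`, then `def->seclabel.model = model;`. The function body starts and ends outside the hunk.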
> @@ -7336,18 +7350,26 @@ char *virDomainDefFormat(virDomainDefPtr def,
>
> virBufferAddLit(&buf, " </devices>\n");
>
> - if (def->seclabel.model) {
> - const char *sectype = virDomainSeclabelTypeToString(def->seclabel.type);
> + if (def->seclabel.model != VIR_DOMAIN_SECLABEL_MODEL_DEFAULT) {
> + const char *sectype, *secmodel;
> +
> + sectype = virDomainSeclabelTypeToString(def->seclabel.type);
> if (!sectype)
> goto cleanup;
> +
> + secmodel = virDomainSeclabelModelTypeToString(def->seclabel.model);
> + if (!secmodel)
> + goto cleanup;
> +
> + virBufferVSprintf(&buf, " <seclabel type='%s' model='%s'",
> + sectype, secmodel);
> +
> if (!def->seclabel.label ||
> (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
> (flags & VIR_DOMAIN_XML_INACTIVE))) {
> - virBufferVSprintf(&buf, " <seclabel type='%s' model='%s'/>\n",
> - sectype, def->seclabel.model);
> + virBufferAddLit(&buf, "/>\n");
> } else {
> - virBufferVSprintf(&buf, " <seclabel type='%s' model='%s'>\n",
> - sectype, def->seclabel.model);
> + virBufferAddLit(&buf, ">\n");
> virBufferEscapeString(&buf, " <label>%s</label>\n",
> def->seclabel.label);
> if (def->seclabel.imagelabel &&
> diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
> index b5cf433..81409f8 100644
> --- a/src/conf/domain_conf.h
> +++ b/src/conf/domain_conf.h
> @@ -782,14 +782,23 @@ enum virDomainSeclabelType {
> VIR_DOMAIN_SECLABEL_LAST,
> };
>
> +enum virDomainSeclabelModel {
> + VIR_DOMAIN_SECLABEL_MODEL_DEFAULT,
> + VIR_DOMAIN_SECLABEL_MODEL_SELINUX,
> + VIR_DOMAIN_SECLABEL_MODEL_APPARMOR,
> + VIR_DOMAIN_SECLABEL_MODEL_NONE,
> +
> + VIR_DOMAIN_SECLABEL_MODEL_LAST,
> +};
Remove NONE here too. ACK, if the 'none' / NONE bits are removed. Daniel -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
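Review bot: In virDomainDefFormat the condition `if (def->seclabel.model != VIR_DOMAIN_SECLABEL_MODEL_DEFAULT)` omits the whole `<seclabel>` element, type and label included, whenever the model is DEFAULT. The parser hunk accepts the literal string "default" (the first entry of the new VIR_ENUM_IMPL), so a domain defined with `model='default'` and a static label would appear to lose its label the next time the XML is regenerated; this is worth confirming as intended. If it is not, either reject "default" in virSecurityLabelDefParseXML or widen the condition to `if (def->seclabel.model != VIR_DOMAIN_SECLABEL_MODEL_DEFAULT || def->seclabel.label)`. A one-line comment above the test saying that DEFAULT means "no seclabel configured" would make the contract explicit. The function continues outside the hunk.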