* src/security/security_selinux.c (SELinuxRestoreSecuritySmartcardCallback) (SELinuxSetSecuritySmartcardCallback): New helper functions. (SELinuxRestoreSecurityAllLabel, SELinuxSetSecurityAllLabel): Use them.
---
Notes: v3: new patch v4: match xml changes src/security/security_selinux.c | 76 +++++++++++++++++++++++++++++++++++++++ 1 files changed, 76 insertions(+), 0 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 24609bc..587b3b5 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -809,6 +809,38 @@ SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
 static int
+SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainSmartcardDefPtr dev,
+ void *opaque)
+{
+ virDomainObjPtr vm = opaque;
+ const char *database;
+
+ switch (dev->type) {
+ case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+ break;
+
+ case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+ database = dev->data.cert.database;
+ if (!database)
+ database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
+ return SELinuxRestoreSecurityFileLabel(database);
+
+ case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+ return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru);
+
+ default:
+ virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unknown smartcard type %d"),
+ dev->type);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
 SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 virDomainObjPtr vm,
 int migrated ATTRIBUTE_UNUSED)
@@ -842,6 +874,12 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 vm) < 0)
 rc = -1;
+ if (virDomainSmartcardDefForeach(vm->def,
+ false,
+ SELinuxRestoreSecuritySmartcardCallback,
+ vm) < 0)
+ rc = -1;
+
 if (vm->def->os.kernel &&
 SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
 rc = -1;
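Review bot: The HOST_CERTIFICATES branch of SELinuxRestoreSecuritySmartcardCallback restores the label on `database` every time a domain is torn down, and when `dev->data.cert.database` is unset it falls back to VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE, which, being a compile-time constant, is presumably the same host path for every domain in this mode. If another domain using that database is still running, its access is revoked the moment this one stops, the same hazard libvirt guards against for other shared resources. Either skip the restore when the path is the shared default (or is referenced by another active domain), or at least state the trade-off above the call: `/* NB: the default database is host-wide; restoring its label here affects every other running domain that uses it */`. SELinuxRestoreSecurityAllLabel, whose header is the context at the end of the hunk, continues outside the hunk.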
@@ -1074,6 +1112,38 @@ SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
 static int
+SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainSmartcardDefPtr dev,
+ void *opaque)
+{
+ virDomainObjPtr vm = opaque;
+ const char *database;
+
+ switch (dev->type) {
+ case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
+ break;
+
+ case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
+ database = dev->data.cert.database;
+ if (!database)
+ database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
+ return SELinuxSetFilecon(database, default_content_context);
+
+ case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
+ return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru);
+
+ default:
+ virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+ _("unknown smartcard type %d"),
+ dev->type);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
 SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
 virDomainObjPtr vm,
 const char *stdin_path)
@@ -1108,6 +1178,12 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
 vm) < 0)
 return -1;
+ if (virDomainSmartcardDefForeach(vm->def,
+ true,
+ SELinuxSetSecuritySmartcardCallback,
+ vm) < 0)
+ return -1;
+
 if (vm->def->os.kernel &&
 SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
 return -1;
-- 1.7.3.5
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
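Review bot: In the HOST_CERTIFICATES case of SELinuxSetSecuritySmartcardCallback the database path gets `default_content_context` through a single SELinuxSetFilecon call, and nothing in the hunk says whether `database` names one file or an NSS directory whose individual cert, key and module files must also be readable by the emulator process. If SELinuxSetFilecon labels only the named inode (its definition is outside this hunk), the files inside such a directory keep their previous labels and reads of them may still be denied by policy. Confirm against the helper and either recurse for the directory case or record the assumption next to the call: `/* assumes the policy's file_contexts already cover the db files below this path; only the top-level inode is relabelled here — TODO confirm */`. SELinuxSetSecurityAllLabel, whose header closes the hunk, continues outside it.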