On Fri, 2011-06-24 at 16:09 +0100, Daniel P. Berrange wrote:
> Add a new security driver method for labelling an FD with
> the process label, rather than the image label
>
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index 90725cd..2d3f9d8 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -852,6 +852,7 @@ virSecurityManagerSetAllLabel;
> virSecurityManagerSetImageFDLabel;
> virSecurityManagerSetImageLabel;
> virSecurityManagerSetHostdevLabel;
> +virSecurityManagerSetProcessFDLabel;
> virSecurityManagerSetProcessLabel;
> virSecurityManagerSetSavedStateLabel;
> virSecurityManagerSetSocketLabel;
> diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
> index 50a7383..df8c66c 100644
> --- a/src/security/security_apparmor.c
> +++ b/src/security/security_apparmor.c
> @@ -784,6 +784,34 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
> return reload_profile(mgr, vm, fd_path, true);
> }
>
> +static int
> +AppArmorSetProcessFDLabel(virSecurityManagerPtr mgr,
> + virDomainObjPtr vm,
> + int fd)
> +{
> + int rc = -1;
> + char *proc = NULL;
> + char *fd_path = NULL;
> +
> + const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
> +
> + if (secdef->imagelabel == NULL)
> + return 0;
> +
> + if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1) {
> + virReportOOMError();
> + return rc;
> + }
> +
> + if (virFileResolveLink(proc, &fd_path) < 0) {
> + virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
> + "%s", _("could not find path for descriptor"));
> + return rc;
> + }
> +
> + return reload_profile(mgr, vm, fd_path, true);
> +}
> +
> virSecurityDriver virAppArmorSecurityDriver = {
> 0,
> SECURITY_APPARMOR_NAME,
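Review bot: The new AppArmorSetProcessFDLabel() leaks both of its heap strings: `proc` is allocated by virAsprintf() and never freed on the virFileResolveLink() failure path or on the success path, and `fd_path` is passed to reload_profile() and then dropped by the final `return`, so every call leaks two buffers unless reload_profile() takes ownership of `fd_path`, which nothing in the hunk shows. The `rc = -1` local is only ever returned as a constant, which suggests a cleanup label was intended but not written. Rewriting the tail of the function around a single `cleanup:` label, as below, frees both buffers on every path (VIR_FREE on a NULL pointer is harmless) and gives `rc` its purpose. The context lines at the top of the hunk suggest the existing AppArmorSetImageFDLabel() has the same shape and would benefit from the same change, though its body is outside the hunk.
```c
    /* … unchanged: locals, secdef lookup and the imagelabel == NULL early return … */

    if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1) {
        virReportOOMError();
        goto cleanup;
    }

    if (virFileResolveLink(proc, &fd_path) < 0) {
        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                               "%s", _("could not find path for descriptor"));
        goto cleanup;
    }

    rc = reload_profile(mgr, vm, fd_path, true);

cleanup:
    VIR_FREE(proc);
    VIR_FREE(fd_path);
    return rc;
}
```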
> @@ -819,4 +847,5 @@ virSecurityDriver virAppArmorSecurityDriver = {
> AppArmorRestoreSavedStateLabel,
>
> AppArmorSetImageFDLabel,
> + AppArmorSetProcessFDLabel,
> };
ACK, though this and AppArmorSetImageFDLabel() are now identical and could therefore be refactored. I've made a note to check on this after the SetProcessFDLabel() changes are in place.
--
Jamie Strandboge | http://www.canonical.com