The virSecurityManagerSetProcessFDLabel method was introduced after a mis-understanding from a conversation about SELinux socket labelling. The virSecurityManagerSetSocketLabel method should have been used for all such scenarios. * src/security/security_apparmor.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_manager.c, src/security/security_manager.h, src/security/security_selinux.c, src/security/security_stack.c: Remove SetProcessFDLabel driver --- src/security/security_apparmor.c | 29 ----------------------------- src/security/security_dac.c | 9 --------- src/security/security_driver.h | 4 ---- src/security/security_manager.c | 11 ----------- src/security/security_manager.h | 3 --- src/security/security_selinux.c | 14 -------------- src/security/security_stack.c | 18 ------------------ 7 files changed, 0 insertions(+), 88 deletions(-) diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index dbd1290..299dcc6 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -799,34 +799,6 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr, return reload_profile(mgr, vm, fd_path, true); } -static int -AppArmorSetProcessFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, - int fd) -{ - int rc = -1; - char *proc = NULL; - char *fd_path = NULL; - - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; - - if (secdef->imagelabel == NULL) - return 0; - - if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1) { - virReportOOMError(); - return rc; - } - - if (virFileResolveLink(proc, &fd_path) < 0) { - virSecurityReportError(VIR_ERR_INTERNAL_ERROR, - "%s", _("could not find path for descriptor")); - return rc; - } - - return reload_profile(mgr, vm, fd_path, true); -} - virSecurityDriver virAppArmorSecurityDriver = { 0, SECURITY_APPARMOR_NAME, @@ -863,5 +835,4 @@ virSecurityDriver virAppArmorSecurityDriver = { AppArmorRestoreSavedStateLabel, AppArmorSetImageFDLabel, - AppArmorSetProcessFDLabel, }; diff --git a/src/security/security_dac.c b/src/security/security_dac.c index e5465fc..af02236 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -697,14 +697,6 @@ virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, return 0; } -static int -virSecurityDACSetProcessFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm ATTRIBUTE_UNUSED, - int fd ATTRIBUTE_UNUSED) -{ - return 0; -} - virSecurityDriver virSecurityDriverDAC = { sizeof(virSecurityDACData), @@ -743,5 +735,4 @@ virSecurityDriver virSecurityDriverDAC = { virSecurityDACRestoreSavedStateLabel, virSecurityDACSetImageFDLabel, - virSecurityDACSetProcessFDLabel, }; diff --git a/src/security/security_driver.h b/src/security/security_driver.h index 94f27f8..aea90b0 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -84,9 +84,6 @@ typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr, virDomainObjPtr vm, int fd); -typedef int (*virSecurityDomainSetProcessFDLabel) (virSecurityManagerPtr mgr, - virDomainObjPtr vm, - int fd); struct _virSecurityDriver { size_t privateDataLen; @@ -124,7 +121,6 @@ struct _virSecurityDriver { virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel; virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel; - virSecurityDomainSetProcessFDLabel domainSetSecurityProcessFDLabel; }; virSecurityDriverPtr virSecurityDriverLookup(const char *name); diff --git a/src/security/security_manager.c b/src/security/security_manager.c index b2fd0d0..cae9b83 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -346,14 +346,3 @@ int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr, virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; } - -int virSecurityManagerSetProcessFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, - int fd) -{ - if (mgr->drv->domainSetSecurityProcessFDLabel) - return mgr->drv->domainSetSecurityProcessFDLabel(mgr, vm, fd); - - virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); - return -1; -} diff --git a/src/security/security_manager.h b/src/security/security_manager.h index 38342c2..12cd498 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -96,8 +96,5 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr, int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm, int fd); -int virSecurityManagerSetProcessFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, - int fd); #endif /* VIR_SECURITY_MANAGER_H__ */ diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index cddbed5..ca54f9b 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1321,19 +1321,6 @@ SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, return SELinuxFSetFilecon(fd, secdef->imagelabel); } -static int -SELinuxSetProcessFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, - virDomainObjPtr vm, - int fd) -{ - const virSecurityLabelDefPtr secdef = &vm->def->seclabel; - - if (secdef->label == NULL) - return 0; - - return SELinuxFSetFilecon(fd, secdef->label); -} - virSecurityDriver virSecurityDriverSELinux = { 0, SECURITY_SELINUX_NAME, @@ -1370,5 +1357,4 @@ virSecurityDriver virSecurityDriverSELinux = { SELinuxRestoreSavedStateLabel, SELinuxSetImageFDLabel, - SELinuxSetProcessFDLabel, }; diff --git a/src/security/security_stack.c b/src/security/security_stack.c index f263f5b..3f601c1 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -402,23 +402,6 @@ virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr, } -static int -virSecurityStackSetProcessFDLabel(virSecurityManagerPtr mgr, - virDomainObjPtr vm, - int fd) -{ - virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); - int rc = 0; - - if (virSecurityManagerSetProcessFDLabel(priv->secondary, vm, fd) < 0) - rc = -1; - if (virSecurityManagerSetProcessFDLabel(priv->primary, vm, fd) < 0) - rc = -1; - - return rc; -} - - virSecurityDriver virSecurityDriverStack = { sizeof(virSecurityStackData), "stack", @@ -455,5 +438,4 @@ virSecurityDriver virSecurityDriverStack = { virSecurityStackRestoreSavedStateLabel, virSecurityStackSetImageFDLabel, - virSecurityStackSetProcessFDLabel, }; -- 1.7.4.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list