Re: [PATCH v2 1/5] conf: add XML schema for capability XML


 



On 2011年12月22日 15:02, Taku Izumi wrote:

This patch introduces XML schema for capability XML.
"process" and "cap" element are added.
The list of "cap" elements represents the process capabilities the host supports.


<capabilities>
   <host>
     ...
     <process>
       <cap name='chown'/>
       <cap name='dac_override'/>
       ...
     </process>
   </host>
   ...
</capabilities>


Signed-off-by: Taku Izumi<izumi.taku@xxxxxxxxxxxxxx>
---
  docs/schemas/capability.rng  |   50 +++++++++++++++++++++++++++++++
  include/libvirt/libvirt.h.in |   45 ++++++++++++++++++++++++++++
  src/conf/capabilities.c      |   69 +++++++++++++++++++++++++++++++++++++++++++
  src/conf/capabilities.h      |    5 +++
  4 files changed, 169 insertions(+)

Index: libvirt/src/conf/capabilities.h
===================================================================
--- libvirt.orig/src/conf/capabilities.h
+++ libvirt/src/conf/capabilities.h
@@ -119,6 +119,10 @@ struct _virCapsHost {
      virCapsHostSecModel secModel;
      virCPUDefPtr cpu;
      unsigned char host_uuid[VIR_UUID_BUFLEN];
+
+    unsigned long long processCaps; /* Bitmask of the Process capabilities
+                                     * see enum vir

s/vir/virCapsProcessCaps/

+                                     */
  };
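Review bot: The comment on the new `processCaps` field does not say what a bit position means, and that is the invariant the rest of the series leans on: `virCapabilitiesFormatXML` names bit i via `virCapsProcessCapsTypeToString(i)`, so bit i has to be the capability whose kernel CAP_* number is i, and an `unsigned long long` caps that at 64 capabilities. I would replace the comment with `/* Bitmask of host process capabilities: bit i is set when the capability with kernel number i (== virProcessCapabilityType value i) is available; the width limits this to 64 capabilities */`. The `_virCapsHost` struct definition starts before this hunk.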

  typedef int (*virDomainDefNamespaceParse)(xmlDocPtr, xmlNodePtr,
@@ -263,5 +267,6 @@ virCapabilitiesDefaultGuestEmulator(virC
  extern char *
  virCapabilitiesFormatXML(virCapsPtr caps);

+VIR_ENUM_DECL(virCapsProcessCaps)


  #endif /* __VIR_CAPABILITIES_H */
Index: libvirt/src/conf/capabilities.c
===================================================================
--- libvirt.orig/src/conf/capabilities.c
+++ libvirt/src/conf/capabilities.c
@@ -33,6 +33,9 @@
  #include "cpu_conf.h"
  #include "virterror_internal.h"

+#if HAVE_CAPNG
+# include<cap-ng.h>
+#endif

  #define VIR_FROM_THIS VIR_FROM_CAPABILITIES
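Review bot: This include is guarded with `#if HAVE_CAPNG` while the definition of `virCapabilitiesInitProcessCaps` further down uses `#ifdef HAVE_CAPNG`; should configure ever define the macro to 0, the header would be skipped but the branch that references `CAP_LAST_CAP` would still be compiled. Use one form in both places, e.g. `#ifdef HAVE_CAPNG` here. If `cap-ng.h` does not itself pull in `<linux/capability.h>`, the header that defines `CAP_LAST_CAP` should also be included explicitly rather than relied on transitively.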

@@ -40,6 +43,42 @@ VIR_ENUM_DECL(virCapsHostPMTarget)
  VIR_ENUM_IMPL(virCapsHostPMTarget, VIR_NODE_SUSPEND_TARGET_LAST,
                "suspend_mem", "suspend_disk", "suspend_hybrid");

+VIR_ENUM_IMPL(virCapsProcessCaps, VIR_PROCESS_CAPABILITY_LAST,
+              "chown",
+              "dac_override",
+              "dac_read_search",
+              "fowner",
+              "fsetid",
+              "kill",
+              "setgid",
+              "setuid",
+              "setpcap",
+              "linux_immutable",
+              "net_bind_service",
+              "net_broadcast",
+              "net_admin",
+              "net_raw",
+              "ipc_lock",
+              "ipc_owner",
+              "sys_module",
+              "sys_rawio",
+              "sys_chroot",
+              "sys_ptrace",
+              "sys_pacct",
+              "sys_admin",
+              "sys_boot",
+              "sys_nice",
+              "sys_resource",
+              "sys_time",
+              "sys_tty_config",
+              "mknod",
+              "lease",
+              "audit_write",
+              "audit_control",
+              "setfcap",
+              "mac_override",
+              "mac_admin")
+
  /**
   * virCapabilitiesNew:
   * @arch: host machine architecture
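Review bot: Nothing in this table records that its order is load-bearing: the formatter turns bit i of `processCaps` into entry i of this list, so the entries must follow the CAP_* numbering of `<linux/capability.h>` exactly (they appear to today, chown = 0 through mac_admin = 33), and a reordering or an insertion in the middle would silently misreport capabilities in the XML. Add `/* Order must match the CAP_* numbering in <linux/capability.h>: entry i names capability number i */` above the `VIR_ENUM_IMPL`, and, if the gnulib `verify()` macro is available in this file, pin the tail under `HAVE_CAPNG` with `verify(VIR_PROCESS_CAPABILITY_MAC_ADMIN == CAP_MAC_ADMIN);`.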
@@ -63,6 +102,8 @@ virCapabilitiesNew(const char *arch,
      caps->host.offlineMigrate = offlineMigrate;
      caps->host.liveMigrate = liveMigrate;

+    virCapabilitiesInitProcessCaps(caps);

Mark [1]

+
      return caps;

   no_memory:
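Review bot: `virCapabilitiesInitProcessCaps` is called here but defined some 800 lines later in this file, and neither capabilities.h hunk adds a prototype (the diffstat's five lines for that header are the field, its comment and the `VIR_ENUM_DECL`), so this is an implicit function declaration that libvirt's warnings-as-errors build is likely to reject. Add a declaration before `virCapabilitiesNew`, e.g. `void virCapabilitiesInitProcessCaps(virCapsPtr caps);` with whatever linkage the definition ends up having, or move the definition above its first use. `virCapabilitiesNew` starts before this hunk.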
@@ -754,6 +795,18 @@ virCapabilitiesFormatXML(virCapsPtr caps
          virBufferAddLit(&xml, "</secmodel>\n");
      }

+    if (caps->host.processCaps) {
+        virBufferAddLit(&xml, "<process>\n");
+        for (i = 0; i<  VIR_PROCESS_CAPABILITY_LAST; i++) {
+            if (caps->host.processCaps&  (1ULL<<  i)) {
+                const char *name = virCapsProcessCapsTypeToString(i);
+                if (name)
+                    virBufferAsprintf(&xml, "<cap name='%s'/>\n", name);
+            }
+        }
+        virBufferAddLit(&xml, "</process>\n");
+    }
+
      virBufferAddLit(&xml, "</host>\n\n");
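Review bot: The loop stops at `VIR_PROCESS_CAPABILITY_LAST`, so any bit of `processCaps` at or above it is dropped without trace, and the same happens when `virCapsProcessCapsTypeToString` returns NULL. With `virCapabilitiesInitProcessCaps` setting every bit up to the build-time `CAP_LAST_CAP`, a kernel header newer than this 34-entry table (which ends at `mac_admin`) produces exactly such bits, so the XML would understate what the host supports with no diagnostic. I would at least record it before the loop, e.g. `if (caps->host.processCaps >> VIR_PROCESS_CAPABILITY_LAST) VIR_DEBUG("host has process capabilities unknown to this libvirt");` if the file's logging header is included, or otherwise state the truncation in a comment. `virCapabilitiesFormatXML` begins and ends outside this hunk.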


@@ -837,6 +890,22 @@ virCapabilitiesFormatXML(virCapsPtr caps
      return virBufferContentAndReset(&xml);
  }

+#ifdef HAVE_CAPNG
+void

s/void/static void/

+virCapabilitiesInitProcessCaps(virCapsPtr caps)
+{
+    caps->host.processCaps |= (1ULL<<  (CAP_LAST_CAP + 1)) - 1;
+}
+
+#else
+void
+virCapabilitiesInitProcessCaps(virCapsPtr caps)
+{
+    caps->host.processCaps = 0;
+}

This is not needed IMHO: host.processCaps is already initialized
to 0 by the VIR_ALLOC on caps. What we need instead might be
an "ifdef HAVE_CAPNG" around the call at [1] (see above).

+
+#endif
+
  extern void
  virCapabilitiesSetMacPrefix(virCapsPtr caps,
                              unsigned char *prefix)
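Review bot: `virCapabilitiesInitProcessCaps` sets every bit up to `CAP_LAST_CAP`, a compile-time constant from the header libvirt was built against, so the `<process>` element advertises what the build machine's headers knew, not what the running kernel supports nor what this libvirtd process can actually confer; a consumer that relies on it for policy decisions gets stale or optimistic data on a mismatched host. cap-ng already holds the answer at runtime: after `capng_get_caps_process()`, `capng_have_capability(CAPNG_BOUNDING_SET, i)` tells whether capability i can be handed on, and probing only the indexes the table knows keeps the mask and the XML in step. The open-coded `1ULL << (CAP_LAST_CAP + 1)` would also become undefined once `CAP_LAST_CAP` reaches 63, whereas the loop below bounds the shift by `VIR_PROCESS_CAPABILITY_LAST`. Whichever meaning of "supports" is intended, bounding set or the kernel's full set, the function's comment should say so.
```c
#ifdef HAVE_CAPNG
void
virCapabilitiesInitProcessCaps(virCapsPtr caps)
{
    unsigned int i;

    /* Probe at runtime instead of trusting the build-time CAP_LAST_CAP:
     * report a capability only if this process's bounding set holds it,
     * i.e. only if it could actually be passed on. On failure the mask
     * stays as it was (zero from VIR_ALLOC). */
    if (capng_get_caps_process() != 0)
        return;
    for (i = 0; i < VIR_PROCESS_CAPABILITY_LAST; i++) {
        if (capng_have_capability(CAPNG_BOUNDING_SET, i))
            caps->host.processCaps |= 1ULL << i;
    }
}
/* … unchanged: #else branch and #endif … */
```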
Index: libvirt/docs/schemas/capability.rng
===================================================================
--- libvirt.orig/docs/schemas/capability.rng
+++ libvirt/docs/schemas/capability.rng
@@ -46,6 +46,56 @@
        <optional>
          <ref name='secmodel'/>
        </optional>
+<optional>
+<ref name='process'/>
+</optional>
+</element>
+</define>
+
+<define name='process'>
+<element name='process'>
+<zeroOrMore>
+<element name='cap'>
+<attribute name='name'>
+<choice>
+<value>chown</value>
+<value>dac_override</value>
+<value>dac_read_search</value>
+<value>fowner</value>
+<value>fsetid</value>
+<value>kill</value>
+<value>setgid</value>
+<value>setuid</value>
+<value>setpcap</value>
+<value>linux_immutable</value>
+<value>net_bind_service</value>
+<value>net_broadcast</value>
+<value>net_admin</value>
+<value>net_raw</value>
+<value>ipc_lock</value>
+<value>ipc_owner</value>
+<value>sys_module</value>
+<value>sys_rawio</value>
+<value>sys_chroot</value>
+<value>sys_ptrace</value>
+<value>sys_pacct</value>
+<value>sys_admin</value>
+<value>sys_boot</value>
+<value>sys_nice</value>
+<value>sys_resource</value>
+<value>sys_time</value>
+<value>sys_tty_config</value>
+<value>mknod</value>
+<value>lease</value>
+<value>audit_write</value>
+<value>audit_control</value>
+<value>setfcap</value>
+<value>mac_override</value>
+<value>mac_admin</value>
+</choice>
+</attribute>
+</element>
+</zeroOrMore>
      </element>
    </define>
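Review bot: The `name` attribute is a closed `<choice>` of 34 values, so the schema can only validate capabilities XML whose `<cap>` names stay within this list; when the C-side table in capabilities.c grows with new kernel capabilities, or if the emitter ever prints a name outside it, validation of the host's own capabilities output fails. Add `<!-- keep in sync with virCapsProcessCaps in src/conf/capabilities.c -->` above the `<choice>` so the two lists are maintained together. The added lines also sit at column 0 while the surrounding schema is indented; matching the file's indentation would make the new `process` define readable in place.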

Index: libvirt/include/libvirt/libvirt.h.in
===================================================================
--- libvirt.orig/include/libvirt/libvirt.h.in
+++ libvirt/include/libvirt/libvirt.h.in
@@ -3540,6 +3540,51 @@ int virConnectSetKeepAlive(virConnectPtr
                             int interval,
                             unsigned int count);

+
+/*
+ * virProcessCapabilityType
+ *
+ * A process capability Type
+ */
+typedef enum {
+    VIR_PROCESS_CAPABILITY_CHOWN,
+    VIR_PROCESS_CAPABILITY_DAC_OVERRIDE,
+    VIR_PROCESS_CAPABILITY_DAC_READ_SEARCH,
+    VIR_PROCESS_CAPABILITY_FOWNER,
+    VIR_PROCESS_CAPABILITY_FSETID,
+    VIR_PROCESS_CAPABILITY_KILL,
+    VIR_PROCESS_CAPABILITY_SETGID,
+    VIR_PROCESS_CAPABILITY_SETUID,
+    VIR_PROCESS_CAPABILITY_SETPCAP,
+    VIR_PROCESS_CAPABILITY_LINUX_IMMUTABLE,
+    VIR_PROCESS_CAPABILITY_NET_BIND_SERVICE,
+    VIR_PROCESS_CAPABILITY_NET_BROADCAST,
+    VIR_PROCESS_CAPABILITY_NET_ADMIN,
+    VIR_PROCESS_CAPABILITY_NET_RAW,
+    VIR_PROCESS_CAPABILITY_IPC_LOCK,
+    VIR_PROCESS_CAPABILITY_IPC_OWNER,
+    VIR_PROCESS_CAPABILITY_SYS_MODULE,
+    VIR_PROCESS_CAPABILITY_SYS_RAWIO,
+    VIR_PROCESS_CAPABILITY_SYS_CHROOT,
+    VIR_PROCESS_CAPABILITY_SYS_PTRACE,
+    VIR_PROCESS_CAPABILITY_SYS_PACCT,
+    VIR_PROCESS_CAPABILITY_SYS_ADMIN,
+    VIR_PROCESS_CAPABILITY_SYS_BOOT,
+    VIR_PROCESS_CAPABILITY_SYS_NICE,
+    VIR_PROCESS_CAPABILITY_SYS_RESOURCE,
+    VIR_PROCESS_CAPABILITY_SYS_TIME,
+    VIR_PROCESS_CAPABILITY_SYS_TTY_CONFIG,
+    VIR_PROCESS_CAPABILITY_MKNOD,
+    VIR_PROCESS_CAPABILITY_LEASE,
+    VIR_PROCESS_CAPABILITY_AUDIT_WRITE,
+    VIR_PROCESS_CAPABILITY_AUDIT_CONTROL,
+    VIR_PROCESS_CAPABILITY_SETFCAP,
+    VIR_PROCESS_CAPABILITY_MAC_OVERRIDE,
+    VIR_PROCESS_CAPABILITY_MAC_ADMIN,
+
+    VIR_PROCESS_CAPABILITY_LAST
+} virProcessCapabilityType;
+

Perhaps I could get the answer in following patches, but now I'm
wondering why it's a public ENUM.

  #ifdef __cplusplus
  }
  #endif
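Review bot: The new enum carries only the line "A process capability Type", leaving unsaid the two facts a header user needs: its values mirror the kernel's CAP_* numbers (chown = 0 through mac_admin = 33, matching <linux/capability.h> as far as I can tell) and `VIR_PROCESS_CAPABILITY_LAST` will move as capabilities are added. libvirt's other public enums spell this out; I would extend the comment with `Values match the Linux CAP_* numbering. VIR_PROCESS_CAPABILITY_LAST increases over time as new capabilities are added and only marks the end of the list known to this version of libvirt`.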




