Re: [PATCH 2/2] security: Driver 'none' cannot create confined guests

On 02/07/2012 01:10 PM, Jiri Denemark wrote:
> In case the caller specifies that confined guests are required but the
> security driver turns out to be 'none', we should return an error since
> this driver clearly cannot meet that requirement.  As a result of this
> error, libvirtd fails to start when the host admin explicitly sets that
> confined guests are required but there is no security driver available.
> 
> Since security driver 'none' cannot create confined guests, we override
> default confined setting so that hypervisor drivers do not thing they

s/thing/think/

> should create confined guests.
> ---
>  src/security/security_manager.c |   20 ++++++++++++++++++++
>  tests/seclabeltest.c            |    2 +-
>  2 files changed, 21 insertions(+), 1 deletions(-)

ACK that this fixes the issue, but I'm wondering whether we should move
the logic that rejects requireConfig out of security_manager.c and into
security_nop.c:virSecurityDriverOpenNop().  That is, the special casing
is a property of the 'none' security manager.  Is it worth a v2 patch
that moves the error messages in that manner?

> +++ b/tests/seclabeltest.c
> @@ -13,7 +13,7 @@ main (int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED)
>      virSecurityManagerPtr mgr;
>      const char *doi, *model;
>  
> -    mgr = virSecurityManagerNew(NULL, false, true, true);
> +    mgr = virSecurityManagerNew(NULL, false, true, false);
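
Review bot: no test covers the new failure path. Per the diffstat, the only change in tests/seclabeltest.c is this one line, which flips the last argument of virSecurityManagerNew() from true to false so the existing call keeps succeeding. Consider adding a second call that keeps the last argument true and expects NULL when the driver ends up being 'none', which is the case the commit message says must now be an error. A short comment naming the three bool arguments at the call site would also make the intent of the flip visible without opening the implementation.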

And here's a classic example that proves Laine's point that any
interface with more than one bool parameter is hard to read (you have to
check the implementation), compared to consolidating those into a flags
argument.  But no need to change the signature for this particular patch.

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
