From: Daniel Walsh <dwalsh@xxxxxxxxxx> To allow the security drivers to apply different configuration information per hypervisor, pass the virtualization driver name into the security manager constructor. Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx> --- src/lxc/lxc_conf.h | 2 ++ src/lxc/lxc_controller.c | 8 ++++++-- src/lxc/lxc_driver.c | 7 ++++--- src/qemu/qemu_driver.c | 10 +++++++--- src/security/security_apparmor.c | 2 +- src/security/security_dac.c | 2 +- src/security/security_driver.c | 5 +++-- src/security/security_driver.h | 5 +++-- src/security/security_manager.c | 18 ++++++++++++++++-- src/security/security_manager.h | 5 ++++- src/security/security_nop.c | 2 +- src/security/security_selinux.c | 2 +- src/security/security_stack.c | 2 +- tests/seclabeltest.c | 2 +- 14 files changed, 51 insertions(+), 21 deletions(-) diff --git a/src/lxc/lxc_conf.h b/src/lxc/lxc_conf.h index ebdc173..cc279b2 100644 --- a/src/lxc/lxc_conf.h +++ b/src/lxc/lxc_conf.h @@ -36,6 +36,8 @@ # include "security/security_manager.h" # include "configmake.h" +# define LXC_DRIVER_NAME "LXC" + # define LXC_CONFIG_DIR SYSCONFDIR "/libvirt/lxc" # define LXC_STATE_DIR LOCALSTATEDIR "/run/libvirt/lxc" # define LXC_LOG_DIR LOCALSTATEDIR "/log/libvirt/lxc" diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index 26b3115..1292751 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -1723,7 +1723,9 @@ int main(int argc, char *argv[]) break; case 'S': - if (!(securityDriver = virSecurityManagerNew(optarg, false, false, false))) { + if (!(securityDriver = virSecurityManagerNew(optarg, + LXC_DRIVER_NAME, + false, false, false))) { fprintf(stderr, "Cannot create security manager '%s'", optarg); goto cleanup; @@ -1750,7 +1752,9 @@ int main(int argc, char *argv[]) } if (securityDriver == NULL) { - if (!(securityDriver = virSecurityManagerNew("none", false, false, false))) { + if (!(securityDriver = virSecurityManagerNew("none", + LXC_DRIVER_NAME, + false, false, false))) { fprintf(stderr, "%s: cannot initialize nop security manager", argv[0]); goto cleanup; } diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c index 03783ff..42d1d94 100644 --- a/src/lxc/lxc_driver.c +++ b/src/lxc/lxc_driver.c @@ -2533,7 +2533,8 @@ error: static int lxcSecurityInit(lxc_driver_t *driver) { - virSecurityManagerPtr mgr = virSecurityManagerNew(driver->securityDriverName, + virSecurityManagerPtr mgr = virSecurityManagerNew(LXC_DRIVER_NAME, + driver->securityDriverName, false, driver->securityDefaultConfined, driver->securityRequireConfined); @@ -3851,7 +3852,7 @@ static virNWFilterCallbackDriver lxcCallbackDriver = { /* Function Tables */ static virDriver lxcDriver = { .no = VIR_DRV_LXC, - .name = "LXC", + .name = LXC_DRIVER_NAME, .open = lxcOpen, /* 0.4.2 */ .close = lxcClose, /* 0.4.2 */ .version = lxcVersion, /* 0.4.6 */ @@ -3915,7 +3916,7 @@ static virDriver lxcDriver = { }; static virStateDriver lxcStateDriver = { - .name = "LXC", + .name = LXC_DRIVER_NAME, .initialize = lxcStartup, .cleanup = lxcShutdown, .active = lxcActive, diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 2bec617..aed1daa 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -95,6 +95,8 @@ #define VIR_FROM_THIS VIR_FROM_QEMU +#define QEMU_DRIVER_NAME "QEMU" + #define QEMU_NB_MEM_PARAM 3 #define QEMU_NB_BLOCK_IO_TUNE_PARAM 6 @@ -213,6 +215,7 @@ static int qemuSecurityInit(struct qemud_driver *driver) { virSecurityManagerPtr mgr = virSecurityManagerNew(driver->securityDriverName, + QEMU_DRIVER_NAME, driver->allowDiskFormatProbing, driver->securityDefaultConfined, driver->securityRequireConfined); @@ -221,7 +224,8 @@ qemuSecurityInit(struct qemud_driver *driver) goto error; if (driver->privileged) { - virSecurityManagerPtr dac = virSecurityManagerNewDAC(driver->user, + virSecurityManagerPtr dac = virSecurityManagerNewDAC(QEMU_DRIVER_NAME, + driver->user, driver->group, driver->allowDiskFormatProbing, driver->securityDefaultConfined, @@ -12784,7 +12788,7 @@ cleanup: static virDriver qemuDriver = { .no = VIR_DRV_QEMU, - .name = "QEMU", + .name = QEMU_DRIVER_NAME, .open = qemudOpen, /* 0.2.0 */ .close = qemudClose, /* 0.2.0 */ .supports_feature = qemudSupportsFeature, /* 0.5.0 */ @@ -12975,7 +12979,7 @@ qemuVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED, } static virNWFilterCallbackDriver qemuCallbackDriver = { - .name = "QEMU", + .name = QEMU_DRIVER_NAME, .vmFilterRebuild = qemuVMFilterRebuild, .vmDriverLock = qemuVMDriverLock, .vmDriverUnlock = qemuVMDriverUnlock, diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 8f8b200..d638d1f 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -328,7 +328,7 @@ AppArmorSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED, /* Called on libvirtd startup to see if AppArmor is available */ static int -AppArmorSecurityManagerProbe(void) +AppArmorSecurityManagerProbe(const char *virtDriver ATTRIBUTE_UNUSED) { char *template = NULL; int rc = SECURITY_DRIVER_DISABLE; diff --git a/src/security/security_dac.c b/src/security/security_dac.c index e71dc20..8201022 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -65,7 +65,7 @@ void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr, } static virSecurityDriverStatus -virSecurityDACProbe(void) +virSecurityDACProbe(const char *virtDriver ATTRIBUTE_UNUSED) { return SECURITY_DRIVER_ENABLE; } diff --git a/src/security/security_driver.c b/src/security/security_driver.c index fd2c01a..39736cf 100644 --- a/src/security/security_driver.c +++ b/src/security/security_driver.c @@ -37,7 +37,8 @@ static virSecurityDriverPtr security_drivers[] = { &virSecurityDriverNop, /* Must always be last, since it will always probe */ }; -virSecurityDriverPtr virSecurityDriverLookup(const char *name) +virSecurityDriverPtr virSecurityDriverLookup(const char *name, + const char *virtDriver) { virSecurityDriverPtr drv = NULL; int i; @@ -51,7 +52,7 @@ virSecurityDriverPtr virSecurityDriverLookup(const char *name) STRNEQ(tmp->name, name)) continue; - switch (tmp->probe()) { + switch (tmp->probe(virtDriver)) { case SECURITY_DRIVER_ENABLE: VIR_DEBUG("Probed name=%s", tmp->name); drv = tmp; diff --git a/src/security/security_driver.h b/src/security/security_driver.h index f0ace1c..d24304c 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -31,7 +31,7 @@ typedef enum { typedef struct _virSecurityDriver virSecurityDriver; typedef virSecurityDriver *virSecurityDriverPtr; -typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void); +typedef virSecurityDriverStatus (*virSecurityDriverProbe) (const char *virtDriver); typedef int (*virSecurityDriverOpen) (virSecurityManagerPtr mgr); typedef int (*virSecurityDriverClose) (virSecurityManagerPtr mgr); @@ -125,6 +125,7 @@ struct _virSecurityDriver { virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel; }; -virSecurityDriverPtr virSecurityDriverLookup(const char *name); +virSecurityDriverPtr virSecurityDriverLookup(const char *name, + const char *virtDriver); #endif /* __VIR_SECURITY_H__ */ diff --git a/src/security/security_manager.c b/src/security/security_manager.c index 0a43458..e0dd165 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -38,9 +38,11 @@ struct _virSecurityManager { bool allowDiskFormatProbing; bool defaultConfined; bool requireConfined; + const char *virtDriver; }; static virSecurityManagerPtr virSecurityManagerNewDriver(virSecurityDriverPtr drv, + const char *virtDriver, bool allowDiskFormatProbing, bool defaultConfined, bool requireConfined) @@ -56,6 +58,7 @@ static virSecurityManagerPtr virSecurityManagerNewDriver(virSecurityDriverPtr dr mgr->allowDiskFormatProbing = allowDiskFormatProbing; mgr->defaultConfined = defaultConfined; mgr->requireConfined = requireConfined; + mgr->virtDriver = virtDriver; if (drv->open(mgr) < 0) { virSecurityManagerFree(mgr); @@ -70,6 +73,7 @@ virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary, { virSecurityManagerPtr mgr = virSecurityManagerNewDriver(&virSecurityDriverStack, + virSecurityManagerGetDriver(primary), virSecurityManagerGetAllowDiskFormatProbing(primary), virSecurityManagerGetDefaultConfined(primary), virSecurityManagerGetRequireConfined(primary)); @@ -83,7 +87,8 @@ virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary, return mgr; } -virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user, +virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver, + uid_t user, gid_t group, bool allowDiskFormatProbing, bool defaultConfined, @@ -92,6 +97,7 @@ virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user, { virSecurityManagerPtr mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC, + virtDriver, allowDiskFormatProbing, defaultConfined, requireConfined); @@ -107,11 +113,12 @@ virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user, } virSecurityManagerPtr virSecurityManagerNew(const char *name, + const char *virtDriver, bool allowDiskFormatProbing, bool defaultConfined, bool requireConfined) { - virSecurityDriverPtr drv = virSecurityDriverLookup(name); + virSecurityDriverPtr drv = virSecurityDriverLookup(name, virtDriver); if (!drv) return NULL; @@ -136,6 +143,7 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name, } return virSecurityManagerNewDriver(drv, + virtDriver, allowDiskFormatProbing, defaultConfined, requireConfined); @@ -162,6 +170,12 @@ void virSecurityManagerFree(virSecurityManagerPtr mgr) } const char * +virSecurityManagerGetDriver(virSecurityManagerPtr mgr) +{ + return mgr->virtDriver; +} + +const char * virSecurityManagerGetDOI(virSecurityManagerPtr mgr) { if (mgr->drv->getDOI) diff --git a/src/security/security_manager.h b/src/security/security_manager.h index 32c8c3b..ca27bc6 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -32,6 +32,7 @@ typedef struct _virSecurityManager virSecurityManager; typedef virSecurityManager *virSecurityManagerPtr; virSecurityManagerPtr virSecurityManagerNew(const char *name, + const char *virtDriver, bool allowDiskFormatProbing, bool defaultConfined, bool requireConfined); @@ -39,7 +40,8 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name, virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary, virSecurityManagerPtr secondary); -virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user, +virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver, + uid_t user, gid_t group, bool allowDiskFormatProbing, bool defaultConfined, @@ -50,6 +52,7 @@ void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr); void virSecurityManagerFree(virSecurityManagerPtr mgr); +const char *virSecurityManagerGetDriver(virSecurityManagerPtr mgr); const char *virSecurityManagerGetDOI(virSecurityManagerPtr mgr); const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr); bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr); diff --git a/src/security/security_nop.c b/src/security/security_nop.c index c3bd426..e979b54 100644 --- a/src/security/security_nop.c +++ b/src/security/security_nop.c @@ -21,7 +21,7 @@ #include "security_nop.h" -static virSecurityDriverStatus virSecurityDriverProbeNop(void) +static virSecurityDriverStatus virSecurityDriverProbeNop(const char *virtDriver ATTRIBUTE_UNUSED) { return SECURITY_DRIVER_ENABLE; } diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 1e27e10..4bd33a5 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -346,7 +346,7 @@ err: static int -SELinuxSecurityDriverProbe(void) +SELinuxSecurityDriverProbe(const char *virtDriver ATTRIBUTE_UNUSED) { return is_selinux_enabled() ? SECURITY_DRIVER_ENABLE : SECURITY_DRIVER_DISABLE; } diff --git a/src/security/security_stack.c b/src/security/security_stack.c index c82865f..2eab38c 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -49,7 +49,7 @@ void virSecurityStackSetSecondary(virSecurityManagerPtr mgr, } static virSecurityDriverStatus -virSecurityStackProbe(void) +virSecurityStackProbe(const char *virtDriver ATTRIBUTE_UNUSED) { return SECURITY_DRIVER_ENABLE; } diff --git a/tests/seclabeltest.c b/tests/seclabeltest.c index fca76b9..2f65ec1 100644 --- a/tests/seclabeltest.c +++ b/tests/seclabeltest.c @@ -13,7 +13,7 @@ main (int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED) virSecurityManagerPtr mgr; const char *doi, *model; - mgr = virSecurityManagerNew(NULL, false, true, false); + mgr = virSecurityManagerNew(NULL, "QEMU", false, true, false); if (mgr == NULL) { fprintf (stderr, "Failed to start security driver"); exit (-1); -- 1.7.10.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list