Re: [PATCH 3/7] Update remote API to support multiples security labels

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 21.05.2012 15:39, Marcelo Cerri wrote:
> ---
>  daemon/remote.c              |   49 ++++++++++++++++++++++++++++++++++++++++++
>  include/libvirt/libvirt.h.in |    3 ++
>  python/generator.py          |    1 +
>  src/libvirt.c                |   49 ++++++++++++++++++++++++++++++++++++++++++
>  src/libvirt_private.syms     |    3 ++
>  src/libvirt_public.syms      |    1 +
>  src/remote/remote_driver.c   |   42 ++++++++++++++++++++++++++++++++++++
>  src/remote/remote_protocol.x |   14 ++++++++++-
>  src/remote_protocol-structs  |    1 +
>  9 files changed, 161 insertions(+), 2 deletions(-)
> 
> diff --git a/daemon/remote.c b/daemon/remote.c
> index 16a8a05..03799bf 100644
> --- a/daemon/remote.c
> +++ b/daemon/remote.c
> @@ -1341,6 +1341,55 @@ cleanup:
>  }
>  
>  static int
> +remoteDispatchDomainGetSecurityLabelList(virNetServerPtr server ATTRIBUTE_UNUSED,
> +                                         virNetServerClientPtr client ATTRIBUTE_UNUSED,
> +                                         virNetMessagePtr msg ATTRIBUTE_UNUSED,
> +                                         virNetMessageErrorPtr rerr,
> +                                         remote_domain_get_security_label_list_args *args,
> +                                         remote_domain_get_security_label_list_ret *ret)
> +{
> +    virDomainPtr dom = NULL;
> +    virSecurityLabelPtr seclabel = NULL;
> +    int rv = -1;
> +    struct daemonClientPrivate *priv =
> +        virNetServerClientGetPrivateData(client);
> +
> +    if (!priv->conn) {
> +        virNetError(VIR_ERR_INTERNAL_ERROR, "%s", _("connection not open"));
> +        goto cleanup;
> +    }
> +
> +    if (!(dom = get_nonnull_domain(priv->conn, args->dom)))
> +        goto cleanup;
> +
> +    if (VIR_ALLOC(seclabel) < 0) {
> +        virReportOOMError();
> +        goto cleanup;
> +    }
> +
> +    if (virDomainGetSecurityLabelList(dom, seclabel, args->nlabels) < 0)
> +        goto cleanup;

Are you really allocating only one seclabel but telling
virDomainGetSecurityLabelList() it has nlabels (possibly more than one)?
Or am I missing something?

> +
> +    ret->label.label_len = strlen(seclabel->label) + 1;
> +    if (VIR_ALLOC_N(ret->label.label_val, ret->label.label_len) < 0) {
> +        virReportOOMError();
> +        goto cleanup;
> +    }
> +    strcpy(ret->label.label_val, seclabel->label);

I would rather use virStrcpyStatic instead of strcpy().

> +    ret->enforcing = seclabel->enforcing;
> +
> +    rv = 0;
> +
> +cleanup:
> +    if (rv < 0)
> +        virNetMessageSaveError(rerr);
> +    if (dom)
> +        virDomainFree(dom);
> +    VIR_FREE(seclabel);
> +    return rv;
> +}
> +
> +static int
>  remoteDispatchNodeGetSecurityModel(virNetServerPtr server ATTRIBUTE_UNUSED,
>                                     virNetServerClientPtr client ATTRIBUTE_UNUSED,
>                                     virNetMessagePtr msg ATTRIBUTE_UNUSED,
> diff --git a/include/libvirt/libvirt.h.in b/include/libvirt/libvirt.h.in
> index a817db8..fdcffd1 100644
> --- a/include/libvirt/libvirt.h.in
> +++ b/include/libvirt/libvirt.h.in
> @@ -1539,6 +1539,9 @@ int                     virDomainSetMemoryFlags (virDomainPtr domain,
>  int                     virDomainGetMaxVcpus    (virDomainPtr domain);
>  int                     virDomainGetSecurityLabel (virDomainPtr domain,
>                                                     virSecurityLabelPtr seclabel);
> +int                     virDomainGetSecurityLabelList (virDomainPtr domain,
> +                                                       virSecurityLabelPtr seclabel,
> +                                                       int nseclabels);
>  
>  typedef enum {
>      VIR_DOMAIN_METADATA_DESCRIPTION = 0, /* Operate on <description> */
> diff --git a/python/generator.py b/python/generator.py
> index 9530867..2753d43 100755
> --- a/python/generator.py
> +++ b/python/generator.py
> @@ -446,6 +446,7 @@ skip_function = (
>      'virConnectOpenAuth', # Python C code is manually written
>      'virDefaultErrorFunc', # Python virErrorFuncHandler impl calls this from C
>      'virDomainGetSecurityLabel', # Needs investigation...
> +    'virDomainGetSecurityLabelList', # Needs investigation...
>      'virNodeGetSecurityModel', # Needs investigation...
>      'virConnectDomainEventRegister',   # overridden in virConnect.py
>      'virConnectDomainEventDeregister', # overridden in virConnect.py
> diff --git a/src/libvirt.c b/src/libvirt.c
> index 22fc863..9e83c05 100644
> --- a/src/libvirt.c
> +++ b/src/libvirt.c
> @@ -9024,6 +9024,55 @@ error:
>  }
>  
>  /**
> + * virDomainGetSecurityLabelList:
> + * @domain: a domain object
> + * @seclabels: pointer to a pre allocated array of virSecurityLabel structures
> + * @nseclabels: number of elements on seclabels array
> + *
> + * Extract the security labels of an active domain. The 'label' field
> + * in the @seclabels argument will be initialized to the empty
> + * string if the domain is not running under a security model.
> + *
> + * Returns 0 in case of success, -1 in case of failure
> + */
> +int
> +virDomainGetSecurityLabelList(virDomainPtr domain,
> +                              virSecurityLabelPtr seclabels,
> +                              int nseclabels)
> +{
> +    virConnectPtr conn;
> +
> +    VIR_DOMAIN_DEBUG(domain, "seclabels=%p", seclabels);
> +
> +    if (!VIR_IS_CONNECTED_DOMAIN(domain)) {
> +        virLibDomainError(VIR_ERR_INVALID_DOMAIN, __FUNCTION__);
> +        virDispatchError(NULL);
> +        return -1;
> +    }
> +
> +    if (seclabels == NULL) {
> +        virLibDomainError(VIR_ERR_INVALID_ARG, __FUNCTION__);
> +        goto error;
> +    }
> +
> +    conn = domain->conn;
> +
> +    if (conn->driver->domainGetSecurityLabelList) {
> +        int ret;
> +        ret = conn->driver->domainGetSecurityLabelList(domain, seclabels,
> +                                                       nseclabels);
> +        if (ret < 0)
> +            goto error;
> +        return ret;
> +    }
> +
> +    virLibConnError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
> +
> +error:
> +    virDispatchError(domain->conn);
> +    return -1;
> +}
> +/**
>   * virDomainSetMetadata:
>   * @domain: a domain object
>   * @type: type of description, from virDomainMetadataType
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index f5c2184..edeaae1 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -278,6 +278,7 @@ virDomainDefClearPCIAddresses;
>  virDomainDefFormat;
>  virDomainDefFormatInternal;
>  virDomainDefFree;
> +virDomainDefGetSecurityLabelDef;
>  virDomainDefParseFile;
>  virDomainDefParseNode;
>  virDomainDefParseString;
> @@ -943,6 +944,7 @@ virSecurityManagerClearSocketLabel;
>  virSecurityManagerFree;
>  virSecurityManagerGenLabel;
>  virSecurityManagerGetDOI;
> +virSecurityManagerGetNested;
>  virSecurityManagerGetModel;
>  virSecurityManagerGetProcessLabel;
>  virSecurityManagerNew;
> @@ -962,6 +964,7 @@ virSecurityManagerSetHostdevLabel;
>  virSecurityManagerSetProcessLabel;
>  virSecurityManagerSetSavedStateLabel;
>  virSecurityManagerSetSocketLabel;
> +virSecurityManagerStackAddNested;
>  virSecurityManagerVerify;
>  virSecurityManagerGetMountOptions;
>  
> diff --git a/src/libvirt_public.syms b/src/libvirt_public.syms
> index 46c13fb..2c85d22 100644
> --- a/src/libvirt_public.syms
> +++ b/src/libvirt_public.syms
> @@ -527,6 +527,7 @@ LIBVIRT_0.9.10 {
>          virDomainShutdownFlags;
>          virStorageVolResize;
>          virStorageVolWipePattern;
> +        virDomainGetSecurityLabelList;
>  } LIBVIRT_0.9.9;

No, this API (symbol) wasn't introduced in 0.9.10 release. In fact, next
release will be 0.9.13. Therefore you need:

LIBVIRT_0.9.13 {
    global:
       virDomainGetSecurityLabelList;
} LIBVIRT_0.9.11;

>  
>  LIBVIRT_0.9.11 {
> diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
> index 5c87561..04b3b67 100644
> --- a/src/remote/remote_driver.c
> +++ b/src/remote/remote_driver.c
> @@ -1858,6 +1858,47 @@ done:
>  }
>  
>  static int
> +remoteDomainGetSecurityLabelList (virDomainPtr domain, virSecurityLabelPtr seclabel,
> +                                  int nlabels ATTRIBUTE_UNUSED)
> +{
> +    remote_domain_get_security_label_list_args args;
> +    remote_domain_get_security_label_list_ret ret;
> +    struct private_data *priv = domain->conn->privateData;
> +    int rv = -1;
> +
> +    remoteDriverLock(priv);
> +
> +    make_nonnull_domain (&args.dom, domain);
> +    memset (&ret, 0, sizeof ret);
> +    memset (seclabel, 0, sizeof (*seclabel));
> +
> +    if (call (domain->conn, priv, 0, REMOTE_PROC_DOMAIN_GET_SECURITY_LABEL_LIST,
> +              (xdrproc_t) xdr_remote_domain_get_security_label_list_args, (char *)&args,
> +              (xdrproc_t) xdr_remote_domain_get_security_label_list_ret, (char *)&ret) == -1) {
> +        goto done;
> +    }
> +
> +    if (ret.label.label_val != NULL) {
> +        if (strlen (ret.label.label_val) >= sizeof seclabel->label) {
> +            remoteError(VIR_ERR_RPC, _("security label exceeds maximum: %zd"),
> +                        sizeof seclabel->label - 1);
> +            goto cleanup;
> +        }
> +        strcpy (seclabel->label, ret.label.label_val);
> +        seclabel->enforcing = ret.enforcing;
> +    }
> +
> +    rv = 0;
> +
> +cleanup:
> +    xdr_free((xdrproc_t) xdr_remote_domain_get_security_label_list_ret, (char *)&ret);
> +
> +done:
> +    remoteDriverUnlock(priv);
> +    return rv;
> +}
> +
> +static int
>  remoteDomainGetState(virDomainPtr domain,
>                       int *state,
>                       int *reason,
> @@ -5006,6 +5047,7 @@ static virDriver remote_driver = {
>      .domainGetVcpus = remoteDomainGetVcpus, /* 0.3.0 */
>      .domainGetMaxVcpus = remoteDomainGetMaxVcpus, /* 0.3.0 */
>      .domainGetSecurityLabel = remoteDomainGetSecurityLabel, /* 0.6.1 */
> +    .domainGetSecurityLabelList = remoteDomainGetSecurityLabelList, /* ? */

And then this needs to be 0.9.13 in the comment

>      .nodeGetSecurityModel = remoteNodeGetSecurityModel, /* 0.6.1 */
>      .domainGetXMLDesc = remoteDomainGetXMLDesc, /* 0.3.0 */
>      .domainXMLFromNative = remoteDomainXMLFromNative, /* 0.6.4 */
> diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
> index 2d57247..d1e3692 100644
> --- a/src/remote/remote_protocol.x
> +++ b/src/remote/remote_protocol.x
> @@ -1082,6 +1082,16 @@ struct remote_domain_get_security_label_ret {
>      int enforcing;
>  };
>  
> +struct remote_domain_get_security_label_list_args {
> +    remote_nonnull_domain dom;
> +    int nlabels;
> +};
> +
> +struct remote_domain_get_security_label_list_ret {
> +    char label<REMOTE_SECURITY_LABEL_MAX>;
> +    int enforcing;
> +};
> +
>  struct remote_node_get_security_model_ret {
>      char model<REMOTE_SECURITY_MODEL_MAX>;
>      char doi<REMOTE_SECURITY_DOI_MAX>;
> @@ -2782,8 +2792,8 @@ enum remote_procedure {
>      REMOTE_PROC_DOMAIN_PM_WAKEUP = 267, /* autogen autogen */
>      REMOTE_PROC_DOMAIN_EVENT_TRAY_CHANGE = 268, /* autogen autogen */
>      REMOTE_PROC_DOMAIN_EVENT_PMWAKEUP = 269, /* autogen autogen */
> -    REMOTE_PROC_DOMAIN_EVENT_PMSUSPEND = 270 /* autogen autogen */
> -
> +    REMOTE_PROC_DOMAIN_EVENT_PMSUSPEND = 270, /* autogen autogen */
> +    REMOTE_PROC_DOMAIN_GET_SECURITY_LABEL_LIST = 271 /* skipgen skipgen priority:high */
>      /*
>       * Notice how the entries are grouped in sets of 10 ?
>       * Nice isn't it. Please keep it this way when adding more.

Well, the sets mentioned in the comment just below the lines you're
changing start with [0-9]*1 not [0-9]*0. Therefore you don't want to
move REMOTE_PROC_DOMAIN_EVENT_PMSUSPENDED;

> diff --git a/src/remote_protocol-structs b/src/remote_protocol-structs
> index 9b2414f..ee08e07 100644
> --- a/src/remote_protocol-structs
> +++ b/src/remote_protocol-structs
> @@ -2192,4 +2192,5 @@ enum remote_procedure {
>          REMOTE_PROC_DOMAIN_EVENT_TRAY_CHANGE = 268,
>          REMOTE_PROC_DOMAIN_EVENT_PMWAKEUP = 269,
>          REMOTE_PROC_DOMAIN_EVENT_PMSUSPEND = 270,
> +        REMOTE_PROC_DOMAIN_GET_SECURITY_LABEL_list = 271,
>  };

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]