[PATCH v2 4/5] Support for multiple default security drivers in QEMU config

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This patch replaces the key "security_driver" in QEMU config by
"security_drivers", which accepts a list of default drivers. If
"security_drivers" can't be found, libvirt will use "security_driver" to
ensure that it will remain compatible with older version of the config
file.
---
 src/qemu/libvirtd_qemu.aug         |    2 +-
 src/qemu/qemu.conf                 |    2 +-
 src/qemu/qemu_conf.c               |   42 ++++++++++++++-
 src/qemu/qemu_conf.h               |    2 +-
 src/qemu/qemu_driver.c             |   97 ++++++++++++++++++++++++++++--------
 src/qemu/test_libvirtd_qemu.aug.in |    2 +-
 6 files changed, 119 insertions(+), 28 deletions(-)

diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 683aadb..fab97d7 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -39,7 +39,7 @@ module Libvirtd_qemu =
                  | str_entry  "spice_tls_x509_cert_dir"
                  | str_entry "spice_password"
 
-   let security_entry = str_entry "security_driver"
+   let security_entry = str_entry "security_drivers"
                  | bool_entry "security_default_confined"
                  | bool_entry "security_require_confined"
                  | str_entry "user"
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index ed4683c..ffb03f8 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -146,7 +146,7 @@
 # leaving SELinux enabled for the host in general, then set this
 # to 'none' instead.
 #
-#security_driver = "selinux"
+#security_drivers = "selinux"
 
 # If set to non-zero, then the default security labeling
 # will make guests confined. If set to zero, then guests
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 88a04bc..6e1c608 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -192,14 +192,50 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
         }
     }
 
-    p = virConfGetValue (conf, "security_driver");
-    CHECK_TYPE ("security_driver", VIR_CONF_STRING);
+    p = virConfGetValue (conf, "security_drivers");
+    CHECK_TYPE ("security_drivers", VIR_CONF_STRING);
     if (p && p->str) {
-        if (!(driver->securityDriverName = strdup(p->str))) {
+        char *it, *tok;
+        size_t len;
+
+        for (len = 1, it = p->str; *it; it++)
+            len++;
+        if (VIR_ALLOC_N(driver->securityDriverNames, len + 1) < 0) {
             virReportOOMError();
             virConfFree(conf);
             return -1;
         }
+
+        i = 0;
+        tok = it = p->str;
+        while (1) {
+            if (*it == ',' || *it == '\0') {
+                driver->securityDriverNames[i] = strndup(tok, it - tok);
+                if (driver->securityDriverNames == NULL) {
+                    virReportOOMError();
+                    virConfFree(conf);
+                    return -1;
+                }
+                tok = it + 1;
+                i++;
+            }
+            if (*it == '\0')
+                break;
+            it++;
+        }
+    } else {
+        VIR_WARN("'security_drivers' config not found. Trying 'security_driver'");
+        p = virConfGetValue (conf, "security_driver");
+        CHECK_TYPE ("security_driver", VIR_CONF_STRING);
+        if (p && p->str) {
+            if (VIR_ALLOC_N(driver->securityDriverNames, 2) < 0 ||
+                !(driver->securityDriverNames[0] = strdup(p->str))) {
+                virReportOOMError();
+                virConfFree(conf);
+                return -1;
+            }
+            driver->securityDriverNames[1] = NULL;
+        }
     }
 
     p = virConfGetValue (conf, "security_default_confined");
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 482e6d3..e808f4f 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -116,7 +116,7 @@ struct qemud_driver {
 
     virDomainEventStatePtr domainEventState;
 
-    char *securityDriverName;
+    char **securityDriverNames;
     bool securityDefaultConfined;
     bool securityRequireConfined;
     virSecurityManagerPtr securityManager;
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 1b02f28..f01566b 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -220,36 +220,91 @@ qemuAutostartDomains(struct qemud_driver *driver)
 static int
 qemuSecurityInit(struct qemud_driver *driver)
 {
-    virSecurityManagerPtr mgr = virSecurityManagerNew(driver->securityDriverName,
-                                                      QEMU_DRIVER_NAME,
-                                                      driver->allowDiskFormatProbing,
-                                                      driver->securityDefaultConfined,
-                                                      driver->securityRequireConfined);
+    char **names;
+    char *primary;
+    virSecurityManagerPtr mgr, nested, stack;
 
+    if (driver->securityDriverNames == NULL)
+        primary = NULL;
+    else
+        primary = driver->securityDriverNames[0];
+
+    /* Create primary driver */
+    mgr = virSecurityManagerNew(primary,
+                                QEMU_DRIVER_NAME,
+                                driver->allowDiskFormatProbing,
+                                driver->securityDefaultConfined,
+                                driver->securityRequireConfined);
     if (!mgr)
         goto error;
 
-    if (driver->privileged) {
-        virSecurityManagerPtr dac = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
-                                                             driver->user,
-                                                             driver->group,
-                                                             driver->allowDiskFormatProbing,
-                                                             driver->securityDefaultConfined,
-                                                             driver->securityRequireConfined,
-                                                             driver->dynamicOwnership);
-        if (!dac)
+    /* If a DAC driver is required or additional drivers are provived, a stack
+     * driver should be create to group them all */
+    if (driver->privileged ||
+        (driver->securityDriverNames && driver->securityDriverNames[1])) {
+        stack = virSecurityManagerNewStack(mgr);
+        if (!stack)
             goto error;
+        mgr = stack;
+    }
+
+    /* Loop through additional driver names and add a secudary driver to each
+     * one */
+    if (driver->securityDriverNames) {
+        names = driver->securityDriverNames + 1;
+        while (names && *names) {
+            if (STREQ("dac", *names)) {
+                /* A DAC driver has specific parameters */
+                nested = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
+                                                  driver->user,
+                                                  driver->group,
+                                                  driver->allowDiskFormatProbing,
+                                                  driver->securityDefaultConfined,
+                                                  driver->securityRequireConfined,
+                                                  driver->dynamicOwnership);
+            } else {
+                nested = virSecurityManagerNew(*names,
+                                               QEMU_DRIVER_NAME,
+                                               driver->allowDiskFormatProbing,
+                                               driver->securityDefaultConfined,
+                                               driver->securityRequireConfined);
+            }
+            if (nested == NULL)
+                goto error;
+            if (virSecurityManagerStackAddNested(stack, nested))
+                goto error;
+            names++;
+        }
+    }
 
-        if (!(driver->securityManager = virSecurityManagerNewStack(mgr)) ||
-            !(virSecurityManagerStackAddNested(mgr, dac))) {
-
-            virSecurityManagerFree(dac);
-            goto error;
+    if (driver->privileged) {
+        /* When a DAC driver is required, check if there is already one in the
+         * additional drivers */
+        names = driver->securityDriverNames;
+        while (names && *names) {
+            if (STREQ("dac", *names)) {
+               break;
+            }
+            names++;
+        }
+        /* If there is no DAC driver, create a new one and add it to the stack
+         * manager */
+        if (names == NULL || *names == NULL) {
+            nested = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
+                                              driver->user,
+                                              driver->group,
+                                              driver->allowDiskFormatProbing,
+                                              driver->securityDefaultConfined,
+                                              driver->securityRequireConfined,
+                                              driver->dynamicOwnership);
+            if (nested == NULL)
+                goto error;
+            if (virSecurityManagerStackAddNested(stack, nested))
+                goto error;
         }
-    } else {
-        driver->securityManager = mgr;
     }
 
+    driver->securityManager = mgr;
     return 0;
 
 error:
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index 959f250..ff24a38 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -15,7 +15,7 @@ module Test_libvirtd_qemu =
 { "spice_tls" = "1" }
 { "spice_tls_x509_cert_dir" = "/etc/pki/libvirt-spice" }
 { "spice_password" = "XYZ12345" }
-{ "security_driver" = "selinux" }
+{ "security_drivers" = "selinux" }
 { "security_default_confined" = "1" }
 { "security_require_confined" = "1" }
 { "user" = "root" }
-- 
1.7.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]