From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

When LXC labels USB devices during hotplug, it is running in host context, so it needs to pass in a vroot path to the container root.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 src/qemu/qemu_cgroup.c | 3 ++-
 src/qemu/qemu_hostdev.c | 11 +++++++----
 src/qemu/qemu_hotplug.c | 11 ++++++-----
 src/security/security_apparmor.c | 10 ++++++----
 src/security/security_dac.c | 20 +++++++++++++-------
 src/security/security_driver.h | 6 ++++--
 src/security/security_manager.c | 10 ++++++----
 src/security/security_manager.h | 6 ++++--
 src/security/security_nop.c | 6 ++++--
 src/security/security_selinux.c | 20 +++++++++++++-------
 src/security/security_stack.c | 16 ++++++++++++----
 src/util/hostusb.c | 17 +++++++++++++----
 src/util/hostusb.h | 6 +++++-
 13 files changed, 95 insertions(+), 47 deletions(-)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 30cd1d6..084d89d 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -290,7 +290,8 @@ int qemuSetupCgroup(virQEMUDriverPtr driver,
             continue;
 
         if ((usb = usbGetDevice(hostdev->source.subsys.u.usb.bus,
-                                hostdev->source.subsys.u.usb.device)) == NULL)
+                                hostdev->source.subsys.u.usb.device,
+                                NULL)) == NULL)
             goto cleanup;
 
         if (usbDeviceFileIterate(usb, qemuSetupHostUsbDeviceCgroup,
diff --git a/src/qemu/qemu_hostdev.c b/src/qemu/qemu_hostdev.c
index ab0f173..6d706a6 100644
--- a/src/qemu/qemu_hostdev.c
+++ b/src/qemu/qemu_hostdev.c
@@ -179,7 +179,8 @@ qemuUpdateActiveUsbHostdevs(virQEMUDriverPtr driver,
             continue;
 
         usb = usbGetDevice(hostdev->source.subsys.u.usb.bus,
-                           hostdev->source.subsys.u.usb.device);
+                           hostdev->source.subsys.u.usb.device,
+                           NULL);
         if (!usb) {
             VIR_WARN("Unable to reattach USB device %03d.%03d on domain %s",
                      hostdev->source.subsys.u.usb.bus,
@@ -657,6 +658,7 @@ qemuFindHostdevUSBDevice(virDomainHostdevDefPtr hostdev,
 
     if (vendor && bus) {
         rc = usbFindDevice(vendor, product, bus, device,
+                           NULL,
                            autoAddress ? false : mandatory,
                            usb);
         if (rc < 0) {
@@ -677,7 +679,7 @@ qemuFindHostdevUSBDevice(virDomainHostdevDefPtr hostdev,
     if (vendor) {
         usbDeviceList *devs;
 
-        rc = usbFindDeviceByVendor(vendor, product, mandatory, &devs);
+        rc = usbFindDeviceByVendor(vendor, product, NULL, mandatory, &devs);
         if (rc < 0)
             return -1;
 
@@ -717,7 +719,7 @@ qemuFindHostdevUSBDevice(virDomainHostdevDefPtr hostdev,
                            bus, device);
         }
     } else if (!vendor && bus) {
-        if (usbFindDeviceByBus(bus, device, mandatory, usb) < 0)
+        if (usbFindDeviceByBus(bus, device, NULL, mandatory, usb) < 0)
             return -1;
     }
 
@@ -936,7 +938,8 @@ qemuDomainReAttachHostUsbDevices(virQEMUDriverPtr driver,
             continue;
 
         usb = usbGetDevice(hostdev->source.subsys.u.usb.bus,
-                           hostdev->source.subsys.u.usb.device);
+                           hostdev->source.subsys.u.usb.device,
+                           NULL);
         if (!usb) {
             VIR_WARN("Unable to reattach USB device %03d.%03d on domain %s",
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index cfeae68..36022e4 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1105,7 +1105,8 @@ int qemuDomainAttachHostUsbDevice(virQEMUDriverPtr driver,
     }
 
     if ((usb = usbGetDevice(hostdev->source.subsys.u.usb.bus,
-                            hostdev->source.subsys.u.usb.device)) == NULL)
+                            hostdev->source.subsys.u.usb.device,
+                            NULL)) == NULL)
         goto error;
 
     data.vm = vm;
@@ -1173,7 +1174,7 @@ int qemuDomainAttachHostDevice(virQEMUDriverPtr driver,
     }
 
     if (virSecurityManagerSetHostdevLabel(driver->securityManager,
-                                          vm->def, hostdev) < 0)
+                                          vm->def, hostdev, NULL) < 0)
         goto cleanup;
 
     switch (hostdev->source.subsys.type) {
@@ -1201,7 +1202,7 @@ int qemuDomainAttachHostDevice(virQEMUDriverPtr driver,
 
 error:
     if (virSecurityManagerRestoreHostdevLabel(driver->securityManager,
-                                              vm->def, hostdev) < 0)
+                                              vm->def, hostdev, NULL) < 0)
         VIR_WARN("Unable to restore host device labelling on hotplug fail");
 
 cleanup:
@@ -2337,7 +2338,7 @@ qemuDomainDetachHostUsbDevice(virQEMUDriverPtr driver,
     if (ret < 0)
         return -1;
 
-    usb = usbGetDevice(subsys->u.usb.bus, subsys->u.usb.device);
+    usb = usbGetDevice(subsys->u.usb.bus, subsys->u.usb.device, NULL);
     if (usb) {
         usbDeviceListDel(driver->activeUsbHostdevs, usb);
         usbFreeDevice(usb);
@@ -2388,7 +2389,7 @@ int qemuDomainDetachThisHostDevice(virQEMUDriverPtr driver,
 
     if (!ret) {
         if (virSecurityManagerRestoreHostdevLabel(driver->securityManager,
-                                                  vm->def, detach) < 0) {
+                                                  vm->def, detach, NULL) < 0) {
             VIR_WARN("Failed to restore host device labelling");
         }
         virDomainHostdevRemove(vm->def, idx);
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index b0cdb65..f57b81f 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -742,8 +742,8 @@ AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 static int
 AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
                                 virDomainDefPtr def,
-                                virDomainHostdevDefPtr dev)
-
+                                virDomainHostdevDefPtr dev,
+                                const char *vroot)
 {
     struct SDPDOP *ptr;
     int ret = -1;
@@ -770,7 +770,8 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
     switch (dev->source.subsys.type) {
     case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
         usbDevice *usb = usbGetDevice(dev->source.subsys.u.usb.bus,
-                                      dev->source.subsys.u.usb.device);
+                                      dev->source.subsys.u.usb.device,
+                                      vroot);
 
         if (!usb)
             goto done;
@@ -808,7 +809,8 @@ done:
 static int
 AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
                                     virDomainDefPtr def,
-                                    virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
+                                    virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED,
+                                    const char *vroot ATTRIBUTE_UNUSED)
 
 {
     const virSecurityLabelDefPtr secdef =
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index b07c132..2861725 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -474,7 +474,8 @@ virSecurityDACSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
 static int
 virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
                                       virDomainDefPtr def,
-                                      virDomainHostdevDefPtr dev)
+                                      virDomainHostdevDefPtr dev,
+                                      const char *vroot)
 {
     void *params[] = {mgr, def};
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -494,7 +495,8 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
         return 0;
 
     usb = usbGetDevice(dev->source.subsys.u.usb.bus,
-                       dev->source.subsys.u.usb.device);
+                       dev->source.subsys.u.usb.device,
+                       vroot);
 
     if (!usb)
         goto done;
@@ -550,8 +552,9 @@ virSecurityDACRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
 
 static int
 virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
-                                          virDomainDefPtr def ATTRIBUTE_UNUSED,
-                                          virDomainHostdevDefPtr dev)
+                                          virDomainDefPtr def ATTRIBUTE_UNUSED,
+                                          virDomainHostdevDefPtr dev,
+                                          const char *vroot)
 {
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
 
@@ -571,7 +574,8 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
         return 0;
 
     usb = usbGetDevice(dev->source.subsys.u.usb.bus,
-                       dev->source.subsys.u.usb.device);
+                       dev->source.subsys.u.usb.device,
+                       vroot);
 
     if (!usb)
         goto done;
@@ -728,7 +732,8 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
     for (i = 0 ; i < def->nhostdevs ; i++) {
         if (virSecurityDACRestoreSecurityHostdevLabel(mgr,
                                                       def,
-                                                      def->hostdevs[i]) < 0)
+                                                      def->hostdevs[i],
+                                                      NULL) < 0)
             rc = -1;
     }
     for (i = 0 ; i < def->ndisks ; i++) {
@@ -793,7 +798,8 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
     for (i = 0 ; i < def->nhostdevs ; i++) {
         if (virSecurityDACSetSecurityHostdevLabel(mgr,
                                                   def,
-                                                  def->hostdevs[i]) < 0)
+                                                  def->hostdevs[i],
+                                                  NULL) < 0)
             return -1;
     }
 
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index d49b401..d4ddb45 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -61,10 +61,12 @@ typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
                                                 virDomainDiskDefPtr disk);
 typedef int (*virSecurityDomainRestoreHostdevLabel) (virSecurityManagerPtr mgr,
                                                      virDomainDefPtr def,
-                                                     virDomainHostdevDefPtr dev);
+                                                     virDomainHostdevDefPtr dev,
+                                                     const char *vroot);
 typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr,
                                                  virDomainDefPtr def,
-                                                 virDomainHostdevDefPtr dev);
+                                                 virDomainHostdevDefPtr dev,
+                                                 const char *vroot);
 typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityManagerPtr mgr,
                                                     virDomainDefPtr def,
                                                     const char *savefile);
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 0ebd53b..567f86c 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
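Review bot: The new `vroot` parameter on the `virSecurityDomainRestoreHostdevLabel` and `virSecurityDomainSetHostdevLabel` callback typedefs is the one argument whose meaning cannot be read off its type, and the hunk adds no comment; the same applies to the matching public prototypes in the security_manager.h hunk. I would add above the two typedefs `/* vroot: optional host-side path prefix (a container's root) under which the hostdev's device node is located; NULL means the host's own filesystem. */`, which is what usbGetDevice does with the value in this patch. It would also help to note that every qemu caller in this patch passes NULL and that, per the commit message, only the LXC hotplug path is expected to supply a real prefix, so driver implementations must treat NULL as the normal case.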
@@ -275,10 +275,11 @@ int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
 
 int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
                                           virDomainDefPtr vm,
-                                          virDomainHostdevDefPtr dev)
+                                          virDomainHostdevDefPtr dev,
+                                          const char *vroot)
 {
     if (mgr->drv->domainRestoreSecurityHostdevLabel)
-        return mgr->drv->domainRestoreSecurityHostdevLabel(mgr, vm, dev);
+        return mgr->drv->domainRestoreSecurityHostdevLabel(mgr, vm, dev, vroot);
 
     virReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
     return -1;
@@ -286,10 +287,11 @@ int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
 
 int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
                                       virDomainDefPtr vm,
-                                      virDomainHostdevDefPtr dev)
+                                      virDomainHostdevDefPtr dev,
+                                      const char *vroot)
 {
     if (mgr->drv->domainSetSecurityHostdevLabel)
-        return mgr->drv->domainSetSecurityHostdevLabel(mgr, vm, dev);
+        return mgr->drv->domainSetSecurityHostdevLabel(mgr, vm, dev, vroot);
 
     virReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
     return -1;
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 1fdaf8e..e49cce7 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -71,10 +71,12 @@ int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
                                     virDomainDiskDefPtr disk);
 int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
                                           virDomainDefPtr def,
-                                          virDomainHostdevDefPtr dev);
+                                          virDomainHostdevDefPtr dev,
+                                          const char *vroot);
 int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
                                       virDomainDefPtr def,
-                                      virDomainHostdevDefPtr dev);
+                                      virDomainHostdevDefPtr dev,
+                                      const char *vroot);
 int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
                                          virDomainDefPtr def,
                                          const char *savefile);
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 5f3270a..7bc8bba 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -84,14 +84,16 @@ static int virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE
 
 static int virSecurityDomainRestoreHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                                    virDomainDefPtr vm ATTRIBUTE_UNUSED,
-                                                   virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
+                                                   virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED,
+                                                   const char *vroot ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainSetHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                                virDomainDefPtr vm ATTRIBUTE_UNUSED,
-                                               virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
+                                               virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED,
+                                               const char *vroot ATTRIBUTE_UNUSED)
 {
     return 0;
 }
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ddf3da3..9070ff9 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1121,7 +1121,8 @@ virSecuritySELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
 static int
 virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                           virDomainDefPtr def,
-                                          virDomainHostdevDefPtr dev)
+                                          virDomainHostdevDefPtr dev,
+                                          const char *vroot)
 {
     virSecurityLabelDefPtr secdef;
 
@@ -1145,7 +1146,8 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
         return 0;
 
     usb = usbGetDevice(dev->source.subsys.u.usb.bus,
-                       dev->source.subsys.u.usb.device);
+                       dev->source.subsys.u.usb.device,
+                       vroot);
 
     if (!usb)
         goto done;
@@ -1198,7 +1200,8 @@ virSecuritySELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
 static int
 virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                               virDomainDefPtr def,
-                                              virDomainHostdevDefPtr dev)
+                                              virDomainHostdevDefPtr dev,
+                                              const char *vroot)
 {
     virSecurityLabelDefPtr secdef;
 
@@ -1222,7 +1225,8 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUT
         return 0;
 
     usb = usbGetDevice(dev->source.subsys.u.usb.bus,
-                       dev->source.subsys.u.usb.device);
+                       dev->source.subsys.u.usb.device,
+                       vroot);
 
     if (!usb)
         goto done;
@@ -1464,7 +1468,8 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
     for (i = 0 ; i < def->nhostdevs ; i++) {
         if (virSecuritySELinuxRestoreSecurityHostdevLabel(mgr,
                                                           def,
-                                                          def->hostdevs[i]) < 0)
+                                                          def->hostdevs[i],
+                                                          NULL) < 0)
             rc = -1;
     }
     for (i = 0 ; i < def->ndisks ; i++) {
@@ -1834,8 +1839,9 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
 
     for (i = 0 ; i < def->nhostdevs ; i++) {
         if (virSecuritySELinuxSetSecurityHostdevLabel(mgr,
-                                                      def,
-                                                      def->hostdevs[i]) < 0)
+                                                      def,
+                                                      def->hostdevs[i],
+                                                      NULL) < 0)
             return -1;
     }
 
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 1094cbe..51510e5 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -236,7 +236,8 @@ virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
 static int
 virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
                                         virDomainDefPtr vm,
-                                        virDomainHostdevDefPtr dev)
+                                        virDomainHostdevDefPtr dev,
+                                        const char *vroot)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
 
@@ -244,7 +245,10 @@ virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
     int rc = 0;
 
     for (; item; item = item->next) {
-        if (virSecurityManagerSetHostdevLabel(item->securityManager, vm, dev) < 0)
+        if (virSecurityManagerSetHostdevLabel(item->securityManager,
+                                              vm,
+                                              dev,
+                                              vroot) < 0)
             rc = -1;
     }
 
@@ -255,14 +259,18 @@ virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
 static int
 virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
                                             virDomainDefPtr vm,
-                                            virDomainHostdevDefPtr dev)
+                                            virDomainHostdevDefPtr dev,
+                                            const char *vroot)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     virSecurityStackItemPtr item = priv->itemsHead;
     int rc = 0;
 
     for (; item; item = item->next) {
-        if (virSecurityManagerRestoreHostdevLabel(item->securityManager, vm, dev) < 0)
+        if (virSecurityManagerRestoreHostdevLabel(item->securityManager,
+                                                  vm,
+                                                  dev,
+                                                  vroot) < 0)
             rc = -1;
     }
 
diff --git a/src/util/hostusb.c b/src/util/hostusb.c
index 81a9f5a..24f925b 100644
--- a/src/util/hostusb.c
+++ b/src/util/hostusb.c
@@ -101,6 +101,7 @@ usbDeviceSearch(unsigned int vendor,
                 unsigned int product,
                 unsigned int bus,
                 unsigned int devno,
+                const char *vroot,
                 unsigned int flags)
 {
     DIR *dir = NULL;
@@ -160,7 +161,7 @@ usbDeviceSearch(unsigned int vendor,
             found = true;
         }
 
-        usb = usbGetDevice(found_bus, found_devno);
+        usb = usbGetDevice(found_bus, found_devno, vroot);
         if (!usb)
             goto cleanup;
 
@@ -189,6 +190,7 @@ cleanup:
 int
 usbFindDeviceByVendor(unsigned int vendor,
                       unsigned product,
+                      const char *vroot,
                       bool mandatory,
                       usbDeviceList **devices)
 {
@@ -196,6 +198,7 @@ usbFindDeviceByVendor(unsigned int vendor,
     int count;
 
     if (!(list = usbDeviceSearch(vendor, product, 0 , 0,
+                                 vroot,
                                  USB_DEVICE_FIND_BY_VENDOR)))
         return -1;
 
@@ -226,12 +229,14 @@ usbFindDeviceByVendor(unsigned int vendor,
 int
 usbFindDeviceByBus(unsigned int bus,
                    unsigned devno,
+                   const char *vroot,
                    bool mandatory,
                    usbDevice **usb)
 {
     usbDeviceList *list;
 
     if (!(list = usbDeviceSearch(0, 0, bus, devno,
+                                 vroot,
                                  USB_DEVICE_FIND_BY_BUS)))
         return -1;
 
@@ -265,13 +270,15 @@ usbFindDevice(unsigned int vendor,
               unsigned int product,
               unsigned int bus,
               unsigned int devno,
+              const char *vroot,
               bool mandatory,
               usbDevice **usb)
 {
     usbDeviceList *list;
     unsigned int flags = USB_DEVICE_FIND_BY_VENDOR|USB_DEVICE_FIND_BY_BUS;
 
-    if (!(list = usbDeviceSearch(vendor, product, bus, devno, flags)))
+    if (!(list = usbDeviceSearch(vendor, product, bus, devno,
+                                 vroot, flags)))
         return -1;
 
     if (list->count == 0) {
@@ -301,7 +308,8 @@ usbFindDevice(unsigned int vendor,
 
 usbDevice *
 usbGetDevice(unsigned int bus,
-             unsigned int devno)
+             unsigned int devno,
+             const char *vroot)
 {
     usbDevice *dev;
 
@@ -321,7 +329,8 @@ usbGetDevice(unsigned int bus,
         usbFreeDevice(dev);
         return NULL;
     }
-    if (virAsprintf(&dev->path, USB_DEVFS "%03d/%03d",
+    if (virAsprintf(&dev->path, "%s" USB_DEVFS "%03d/%03d",
+                    vroot ? vroot : "",
                     dev->bus, dev->dev) < 0) {
         virReportOOMError();
         usbFreeDevice(dev);
diff --git a/src/util/hostusb.h b/src/util/hostusb.h
index 4f55fdc..aee1526 100644
--- a/src/util/hostusb.h
+++ b/src/util/hostusb.h
@@ -29,15 +29,18 @@ typedef struct _usbDevice usbDevice;
 typedef struct _usbDeviceList usbDeviceList;
 
 usbDevice *usbGetDevice(unsigned int bus,
-                        unsigned int devno);
+                        unsigned int devno,
+                        const char *vroot);
 
 int usbFindDeviceByBus(unsigned int bus,
                        unsigned int devno,
+                       const char *vroot,
                        bool mandatory,
                        usbDevice **usb);
 
 int usbFindDeviceByVendor(unsigned int vendor,
                           unsigned int product,
+                          const char *vroot,
                           bool mandatory,
                           usbDeviceList **devices);
 
@@ -45,6 +48,7 @@ int usbFindDevice(unsigned int vendor,
                   unsigned int product,
                   unsigned int bus,
                   unsigned int devno,
+                  const char *vroot,
                   bool mandatory,
                   usbDevice **usb);
-- 
1.8.0.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
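Review bot: In the `usbGetDevice` hunk (`@@ -321,7 +329,8 @@`) the device node path is now `vroot` glued directly onto `USB_DEVFS`, and the commit message says the caller runs in host context; the DAC/SELinux code that later labels `dev->path` (outside this hunk) will therefore resolve every component below `vroot` on the host. Since `vroot` is a container root, those components are not necessarily under libvirt's control, so the relabel should be guarded rather than trusted blindly: either `usbGetDevice` documents that the caller must guarantee the node was created by libvirt, or the consumers `lstat()` the path and require `S_ISCHR` before applying labels so that a non-device entry at that location is rejected. I would put on the prototype comment something like `/* When vroot is set the node is resolved in host context; callers must not label it without verifying it is a plain character device */`. `usbGetDevice`'s body starts and ends outside the hunk, so the existing stat/validation it may already do is not visible here.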
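Review bot: hostusb.h adds `vroot` to four public prototypes without saying what it is, and this header is where the qemu callers (which all pass NULL in this patch) and the LXC caller will look. I would add one comment above `usbGetDevice`, e.g. `/* vroot: optional path prefix prepended to the device node path when the caller runs in host context but addresses a container's device nodes; NULL means the host itself. */`, and state the trailing-slash rule: `usbGetDevice` does no normalisation, so a `vroot` ending in `/` yields a doubled separator if `USB_DEVFS` begins with one — which the old format string suggests but this patch does not show, so confirm against the macro and either document "no trailing slash" or strip it in `usbGetDevice`.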