On 2012年12月01日 04:26, Daniel P. Berrange wrote:
From: "Daniel P. Berrange"<berrange@xxxxxxxxxx> The SELinux security driver needs to learn to label storage/misc hostdev devices for LXC Signed-off-by: Daniel P. Berrange<berrange@xxxxxxxxxx> --- src/security/security_selinux.c | 118 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 118 insertions(+) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index ad13490..6f0cd4d 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1171,6 +1171,65 @@ done: static int +virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def, + virDomainHostdevDefPtr dev, + const char *vroot) +{ + int ret = -1; + virSecurityLabelDefPtr secdef; + char *path; + + secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); + if (secdef == NULL) + return -1; + + switch (dev->source.caps.type) { + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: { + if (vroot) { + if (virAsprintf(&path, "%s/%s", vroot, + dev->source.caps.u.storage.block)< 0) { + virReportOOMError(); + return -1; + } + } else { + if (!(path = strdup(dev->source.caps.u.storage.block))) { + virReportOOMError(); + return -1; + } + } + ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel); + VIR_FREE(path); + break; + } + + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: { + if (vroot) { + if (virAsprintf(&path, "%s/%s", vroot, + dev->source.caps.u.misc.chardev)< 0) { + virReportOOMError(); + return -1; + } + } else { + if (!(path = strdup(dev->source.caps.u.misc.chardev))) { + virReportOOMError(); + return -1; + } + } + ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel); + VIR_FREE(path); + break; + } + + default: + ret = 0; + break; + } + + return ret; +} + + +static int virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefPtr def, virDomainHostdevDefPtr dev, @@ -1190,6 +1249,9 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS: return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot); + case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES: + return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot); + default: return 0; } @@ -1265,6 +1327,59 @@ done: static int +virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virDomainHostdevDefPtr dev, + const char *vroot) +{ + int ret = -1; + char *path; + + switch (dev->source.caps.type) { + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: { + if (vroot) { + if (virAsprintf(&path, "%s/%s", vroot, + dev->source.caps.u.storage.block)< 0) { + virReportOOMError(); + return -1; + } + } else { + if (!(path = strdup(dev->source.caps.u.storage.block))) { + virReportOOMError(); + return -1; + } + } + ret = virSecuritySELinuxRestoreSecurityFileLabel(path); + VIR_FREE(path); + break; + } + + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: { + if (vroot) { + if (virAsprintf(&path, "%s/%s", vroot, + dev->source.caps.u.misc.chardev)< 0) { + virReportOOMError(); + return -1; + } + } else { + if (!(path = strdup(dev->source.caps.u.misc.chardev))) { + virReportOOMError(); + return -1; + } + }
I think it's better helper to get the path to label, to avoid the duplciate codes in virSecuritySELinuxRestoreSecurityHostdevCapsLabel and virSecuritySELinuxSetSecurityHostdevCapsLabel. ACK otherwise. -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list