Re: [PATCH 08/23] Add support for SELinux labelling of hostdev storage/misc devices

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2012年12月01日 04:26, Daniel P. Berrange wrote:
From: "Daniel P. Berrange"<berrange@xxxxxxxxxx>

The SELinux security driver needs to learn to label storage/misc
hostdev devices for LXC

Signed-off-by: Daniel P. Berrange<berrange@xxxxxxxxxx>
---
  src/security/security_selinux.c | 118 ++++++++++++++++++++++++++++++++++++++++
  1 file changed, 118 insertions(+)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ad13490..6f0cd4d 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1171,6 +1171,65 @@ done:


  static int
+virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
+                                              virDomainHostdevDefPtr dev,
+                                              const char *vroot)
+{
+    int ret = -1;
+    virSecurityLabelDefPtr secdef;
+    char *path;
+
+    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+    if (secdef == NULL)
+        return -1;
+
+    switch (dev->source.caps.type) {
+    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
+        if (vroot) {
+            if (virAsprintf(&path, "%s/%s", vroot,
+                            dev->source.caps.u.storage.block)<  0) {
+                virReportOOMError();
+                return -1;
+            }
+        } else {
+            if (!(path = strdup(dev->source.caps.u.storage.block))) {
+                virReportOOMError();
+                return -1;
+            }
+        }
+        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
+        VIR_FREE(path);
+        break;
+    }
+
+    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
+        if (vroot) {
+            if (virAsprintf(&path, "%s/%s", vroot,
+                            dev->source.caps.u.misc.chardev)<  0) {
+                virReportOOMError();
+                return -1;
+            }
+        } else {
+            if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
+                virReportOOMError();
+                return -1;
+            }
+        }
+        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
+        VIR_FREE(path);
+        break;
+    }
+
+    default:
+        ret = 0;
+        break;
+    }
+
+    return ret;
+}
+
+
+static int
  virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                            virDomainDefPtr def,
                                            virDomainHostdevDefPtr dev,
@@ -1190,6 +1249,9 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
      case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
          return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot);

+    case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
+        return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot);
+
      default:
          return 0;
      }
@@ -1265,6 +1327,59 @@ done:


  static int
+virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virDomainHostdevDefPtr dev,
+                                                  const char *vroot)
+{
+    int ret = -1;
+    char *path;
+
+    switch (dev->source.caps.type) {
+    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
+        if (vroot) {
+            if (virAsprintf(&path, "%s/%s", vroot,
+                            dev->source.caps.u.storage.block)<  0) {
+                virReportOOMError();
+                return -1;
+            }
+        } else {
+            if (!(path = strdup(dev->source.caps.u.storage.block))) {
+                virReportOOMError();
+                return -1;
+            }
+        }
+        ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
+        VIR_FREE(path);
+        break;
+    }
+
+    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
+        if (vroot) {
+            if (virAsprintf(&path, "%s/%s", vroot,
+                            dev->source.caps.u.misc.chardev)<  0) {
+                virReportOOMError();
+                return -1;
+            }
+        } else {
+            if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
+                virReportOOMError();
+                return -1;
+            }
+        }

I think it's better helper to get the path to label, to avoid the
duplciate codes in virSecuritySELinuxRestoreSecurityHostdevCapsLabel
and virSecuritySELinuxSetSecurityHostdevCapsLabel.

ACK otherwise.

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]