On Thu, Feb 07, 2013 at 04:37:51PM -0500, Laine Stump wrote:
> The existing virSecurityManagerSetProcessLabel() API is designed so
> that it must be called after forking the child process, but before
> exec'ing the child. Due to the way the virCommand API works, that
> means it needs to be put in a "hook" function that virCommand is told
> to call out to at that time.
>
> Setting the child process label is a basic enough need when executing
> any process that virCommand should have a method of doing that. But
> virCommand must be told what label to set, and only the security
> driver knows the answer to that question.
>
> The new virSecurityManagerSet*Child*ProcessLabel() API is the way to
> transfer the knowledge about what label to set from the security
> driver to the virCommand object. It is given a virCommandPtr, and each
> security driver calls the appropriate virCommand* API to tell
> virCommand what to do between fork and exec.
>
> 1) in the case of the DAC security driver, it calls
> virCommandSetUID/GID() to set a uid and gid that must be set for the
> child process.
>
> 2) for the SELinux and AppArmor security drivers, it calls
> virCommandSetSecLabel() to save a copy of the char* that will be sent
> to each driver's respective "SetProcessLabel" API *after forking
> the child process*.

This will need a tweak based on the change I suggested to the previous patch.

> diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c > index bf795b0..4a81118 100644 > --- a/src/security/security_apparmor.c > +++ b/src/security/security_apparmor.c
> @@ -1,7 +1,7 @@ > /* > * AppArmor security driver for libvirt > * > - * Copyright (C) 2011 Red Hat, Inc. > + * Copyright (C) 2011, 2013 Red Hat, Inc.

You can turn this into a range '2011-2013' - there were plenty of Red Hat changes to this file throughout the last year(s). Likewise for all others.

Daniel

-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
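Review bot: the only change visible in this hunk of security_apparmor.c is the copyright header, so the AppArmor side of the new API that the commit message describes (the driver calling virCommandSetSecLabel() so the label is applied after fork) is not in the quoted portion and cannot be checked from what is shown here; the reviewer who re-reads this thread should look at the rest of the patch for that. On the header line itself, "2011, 2013" should become the range "2011-2013", as the reply already says, and the same fix applies to the other files the patch touches.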
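The fork/exec split that the commit message describes, as an added example that is not libvirt's code and does not use the virCommand or security driver APIs themselves: a driver records, before the child exists, what must happen between fork() and exec(), and the command runner replays it in the child. The DAC path asks for a uid/gid switch; the MAC path stores a label plus the hook that consumes it. All names here (cmd_t, set_child_label_fn, dac_cfg_t, cmd_set_uid_gid, cmd_set_seclabel, dac_set_child_label, mac_set_child_label, mac_apply_label, cmd_run, run_as_self_dac, run_with_mac_label) are hypothetical stand-ins, and the MAC hook only validates the label rather than talking to an LSM, so the example runs on any Linux host.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for setgroups() in <grp.h> under strict -std= */
#endif
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for virCommand: the between-fork-and-exec steps,
 * recorded by the security driver before the child exists. */
typedef struct {
    const char *argv[4];
    int set_ids;                            /* DAC: switch to uid/gid in the child */
    uid_t uid;
    gid_t gid;
    const char *seclabel;                   /* MAC: label handed to apply_label */
    int (*apply_label)(const char *label);  /* MAC driver's own per-child step */
} cmd_t;

/* Hypothetical stand-in for a driver's SetChildProcessLabel entry point. */
typedef int (*set_child_label_fn)(cmd_t *cmd, const void *cfg);
typedef struct { uid_t uid; gid_t gid; } dac_cfg_t;

/* Analogue of virCommandSetUID()/virCommandSetGID() (assumed shape). */
static void cmd_set_uid_gid(cmd_t *cmd, uid_t uid, gid_t gid)
{
    cmd->set_ids = 1; cmd->uid = uid; cmd->gid = gid;
}

/* Analogue of virCommandSetSecLabel() (assumed shape): keep the label and the
 * hook that will consume it after fork(). */
static void cmd_set_seclabel(cmd_t *cmd, const char *label, int (*apply)(const char *))
{
    cmd->seclabel = label; cmd->apply_label = apply;
}

/* DAC driver: only ids matter, so it asks for a uid/gid switch. */
static int dac_set_child_label(cmd_t *cmd, const void *cfg)
{
    const dac_cfg_t *d = cfg;
    cmd_set_uid_gid(cmd, d->uid, d->gid);
    return 0;
}

/* MAC driver hook, run in the child. A real SELinux/AppArmor driver would hand
 * the label to the LSM here; this stand-in only rejects an empty label. */
static int mac_apply_label(const char *label)
{
    return (label != NULL && *label != '\0') ? 0 : -1;
}

static int mac_set_child_label(cmd_t *cmd, const void *cfg)
{
    cmd_set_seclabel(cmd, (const char *)cfg, mac_apply_label);
    return 0;
}

/* Child side. Label first (an LSM transition needs the parent's privilege),
 * then gid before uid: once uid is dropped, setgid() would fail. */
static int cmd_apply_in_child(const cmd_t *cmd)
{
    if (cmd->seclabel != NULL && cmd->apply_label(cmd->seclabel) < 0)
        return -1;
    if (cmd->set_ids) {
        if (geteuid() == 0 && setgroups(0, NULL) < 0)  /* drop supplementary groups */
            return -1;
        if (setgid(cmd->gid) < 0 || setuid(cmd->uid) < 0)
            return -1;
    }
    return 0;
}

/* fork(), replay the recorded steps in the child, exec. Returns the child's
 * exit status; 125 if a child-side step failed, 127 if exec failed, -1 on error. */
static int cmd_run(const cmd_t *cmd)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (cmd_apply_in_child(cmd) < 0)
            _exit(125);
        execv(cmd->argv[0], (char *const *)cmd->argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Run "sh -c <sh>" after the chosen driver has programmed the command. */
static int run_with_driver(set_child_label_fn drv, const void *cfg, const char *sh)
{
    cmd_t cmd;
    memset(&cmd, 0, sizeof(cmd));
    cmd.argv[0] = "/bin/sh"; cmd.argv[1] = "-c"; cmd.argv[2] = sh; cmd.argv[3] = NULL;
    return drv(&cmd, cfg) < 0 ? -1 : cmd_run(&cmd);
}

/* DAC with the caller's own ids, so the switch is permitted unprivileged. */
int run_as_self_dac(const char *sh)
{
    dac_cfg_t cfg = { getuid(), getgid() };
    return run_with_driver(dac_set_child_label, &cfg, sh);
}

int run_with_mac_label(const char *label, const char *sh)
{
    return run_with_driver(mac_set_child_label, label, sh);
}
```

The point worth keeping from this shape is that the parent never touches its own credentials or label: everything the driver asked for is applied in the child, after fork() and before exec(), and a failure there is reported through a distinct exit code (125 here) rather than letting a mislabelled or still-privileged child go on to exec. Calling run_as_self_dac("exit 3") returns 3, and run_with_mac_label("", "exit 0") returns 125 because the empty label is rejected in the child.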