On 02/12/2013 01:15 PM, Laine Stump wrote:
> virCommand gets two new APIs: virCommandSetSELinuxLabel() and
> virCommandSetAppArmorProfile(), which both save a copy of a
> null-terminated string in the virCommand. During virCommandRun, if the
> string is non-NULL and we've been compiled with AppArmor and/or
> SELinux security driver support, the appropriate security library
> function is called for the child process, using the string that was
> previously set. In the case of SELinux, setexeccon_raw() is called,
> and for AppArmor, aa_change_profile() is called.
>
> This functionality has been added so that users of virCommand can use
> the upcoming virSecurityManagerSetChildProcessLabel() prior to running
> a child process, rather than needing to set up a hook function to be
> called (and in turn call virSecurityManagerSetProcessLabel()) *during*
> the setup of the child process.
> ---
> Change from V1:
>
> * V1 had a single API that did double duty for both SELinux and
>   AppArmor (because I didn't realize both could be built in
>   simultaneously). V1 treats each separately, with two different APIs.

ACK.

--
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list