[PATCH v3 1/2] security: add new internal function "virSecurityManagerGetBaseLabel"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



virSecurityManagerGetBaseLabel queries the default settings used by
a security model.

Signed-off-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx>
---
 src/libvirt_private.syms         |  1 +
 src/security/security_apparmor.c |  8 ++++++++
 src/security/security_dac.c      | 34 ++++++++++++++++++++++++----------
 src/security/security_dac.h      |  7 +++----
 src/security/security_driver.h   |  4 ++++
 src/security/security_manager.c  | 22 ++++++++++++++++++++--
 src/security/security_manager.h  |  2 ++
 src/security/security_nop.c      | 10 ++++++++++
 src/security/security_selinux.c  | 12 ++++++++++++
 src/security/security_stack.c    |  9 +++++++++
 10 files changed, 93 insertions(+), 16 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 35f0f1b..aea7e94 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1033,6 +1033,7 @@ virSecurityDriverLookup;
 # security/security_manager.h
 virSecurityManagerClearSocketLabel;
 virSecurityManagerGenLabel;
+virSecurityManagerGetBaseLabel;
 virSecurityManagerGetDOI;
 virSecurityManagerGetModel;
 virSecurityManagerGetMountOptions;
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index adc9918..2d74cdd 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -931,6 +931,12 @@ AppArmorGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     return opts;
 }
 
+static const char *
+AppArmorGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                     int virtType ATTRIBUTE_UNUSED)
+{
+    return NULL;
+}
 
 virSecurityDriver virAppArmorSecurityDriver = {
     .privateDataLen                     = 0,
@@ -972,4 +978,6 @@ virSecurityDriver virAppArmorSecurityDriver = {
     .domainSetSecurityTapFDLabel        = AppArmorSetFDLabel,
 
     .domainGetSecurityMountOptions      = AppArmorGetMountOptions,
+
+    .getBaseLabel                       = AppArmoryGetBaseLabel,
 };
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 6876bd5..019c789 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -47,22 +47,25 @@ struct _virSecurityDACData {
     gid_t *groups;
     int ngroups;
     bool dynamicOwnership;
+    char *baselabel;
 };
 
-void
-virSecurityDACSetUser(virSecurityManagerPtr mgr,
-                      uid_t user)
+/* returns -1 on error, 0 on success */
+int
+virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
+                              uid_t user,
+                              gid_t group)
 {
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     priv->user = user;
-}
-
-void
-virSecurityDACSetGroup(virSecurityManagerPtr mgr,
-                       gid_t group)
-{
-    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     priv->group = group;
+
+    if (virAsprintf(&priv->baselabel, "%u:%u",
+                    (unsigned int) user,
+                    (unsigned int) group) < 0)
+        return -1;
+
+    return 0;
 }
 
 void
@@ -217,6 +220,7 @@ virSecurityDACClose(virSecurityManagerPtr mgr)
 {
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     VIR_FREE(priv->groups);
+    VIR_FREE(priv->baselabel);
     return 0;
 }
 
@@ -1170,6 +1174,14 @@ virSecurityDACGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     return NULL;
 }
 
+static const char *
+virSecurityDACGetBaseLabel(virSecurityManagerPtr mgr,
+                           int virt ATTRIBUTE_UNUSED)
+{
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    return priv->baselabel;
+}
+
 virSecurityDriver virSecurityDriverDAC = {
     .privateDataLen                     = sizeof(virSecurityDACData),
     .name                               = SECURITY_DAC_NAME,
@@ -1212,4 +1224,6 @@ virSecurityDriver virSecurityDriverDAC = {
     .domainSetSecurityTapFDLabel        = virSecurityDACSetTapFDLabel,
 
     .domainGetSecurityMountOptions      = virSecurityDACGetMountOptions,
+
+    .getBaseLabel                       = virSecurityDACGetBaseLabel,
 };
diff --git a/src/security/security_dac.h b/src/security/security_dac.h
index 02432a5..dbcf56f 100644
--- a/src/security/security_dac.h
+++ b/src/security/security_dac.h
@@ -25,10 +25,9 @@
 
 extern virSecurityDriver virSecurityDriverDAC;
 
-void virSecurityDACSetUser(virSecurityManagerPtr mgr,
-                           uid_t user);
-void virSecurityDACSetGroup(virSecurityManagerPtr mgr,
-                            gid_t group);
+int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
+                                  uid_t user,
+                                  gid_t group);
 
 void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
                                        bool dynamic);
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 8735558..ced1b92 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -46,6 +46,8 @@ typedef int (*virSecurityDriverClose) (virSecurityManagerPtr mgr);
 
 typedef const char *(*virSecurityDriverGetModel) (virSecurityManagerPtr mgr);
 typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr);
+typedef const char *(*virSecurityDriverGetBaseLabel) (virSecurityManagerPtr mgr,
+                                                      int virtType);
 
 typedef int (*virSecurityDriverPreFork) (virSecurityManagerPtr mgr);
 
@@ -154,6 +156,8 @@ struct _virSecurityDriver {
 
     virSecurityDomainGetMountOptions domainGetSecurityMountOptions;
     virSecurityDomainSetHugepages domainSetSecurityHugepages;
+
+    virSecurityDriverGetBaseLabel getBaseLabel;
 };
 
 virSecurityDriverPtr virSecurityDriverLookup(const char *name,
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 92fb504..c4b8f10 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -146,8 +146,10 @@ virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
     if (!mgr)
         return NULL;
 
-    virSecurityDACSetUser(mgr, user);
-    virSecurityDACSetGroup(mgr, group);
+    if (virSecurityDACSetUserAndGroup(mgr, user, group) < 0) {
+        virSecurityManagerDispose(mgr);
+        return NULL;
+    }
     virSecurityDACSetDynamicOwnership(mgr, dynamicOwnership);
 
     return mgr;
@@ -273,6 +275,22 @@ virSecurityManagerGetModel(virSecurityManagerPtr mgr)
     return NULL;
 }
 
+/* return NULL if a base label is not present */
+const char *
+virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+    if (mgr->drv->getBaseLabel) {
+        const char *ret;
+        virObjectLock(mgr);
+        ret = mgr->drv->getBaseLabel(mgr, virtType);
+        virObjectUnlock(mgr);
+        return ret;
+    }
+
+    virReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+    return NULL;
+}
+
 bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr)
 {
     return mgr->allowDiskFormatProbing;
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 9252830..81d3160 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -55,6 +55,8 @@ void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr);
 const char *virSecurityManagerGetDriver(virSecurityManagerPtr mgr);
 const char *virSecurityManagerGetDOI(virSecurityManagerPtr mgr);
 const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
+const char *virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr, int virtType);
+
 bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
 bool virSecurityManagerGetDefaultConfined(virSecurityManagerPtr mgr);
 bool virSecurityManagerGetRequireConfined(virSecurityManagerPtr mgr);
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 233404c..73e1ac1 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -186,6 +186,14 @@ static char *virSecurityDomainGetMountOptionsNop(virSecurityManagerPtr mgr ATTRI
     return opts;
 }
 
+static const char *
+virSecurityGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                        int virtType ATTRIBUTE_UNUSED)
+{
+    return NULL;
+}
+
+
 virSecurityDriver virSecurityDriverNop = {
     .privateDataLen                     = 0,
     .name                               = "none",
@@ -226,4 +234,6 @@ virSecurityDriver virSecurityDriverNop = {
     .domainSetSecurityTapFDLabel        = virSecurityDomainSetFDLabelNop,
 
     .domainGetSecurityMountOptions      = virSecurityDomainGetMountOptionsNop,
+
+    .getBaseLabel                       = virSecurityGetBaseLabel,
 };
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 38de060..1c2ea64 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1827,6 +1827,17 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
 }
 
 
+static const char *
+virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+    virSecuritySELinuxDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    if (virtType == VIR_DOMAIN_VIRT_QEMU)
+        return priv->alt_domain_context;
+    else
+        return priv->domain_context;
+}
+
+
 static int
 virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
                                           virDomainDefPtr def,
@@ -2474,4 +2485,5 @@ virSecurityDriver virSecurityDriverSELinux = {
     .domainSetSecurityTapFDLabel        = virSecuritySELinuxSetTapFDLabel,
 
     .domainGetSecurityMountOptions      = virSecuritySELinuxGetSecurityMountOptions,
+    .getBaseLabel                       = virSecuritySELinuxGetBaseLabel,
 };
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 0a0dc92..ff0f06b 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -555,6 +555,13 @@ virSecurityStackGetNested(virSecurityManagerPtr mgr)
     return list;
 }
 
+static const char *
+virSecurityStackGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+    return virSecurityManagerGetBaseLabel(virSecurityStackGetPrimary(mgr),
+                                          virtType);
+}
+
 virSecurityDriver virSecurityDriverStack = {
     .privateDataLen                     = sizeof(virSecurityStackData),
     .name                               = "stack",
@@ -599,4 +606,6 @@ virSecurityDriver virSecurityDriverStack = {
     .domainGetSecurityMountOptions      = virSecurityStackGetMountOptions,
 
     .domainSetSecurityHugepages         = virSecurityStackSetHugepages,
+
+    .getBaseLabel                       = virSecurityStackGetBaseLabel,
 };
-- 
1.8.3.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]