On Fri, Oct 18, 2013 at 02:13:21PM +0200, Giuseppe Scrivano wrote:
> Expand the "secmodel" XML fragment of "host" with a sequence of
> baselabel's which describe the default security context used by
> libvirt with a specific security model and virtualization type:
>
>   <secmodel>
>     <model>selinux</model>
>     <doi>0</doi>
>     <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
>     <baselabel type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel>
>   </secmodel>
>   <secmodel>
>     <model>dac</model>
>     <doi>0</doi>
>     <baselabel type='kvm'>107:107</baselabel>
>     <baselabel type='qemu'>107:107</baselabel>
>   </secmodel>
>
> "baselabel" is driver-specific information, e.g. in the DAC security
> model, it indicates USER_ID:GROUP_ID.
>
> Signed-off-by: Giuseppe Scrivano <gscrivan@xxxxxxxxxx>
> ---
>  docs/schemas/capability.rng                  |  8 ++++
>  src/conf/capabilities.c                      | 60 +++++++++++++++++++++++++++-
>  src/conf/capabilities.h                      | 14 +++++++
>  src/libvirt_private.syms                     |  1 +
>  src/lxc/lxc_conf.c                           | 10 ++++-
>  src/qemu/qemu_conf.c                         | 21 ++++++++--
>  tests/capabilityschemadata/caps-qemu-kvm.xml |  2 +
>  tests/capabilityschemadata/caps-test3.xml    |  2 +
>  8 files changed, 111 insertions(+), 7 deletions(-)
>
> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
> index 8d7bee8..c234dd0 100644
> --- a/src/qemu/qemu_conf.c
> +++ b/src/qemu/qemu_conf.c
> @@ -584,12 +584,15 @@ virQEMUDriverCreateXMLConf(virQEMUDriverPtr driver)
>  
>  virCapsPtr virQEMUDriverCreateCapabilities(virQEMUDriverPtr driver)
>  {
> -    size_t i;
> +    size_t i, j;
>      virCapsPtr caps;
>      virSecurityManagerPtr *sec_managers = NULL;
>      /* Security driver data */
> -    const char *doi, *model;
> +    const char *doi, *model, *lbl, *type;
>      virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
> +    const int virtTypes[] = {VIR_DOMAIN_VIRT_KVM,
> +                             VIR_DOMAIN_VIRT_QEMU,
> +                             VIR_DOMAIN_VIRT_LAST};

No need for having VIR_DOMAIN_VIRT_LAST here, since we have a handy
ARRAY_CARDINALITY macro

> +        for (j = 0; virtTypes[j] != VIR_DOMAIN_VIRT_LAST; j++) {

eg

  for (j = 0 ; j < ARRAY_CARDINALITY(virtTypes) ; j++)

> +            lbl = virSecurityManagerGetBaseLabel(sec_managers[i], virtTypes[j]);
> +            type = virDomainVirtTypeToString(virtTypes[j]);
> +            if (lbl &&
> +                virCapabilitiesHostSecModelAddBaseLabel(sm, type, lbl) < 0)
> +                goto error;
> +        }
> +

Daniel
-- 
|: http://berrange.com  -o-  http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
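Review bot: in the qemu_conf.c hunk the guard `if (lbl && virCapabilitiesHostSecModelAddBaseLabel(sm, type, lbl) < 0)` checks only `lbl`; `type`, taken from `virDomainVirtTypeToString(virtTypes[j])`, is passed through unchecked, and the enum-to-string helpers return NULL for a value outside the enum range. With the sentinel-terminated array this cannot happen today, but if the loop is switched to ARRAY_CARDINALITY as suggested above and VIR_DOMAIN_VIRT_LAST is ever left in the table by mistake, a NULL `type` would reach the base-label store. Making the guard `if (lbl && type && ...)` (or reporting an error when `type` is NULL) keeps the capabilities XML from ever carrying a baselabel with no type attribute.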