On Mon, Jun 16, 2014 at 02:07:21PM +0200, Cédric Bosdonnat wrote:
> This code depends on new API in libvirt-gconfig to extract the
> secmodels handled by the host.
> ---
> Diff to v2:
> * Added some missing g_object_unref and _g_list_free
> * Moved the SELinux-specific code to a separate function
>
> libvirt-sandbox/libvirt-sandbox-builder.c | 47 +++++++++++++++++++++++++++----
> 1 file changed, 41 insertions(+), 6 deletions(-)
>
> diff --git a/libvirt-sandbox/libvirt-sandbox-builder.c b/libvirt-sandbox/libvirt-sandbox-builder.c
> index 48b3acc..65af23f 100644
> --- a/libvirt-sandbox/libvirt-sandbox-builder.c
> +++ b/libvirt-sandbox/libvirt-sandbox-builder.c
> @@ -322,12 +322,10 @@ static gboolean gvir_sandbox_builder_construct_devices(GVirSandboxBuilder *build
> return TRUE;
> }
>
> -
> -static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *builder G_GNUC_UNUSED,
> - GVirSandboxConfig *config G_GNUC_UNUSED,
> - const gchar *statedir G_GNUC_UNUSED,
> - GVirConfigDomain *domain,
> - GError **error G_GNUC_UNUSED)
> +static gboolean gvir_sandbox_builder_construct_security_selinux (GVirSandboxBuilder *builder,
> + GVirSandboxConfig *config,
> + GVirConfigDomain *domain,
> + GError **error)
> {
> GVirConfigDomainSeclabel *sec = gvir_config_domain_seclabel_new();
> const char *label = gvir_sandbox_config_get_security_label(config);
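Review bot: The new definition `gvir_sandbox_builder_construct_security_selinux (GVirSandboxBuilder *builder,` has a space before the opening parenthesis, while the neighbouring definitions visible here (`gvir_sandbox_builder_construct_devices(` in the hunk header and the removed `gvir_sandbox_builder_construct_security(`) have none; dropping the space keeps the file consistent. The split-out helper also carries no comment, and a line such as `/* Apply the configured SELinux security label to the domain. */` above it would state its scope now that it is SELinux-specific. The `G_GNUC_UNUSED` markers were dropped from `builder` and `error`, but the body continues past the end of this hunk, so whether both are actually used, and whether `sec` is released on every return path, cannot be confirmed from here.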
> @@ -360,6 +358,43 @@ static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *buil
> return TRUE;
> }
>
> +static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *builder,
> + GVirSandboxConfig *config,
> + const gchar *statedir G_GNUC_UNUSED,
> + GVirConfigDomain *domain,
> + GError **error)
> +{
> + GVirConnection *connection = gvir_sandbox_builder_get_connection(builder);
This needs to be unref'ed too.
> + GVirConfigCapabilities *configCapabilities;
> + GVirConfigCapabilitiesHost *hostCapabilities;
> + GList *secmodels, *iter;
> + gboolean supportsSelinux = FALSE;
> +
> + /* What security models are available on the host? */
> + if (!(configCapabilities = gvir_connection_get_capabilities(connection, error))) {
> + return FALSE;
> + }
> +
> + hostCapabilities = gvir_config_capabilities_get_host(configCapabilities);
> +
> + secmodels = gvir_config_capabilities_host_get_secmodels(hostCapabilities);
> + for (iter = secmodels; iter != NULL; iter = iter->next) {
> + supportsSelinux = g_str_equal(gvir_config_capabilities_host_secmodel_get_model(
> + GVIR_CONFIG_CAPABILITIES_HOST_SECMODEL(iter->data)), "selinux");
> + g_object_unref(iter->data);
I don't think the logic is correct here, supportsSelinux can only be TRUE if the last secmodel is "selinux", I assume we want to break out of the loop as soon as supportsSelinux is set to TRUE? In this case, the g_object_unref can be removed from here, and the g_list_free changed to g_list_free_full().
Christophe