NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

security: Introduce APIs to label single images

Browse Source 
Add security driver functions to label separate storage images using the
virStorageSource definition. This will help to avoid the need to do ugly
changes to the disk struct and use the source directly.
This commit is contained in:
Peter Krempa 2014-06-23 16:35:34 +02:00
parent 68f0deb0dc
commit 1797128ef6
6 changed files with 132 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/libvirt_private.syms
View File

@ -924,6 +924,7 @@ virSecurityManagerReserveLabel;
virSecurityManagerRestoreAllLabel; virSecurityManagerRestoreAllLabel;
virSecurityManagerRestoreDiskLabel; virSecurityManagerRestoreDiskLabel;
virSecurityManagerRestoreHostdevLabel; virSecurityManagerRestoreHostdevLabel;
virSecurityManagerRestoreImageLabel;
virSecurityManagerRestoreSavedStateLabel; virSecurityManagerRestoreSavedStateLabel;
virSecurityManagerSetAllLabel; virSecurityManagerSetAllLabel;
virSecurityManagerSetChildProcessLabel; virSecurityManagerSetChildProcessLabel;
@ -932,6 +933,7 @@ virSecurityManagerSetDiskLabel;
virSecurityManagerSetHostdevLabel; virSecurityManagerSetHostdevLabel;
virSecurityManagerSetHugepages; virSecurityManagerSetHugepages;
virSecurityManagerSetImageFDLabel; virSecurityManagerSetImageFDLabel;
virSecurityManagerSetImageLabel;
virSecurityManagerSetProcessLabel; virSecurityManagerSetProcessLabel;
virSecurityManagerSetSavedStateLabel; virSecurityManagerSetSavedStateLabel;
virSecurityManagerSetSocketLabel; virSecurityManagerSetSocketLabel;

10
src/security/security_driver.h
View File

@ -112,6 +112,13 @@ typedef char *(*virSecurityDomainGetMountOptions) (virSecurityManagerPtr mgr,
typedef int (*virSecurityDomainSetHugepages) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetHugepages) (virSecurityManagerPtr mgr,
virDomainDefPtr def, virDomainDefPtr def,
const char *path); const char *path);
typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def,
virStorageSourcePtr src);
typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def,
virStorageSourcePtr src);
struct _virSecurityDriver { struct _virSecurityDriver {
size_t privateDataLen; size_t privateDataLen;
@ -130,6 +137,9 @@ struct _virSecurityDriver {
virSecurityDomainSetDiskLabel domainSetSecurityDiskLabel; virSecurityDomainSetDiskLabel domainSetSecurityDiskLabel;
virSecurityDomainRestoreDiskLabel domainRestoreSecurityDiskLabel; virSecurityDomainRestoreDiskLabel domainRestoreSecurityDiskLabel;
virSecurityDomainSetImageLabel domainSetSecurityImageLabel;
virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel; virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel; virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel; virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;

56
src/security/security_manager.c
View File

@ -360,6 +360,34 @@ virSecurityManagerRestoreDiskLabel(virSecurityManagerPtr mgr,
} }
/**
* virSecurityManagerRestoreImageLabel:
* @mgr: security manager object
* @vm: domain definition object
* @src: disk source definition to operate on
*
* Removes security label from a single storage image.
*
* Returns: 0 on success, -1 on error.
*/
int
virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virStorageSourcePtr src)
{
if (mgr->drv->domainRestoreSecurityImageLabel) {
int ret;
virObjectLock(mgr);
ret = mgr->drv->domainRestoreSecurityImageLabel(mgr, vm, src);
virObjectUnlock(mgr);
return ret;
}
virReportUnsupportedError();
return -1;
}
int int
virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm) virDomainDefPtr vm)
@ -440,6 +468,34 @@ virSecurityManagerSetDiskLabel(virSecurityManagerPtr mgr,
} }
/**
* virSecurityManagerSetImageLabel:
* @mgr: security manager object
* @vm: domain definition object
* @src: disk source definition to operate on
*
* Labels a single storage image with the configured security label.
*
* Returns: 0 on success, -1 on error.
*/
int
virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virStorageSourcePtr src)
{
if (mgr->drv->domainSetSecurityImageLabel) {
int ret;
virObjectLock(mgr);
ret = mgr->drv->domainSetSecurityImageLabel(mgr, vm, src);
virObjectUnlock(mgr);
return ret;
}
virReportUnsupportedError();
return -1;
}
int int
virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr, virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm, virDomainDefPtr vm,

7
src/security/security_manager.h
View File

@ -124,4 +124,11 @@ int virSecurityManagerSetHugepages(virSecurityManagerPtr mgr,
virDomainDefPtr sec, virDomainDefPtr sec,
const char *hugepages_path); const char *hugepages_path);
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virStorageSourcePtr src);
int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virStorageSourcePtr src);
#endif /* VIR_SECURITY_MANAGER_H__ */ #endif /* VIR_SECURITY_MANAGER_H__ */

19
src/security/security_nop.c
View File

@ -220,6 +220,22 @@ virSecurityGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return NULL; return NULL;
} }
static int
virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def ATTRIBUTE_UNUSED,
virStorageSourcePtr src ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def ATTRIBUTE_UNUSED,
virStorageSourcePtr src ATTRIBUTE_UNUSED)
{
return 0;
}
virSecurityDriver virSecurityDriverNop = { virSecurityDriver virSecurityDriverNop = {
.privateDataLen = 0, .privateDataLen = 0,
@ -236,6 +252,9 @@ virSecurityDriver virSecurityDriverNop = {
.domainSetSecurityDiskLabel = virSecurityDomainSetDiskLabelNop, .domainSetSecurityDiskLabel = virSecurityDomainSetDiskLabelNop,
.domainRestoreSecurityDiskLabel = virSecurityDomainRestoreDiskLabelNop, .domainRestoreSecurityDiskLabel = virSecurityDomainRestoreDiskLabelNop,
.domainSetSecurityImageLabel = virSecurityDomainSetImageLabelNop,
.domainRestoreSecurityImageLabel = virSecurityDomainRestoreImageLabelNop,
.domainSetSecurityDaemonSocketLabel = virSecurityDomainSetDaemonSocketLabelNop, .domainSetSecurityDaemonSocketLabel = virSecurityDomainSetDaemonSocketLabelNop,
.domainSetSecuritySocketLabel = virSecurityDomainSetSocketLabelNop, .domainSetSecuritySocketLabel = virSecurityDomainSetSocketLabelNop,
.domainClearSecuritySocketLabel = virSecurityDomainClearSocketLabelNop, .domainClearSecuritySocketLabel = virSecurityDomainClearSocketLabelNop,

38
src/security/security_stack.c
View File

@ -564,6 +564,41 @@ virSecurityStackGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
virtType); virtType);
} }
static int
virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virStorageSourcePtr src)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
virSecurityStackItemPtr item = priv->itemsHead;
int rc = 0;
for (; item; item = item->next) {
if (virSecurityManagerSetImageLabel(item->securityManager, vm, src) < 0)
rc = -1;
}
return rc;
}
static int
virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virStorageSourcePtr src)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
virSecurityStackItemPtr item = priv->itemsHead;
int rc = 0;
for (; item; item = item->next) {
if (virSecurityManagerRestoreImageLabel(item->securityManager,
vm, src) < 0)
rc = -1;
}
return rc;
}
virSecurityDriver virSecurityDriverStack = { virSecurityDriver virSecurityDriverStack = {
.privateDataLen = sizeof(virSecurityStackData), .privateDataLen = sizeof(virSecurityStackData),
.name = "stack", .name = "stack",
@ -581,6 +616,9 @@ virSecurityDriver virSecurityDriverStack = {
.domainSetSecurityDiskLabel = virSecurityStackSetSecurityDiskLabel, .domainSetSecurityDiskLabel = virSecurityStackSetSecurityDiskLabel,
.domainRestoreSecurityDiskLabel = virSecurityStackRestoreSecurityDiskLabel, .domainRestoreSecurityDiskLabel = virSecurityStackRestoreSecurityDiskLabel,
.domainSetSecurityImageLabel = virSecurityStackSetSecurityImageLabel,
.domainRestoreSecurityImageLabel = virSecurityStackRestoreSecurityImageLabel,
.domainSetSecurityDaemonSocketLabel = virSecurityStackSetDaemonSocketLabel, .domainSetSecurityDaemonSocketLabel = virSecurityStackSetDaemonSocketLabel,
.domainSetSecuritySocketLabel = virSecurityStackSetSocketLabel, .domainSetSecuritySocketLabel = virSecurityStackSetSocketLabel,
.domainClearSecuritySocketLabel = virSecurityStackClearSocketLabel, .domainClearSecuritySocketLabel = virSecurityStackClearSocketLabel,