security: selinux: Implement per-image seclabel set
Refactor the code and reuse it to implement the functionality.
This commit is contained in:
parent
b2790e33a4
commit
4983931701
@ -56,9 +56,6 @@ VIR_LOG_INIT("security.security_selinux");
|
|||||||
typedef struct _virSecuritySELinuxData virSecuritySELinuxData;
|
typedef struct _virSecuritySELinuxData virSecuritySELinuxData;
|
||||||
typedef virSecuritySELinuxData *virSecuritySELinuxDataPtr;
|
typedef virSecuritySELinuxData *virSecuritySELinuxDataPtr;
|
||||||
|
|
||||||
typedef struct _virSecuritySELinuxCallbackData virSecuritySELinuxCallbackData;
|
|
||||||
typedef virSecuritySELinuxCallbackData *virSecuritySELinuxCallbackDataPtr;
|
|
||||||
|
|
||||||
struct _virSecuritySELinuxData {
|
struct _virSecuritySELinuxData {
|
||||||
char *domain_context;
|
char *domain_context;
|
||||||
char *alt_domain_context;
|
char *alt_domain_context;
|
||||||
@ -71,11 +68,6 @@ struct _virSecuritySELinuxData {
|
|||||||
#endif
|
#endif
|
||||||
};
|
};
|
||||||
|
|
||||||
struct _virSecuritySELinuxCallbackData {
|
|
||||||
virSecurityManagerPtr manager;
|
|
||||||
virSecurityLabelDefPtr secdef;
|
|
||||||
};
|
|
||||||
|
|
||||||
#define SECURITY_SELINUX_VOID_DOI "0"
|
#define SECURITY_SELINUX_VOID_DOI "0"
|
||||||
#define SECURITY_SELINUX_NAME "selinux"
|
#define SECURITY_SELINUX_NAME "selinux"
|
||||||
|
|
||||||
@ -1196,40 +1188,49 @@ virSecuritySELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
|
|||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecuritySELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
|
virSecuritySELinuxSetSecurityImageLabelInternal(virSecurityManagerPtr mgr,
|
||||||
const char *path,
|
virDomainDefPtr def,
|
||||||
size_t depth,
|
virStorageSourcePtr src,
|
||||||
void *opaque)
|
bool first)
|
||||||
{
|
{
|
||||||
int ret;
|
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
||||||
|
virSecurityLabelDefPtr secdef;
|
||||||
virSecurityDeviceLabelDefPtr disk_seclabel;
|
virSecurityDeviceLabelDefPtr disk_seclabel;
|
||||||
virSecuritySELinuxCallbackDataPtr cbdata = opaque;
|
int ret;
|
||||||
virSecurityLabelDefPtr secdef = cbdata->secdef;
|
|
||||||
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(cbdata->manager);
|
|
||||||
|
|
||||||
disk_seclabel = virStorageSourceGetSecurityLabelDef(disk->src,
|
if (!src->path || !virStorageSourceIsLocalStorage(src))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
||||||
|
if (!secdef || secdef->norelabel)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
disk_seclabel = virStorageSourceGetSecurityLabelDef(src,
|
||||||
SECURITY_SELINUX_NAME);
|
SECURITY_SELINUX_NAME);
|
||||||
|
|
||||||
if (disk_seclabel && disk_seclabel->norelabel)
|
if (disk_seclabel && disk_seclabel->norelabel)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (disk_seclabel && !disk_seclabel->norelabel &&
|
if (disk_seclabel && !disk_seclabel->norelabel && disk_seclabel->label) {
|
||||||
disk_seclabel->label) {
|
ret = virSecuritySELinuxSetFilecon(src->path, disk_seclabel->label);
|
||||||
ret = virSecuritySELinuxSetFilecon(path, disk_seclabel->label);
|
} else if (first) {
|
||||||
} else if (depth == 0) {
|
if (src->shared) {
|
||||||
|
ret = virSecuritySELinuxSetFileconOptional(src->path,
|
||||||
if (disk->src->shared) {
|
data->file_context);
|
||||||
ret = virSecuritySELinuxSetFileconOptional(path, data->file_context);
|
} else if (src->readonly) {
|
||||||
} else if (disk->src->readonly) {
|
ret = virSecuritySELinuxSetFileconOptional(src->path,
|
||||||
ret = virSecuritySELinuxSetFileconOptional(path, data->content_context);
|
data->content_context);
|
||||||
} else if (secdef->imagelabel) {
|
} else if (secdef->imagelabel) {
|
||||||
ret = virSecuritySELinuxSetFileconOptional(path, secdef->imagelabel);
|
ret = virSecuritySELinuxSetFileconOptional(src->path,
|
||||||
|
secdef->imagelabel);
|
||||||
} else {
|
} else {
|
||||||
ret = 0;
|
ret = 0;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
ret = virSecuritySELinuxSetFileconOptional(path, data->content_context);
|
ret = virSecuritySELinuxSetFileconOptional(src->path,
|
||||||
|
data->content_context);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ret == 1 && !disk_seclabel) {
|
if (ret == 1 && !disk_seclabel) {
|
||||||
/* If we failed to set a label, but virt_use_nfs let us
|
/* If we failed to set a label, but virt_use_nfs let us
|
||||||
* proceed anyway, then we don't need to relabel later. */
|
* proceed anyway, then we don't need to relabel later. */
|
||||||
@ -1237,35 +1238,48 @@ virSecuritySELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
|
|||||||
if (!disk_seclabel)
|
if (!disk_seclabel)
|
||||||
return -1;
|
return -1;
|
||||||
disk_seclabel->labelskip = true;
|
disk_seclabel->labelskip = true;
|
||||||
if (VIR_APPEND_ELEMENT(disk->src->seclabels, disk->src->nseclabels,
|
if (VIR_APPEND_ELEMENT(src->seclabels, src->nseclabels,
|
||||||
disk_seclabel) < 0) {
|
disk_seclabel) < 0) {
|
||||||
virSecurityDeviceLabelDefFree(disk_seclabel);
|
virSecurityDeviceLabelDefFree(disk_seclabel);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
ret = 0;
|
ret = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int
|
||||||
|
virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
|
||||||
|
virDomainDefPtr def,
|
||||||
|
virStorageSourcePtr src)
|
||||||
|
{
|
||||||
|
return virSecuritySELinuxSetSecurityImageLabelInternal(mgr, def, src, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecuritySELinuxSetSecurityDiskLabel(virSecurityManagerPtr mgr,
|
virSecuritySELinuxSetSecurityDiskLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virDomainDiskDefPtr disk)
|
virDomainDiskDefPtr disk)
|
||||||
|
|
||||||
{
|
{
|
||||||
virSecuritySELinuxCallbackData cbdata;
|
bool first = true;
|
||||||
cbdata.manager = mgr;
|
virStorageSourcePtr next;
|
||||||
cbdata.secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
|
|
||||||
|
|
||||||
if (!cbdata.secdef || cbdata.secdef->norelabel)
|
for (next = disk->src; next; next = next->backingStore) {
|
||||||
return 0;
|
if (virSecuritySELinuxSetSecurityImageLabelInternal(mgr, def, next,
|
||||||
|
first) < 0)
|
||||||
|
return -1;
|
||||||
|
|
||||||
return virDomainDiskDefForeachPath(disk,
|
first = false;
|
||||||
true,
|
}
|
||||||
virSecuritySELinuxSetSecurityFileLabel,
|
|
||||||
&cbdata);
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecuritySELinuxSetSecurityHostdevLabelHelper(const char *file, void *opaque)
|
virSecuritySELinuxSetSecurityHostdevLabelHelper(const char *file, void *opaque)
|
||||||
{
|
{
|
||||||
@ -2434,6 +2448,7 @@ virSecurityDriver virSecurityDriverSELinux = {
|
|||||||
.domainSetSecurityDiskLabel = virSecuritySELinuxSetSecurityDiskLabel,
|
.domainSetSecurityDiskLabel = virSecuritySELinuxSetSecurityDiskLabel,
|
||||||
.domainRestoreSecurityDiskLabel = virSecuritySELinuxRestoreSecurityDiskLabel,
|
.domainRestoreSecurityDiskLabel = virSecuritySELinuxRestoreSecurityDiskLabel,
|
||||||
|
|
||||||
|
.domainSetSecurityImageLabel = virSecuritySELinuxSetSecurityImageLabel,
|
||||||
.domainRestoreSecurityImageLabel = virSecuritySELinuxRestoreSecurityImageLabel,
|
.domainRestoreSecurityImageLabel = virSecuritySELinuxRestoreSecurityImageLabel,
|
||||||
|
|
||||||
.domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetSecurityDaemonSocketLabel,
|
.domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetSecurityDaemonSocketLabel,
|
||||||
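Review bot: In the `@ -1196,40 +1188,49` hunk the `first` flag is the only thing that decides between the writable per-domain `secdef->imagelabel` and the read-only `data->content_context`, and the new public entry point `virSecuritySELinuxSetSecurityImageLabel` hard-codes it to `true`, so a caller that hands a backing-chain element (rather than the chain top) to the per-image API would get that file labelled read-write instead of read-only; whether any current caller does so is not visible here. Until the entry point can express "this is a backing image", the contract should be stated above it, e.g. `/* Labels a single image as the writable top of its chain; backing images must go through virSecuritySELinuxSetSecurityDiskLabel, which labels them read-only. */`, and `first` deserves a one-line comment in the internal helper's signature. Separately, the condition `if (disk_seclabel && !disk_seclabel->norelabel && disk_seclabel->label)` re-tests `norelabel` that the `return 0` three lines earlier already excluded, so `if (disk_seclabel && disk_seclabel->label)` is equivalent and clearer. Note that `virSecuritySELinuxSetSecurityImageLabelInternal` starts in this hunk and its tail (the `ret == 1` relabel-skip block) continues in the `@ -1237,35 +1238,48` hunk.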
|