mirror of
https://github.com/libvirt/libvirt.git
synced 2025-02-25 18:55:26 -06:00
Internal refactory of data structures
This patch updates the structures that store information about each domain and each hypervisor to support multiple security labels and drivers. It also updates all the remaining code to use the new fields. Signed-off-by: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
This commit is contained in:
Marcelo Cerri
Michal Privoznik
parent
b6ad2c2334
commit
6c3cf57d6c
@ -181,8 +181,13 @@ virCapabilitiesFree(virCapsPtr caps) {
|
|||||||
VIR_FREE(caps->host.migrateTrans);
|
VIR_FREE(caps->host.migrateTrans);
|
||||||
|
|
||||||
VIR_FREE(caps->host.arch);
|
VIR_FREE(caps->host.arch);
|
||||||
VIR_FREE(caps->host.secModel.model);
|
|
||||||
VIR_FREE(caps->host.secModel.doi);
|
for (i = 0; i < caps->host.nsecModels; i++) {
|
||||||
|
VIR_FREE(caps->host.secModels[i].model);
|
||||||
|
VIR_FREE(caps->host.secModels[i].doi);
|
||||||
|
}
|
||||||
|
VIR_FREE(caps->host.secModels);
|
||||||
|
|
||||||
virCPUDefFree(caps->host.cpu);
|
virCPUDefFree(caps->host.cpu);
|
||||||
|
|
||||||
VIR_FREE(caps);
|
VIR_FREE(caps);
|
||||||
@ -767,10 +772,12 @@ virCapabilitiesFormatXML(virCapsPtr caps)
|
|||||||
virBufferAddLit(&xml, " </topology>\n");
|
virBufferAddLit(&xml, " </topology>\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (caps->host.secModel.model) {
|
if (caps->host.nsecModels) {
|
||||||
virBufferAddLit(&xml, " <secmodel>\n");
|
virBufferAddLit(&xml, " <secmodel>\n");
|
||||||
virBufferAsprintf(&xml, " <model>%s</model>\n", caps->host.secModel.model);
|
virBufferAsprintf(&xml, " <model>%s</model>\n",
|
||||||
virBufferAsprintf(&xml, " <doi>%s</doi>\n", caps->host.secModel.doi);
|
caps->host.secModels[0].model);
|
||||||
|
virBufferAsprintf(&xml, " <doi>%s</doi>\n",
|
||||||
|
caps->host.secModels[0].doi);
|
||||||
virBufferAddLit(&xml, " </secmodel>\n");
|
virBufferAddLit(&xml, " </secmodel>\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -93,6 +93,7 @@ struct _virCapsHostNUMACell {
|
|||||||
};
|
};
|
||||||
|
|
||||||
typedef struct _virCapsHostSecModel virCapsHostSecModel;
|
typedef struct _virCapsHostSecModel virCapsHostSecModel;
|
||||||
|
typedef virCapsHostSecModel *virCapsHostSecModelPtr;
|
||||||
struct _virCapsHostSecModel {
|
struct _virCapsHostSecModel {
|
||||||
char *model;
|
char *model;
|
||||||
char *doi;
|
char *doi;
|
||||||
@ -116,7 +117,10 @@ struct _virCapsHost {
|
|||||||
size_t nnumaCell;
|
size_t nnumaCell;
|
||||||
size_t nnumaCell_max;
|
size_t nnumaCell_max;
|
||||||
virCapsHostNUMACellPtr *numaCell;
|
virCapsHostNUMACellPtr *numaCell;
|
||||||
virCapsHostSecModel secModel;
|
|
||||||
|
size_t nsecModels;
|
||||||
|
virCapsHostSecModelPtr secModels;
|
||||||
|
|
||||||
virCPUDefPtr cpu;
|
virCPUDefPtr cpu;
|
||||||
unsigned char host_uuid[VIR_UUID_BUFLEN];
|
unsigned char host_uuid[VIR_UUID_BUFLEN];
|
||||||
};
|
};
|
||||||
|
|||||||
@ -618,6 +618,7 @@ virDomainAuditSecurityLabel(virDomainObjPtr vm, bool success)
|
|||||||
char uuidstr[VIR_UUID_STRING_BUFLEN];
|
char uuidstr[VIR_UUID_STRING_BUFLEN];
|
||||||
char *vmname;
|
char *vmname;
|
||||||
const char *virt;
|
const char *virt;
|
||||||
|
int i;
|
||||||
|
|
||||||
virUUIDFormat(vm->def->uuid, uuidstr);
|
virUUIDFormat(vm->def->uuid, uuidstr);
|
||||||
if (!(vmname = virAuditEncode("vm", vm->def->name))) {
|
if (!(vmname = virAuditEncode("vm", vm->def->name))) {
|
||||||
@ -630,11 +631,14 @@ virDomainAuditSecurityLabel(virDomainObjPtr vm, bool success)
|
|||||||
virt = "?";
|
virt = "?";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < vm->def->nseclabels; i++) {
|
||||||
VIR_AUDIT(VIR_AUDIT_RECORD_MACHINE_ID, success,
|
VIR_AUDIT(VIR_AUDIT_RECORD_MACHINE_ID, success,
|
||||||
"virt=%s %s uuid=%s vm-ctx=%s img-ctx=%s",
|
"virt=%s %s uuid=%s vm-ctx=%s img-ctx=%s model=%s",
|
||||||
virt, vmname, uuidstr,
|
virt, vmname, uuidstr,
|
||||||
VIR_AUDIT_STR(vm->def->seclabel.label),
|
VIR_AUDIT_STR(vm->def->seclabels[i]->label),
|
||||||
VIR_AUDIT_STR(vm->def->seclabel.imagelabel));
|
VIR_AUDIT_STR(vm->def->seclabels[i]->imagelabel),
|
||||||
|
VIR_AUDIT_STR(vm->def->seclabels[i]->model));
|
||||||
|
}
|
||||||
|
|
||||||
VIR_FREE(vmname);
|
VIR_FREE(vmname);
|
||||||
}
|
}
|
||||||
|
|||||||
@ -865,12 +865,15 @@ virDomainGraphicsListenDefClear(virDomainGraphicsListenDefPtr def)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
virSecurityLabelDefClear(virSecurityLabelDefPtr def)
|
virSecurityLabelDefFree(virSecurityLabelDefPtr def)
|
||||||
{
|
{
|
||||||
|
if (!def)
|
||||||
|
return;
|
||||||
VIR_FREE(def->model);
|
VIR_FREE(def->model);
|
||||||
VIR_FREE(def->label);
|
VIR_FREE(def->label);
|
||||||
VIR_FREE(def->imagelabel);
|
VIR_FREE(def->imagelabel);
|
||||||
VIR_FREE(def->baselabel);
|
VIR_FREE(def->baselabel);
|
||||||
|
VIR_FREE(def);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -879,6 +882,7 @@ virSecurityDeviceLabelDefFree(virSecurityDeviceLabelDefPtr def)
|
|||||||
{
|
{
|
||||||
if (!def)
|
if (!def)
|
||||||
return;
|
return;
|
||||||
|
VIR_FREE(def->model);
|
||||||
VIR_FREE(def->label);
|
VIR_FREE(def->label);
|
||||||
VIR_FREE(def);
|
VIR_FREE(def);
|
||||||
}
|
}
|
||||||
@ -964,7 +968,11 @@ void virDomainDiskDefFree(virDomainDiskDefPtr def)
|
|||||||
virStorageEncryptionFree(def->encryption);
|
virStorageEncryptionFree(def->encryption);
|
||||||
virDomainDeviceInfoClear(&def->info);
|
virDomainDeviceInfoClear(&def->info);
|
||||||
|
|
||||||
virSecurityDeviceLabelDefFree(def->seclabel);
|
if (def->seclabels) {
|
||||||
|
for (i = 0; i < def->nseclabels; i++)
|
||||||
|
virSecurityDeviceLabelDefFree(def->seclabels[i]);
|
||||||
|
VIR_FREE(def->seclabels);
|
||||||
|
}
|
||||||
|
|
||||||
for (i = 0 ; i < def->nhosts ; i++)
|
for (i = 0 ; i < def->nhosts ; i++)
|
||||||
virDomainDiskHostDefFree(&def->hosts[i]);
|
virDomainDiskHostDefFree(&def->hosts[i]);
|
||||||
@ -1626,7 +1634,9 @@ void virDomainDefFree(virDomainDefPtr def)
|
|||||||
|
|
||||||
virDomainMemballoonDefFree(def->memballoon);
|
virDomainMemballoonDefFree(def->memballoon);
|
||||||
|
|
||||||
virSecurityLabelDefClear(&def->seclabel);
|
for (i = 0; i < def->nseclabels; i++)
|
||||||
|
virSecurityLabelDefFree(def->seclabels[i]);
|
||||||
|
VIR_FREE(def->seclabels);
|
||||||
|
|
||||||
virCPUDefFree(def->cpu);
|
virCPUDefFree(def->cpu);
|
||||||
|
|
||||||
@ -2982,10 +2992,10 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
|||||||
{
|
{
|
||||||
char *p;
|
char *p;
|
||||||
|
|
||||||
if (virXPathNode("./seclabel", ctxt) == NULL)
|
if (virXPathNode("./seclabel[1]", ctxt) == NULL)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
p = virXPathStringLimit("string(./seclabel/@type)",
|
p = virXPathStringLimit("string(./seclabel[1]/@type)",
|
||||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||||
if (p == NULL) {
|
if (p == NULL) {
|
||||||
def->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
def->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
||||||
@ -2999,7 +3009,7 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
p = virXPathStringLimit("string(./seclabel/@relabel)",
|
p = virXPathStringLimit("string(./seclabel[1]/@relabel)",
|
||||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||||
if (p != NULL) {
|
if (p != NULL) {
|
||||||
if (STREQ(p, "yes")) {
|
if (STREQ(p, "yes")) {
|
||||||
@ -3039,7 +3049,7 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
|||||||
if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
|
if (def->type == VIR_DOMAIN_SECLABEL_STATIC ||
|
||||||
(!(flags & VIR_DOMAIN_XML_INACTIVE) &&
|
(!(flags & VIR_DOMAIN_XML_INACTIVE) &&
|
||||||
def->type != VIR_DOMAIN_SECLABEL_NONE)) {
|
def->type != VIR_DOMAIN_SECLABEL_NONE)) {
|
||||||
p = virXPathStringLimit("string(./seclabel/label[1])",
|
p = virXPathStringLimit("string(./seclabel[1]/label[1])",
|
||||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||||
if (p == NULL) {
|
if (p == NULL) {
|
||||||
virReportError(VIR_ERR_XML_ERROR,
|
virReportError(VIR_ERR_XML_ERROR,
|
||||||
@ -3054,7 +3064,7 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
|||||||
if (!def->norelabel &&
|
if (!def->norelabel &&
|
||||||
(!(flags & VIR_DOMAIN_XML_INACTIVE) &&
|
(!(flags & VIR_DOMAIN_XML_INACTIVE) &&
|
||||||
def->type != VIR_DOMAIN_SECLABEL_NONE)) {
|
def->type != VIR_DOMAIN_SECLABEL_NONE)) {
|
||||||
p = virXPathStringLimit("string(./seclabel/imagelabel[1])",
|
p = virXPathStringLimit("string(./seclabel[1]/imagelabel[1])",
|
||||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||||
if (p == NULL) {
|
if (p == NULL) {
|
||||||
virReportError(VIR_ERR_XML_ERROR,
|
virReportError(VIR_ERR_XML_ERROR,
|
||||||
@ -3066,7 +3076,7 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
|||||||
|
|
||||||
/* Only parse baselabel for dynamic label type */
|
/* Only parse baselabel for dynamic label type */
|
||||||
if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
||||||
p = virXPathStringLimit("string(./seclabel/baselabel[1])",
|
p = virXPathStringLimit("string(./seclabel[1]/baselabel[1])",
|
||||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||||
def->baselabel = p;
|
def->baselabel = p;
|
||||||
}
|
}
|
||||||
@ -3078,7 +3088,7 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
|||||||
def->baselabel ||
|
def->baselabel ||
|
||||||
(!(flags & VIR_DOMAIN_XML_INACTIVE) &&
|
(!(flags & VIR_DOMAIN_XML_INACTIVE) &&
|
||||||
def->type != VIR_DOMAIN_SECLABEL_NONE)) {
|
def->type != VIR_DOMAIN_SECLABEL_NONE)) {
|
||||||
p = virXPathStringLimit("string(./seclabel/@model)",
|
p = virXPathStringLimit("string(./seclabel[1]/@model)",
|
||||||
VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
|
VIR_SECURITY_MODEL_BUFLEN-1, ctxt);
|
||||||
if (p == NULL) {
|
if (p == NULL) {
|
||||||
virReportError(VIR_ERR_XML_ERROR,
|
virReportError(VIR_ERR_XML_ERROR,
|
||||||
@ -3091,7 +3101,7 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def,
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
error:
|
error:
|
||||||
virSecurityLabelDefClear(def);
|
virSecurityLabelDefFree(def);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -3105,7 +3115,7 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr *def,
|
|||||||
|
|
||||||
*def = NULL;
|
*def = NULL;
|
||||||
|
|
||||||
if (virXPathNode("./seclabel", ctxt) == NULL)
|
if (virXPathNode("./seclabel[1]", ctxt) == NULL)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
/* Can't use overrides if top-level doesn't allow relabeling. */
|
/* Can't use overrides if top-level doesn't allow relabeling. */
|
||||||
@ -3121,7 +3131,7 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr *def,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
p = virXPathStringLimit("string(./seclabel/@relabel)",
|
p = virXPathStringLimit("string(./seclabel[1]/@relabel)",
|
||||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||||
if (p != NULL) {
|
if (p != NULL) {
|
||||||
if (STREQ(p, "yes")) {
|
if (STREQ(p, "yes")) {
|
||||||
@ -3140,7 +3150,7 @@ virSecurityDeviceLabelDefParseXML(virSecurityDeviceLabelDefPtr *def,
|
|||||||
(*def)->norelabel = false;
|
(*def)->norelabel = false;
|
||||||
}
|
}
|
||||||
|
|
||||||
p = virXPathStringLimit("string(./seclabel/label[1])",
|
p = virXPathStringLimit("string(./seclabel[1]/label[1])",
|
||||||
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
VIR_SECURITY_LABEL_BUFLEN-1, ctxt);
|
||||||
(*def)->label = p;
|
(*def)->label = p;
|
||||||
|
|
||||||
@ -3574,10 +3584,15 @@ virDomainDiskDefParseXML(virCapsPtr caps,
|
|||||||
if (sourceNode) {
|
if (sourceNode) {
|
||||||
xmlNodePtr saved_node = ctxt->node;
|
xmlNodePtr saved_node = ctxt->node;
|
||||||
ctxt->node = sourceNode;
|
ctxt->node = sourceNode;
|
||||||
if (virSecurityDeviceLabelDefParseXML(&def->seclabel,
|
if ((VIR_ALLOC(def->seclabels) < 0)) {
|
||||||
|
virReportOOMError();
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
if (virSecurityDeviceLabelDefParseXML(&def->seclabels[0],
|
||||||
vmSeclabel,
|
vmSeclabel,
|
||||||
ctxt) < 0)
|
ctxt) < 0)
|
||||||
goto error;
|
goto error;
|
||||||
|
def->nseclabels = 1;
|
||||||
ctxt->node = saved_node;
|
ctxt->node = saved_node;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -7030,7 +7045,7 @@ static int virDomainLifecycleParseXML(xmlXPathContextPtr ctxt,
|
|||||||
}
|
}
|
||||||
|
|
||||||
virDomainDeviceDefPtr virDomainDeviceDefParse(virCapsPtr caps,
|
virDomainDeviceDefPtr virDomainDeviceDefParse(virCapsPtr caps,
|
||||||
const virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
const char *xmlStr,
|
const char *xmlStr,
|
||||||
unsigned int flags)
|
unsigned int flags)
|
||||||
{
|
{
|
||||||
@ -7049,10 +7064,19 @@ virDomainDeviceDefPtr virDomainDeviceDefParse(virCapsPtr caps,
|
|||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!def->seclabels) {
|
||||||
|
if ((VIR_ALLOC(def->seclabels) < 0) ||
|
||||||
|
(VIR_ALLOC(def->seclabels[0])) < 0 ) {
|
||||||
|
virReportOOMError();
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (xmlStrEqual(node->name, BAD_CAST "disk")) {
|
if (xmlStrEqual(node->name, BAD_CAST "disk")) {
|
||||||
dev->type = VIR_DOMAIN_DEVICE_DISK;
|
dev->type = VIR_DOMAIN_DEVICE_DISK;
|
||||||
if (!(dev->data.disk = virDomainDiskDefParseXML(caps, node, ctxt,
|
if (!(dev->data.disk = virDomainDiskDefParseXML(caps, node, ctxt,
|
||||||
NULL, &def->seclabel, flags)))
|
NULL, def->seclabels[0],
|
||||||
|
flags)))
|
||||||
goto error;
|
goto error;
|
||||||
} else if (xmlStrEqual(node->name, BAD_CAST "lease")) {
|
} else if (xmlStrEqual(node->name, BAD_CAST "lease")) {
|
||||||
dev->type = VIR_DOMAIN_DEVICE_LEASE;
|
dev->type = VIR_DOMAIN_DEVICE_LEASE;
|
||||||
@ -7990,7 +8014,13 @@ static virDomainDefPtr virDomainDefParseXML(virCapsPtr caps,
|
|||||||
|
|
||||||
/* analysis of security label, done early even though we format it
|
/* analysis of security label, done early even though we format it
|
||||||
* late, so devices can refer to this for defaults */
|
* late, so devices can refer to this for defaults */
|
||||||
if (virSecurityLabelDefParseXML(&def->seclabel, ctxt, flags) == -1)
|
if ((VIR_ALLOC(def->seclabels) < 0) ||
|
||||||
|
(VIR_ALLOC(def->seclabels[0]) < 0)) {
|
||||||
|
virReportOOMError();
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
def->nseclabels = 1;
|
||||||
|
if (virSecurityLabelDefParseXML(def->seclabels[0], ctxt, flags) == -1)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
/* Extract domain memory */
|
/* Extract domain memory */
|
||||||
@ -8590,7 +8620,7 @@ static virDomainDefPtr virDomainDefParseXML(virCapsPtr caps,
|
|||||||
nodes[i],
|
nodes[i],
|
||||||
ctxt,
|
ctxt,
|
||||||
bootMap,
|
bootMap,
|
||||||
&def->seclabel,
|
def->seclabels[0],
|
||||||
flags);
|
flags);
|
||||||
if (!disk)
|
if (!disk)
|
||||||
goto error;
|
goto error;
|
||||||
@ -11118,10 +11148,10 @@ virDomainDiskDefFormat(virBufferPtr buf,
|
|||||||
if (def->startupPolicy)
|
if (def->startupPolicy)
|
||||||
virBufferEscapeString(buf, " startupPolicy='%s'",
|
virBufferEscapeString(buf, " startupPolicy='%s'",
|
||||||
startupPolicy);
|
startupPolicy);
|
||||||
if (def->seclabel) {
|
if (def->seclabels && def->seclabels[0]) {
|
||||||
virBufferAddLit(buf, ">\n");
|
virBufferAddLit(buf, ">\n");
|
||||||
virBufferAdjustIndent(buf, 8);
|
virBufferAdjustIndent(buf, 8);
|
||||||
virSecurityDeviceLabelDefFormat(buf, def->seclabel);
|
virSecurityDeviceLabelDefFormat(buf, def->seclabels[0]);
|
||||||
virBufferAdjustIndent(buf, -8);
|
virBufferAdjustIndent(buf, -8);
|
||||||
virBufferAddLit(buf, " </source>\n");
|
virBufferAddLit(buf, " </source>\n");
|
||||||
} else {
|
} else {
|
||||||
@ -11131,10 +11161,10 @@ virDomainDiskDefFormat(virBufferPtr buf,
|
|||||||
case VIR_DOMAIN_DISK_TYPE_BLOCK:
|
case VIR_DOMAIN_DISK_TYPE_BLOCK:
|
||||||
virBufferEscapeString(buf, " <source dev='%s'",
|
virBufferEscapeString(buf, " <source dev='%s'",
|
||||||
def->src);
|
def->src);
|
||||||
if (def->seclabel) {
|
if (def->seclabels && def->seclabels[0]) {
|
||||||
virBufferAddLit(buf, ">\n");
|
virBufferAddLit(buf, ">\n");
|
||||||
virBufferAdjustIndent(buf, 8);
|
virBufferAdjustIndent(buf, 8);
|
||||||
virSecurityDeviceLabelDefFormat(buf, def->seclabel);
|
virSecurityDeviceLabelDefFormat(buf, def->seclabels[0]);
|
||||||
virBufferAdjustIndent(buf, -8);
|
virBufferAdjustIndent(buf, -8);
|
||||||
virBufferAddLit(buf, " </source>\n");
|
virBufferAddLit(buf, " </source>\n");
|
||||||
} else {
|
} else {
|
||||||
@ -13128,9 +13158,11 @@ virDomainDefFormatInternal(virDomainDefPtr def,
|
|||||||
|
|
||||||
virBufferAddLit(buf, " </devices>\n");
|
virBufferAddLit(buf, " </devices>\n");
|
||||||
|
|
||||||
|
if (def->nseclabels && def->seclabels) {
|
||||||
virBufferAdjustIndent(buf, 2);
|
virBufferAdjustIndent(buf, 2);
|
||||||
virSecurityLabelDefFormat(buf, &def->seclabel);
|
virSecurityLabelDefFormat(buf, def->seclabels[0]);
|
||||||
virBufferAdjustIndent(buf, -2);
|
virBufferAdjustIndent(buf, -2);
|
||||||
|
}
|
||||||
|
|
||||||
if (def->namespaceData && def->ns.format) {
|
if (def->namespaceData && def->ns.format) {
|
||||||
if ((def->ns.format)(buf, def->namespaceData) < 0)
|
if ((def->ns.format)(buf, def->namespaceData) < 0)
|
||||||
|
|||||||
@ -296,6 +296,7 @@ struct _virSecurityLabelDef {
|
|||||||
typedef struct _virSecurityDeviceLabelDef virSecurityDeviceLabelDef;
|
typedef struct _virSecurityDeviceLabelDef virSecurityDeviceLabelDef;
|
||||||
typedef virSecurityDeviceLabelDef *virSecurityDeviceLabelDefPtr;
|
typedef virSecurityDeviceLabelDef *virSecurityDeviceLabelDefPtr;
|
||||||
struct _virSecurityDeviceLabelDef {
|
struct _virSecurityDeviceLabelDef {
|
||||||
|
char *model;
|
||||||
char *label; /* image label string */
|
char *label; /* image label string */
|
||||||
bool norelabel;
|
bool norelabel;
|
||||||
};
|
};
|
||||||
@ -540,7 +541,6 @@ struct _virDomainDiskDef {
|
|||||||
int device;
|
int device;
|
||||||
int bus;
|
int bus;
|
||||||
char *src;
|
char *src;
|
||||||
virSecurityDeviceLabelDefPtr seclabel;
|
|
||||||
char *dst;
|
char *dst;
|
||||||
int tray_status;
|
int tray_status;
|
||||||
int protocol;
|
int protocol;
|
||||||
@ -580,6 +580,9 @@ struct _virDomainDiskDef {
|
|||||||
virStorageEncryptionPtr encryption;
|
virStorageEncryptionPtr encryption;
|
||||||
bool rawio_specified;
|
bool rawio_specified;
|
||||||
int rawio; /* no = 0, yes = 1 */
|
int rawio; /* no = 0, yes = 1 */
|
||||||
|
|
||||||
|
size_t nseclabels;
|
||||||
|
virSecurityDeviceLabelDefPtr *seclabels;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
@ -1658,8 +1661,10 @@ struct _virDomainDef {
|
|||||||
int nhubs;
|
int nhubs;
|
||||||
virDomainHubDefPtr *hubs;
|
virDomainHubDefPtr *hubs;
|
||||||
|
|
||||||
|
size_t nseclabels;
|
||||||
|
virSecurityLabelDefPtr *seclabels;
|
||||||
|
|
||||||
/* Only 1 */
|
/* Only 1 */
|
||||||
virSecurityLabelDef seclabel;
|
|
||||||
virDomainWatchdogDefPtr watchdog;
|
virDomainWatchdogDefPtr watchdog;
|
||||||
virDomainMemballoonDefPtr memballoon;
|
virDomainMemballoonDefPtr memballoon;
|
||||||
virCPUDefPtr cpu;
|
virCPUDefPtr cpu;
|
||||||
@ -1925,7 +1930,7 @@ void virDomainRemoveInactive(virDomainObjListPtr doms,
|
|||||||
virDomainObjPtr dom);
|
virDomainObjPtr dom);
|
||||||
|
|
||||||
virDomainDeviceDefPtr virDomainDeviceDefParse(virCapsPtr caps,
|
virDomainDeviceDefPtr virDomainDeviceDefParse(virCapsPtr caps,
|
||||||
const virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
const char *xmlStr,
|
const char *xmlStr,
|
||||||
unsigned int flags);
|
unsigned int flags);
|
||||||
virDomainDefPtr virDomainDefParseString(virCapsPtr caps,
|
virDomainDefPtr virDomainDefParseString(virCapsPtr caps,
|
||||||
|
|||||||
@ -134,9 +134,13 @@ virCapsPtr lxcCapsInit(virLXCDriverPtr driver)
|
|||||||
doi = virSecurityManagerGetDOI(driver->securityManager);
|
doi = virSecurityManagerGetDOI(driver->securityManager);
|
||||||
model = virSecurityManagerGetModel(driver->securityManager);
|
model = virSecurityManagerGetModel(driver->securityManager);
|
||||||
if (STRNEQ(model, "none")) {
|
if (STRNEQ(model, "none")) {
|
||||||
if (!(caps->host.secModel.model = strdup(model)))
|
/* Allocate just the primary security driver for LXC. */
|
||||||
|
if (VIR_ALLOC(caps->host.secModels) < 0)
|
||||||
goto no_memory;
|
goto no_memory;
|
||||||
if (!(caps->host.secModel.doi = strdup(doi)))
|
caps->host.nsecModels = 1;
|
||||||
|
if (!(caps->host.secModels[0].model = strdup(model)))
|
||||||
|
goto no_memory;
|
||||||
|
if (!(caps->host.secModels[0].doi = strdup(doi)))
|
||||||
goto no_memory;
|
goto no_memory;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -1602,10 +1602,10 @@ int main(int argc, char *argv[])
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
VIR_DEBUG("Security model %s type %s label %s imagelabel %s",
|
VIR_DEBUG("Security model %s type %s label %s imagelabel %s",
|
||||||
NULLSTR(ctrl->def->seclabel.model),
|
NULLSTR(ctrl->def->seclabels[0]->model),
|
||||||
virDomainSeclabelTypeToString(ctrl->def->seclabel.type),
|
virDomainSeclabelTypeToString(ctrl->def->seclabels[0]->type),
|
||||||
NULLSTR(ctrl->def->seclabel.label),
|
NULLSTR(ctrl->def->seclabels[0]->label),
|
||||||
NULLSTR(ctrl->def->seclabel.imagelabel));
|
NULLSTR(ctrl->def->seclabels[0]->imagelabel));
|
||||||
|
|
||||||
ctrl->veths = veths;
|
ctrl->veths = veths;
|
||||||
ctrl->nveths = nveths;
|
ctrl->nveths = nveths;
|
||||||
|
|||||||
@ -964,7 +964,6 @@ cleanup:
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* lxcDomainStartWithFlags:
|
* lxcDomainStartWithFlags:
|
||||||
* @dom: domain to start
|
* @dom: domain to start
|
||||||
@ -1182,12 +1181,12 @@ static int lxcNodeGetSecurityModel(virConnectPtr conn,
|
|||||||
lxcDriverLock(driver);
|
lxcDriverLock(driver);
|
||||||
memset(secmodel, 0, sizeof(*secmodel));
|
memset(secmodel, 0, sizeof(*secmodel));
|
||||||
|
|
||||||
/* NULL indicates no driver, which we treat as
|
/* we treat no driver as success, but simply return no data in *secmodel */
|
||||||
* success, but simply return no data in *secmodel */
|
if (driver->caps->host.nsecModels == 0
|
||||||
if (driver->caps->host.secModel.model == NULL)
|
|| driver->caps->host.secModels[0].model == NULL)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (!virStrcpy(secmodel->model, driver->caps->host.secModel.model,
|
if (!virStrcpy(secmodel->model, driver->caps->host.secModels[0].model,
|
||||||
VIR_SECURITY_MODEL_BUFLEN)) {
|
VIR_SECURITY_MODEL_BUFLEN)) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
_("security model string exceeds max %d bytes"),
|
_("security model string exceeds max %d bytes"),
|
||||||
@ -1196,7 +1195,7 @@ static int lxcNodeGetSecurityModel(virConnectPtr conn,
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!virStrcpy(secmodel->doi, driver->caps->host.secModel.doi,
|
if (!virStrcpy(secmodel->doi, driver->caps->host.secModels[0].doi,
|
||||||
VIR_SECURITY_DOI_BUFLEN)) {
|
VIR_SECURITY_DOI_BUFLEN)) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
_("security DOI string exceeds max %d bytes"),
|
_("security DOI string exceeds max %d bytes"),
|
||||||
|
|||||||
@ -706,10 +706,11 @@ int virLXCProcessStop(virLXCDriverPtr driver,
|
|||||||
vm->def, false);
|
vm->def, false);
|
||||||
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
|
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
|
||||||
/* Clear out dynamically assigned labels */
|
/* Clear out dynamically assigned labels */
|
||||||
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
if (vm->def->nseclabels &&
|
||||||
VIR_FREE(vm->def->seclabel.model);
|
vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
||||||
VIR_FREE(vm->def->seclabel.label);
|
VIR_FREE(vm->def->seclabels[0]->model);
|
||||||
VIR_FREE(vm->def->seclabel.imagelabel);
|
VIR_FREE(vm->def->seclabels[0]->label);
|
||||||
|
VIR_FREE(vm->def->seclabels[0]->imagelabel);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (virCgroupForDomain(driver->cgroup, vm->def->name, &group, 0) == 0) {
|
if (virCgroupForDomain(driver->cgroup, vm->def->name, &group, 0) == 0) {
|
||||||
@ -1001,8 +1002,9 @@ int virLXCProcessStart(virConnectPtr conn,
|
|||||||
/* If you are using a SecurityDriver with dynamic labelling,
|
/* If you are using a SecurityDriver with dynamic labelling,
|
||||||
then generate a security label for isolation */
|
then generate a security label for isolation */
|
||||||
VIR_DEBUG("Generating domain security label (if required)");
|
VIR_DEBUG("Generating domain security label (if required)");
|
||||||
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DEFAULT)
|
if (vm->def->nseclabels &&
|
||||||
vm->def->seclabel.type = VIR_DOMAIN_SECLABEL_NONE;
|
vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT)
|
||||||
|
vm->def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE;
|
||||||
|
|
||||||
if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) {
|
if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) {
|
||||||
virDomainAuditSecurityLabel(vm, false);
|
virDomainAuditSecurityLabel(vm, false);
|
||||||
@ -1207,10 +1209,11 @@ cleanup:
|
|||||||
vm->def, false);
|
vm->def, false);
|
||||||
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
|
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
|
||||||
/* Clear out dynamically assigned labels */
|
/* Clear out dynamically assigned labels */
|
||||||
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
if (vm->def->nseclabels &&
|
||||||
VIR_FREE(vm->def->seclabel.model);
|
vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
||||||
VIR_FREE(vm->def->seclabel.label);
|
VIR_FREE(vm->def->seclabels[0]->model);
|
||||||
VIR_FREE(vm->def->seclabel.imagelabel);
|
VIR_FREE(vm->def->seclabels[0]->label);
|
||||||
|
VIR_FREE(vm->def->seclabels[0]->imagelabel);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for (i = 0 ; i < nttyFDs ; i++)
|
for (i = 0 ; i < nttyFDs ; i++)
|
||||||
|
|||||||
@ -321,10 +321,15 @@ qemuCreateCapabilities(virCapsPtr oldcaps,
|
|||||||
|
|
||||||
doi = virSecurityManagerGetDOI(driver->securityManager);
|
doi = virSecurityManagerGetDOI(driver->securityManager);
|
||||||
model = virSecurityManagerGetModel(driver->securityManager);
|
model = virSecurityManagerGetModel(driver->securityManager);
|
||||||
if (STRNEQ(model, "none")) {
|
|
||||||
if (!(caps->host.secModel.model = strdup(model)))
|
if (VIR_ALLOC(caps->host.secModels) < 0) {
|
||||||
goto no_memory;
|
goto no_memory;
|
||||||
if (!(caps->host.secModel.doi = strdup(doi)))
|
}
|
||||||
|
|
||||||
|
if (STRNEQ(model, "none")) {
|
||||||
|
if (!(caps->host.secModels[0].model = strdup(model)))
|
||||||
|
goto no_memory;
|
||||||
|
if (!(caps->host.secModels[0].doi = strdup(doi)))
|
||||||
goto no_memory;
|
goto no_memory;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4060,10 +4065,10 @@ static int qemudNodeGetSecurityModel(virConnectPtr conn,
|
|||||||
|
|
||||||
/* NULL indicates no driver, which we treat as
|
/* NULL indicates no driver, which we treat as
|
||||||
* success, but simply return no data in *secmodel */
|
* success, but simply return no data in *secmodel */
|
||||||
if (driver->caps->host.secModel.model == NULL)
|
if (driver->caps->host.secModels[0].model == NULL)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
p = driver->caps->host.secModel.model;
|
p = driver->caps->host.secModels[0].model;
|
||||||
if (strlen(p) >= VIR_SECURITY_MODEL_BUFLEN-1) {
|
if (strlen(p) >= VIR_SECURITY_MODEL_BUFLEN-1) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
_("security model string exceeds max %d bytes"),
|
_("security model string exceeds max %d bytes"),
|
||||||
@ -4073,7 +4078,7 @@ static int qemudNodeGetSecurityModel(virConnectPtr conn,
|
|||||||
}
|
}
|
||||||
strcpy(secmodel->model, p);
|
strcpy(secmodel->model, p);
|
||||||
|
|
||||||
p = driver->caps->host.secModel.doi;
|
p = driver->caps->host.secModels[0].doi;
|
||||||
if (strlen(p) >= VIR_SECURITY_DOI_BUFLEN-1) {
|
if (strlen(p) >= VIR_SECURITY_DOI_BUFLEN-1) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
_("security DOI string exceeds max %d bytes"),
|
_("security DOI string exceeds max %d bytes"),
|
||||||
|
|||||||
@ -4079,12 +4079,12 @@ void qemuProcessStop(struct qemud_driver *driver,
|
|||||||
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
|
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
|
||||||
|
|
||||||
/* Clear out dynamically assigned labels */
|
/* Clear out dynamically assigned labels */
|
||||||
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
if (vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
||||||
if (!vm->def->seclabel.baselabel)
|
if (!vm->def->seclabels[0]->baselabel)
|
||||||
VIR_FREE(vm->def->seclabel.model);
|
VIR_FREE(vm->def->seclabels[0]->model);
|
||||||
VIR_FREE(vm->def->seclabel.label);
|
VIR_FREE(vm->def->seclabels[0]->label);
|
||||||
}
|
}
|
||||||
VIR_FREE(vm->def->seclabel.imagelabel);
|
VIR_FREE(vm->def->seclabels[0]->imagelabel);
|
||||||
|
|
||||||
virDomainDefClearDeviceAliases(vm->def);
|
virDomainDefClearDeviceAliases(vm->def);
|
||||||
if (!priv->persistentAddrs) {
|
if (!priv->persistentAddrs) {
|
||||||
@ -4227,16 +4227,16 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED,
|
|||||||
goto no_memory;
|
goto no_memory;
|
||||||
|
|
||||||
VIR_DEBUG("Detect security driver config");
|
VIR_DEBUG("Detect security driver config");
|
||||||
vm->def->seclabel.type = VIR_DOMAIN_SECLABEL_STATIC;
|
vm->def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_STATIC;
|
||||||
if (VIR_ALLOC(seclabel) < 0)
|
if (VIR_ALLOC(seclabel) < 0)
|
||||||
goto no_memory;
|
goto no_memory;
|
||||||
if (virSecurityManagerGetProcessLabel(driver->securityManager,
|
if (virSecurityManagerGetProcessLabel(driver->securityManager,
|
||||||
vm->def, vm->pid, seclabel) < 0)
|
vm->def, vm->pid, seclabel) < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
if (driver->caps->host.secModel.model &&
|
if (driver->caps->host.secModels[0].model &&
|
||||||
!(vm->def->seclabel.model = strdup(driver->caps->host.secModel.model)))
|
!(vm->def->seclabels[0]->model = strdup(driver->caps->host.secModels[0].model)))
|
||||||
goto no_memory;
|
goto no_memory;
|
||||||
if (!(vm->def->seclabel.label = strdup(seclabel->label)))
|
if (!(vm->def->seclabels[0]->label = strdup(seclabel->label)))
|
||||||
goto no_memory;
|
goto no_memory;
|
||||||
|
|
||||||
VIR_DEBUG("Creating domain log file");
|
VIR_DEBUG("Creating domain log file");
|
||||||
|
|||||||
@ -308,16 +308,16 @@ int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
|
|||||||
int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
|
int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm)
|
virDomainDefPtr vm)
|
||||||
{
|
{
|
||||||
if (vm->seclabel.type == VIR_DOMAIN_SECLABEL_DEFAULT) {
|
if (vm->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT) {
|
||||||
if (mgr->defaultConfined) {
|
if (mgr->defaultConfined) {
|
||||||
vm->seclabel.type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
vm->seclabels[0]->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
|
||||||
} else {
|
} else {
|
||||||
vm->seclabel.type = VIR_DOMAIN_SECLABEL_NONE;
|
vm->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE;
|
||||||
vm->seclabel.norelabel = true;
|
vm->seclabels[0]->norelabel = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((vm->seclabel.type == VIR_DOMAIN_SECLABEL_NONE) &&
|
if ((vm->seclabels[0]->type == VIR_DOMAIN_SECLABEL_NONE) &&
|
||||||
mgr->requireConfined) {
|
mgr->requireConfined) {
|
||||||
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
|
||||||
_("Unconfined guests are not allowed on this host"));
|
_("Unconfined guests are not allowed on this host"));
|
||||||
@ -399,7 +399,7 @@ int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr,
|
|||||||
int virSecurityManagerVerify(virSecurityManagerPtr mgr,
|
int virSecurityManagerVerify(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def)
|
virDomainDefPtr def)
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
/* NULL model == dynamic labelling, with whatever driver
|
/* NULL model == dynamic labelling, with whatever driver
|
||||||
* is active, so we can short circuit verify check to
|
* is active, so we can short circuit verify check to
|
||||||
* avoid drivers de-referencing NULLs by accident
|
* avoid drivers de-referencing NULLs by accident
|
||||||
|
|||||||
@ -366,43 +366,43 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
|
|||||||
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
||||||
|
|
||||||
VIR_DEBUG("driver=%s", virSecurityManagerGetDriver(mgr));
|
VIR_DEBUG("driver=%s", virSecurityManagerGetDriver(mgr));
|
||||||
if ((def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
|
if ((def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
|
||||||
!def->seclabel.baselabel &&
|
!def->seclabels[0]->baselabel &&
|
||||||
def->seclabel.model) {
|
def->seclabels[0]->model) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
"%s", _("security model already defined for VM"));
|
"%s", _("security model already defined for VM"));
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
|
if (def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
|
||||||
def->seclabel.label) {
|
def->seclabels[0]->label) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
"%s", _("security label already defined for VM"));
|
"%s", _("security label already defined for VM"));
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (def->seclabel.imagelabel) {
|
if (def->seclabels[0]->imagelabel) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
"%s", _("security image label already defined for VM"));
|
"%s", _("security image label already defined for VM"));
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (def->seclabel.model &&
|
if (def->seclabels[0]->model &&
|
||||||
STRNEQ(def->seclabel.model, SECURITY_SELINUX_NAME)) {
|
STRNEQ(def->seclabels[0]->model, SECURITY_SELINUX_NAME)) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
_("security label model %s is not supported with selinux"),
|
_("security label model %s is not supported with selinux"),
|
||||||
def->seclabel.model);
|
def->seclabels[0]->model);
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
VIR_DEBUG("type=%d", def->seclabel.type);
|
VIR_DEBUG("type%d", def->seclabels[0]->type);
|
||||||
|
|
||||||
switch (def->seclabel.type) {
|
switch (def->seclabels[0]->type) {
|
||||||
case VIR_DOMAIN_SECLABEL_STATIC:
|
case VIR_DOMAIN_SECLABEL_STATIC:
|
||||||
if (!(ctx = context_new(def->seclabel.label)) ) {
|
if (!(ctx = context_new(def->seclabels[0]->label)) ) {
|
||||||
virReportSystemError(errno,
|
virReportSystemError(errno,
|
||||||
_("unable to allocate socket security context '%s'"),
|
_("unable to allocate socket security context '%s'"),
|
||||||
def->seclabel.label);
|
def->seclabels[0]->label);
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -421,12 +421,15 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
|
|||||||
if (virSecuritySELinuxMCSAdd(mgr, mcs) < 0)
|
if (virSecuritySELinuxMCSAdd(mgr, mcs) < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (!(def->seclabel.label =
|
def->seclabels[0]->label =
|
||||||
virSecuritySELinuxGenNewContext(def->seclabel.baselabel ?
|
virSecuritySELinuxGenNewContext(def->seclabels[0]->baselabel ?
|
||||||
def->seclabel.baselabel :
|
def->seclabels[0]->baselabel :
|
||||||
data->domain_context,
|
data->domain_context, mcs, false);
|
||||||
mcs, false)))
|
if (! def->seclabels[0]->label) {
|
||||||
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
|
_("cannot generate selinux context for %s"), mcs);
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case VIR_DOMAIN_SECLABEL_NONE:
|
case VIR_DOMAIN_SECLABEL_NONE:
|
||||||
@ -436,18 +439,23 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
|
|||||||
default:
|
default:
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
_("unexpected security label type '%s'"),
|
_("unexpected security label type '%s'"),
|
||||||
virDomainSeclabelTypeToString(def->seclabel.type));
|
virDomainSeclabelTypeToString(def->seclabels[0]->type));
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!def->seclabel.norelabel) {
|
if (!def->seclabels[0]->norelabel) {
|
||||||
if (!(def->seclabel.imagelabel =
|
def->seclabels[0]->imagelabel = virSecuritySELinuxGenNewContext(data->file_context,
|
||||||
virSecuritySELinuxGenNewContext(data->file_context, mcs, true)))
|
mcs,
|
||||||
|
true);
|
||||||
|
if (!def->seclabels[0]->imagelabel) {
|
||||||
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
|
_("cannot generate selinux context for %s"), mcs);
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!def->seclabel.model &&
|
if (!def->seclabels[0]->model &&
|
||||||
!(def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
|
!(def->seclabels[0]->model = strdup(SECURITY_SELINUX_NAME))) {
|
||||||
virReportOOMError();
|
virReportOOMError();
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
@ -456,12 +464,12 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
|
|||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
if (rc != 0) {
|
if (rc != 0) {
|
||||||
if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
|
if (def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC)
|
||||||
VIR_FREE(def->seclabel.label);
|
VIR_FREE(def->seclabels[0]->label);
|
||||||
VIR_FREE(def->seclabel.imagelabel);
|
VIR_FREE(def->seclabels[0]->imagelabel);
|
||||||
if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
|
if (def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
|
||||||
!def->seclabel.baselabel)
|
!def->seclabels[0]->baselabel)
|
||||||
VIR_FREE(def->seclabel.model);
|
VIR_FREE(def->seclabels[0]->model);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ctx)
|
if (ctx)
|
||||||
@ -470,16 +478,16 @@ cleanup:
|
|||||||
VIR_FREE(mcs);
|
VIR_FREE(mcs);
|
||||||
|
|
||||||
VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
|
VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
|
||||||
NULLSTR(def->seclabel.model),
|
NULLSTR(def->seclabels[0]->model),
|
||||||
NULLSTR(def->seclabel.label),
|
NULLSTR(def->seclabels[0]->label),
|
||||||
NULLSTR(def->seclabel.imagelabel),
|
NULLSTR(def->seclabels[0]->imagelabel),
|
||||||
NULLSTR(def->seclabel.baselabel));
|
NULLSTR(def->seclabels[0]->baselabel));
|
||||||
|
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
pid_t pid)
|
pid_t pid)
|
||||||
{
|
{
|
||||||
@ -488,7 +496,7 @@ virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSE
|
|||||||
const char *mcs;
|
const char *mcs;
|
||||||
int rv;
|
int rv;
|
||||||
|
|
||||||
if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
|
if (def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_STATIC)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (getpidcon(pid, &pctx) == -1) {
|
if (getpidcon(pid, &pctx) == -1) {
|
||||||
@ -792,9 +800,9 @@ virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBU
|
|||||||
virDomainDiskDefPtr disk,
|
virDomainDiskDefPtr disk,
|
||||||
int migrated)
|
int migrated)
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
|
|
||||||
if (secdef->norelabel || (disk->seclabel && disk->seclabel->norelabel))
|
if (secdef->norelabel || (disk->seclabels[0] && disk->seclabels[0]->norelabel))
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
/* Don't restore labels on readoly/shared disks, because
|
/* Don't restore labels on readoly/shared disks, because
|
||||||
@ -851,12 +859,12 @@ virSecuritySELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
|
|||||||
int ret;
|
int ret;
|
||||||
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(cbdata->manager);
|
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(cbdata->manager);
|
||||||
|
|
||||||
if (disk->seclabel && disk->seclabel->norelabel)
|
if (disk->seclabels[0] && disk->seclabels[0]->norelabel)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (disk->seclabel && !disk->seclabel->norelabel &&
|
if (disk->seclabels[0] && !disk->seclabels[0]->norelabel &&
|
||||||
disk->seclabel->label) {
|
disk->seclabels[0]->label) {
|
||||||
ret = virSecuritySELinuxSetFilecon(path, disk->seclabel->label);
|
ret = virSecuritySELinuxSetFilecon(path, disk->seclabels[0]->label);
|
||||||
} else if (depth == 0) {
|
} else if (depth == 0) {
|
||||||
|
|
||||||
if (disk->shared) {
|
if (disk->shared) {
|
||||||
@ -871,14 +879,14 @@ virSecuritySELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
|
|||||||
} else {
|
} else {
|
||||||
ret = virSecuritySELinuxSetFileconOptional(path, data->content_context);
|
ret = virSecuritySELinuxSetFileconOptional(path, data->content_context);
|
||||||
}
|
}
|
||||||
if (ret == 1 && !disk->seclabel) {
|
if (ret == 1 && !disk->seclabels[0]) {
|
||||||
/* If we failed to set a label, but virt_use_nfs let us
|
/* If we failed to set a label, but virt_use_nfs let us
|
||||||
* proceed anyway, then we don't need to relabel later. */
|
* proceed anyway, then we don't need to relabel later. */
|
||||||
if (VIR_ALLOC(disk->seclabel) < 0) {
|
if (VIR_ALLOC(disk->seclabels[0]) < 0) {
|
||||||
virReportOOMError();
|
virReportOOMError();
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
disk->seclabel->norelabel = true;
|
disk->seclabels[0]->norelabel = true;
|
||||||
ret = 0;
|
ret = 0;
|
||||||
}
|
}
|
||||||
return ret;
|
return ret;
|
||||||
@ -891,7 +899,7 @@ virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
|
|||||||
|
|
||||||
{
|
{
|
||||||
virSecuritySELinuxCallbackData cbdata;
|
virSecuritySELinuxCallbackData cbdata;
|
||||||
cbdata.secdef = &def->seclabel;
|
cbdata.secdef = def->seclabels[0];
|
||||||
cbdata.manager = mgr;
|
cbdata.manager = mgr;
|
||||||
|
|
||||||
bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr);
|
bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr);
|
||||||
@ -922,7 +930,7 @@ virSecuritySELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
|
|||||||
const char *file, void *opaque)
|
const char *file, void *opaque)
|
||||||
{
|
{
|
||||||
virDomainDefPtr def = opaque;
|
virDomainDefPtr def = opaque;
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
|
|
||||||
return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
|
return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
|
||||||
}
|
}
|
||||||
@ -932,7 +940,7 @@ virSecuritySELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
|
|||||||
const char *file, void *opaque)
|
const char *file, void *opaque)
|
||||||
{
|
{
|
||||||
virDomainDefPtr def = opaque;
|
virDomainDefPtr def = opaque;
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
|
|
||||||
return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
|
return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
|
||||||
}
|
}
|
||||||
@ -943,7 +951,7 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
|
|||||||
virDomainHostdevDefPtr dev)
|
virDomainHostdevDefPtr dev)
|
||||||
|
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
|
|
||||||
if (secdef->norelabel)
|
if (secdef->norelabel)
|
||||||
@ -1012,7 +1020,7 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUT
|
|||||||
virDomainHostdevDefPtr dev)
|
virDomainHostdevDefPtr dev)
|
||||||
|
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
|
|
||||||
if (secdef->norelabel)
|
if (secdef->norelabel)
|
||||||
@ -1065,7 +1073,7 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
|
|||||||
virDomainChrSourceDefPtr dev)
|
virDomainChrSourceDefPtr dev)
|
||||||
|
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
char *in = NULL, *out = NULL;
|
char *in = NULL, *out = NULL;
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
|
|
||||||
@ -1111,7 +1119,7 @@ virSecuritySELinuxRestoreSecurityChardevLabel(virDomainDefPtr def,
|
|||||||
virDomainChrSourceDefPtr dev)
|
virDomainChrSourceDefPtr dev)
|
||||||
|
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
char *in = NULL, *out = NULL;
|
char *in = NULL, *out = NULL;
|
||||||
int ret = -1;
|
int ret = -1;
|
||||||
|
|
||||||
@ -1204,7 +1212,7 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
|
|||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
int migrated ATTRIBUTE_UNUSED)
|
int migrated ATTRIBUTE_UNUSED)
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
int i;
|
int i;
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
|
||||||
@ -1254,7 +1262,7 @@ static int
|
|||||||
virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
|
virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def)
|
virDomainDefPtr def)
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
|
|
||||||
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
||||||
if (secdef->label != NULL) {
|
if (secdef->label != NULL) {
|
||||||
@ -1279,7 +1287,7 @@ virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
const char *savefile)
|
const char *savefile)
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
|
|
||||||
if (secdef->norelabel)
|
if (secdef->norelabel)
|
||||||
return 0;
|
return 0;
|
||||||
@ -1293,7 +1301,7 @@ virSecuritySELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNU
|
|||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
const char *savefile)
|
const char *savefile)
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
|
|
||||||
if (secdef->norelabel)
|
if (secdef->norelabel)
|
||||||
return 0;
|
return 0;
|
||||||
@ -1306,7 +1314,7 @@ static int
|
|||||||
virSecuritySELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
virSecuritySELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||||
virDomainDefPtr def)
|
virDomainDefPtr def)
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
|
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
|
||||||
virReportError(VIR_ERR_INTERNAL_ERROR,
|
virReportError(VIR_ERR_INTERNAL_ERROR,
|
||||||
_("security label driver mismatch: "
|
_("security label driver mismatch: "
|
||||||
@ -1331,10 +1339,10 @@ virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
|
|||||||
virDomainDefPtr def)
|
virDomainDefPtr def)
|
||||||
{
|
{
|
||||||
/* TODO: verify DOI */
|
/* TODO: verify DOI */
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
VIR_DEBUG("label=%s", secdef->label);
|
VIR_DEBUG("label=%s", secdef->label);
|
||||||
|
|
||||||
if (def->seclabel.label == NULL)
|
if (def->seclabels[0]->label == NULL)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
|
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
|
||||||
@ -1363,13 +1371,13 @@ virSecuritySELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
|
|||||||
virDomainDefPtr def)
|
virDomainDefPtr def)
|
||||||
{
|
{
|
||||||
/* TODO: verify DOI */
|
/* TODO: verify DOI */
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
context_t execcon = NULL;
|
context_t execcon = NULL;
|
||||||
context_t proccon = NULL;
|
context_t proccon = NULL;
|
||||||
security_context_t scon = NULL;
|
security_context_t scon = NULL;
|
||||||
int rc = -1;
|
int rc = -1;
|
||||||
|
|
||||||
if (def->seclabel.label == NULL)
|
if (def->seclabels[0]->label == NULL)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
|
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
|
||||||
@ -1433,7 +1441,7 @@ static int
|
|||||||
virSecuritySELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
|
virSecuritySELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm)
|
virDomainDefPtr vm)
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &vm->seclabel;
|
const virSecurityLabelDefPtr secdef = vm->seclabels[0];
|
||||||
int rc = -1;
|
int rc = -1;
|
||||||
|
|
||||||
if (secdef->label == NULL)
|
if (secdef->label == NULL)
|
||||||
@ -1471,9 +1479,9 @@ virSecuritySELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
|
|||||||
virDomainDefPtr def)
|
virDomainDefPtr def)
|
||||||
{
|
{
|
||||||
/* TODO: verify DOI */
|
/* TODO: verify DOI */
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
|
|
||||||
if (def->seclabel.label == NULL)
|
if (def->seclabels[0]->label == NULL)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
|
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
|
||||||
@ -1550,7 +1558,7 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
|
|||||||
const char *stdin_path)
|
const char *stdin_path)
|
||||||
{
|
{
|
||||||
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
if (secdef->norelabel)
|
if (secdef->norelabel)
|
||||||
@ -1611,7 +1619,7 @@ virSecuritySELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
int fd)
|
int fd)
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
|
|
||||||
if (secdef->imagelabel == NULL)
|
if (secdef->imagelabel == NULL)
|
||||||
return 0;
|
return 0;
|
||||||
@ -1623,7 +1631,7 @@ static char *
|
|||||||
virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
|
virSecuritySELinuxGenImageLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def)
|
virDomainDefPtr def)
|
||||||
{
|
{
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
|
||||||
const char *range;
|
const char *range;
|
||||||
context_t ctx = NULL;
|
context_t ctx = NULL;
|
||||||
@ -1660,7 +1668,7 @@ virSecuritySELinuxGetSecurityMountOptions(virSecurityManagerPtr mgr,
|
|||||||
virDomainDefPtr def)
|
virDomainDefPtr def)
|
||||||
{
|
{
|
||||||
char *opts = NULL;
|
char *opts = NULL;
|
||||||
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
const virSecurityLabelDefPtr secdef = def->seclabels[0];
|
||||||
|
|
||||||
if (! secdef->imagelabel)
|
if (! secdef->imagelabel)
|
||||||
secdef->imagelabel = virSecuritySELinuxGenImageLabel(mgr,def);
|
secdef->imagelabel = virSecuritySELinuxGenImageLabel(mgr,def);
|
||||||
|
|||||||
@ -206,12 +206,15 @@ testBuildCapabilities(virConnectPtr conn) {
|
|||||||
caps->privateDataAllocFunc = testDomainObjPrivateAlloc;
|
caps->privateDataAllocFunc = testDomainObjPrivateAlloc;
|
||||||
caps->privateDataFreeFunc = testDomainObjPrivateFree;
|
caps->privateDataFreeFunc = testDomainObjPrivateFree;
|
||||||
|
|
||||||
caps->host.secModel.model = strdup("testSecurity");
|
caps->host.nsecModels = 1;
|
||||||
if (!caps->host.secModel.model)
|
if (VIR_ALLOC_N(caps->host.secModels, caps->host.nsecModels) < 0)
|
||||||
|
goto no_memory;
|
||||||
|
caps->host.secModels[0].model = strdup("testSecurity");
|
||||||
|
if (!caps->host.secModels[0].model)
|
||||||
goto no_memory;
|
goto no_memory;
|
||||||
|
|
||||||
caps->host.secModel.doi = strdup("");
|
caps->host.secModels[0].doi = strdup("");
|
||||||
if (!caps->host.secModel.doi)
|
if (!caps->host.secModels[0].doi)
|
||||||
goto no_memory;
|
goto no_memory;
|
||||||
|
|
||||||
return caps;
|
return caps;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user