NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add security driver APIs for getting mount options

Browse Source 
Some security drivers require special options to be passed to
the mount system call. Add a security driver API for handling
this data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
Daniel Walsh 2012-05-01 15:16:04 +01:00 committed by Daniel P. Berrange
parent 6844ceadb4
commit abf2ebbd27
9 changed files with 98 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/libvirt_private.syms
View File

@ -963,6 +963,7 @@ virSecurityManagerSetProcessLabel;
virSecurityManagerSetSavedStateLabel; virSecurityManagerSetSavedStateLabel;
virSecurityManagerSetSocketLabel; virSecurityManagerSetSocketLabel;
virSecurityManagerVerify; virSecurityManagerVerify;
virSecurityManagerGetMountOptions;
# sexpr.h # sexpr.h
sexpr_append; sexpr_append;

7
src/security/security_dac.c
View File

@ -717,6 +717,11 @@ virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return 0; return 0;
} }
static char *virSecurityDACGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr vm ATTRIBUTE_UNUSED) {
return NULL;
}
virSecurityDriver virSecurityDriverDAC = { virSecurityDriver virSecurityDriverDAC = {
sizeof(virSecurityDACData), sizeof(virSecurityDACData),
"virDAC", "virDAC",
@ -754,4 +759,6 @@ virSecurityDriver virSecurityDriverDAC = {
virSecurityDACRestoreSavedStateLabel, virSecurityDACRestoreSavedStateLabel,
virSecurityDACSetImageFDLabel, virSecurityDACSetImageFDLabel,
virSecurityDACGetMountOptions,
}; };

3
src/security/security_driver.c
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (C) 2008 Red Hat, Inc. * Copyright (C) 2008-2012 Red Hat, Inc.
* *
* This library is free software; you can redistribute it and/or * This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public * modify it under the terms of the GNU Lesser General Public
@ -8,6 +8,7 @@
* *
* Authors: * Authors:
* James Morris <jmorris@namei.org> * James Morris <jmorris@namei.org>
* Dan Walsh <dwalsh@redhat.com>
* *
*/ */
#include <config.h> #include <config.h>

4
src/security/security_driver.h
View File

@ -86,6 +86,8 @@ typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr,
typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def, virDomainDefPtr def,
int fd); int fd);
typedef char *(*virSecurityDomainGetMountOptions) (virSecurityManagerPtr mgr,
virDomainDefPtr def);
struct _virSecurityDriver { struct _virSecurityDriver {
size_t privateDataLen; size_t privateDataLen;
@ -123,6 +125,8 @@ struct _virSecurityDriver {
virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel; virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;
virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel; virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
virSecurityDomainGetMountOptions domainGetSecurityMountOptions;
}; };
virSecurityDriverPtr virSecurityDriverLookup(const char *name, virSecurityDriverPtr virSecurityDriverLookup(const char *name,

14
src/security/security_manager.c
View File

@ -149,7 +149,6 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
requireConfined); requireConfined);
} }
void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr) void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr)
{ {
/* This accesses the memory just beyond mgr, which was allocated /* This accesses the memory just beyond mgr, which was allocated
@ -423,3 +422,16 @@ int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1; return -1;
} }
char *virSecurityManagerGetMountOptions(virSecurityManagerPtr mgr,
virDomainDefPtr vm)
{
if (mgr->drv->domainGetSecurityMountOptions)
return mgr->drv->domainGetSecurityMountOptions(mgr, vm);
/*
I don't think this is an error, these should be optional
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
*/
return NULL;
}

3
src/security/security_manager.h
View File

@ -107,5 +107,6 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr,
int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def, virDomainDefPtr def,
int fd); int fd);
char *virSecurityManagerGetMountOptions(virSecurityManagerPtr mgr,
virDomainDefPtr vm);
#endif /* VIR_SECURITY_MANAGER_H__ */ #endif /* VIR_SECURITY_MANAGER_H__ */

7
src/security/security_nop.c
View File

@ -164,6 +164,11 @@ static int virSecurityDomainSetFDLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UN
return 0; return 0;
} }
static char *virSecurityDomainGetMountOptionsNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr vm ATTRIBUTE_UNUSED) {
return NULL;
}
virSecurityDriver virSecurityDriverNop = { virSecurityDriver virSecurityDriverNop = {
0, 0,
"none", "none",
@ -200,4 +205,6 @@ virSecurityDriver virSecurityDriverNop = {
virSecurityDomainRestoreSavedStateLabelNop, virSecurityDomainRestoreSavedStateLabelNop,
virSecurityDomainSetFDLabelNop, virSecurityDomainSetFDLabelNop,
virSecurityDomainGetMountOptionsNop,
}; };

56
src/security/security_selinux.c
View File

@ -1523,6 +1523,60 @@ SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return SELinuxFSetFilecon(fd, secdef->imagelabel); return SELinuxFSetFilecon(fd, secdef->imagelabel);
} }
static char *genImageLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def) {
const virSecurityLabelDefPtr secdef = &def->seclabel;
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
const char *range;
context_t ctx = NULL;
char *label = NULL;
const char *mcs = NULL;
if (secdef->label) {
ctx = context_new(secdef->label);
if (!ctx) {
virReportOOMError();
goto cleanup;
}
range = context_range_get(ctx);
if (range) {
mcs = strdup(range);
if (!mcs) {
virReportOOMError();
goto cleanup;
}
label = SELinuxGenNewContext(data->file_context, mcs);
if (!label) {
virReportOOMError();
goto cleanup;
}
}
}
cleanup:
context_free(ctx);
VIR_FREE(mcs);
return label;
}
static char *SELinuxGetSecurityMountOptions(virSecurityManagerPtr mgr,
virDomainDefPtr def) {
char *opts = NULL;
const virSecurityLabelDefPtr secdef = &def->seclabel;
if (! secdef->imagelabel)
secdef->imagelabel = genImageLabel(mgr,def);
if (secdef->imagelabel) {
virAsprintf(&opts,
",context=\"%s\"",
(const char*) secdef->imagelabel);
}
VIR_DEBUG("SELinuxGetSecurityMountOptions imageLabel %s", secdef->imagelabel);
return opts;
}
virSecurityDriver virSecurityDriverSELinux = { virSecurityDriver virSecurityDriverSELinux = {
sizeof(virSecuritySELinuxData), sizeof(virSecuritySELinuxData),
SECURITY_SELINUX_NAME, SECURITY_SELINUX_NAME,
@ -1559,4 +1613,6 @@ virSecurityDriver virSecurityDriverSELinux = {
SELinuxRestoreSavedStateLabel, SELinuxRestoreSavedStateLabel,
SELinuxSetImageFDLabel, SELinuxSetImageFDLabel,
SELinuxGetSecurityMountOptions,
}; };

6
src/security/security_stack.c
View File

@ -403,6 +403,10 @@ virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
return rc; return rc;
} }
static char *virSecurityStackGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr vm ATTRIBUTE_UNUSED) {
return NULL;
}
virSecurityDriver virSecurityDriverStack = { virSecurityDriver virSecurityDriverStack = {
sizeof(virSecurityStackData), sizeof(virSecurityStackData),
@ -440,4 +444,6 @@ virSecurityDriver virSecurityDriverStack = {
virSecurityStackRestoreSavedStateLabel, virSecurityStackRestoreSavedStateLabel,
virSecurityStackSetImageFDLabel, virSecurityStackSetImageFDLabel,
virSecurityStackGetMountOptions,
}; };