>From 38d7c5a26e4c12a784619f1ed4fc993d9af82032 Mon Sep 17 00:00:00 2001
|
|
From: Daniel P. Berrange <berrange@redhat.com>
|
|
Date: Tue, 15 Jun 2010 17:44:19 +0100
|
|
Subject: [PATCH 07/10] Security driver params
|
|
|
|
---
|
|
src/qemu/qemu_driver.c | 85 +++++++++++++++++++-----------
|
|
src/qemu/qemu_security_dac.c | 44 +++++++++++-----
|
|
src/qemu/qemu_security_stacked.c | 107 +++++++++++++++++++++++++-------------
|
|
src/security/security_apparmor.c | 57 +++++++++++++-------
|
|
src/security/security_driver.h | 40 ++++++++++----
|
|
src/security/security_selinux.c | 56 +++++++++++++------
|
|
6 files changed, 258 insertions(+), 131 deletions(-)
|
|
|
|
Index: libvirt-0.8.1/src/qemu/qemu_driver.c
|
|
===================================================================
|
|
--- libvirt-0.8.1.orig/src/qemu/qemu_driver.c
|
|
+++ libvirt-0.8.1/src/qemu/qemu_driver.c
|
|
@@ -1245,7 +1245,8 @@ qemuReconnectDomain(void *payload, const
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainReserveSecurityLabel &&
|
|
- driver->securityDriver->domainReserveSecurityLabel(obj) < 0)
|
|
+ driver->securityDriver->domainReserveSecurityLabel(driver->securityDriver,
|
|
+ obj) < 0)
|
|
goto error;
|
|
|
|
if (obj->def->id >= driver->nextvmid)
|
|
@@ -3207,13 +3208,15 @@ static int qemudStartVMDaemon(virConnect
|
|
DEBUG0("Generating domain security label (if required)");
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainGenSecurityLabel &&
|
|
- driver->securityDriver->domainGenSecurityLabel(vm) < 0)
|
|
+ driver->securityDriver->domainGenSecurityLabel(driver->securityDriver,
|
|
+ vm) < 0)
|
|
return -1;
|
|
|
|
DEBUG0("Generating setting domain security labels (if required)");
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainSetSecurityAllLabel &&
|
|
- driver->securityDriver->domainSetSecurityAllLabel(vm) < 0)
|
|
+ driver->securityDriver->domainSetSecurityAllLabel(driver->securityDriver,
|
|
+ vm) < 0)
|
|
goto cleanup;
|
|
|
|
/* Ensure no historical cgroup for this VM is lying around bogus
|
|
@@ -3489,10 +3492,12 @@ cleanup:
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainRestoreSecurityAllLabel)
|
|
- driver->securityDriver->domainRestoreSecurityAllLabel(vm);
|
|
+ driver->securityDriver->domainRestoreSecurityAllLabel(driver->securityDriver,
|
|
+ vm);
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainReleaseSecurityLabel)
|
|
- driver->securityDriver->domainReleaseSecurityLabel(vm);
|
|
+ driver->securityDriver->domainReleaseSecurityLabel(driver->securityDriver,
|
|
+ vm);
|
|
qemuRemoveCgroup(driver, vm, 1);
|
|
if ((vm->def->ngraphics == 1) &&
|
|
vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
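Review bot: The return values of `domainRestoreSecurityAllLabel` and `domainReleaseSecurityLabel` are discarded in this cleanup path, so a failed restore leaves the guest's labels on host resources with nothing in the log. The image and hostdev restore sites elsewhere in this file warn on failure; the same fits here by adding `vm) < 0)` to the condition and following it with `VIR_WARN("Unable to restore security labels for %s", vm->def->name);`. The hunk at -3585 in qemudShutdownVMDaemon has the same two unchecked calls. The enclosing function starts and ends outside the hunk.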
|
|
@@ -3585,10 +3590,12 @@ static void qemudShutdownVMDaemon(struct
|
|
/* Reset Security Labels */
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainRestoreSecurityAllLabel)
|
|
- driver->securityDriver->domainRestoreSecurityAllLabel(vm);
|
|
+ driver->securityDriver->domainRestoreSecurityAllLabel(driver->securityDriver,
|
|
+ vm);
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainReleaseSecurityLabel)
|
|
- driver->securityDriver->domainReleaseSecurityLabel(vm);
|
|
+ driver->securityDriver->domainReleaseSecurityLabel(driver->securityDriver,
|
|
+ vm);
|
|
|
|
/* Clear out dynamically assigned labels */
|
|
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
|
@@ -4991,7 +4998,8 @@ static int qemudDomainSaveFlag(virDomain
|
|
if ((!bypassSecurityDriver) &&
|
|
driver->securityDriver &&
|
|
driver->securityDriver->domainSetSavedStateLabel &&
|
|
- driver->securityDriver->domainSetSavedStateLabel(vm, path) == -1)
|
|
+ driver->securityDriver->domainSetSavedStateLabel(driver->securityDriver,
|
|
+ vm, path) == -1)
|
|
goto endjob;
|
|
|
|
if (header.compressed == QEMUD_SAVE_FORMAT_RAW) {
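Review bot: The saved-state label call here still tests `== -1`, while the other call sites in this patch test `< 0`, including the rewritten `domainGetSecurityProcessLabel` check. A driver that returned any other negative value would be treated as success, and the save would continue without the label applied. Ending the condition with `vm, path) < 0)` here and in the hunks at -5022, -5069, -5304 and -5340 makes the failure test uniform. qemudDomainSaveFlag's body continues outside the hunk.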
|
|
@@ -5022,7 +5030,8 @@ static int qemudDomainSaveFlag(virDomain
|
|
if ((!bypassSecurityDriver) &&
|
|
driver->securityDriver &&
|
|
driver->securityDriver->domainRestoreSavedStateLabel &&
|
|
- driver->securityDriver->domainRestoreSavedStateLabel(vm, path) == -1)
|
|
+ driver->securityDriver->domainRestoreSavedStateLabel(driver->securityDriver,
|
|
+ vm, path) == -1)
|
|
VIR_WARN("failed to restore save state label on %s", path);
|
|
|
|
if (cgroup != NULL) {
|
|
@@ -5069,7 +5078,8 @@ endjob:
|
|
if ((!bypassSecurityDriver) &&
|
|
driver->securityDriver &&
|
|
driver->securityDriver->domainRestoreSavedStateLabel &&
|
|
- driver->securityDriver->domainRestoreSavedStateLabel(vm, path) == -1)
|
|
+ driver->securityDriver->domainRestoreSavedStateLabel(driver->securityDriver,
|
|
+ vm, path) == -1)
|
|
VIR_WARN("failed to restore save state label on %s", path);
|
|
}
|
|
|
|
@@ -5304,7 +5314,8 @@ static int qemudDomainCoreDump(virDomain
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainSetSavedStateLabel &&
|
|
- driver->securityDriver->domainSetSavedStateLabel(vm, path) == -1)
|
|
+ driver->securityDriver->domainSetSavedStateLabel(driver->securityDriver,
|
|
+ vm, path) == -1)
|
|
goto endjob;
|
|
|
|
/* Migrate will always stop the VM, so the resume condition is
|
|
@@ -5340,7 +5351,8 @@ static int qemudDomainCoreDump(virDomain
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainRestoreSavedStateLabel &&
|
|
- driver->securityDriver->domainRestoreSavedStateLabel(vm, path) == -1)
|
|
+ driver->securityDriver->domainRestoreSavedStateLabel(driver->securityDriver,
|
|
+ vm, path) == -1)
|
|
goto endjob;
|
|
|
|
endjob:
|
|
@@ -5724,12 +5736,13 @@ static int qemudDomainGetSecurityLabel(v
|
|
* QEMU monitor hasn't seen SIGHUP/ERR on poll().
|
|
*/
|
|
if (virDomainObjIsActive(vm)) {
|
|
- if (driver->securityDriver && driver->securityDriver->domainGetSecurityProcessLabel) {
|
|
- if (driver->securityDriver->domainGetSecurityProcessLabel(vm, seclabel) == -1) {
|
|
- qemuReportError(VIR_ERR_INTERNAL_ERROR,
|
|
- "%s", _("Failed to get security label"));
|
|
- goto cleanup;
|
|
- }
|
|
+ if (driver->securityDriver &&
|
|
+ driver->securityDriver->domainGetSecurityProcessLabel &&
|
|
+ driver->securityDriver->domainGetSecurityProcessLabel(driver->securityDriver,
|
|
+ vm, seclabel) < 0) {
|
|
+ qemuReportError(VIR_ERR_INTERNAL_ERROR,
|
|
+ "%s", _("Failed to get security label"));
|
|
+ goto cleanup;
|
|
}
|
|
}
|
|
|
|
@@ -6731,7 +6744,8 @@ static int qemudDomainChangeEjectableMed
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainSetSecurityImageLabel &&
|
|
- driver->securityDriver->domainSetSecurityImageLabel(vm, disk) < 0)
|
|
+ driver->securityDriver->domainSetSecurityImageLabel(driver->securityDriver,
|
|
+ vm, disk) < 0)
|
|
return -1;
|
|
|
|
if (!(driveAlias = qemuDeviceDriveHostAlias(origdisk, qemuCmdFlags)))
|
|
@@ -6760,7 +6774,8 @@ static int qemudDomainChangeEjectableMed
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainRestoreSecurityImageLabel &&
|
|
- driver->securityDriver->domainRestoreSecurityImageLabel(vm, origdisk) < 0)
|
|
+ driver->securityDriver->domainRestoreSecurityImageLabel(driver->securityDriver,
|
|
+ vm, origdisk) < 0)
|
|
VIR_WARN("Unable to restore security label on ejected image %s", origdisk->src);
|
|
|
|
VIR_FREE(origdisk->src);
|
|
@@ -6778,7 +6793,8 @@ error:
|
|
VIR_FREE(driveAlias);
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainRestoreSecurityImageLabel &&
|
|
- driver->securityDriver->domainRestoreSecurityImageLabel(vm, disk) < 0)
|
|
+ driver->securityDriver->domainRestoreSecurityImageLabel(driver->securityDriver,
|
|
+ vm, disk) < 0)
|
|
VIR_WARN("Unable to restore security label on new media %s", disk->src);
|
|
return -1;
|
|
}
|
|
@@ -6805,7 +6821,8 @@ static int qemudDomainAttachPciDiskDevic
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainSetSecurityImageLabel &&
|
|
- driver->securityDriver->domainSetSecurityImageLabel(vm, disk) < 0)
|
|
+ driver->securityDriver->domainSetSecurityImageLabel(driver->securityDriver,
|
|
+ vm, disk) < 0)
|
|
return -1;
|
|
|
|
if (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) {
|
|
@@ -6866,7 +6883,8 @@ error:
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainRestoreSecurityImageLabel &&
|
|
- driver->securityDriver->domainRestoreSecurityImageLabel(vm, disk) < 0)
|
|
+ driver->securityDriver->domainRestoreSecurityImageLabel(driver->securityDriver,
|
|
+ vm, disk) < 0)
|
|
VIR_WARN("Unable to restore security label on %s", disk->src);
|
|
|
|
return -1;
|
|
@@ -6998,7 +7016,8 @@ static int qemudDomainAttachSCSIDisk(str
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainSetSecurityImageLabel &&
|
|
- driver->securityDriver->domainSetSecurityImageLabel(vm, disk) < 0)
|
|
+ driver->securityDriver->domainSetSecurityImageLabel(driver->securityDriver,
|
|
+ vm, disk) < 0)
|
|
return -1;
|
|
|
|
/* We should have an address already, so make sure */
|
|
@@ -7080,7 +7099,8 @@ error:
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainRestoreSecurityImageLabel &&
|
|
- driver->securityDriver->domainRestoreSecurityImageLabel(vm, disk) < 0)
|
|
+ driver->securityDriver->domainRestoreSecurityImageLabel(driver->securityDriver,
|
|
+ vm, disk) < 0)
|
|
VIR_WARN("Unable to restore security label on %s", disk->src);
|
|
|
|
return -1;
|
|
@@ -7107,7 +7127,8 @@ static int qemudDomainAttachUsbMassstora
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainSetSecurityImageLabel &&
|
|
- driver->securityDriver->domainSetSecurityImageLabel(vm, disk) < 0)
|
|
+ driver->securityDriver->domainSetSecurityImageLabel(driver->securityDriver,
|
|
+ vm, disk) < 0)
|
|
return -1;
|
|
|
|
if (!disk->src) {
|
|
@@ -7159,7 +7180,8 @@ error:
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainRestoreSecurityImageLabel &&
|
|
- driver->securityDriver->domainRestoreSecurityImageLabel(vm, disk) < 0)
|
|
+ driver->securityDriver->domainRestoreSecurityImageLabel(driver->securityDriver,
|
|
+ vm, disk) < 0)
|
|
VIR_WARN("Unable to restore security label on %s", disk->src);
|
|
|
|
return -1;
|
|
@@ -7503,7 +7525,8 @@ static int qemudDomainAttachHostDevice(s
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainSetSecurityHostdevLabel &&
|
|
- driver->securityDriver->domainSetSecurityHostdevLabel(vm, hostdev) < 0)
|
|
+ driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
|
|
+ vm, hostdev) < 0)
|
|
return -1;
|
|
|
|
switch (hostdev->source.subsys.type) {
|
|
@@ -7531,7 +7554,8 @@ static int qemudDomainAttachHostDevice(s
|
|
error:
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainRestoreSecurityHostdevLabel &&
|
|
- driver->securityDriver->domainRestoreSecurityHostdevLabel(vm, hostdev) < 0)
|
|
+ driver->securityDriver->domainRestoreSecurityHostdevLabel(driver->securityDriver,
|
|
+ vm, hostdev) < 0)
|
|
VIR_WARN0("Unable to restore host device labelling on hotplug fail");
|
|
|
|
return -1;
|
|
@@ -7962,7 +7986,8 @@ static int qemudDomainDetachPciDiskDevic
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainRestoreSecurityImageLabel &&
|
|
- driver->securityDriver->domainRestoreSecurityImageLabel(vm, dev->data.disk) < 0)
|
|
+ driver->securityDriver->domainRestoreSecurityImageLabel(driver->securityDriver,
|
|
+ vm, dev->data.disk) < 0)
|
|
VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
|
|
|
|
ret = 0;
|
|
@@ -8367,7 +8392,8 @@ static int qemudDomainDetachHostDevice(s
|
|
|
|
if (driver->securityDriver &&
|
|
driver->securityDriver->domainRestoreSecurityHostdevLabel &&
|
|
- driver->securityDriver->domainRestoreSecurityHostdevLabel(vm, dev->data.hostdev) < 0)
|
|
+ driver->securityDriver->domainRestoreSecurityHostdevLabel(driver->securityDriver,
|
|
+ vm, dev->data.hostdev) < 0)
|
|
VIR_WARN0("Failed to restore host device labelling");
|
|
|
|
return ret;
|
|
Index: libvirt-0.8.1/src/qemu/qemu_security_dac.c
|
|
===================================================================
|
|
--- libvirt-0.8.1.orig/src/qemu/qemu_security_dac.c
|
|
+++ libvirt-0.8.1/src/qemu/qemu_security_dac.c
|
|
@@ -109,7 +109,8 @@ qemuSecurityDACSetSecurityFileLabel(virD
|
|
|
|
|
|
static int
|
|
-qemuSecurityDACSetSecurityImageLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED,
|
|
+qemuSecurityDACSetSecurityImageLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm ATTRIBUTE_UNUSED,
|
|
virDomainDiskDefPtr disk)
|
|
|
|
{
|
|
@@ -125,7 +126,8 @@ qemuSecurityDACSetSecurityImageLabel(vir
|
|
|
|
|
|
static int
|
|
-qemuSecurityDACRestoreSecurityImageLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED,
|
|
+qemuSecurityDACRestoreSecurityImageLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm ATTRIBUTE_UNUSED,
|
|
virDomainDiskDefPtr disk)
|
|
{
|
|
if (!driver->privileged || !driver->dynamicOwnership)
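Review bot: `drv` is added as ATTRIBUTE_UNUSED while the body still reads `driver->privileged` and `driver->dynamicOwnership` from a variable that is not a parameter, presumably file-scope state. The decision whether to change ownership at all therefore does not yet depend on the driver instance the caller passes in. If that is intended for this step of the series, a comment above the function would say so, e.g. `/* drv is unused for now; DAC settings are still read from the shared 'driver' */`. The same holds for the other DAC callbacks in this file, and for the `driver->securityPrimaryDriver` and `driver->securitySecondaryDriver` lookups in qemu_security_stacked.c. The function body continues outside the hunk.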
|
|
@@ -168,7 +170,8 @@ qemuSecurityDACSetSecurityUSBLabel(usbDe
|
|
|
|
|
|
static int
|
|
-qemuSecurityDACSetSecurityHostdevLabel(virDomainObjPtr vm,
|
|
+qemuSecurityDACSetSecurityHostdevLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
virDomainHostdevDefPtr dev)
|
|
|
|
{
|
|
@@ -237,7 +240,8 @@ qemuSecurityDACRestoreSecurityUSBLabel(u
|
|
|
|
|
|
static int
|
|
-qemuSecurityDACRestoreSecurityHostdevLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED,
|
|
+qemuSecurityDACRestoreSecurityHostdevLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm ATTRIBUTE_UNUSED,
|
|
virDomainHostdevDefPtr dev)
|
|
|
|
{
|
|
@@ -289,7 +293,8 @@ done:
|
|
|
|
|
|
static int
|
|
-qemuSecurityDACRestoreSecurityAllLabel(virDomainObjPtr vm)
|
|
+qemuSecurityDACRestoreSecurityAllLabel(virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
int i;
|
|
int rc = 0;
|
|
@@ -300,12 +305,14 @@ qemuSecurityDACRestoreSecurityAllLabel(v
|
|
VIR_DEBUG("Restoring security label on %s", vm->def->name);
|
|
|
|
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
|
|
- if (qemuSecurityDACRestoreSecurityHostdevLabel(vm,
|
|
+ if (qemuSecurityDACRestoreSecurityHostdevLabel(drv,
|
|
+ vm,
|
|
vm->def->hostdevs[i]) < 0)
|
|
rc = -1;
|
|
}
|
|
for (i = 0 ; i < vm->def->ndisks ; i++) {
|
|
- if (qemuSecurityDACRestoreSecurityImageLabel(vm,
|
|
+ if (qemuSecurityDACRestoreSecurityImageLabel(drv,
|
|
+ vm,
|
|
vm->def->disks[i]) < 0)
|
|
rc = -1;
|
|
}
|
|
@@ -323,7 +330,8 @@ qemuSecurityDACRestoreSecurityAllLabel(v
|
|
|
|
|
|
static int
|
|
-qemuSecurityDACSetSecurityAllLabel(virDomainObjPtr vm)
|
|
+qemuSecurityDACSetSecurityAllLabel(virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
int i;
|
|
|
|
@@ -334,11 +342,15 @@ qemuSecurityDACSetSecurityAllLabel(virDo
|
|
/* XXX fixme - we need to recursively label the entriy tree :-( */
|
|
if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR)
|
|
continue;
|
|
- if (qemuSecurityDACSetSecurityImageLabel(vm, vm->def->disks[i]) < 0)
|
|
+ if (qemuSecurityDACSetSecurityImageLabel(drv,
|
|
+ vm,
|
|
+ vm->def->disks[i]) < 0)
|
|
return -1;
|
|
}
|
|
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
|
|
- if (qemuSecurityDACSetSecurityHostdevLabel(vm, vm->def->hostdevs[i]) < 0)
|
|
+ if (qemuSecurityDACSetSecurityHostdevLabel(drv,
|
|
+ vm,
|
|
+ vm->def->hostdevs[i]) < 0)
|
|
return -1;
|
|
}
|
|
|
|
@@ -359,7 +371,8 @@ qemuSecurityDACSetSecurityAllLabel(virDo
|
|
|
|
|
|
static int
|
|
-qemuSecurityDACSetSavedStateLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED,
|
|
+qemuSecurityDACSetSavedStateLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm ATTRIBUTE_UNUSED,
|
|
const char *savefile)
|
|
{
|
|
if (!driver->privileged || !driver->dynamicOwnership)
|
|
@@ -370,7 +383,8 @@ qemuSecurityDACSetSavedStateLabel(virDom
|
|
|
|
|
|
static int
|
|
-qemuSecurityDACRestoreSavedStateLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED,
|
|
+qemuSecurityDACRestoreSavedStateLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm ATTRIBUTE_UNUSED,
|
|
const char *savefile)
|
|
{
|
|
if (!driver->privileged || !driver->dynamicOwnership)
|
|
Index: libvirt-0.8.1/src/qemu/qemu_security_stacked.c
|
|
===================================================================
|
|
--- libvirt-0.8.1.orig/src/qemu/qemu_security_stacked.c
|
|
+++ libvirt-0.8.1/src/qemu/qemu_security_stacked.c
|
|
@@ -57,18 +57,21 @@ qemuSecurityStackedVerify(virDomainDefPt
|
|
|
|
|
|
static int
|
|
-qemuSecurityStackedGenLabel(virDomainObjPtr vm)
|
|
+qemuSecurityStackedGenLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
int rc = 0;
|
|
|
|
if (driver->securitySecondaryDriver &&
|
|
driver->securitySecondaryDriver->domainGenSecurityLabel &&
|
|
- driver->securitySecondaryDriver->domainGenSecurityLabel(vm) < 0)
|
|
+ driver->securitySecondaryDriver->domainGenSecurityLabel(driver->securitySecondaryDriver,
|
|
+ vm) < 0)
|
|
rc = -1;
|
|
|
|
if (driver->securityPrimaryDriver &&
|
|
driver->securityPrimaryDriver->domainGenSecurityLabel &&
|
|
- driver->securityPrimaryDriver->domainGenSecurityLabel(vm) < 0)
|
|
+ driver->securityPrimaryDriver->domainGenSecurityLabel(driver->securityPrimaryDriver,
|
|
+ vm) < 0)
|
|
rc = -1;
|
|
|
|
return rc;
|
|
@@ -76,18 +79,21 @@ qemuSecurityStackedGenLabel(virDomainObj
|
|
|
|
|
|
static int
|
|
-qemuSecurityStackedReleaseLabel(virDomainObjPtr vm)
|
|
+qemuSecurityStackedReleaseLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
int rc = 0;
|
|
|
|
if (driver->securitySecondaryDriver &&
|
|
driver->securitySecondaryDriver->domainReleaseSecurityLabel &&
|
|
- driver->securitySecondaryDriver->domainReleaseSecurityLabel(vm) < 0)
|
|
+ driver->securitySecondaryDriver->domainReleaseSecurityLabel(driver->securitySecondaryDriver,
|
|
+ vm) < 0)
|
|
rc = -1;
|
|
|
|
if (driver->securityPrimaryDriver &&
|
|
driver->securityPrimaryDriver->domainReleaseSecurityLabel &&
|
|
- driver->securityPrimaryDriver->domainReleaseSecurityLabel(vm) < 0)
|
|
+ driver->securityPrimaryDriver->domainReleaseSecurityLabel(driver->securityPrimaryDriver,
|
|
+ vm) < 0)
|
|
rc = -1;
|
|
|
|
return rc;
|
|
@@ -95,18 +101,21 @@ qemuSecurityStackedReleaseLabel(virDomai
|
|
|
|
|
|
static int
|
|
-qemuSecurityStackedReserveLabel(virDomainObjPtr vm)
|
|
+qemuSecurityStackedReserveLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
int rc = 0;
|
|
|
|
if (driver->securitySecondaryDriver &&
|
|
driver->securitySecondaryDriver->domainReserveSecurityLabel &&
|
|
- driver->securitySecondaryDriver->domainReserveSecurityLabel(vm) < 0)
|
|
+ driver->securitySecondaryDriver->domainReserveSecurityLabel(driver->securitySecondaryDriver,
|
|
+ vm) < 0)
|
|
rc = -1;
|
|
|
|
if (driver->securityPrimaryDriver &&
|
|
driver->securityPrimaryDriver->domainReserveSecurityLabel &&
|
|
- driver->securityPrimaryDriver->domainReserveSecurityLabel(vm) < 0)
|
|
+ driver->securityPrimaryDriver->domainReserveSecurityLabel(driver->securityPrimaryDriver,
|
|
+ vm) < 0)
|
|
rc = -1;
|
|
|
|
return rc;
|
|
@@ -114,19 +123,22 @@ qemuSecurityStackedReserveLabel(virDomai
|
|
|
|
|
|
static int
|
|
-qemuSecurityStackedSetSecurityImageLabel(virDomainObjPtr vm,
|
|
+qemuSecurityStackedSetSecurityImageLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
virDomainDiskDefPtr disk)
|
|
{
|
|
int rc = 0;
|
|
|
|
if (driver->securitySecondaryDriver &&
|
|
driver->securitySecondaryDriver->domainSetSecurityImageLabel &&
|
|
- driver->securitySecondaryDriver->domainSetSecurityImageLabel(vm, disk) < 0)
|
|
+ driver->securitySecondaryDriver->domainSetSecurityImageLabel(driver->securitySecondaryDriver,
|
|
+ vm, disk) < 0)
|
|
rc = -1;
|
|
|
|
if (driver->securityPrimaryDriver &&
|
|
driver->securityPrimaryDriver->domainSetSecurityImageLabel &&
|
|
- driver->securityPrimaryDriver->domainSetSecurityImageLabel(vm, disk) < 0)
|
|
+ driver->securityPrimaryDriver->domainSetSecurityImageLabel(driver->securityPrimaryDriver,
|
|
+ vm, disk) < 0)
|
|
rc = -1;
|
|
|
|
return rc;
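Review bot: This setter always invokes both drivers and reports only a combined -1, so a failure in one can leave the other's label applied to the image. The hotplug callers in qemu_driver.c shown in this patch `return -1` straight after a failed `domainSetSecurityImageLabel` without calling the restore callback, so that label appears to stay in place. A contract comment above the function would make the obligation visible, e.g. `/* Both drivers are always invoked; on -1 the caller must restore the image label */`. The hostdev and saved-state setters in this file have the same shape. The function's closing brace is outside the hunk.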
|
|
@@ -134,19 +146,22 @@ qemuSecurityStackedSetSecurityImageLabel
|
|
|
|
|
|
static int
|
|
-qemuSecurityStackedRestoreSecurityImageLabel(virDomainObjPtr vm,
|
|
+qemuSecurityStackedRestoreSecurityImageLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
virDomainDiskDefPtr disk)
|
|
{
|
|
int rc = 0;
|
|
|
|
if (driver->securitySecondaryDriver &&
|
|
driver->securitySecondaryDriver->domainRestoreSecurityImageLabel &&
|
|
- driver->securitySecondaryDriver->domainRestoreSecurityImageLabel(vm, disk) < 0)
|
|
+ driver->securitySecondaryDriver->domainRestoreSecurityImageLabel(driver->securitySecondaryDriver,
|
|
+ vm, disk) < 0)
|
|
rc = -1;
|
|
|
|
if (driver->securityPrimaryDriver &&
|
|
driver->securityPrimaryDriver->domainRestoreSecurityImageLabel &&
|
|
- driver->securityPrimaryDriver->domainRestoreSecurityImageLabel(vm, disk) < 0)
|
|
+ driver->securityPrimaryDriver->domainRestoreSecurityImageLabel(driver->securityPrimaryDriver,
|
|
+ vm, disk) < 0)
|
|
rc = -1;
|
|
|
|
return rc;
|
|
@@ -154,7 +169,8 @@ qemuSecurityStackedRestoreSecurityImageL
|
|
|
|
|
|
static int
|
|
-qemuSecurityStackedSetSecurityHostdevLabel(virDomainObjPtr vm,
|
|
+qemuSecurityStackedSetSecurityHostdevLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
virDomainHostdevDefPtr dev)
|
|
|
|
{
|
|
@@ -162,12 +178,14 @@ qemuSecurityStackedSetSecurityHostdevLab
|
|
|
|
if (driver->securitySecondaryDriver &&
|
|
driver->securitySecondaryDriver->domainSetSecurityHostdevLabel &&
|
|
- driver->securitySecondaryDriver->domainSetSecurityHostdevLabel(vm, dev) < 0)
|
|
+ driver->securitySecondaryDriver->domainSetSecurityHostdevLabel(driver->securitySecondaryDriver,
|
|
+ vm, dev) < 0)
|
|
rc = -1;
|
|
|
|
if (driver->securityPrimaryDriver &&
|
|
driver->securityPrimaryDriver->domainSetSecurityHostdevLabel &&
|
|
- driver->securityPrimaryDriver->domainSetSecurityHostdevLabel(vm, dev) < 0)
|
|
+ driver->securityPrimaryDriver->domainSetSecurityHostdevLabel(driver->securityPrimaryDriver,
|
|
+ vm, dev) < 0)
|
|
rc = -1;
|
|
|
|
return rc;
|
|
@@ -175,20 +193,22 @@ qemuSecurityStackedSetSecurityHostdevLab
|
|
|
|
|
|
static int
|
|
-qemuSecurityStackedRestoreSecurityHostdevLabel(virDomainObjPtr vm,
|
|
+qemuSecurityStackedRestoreSecurityHostdevLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
virDomainHostdevDefPtr dev)
|
|
-
|
|
{
|
|
int rc = 0;
|
|
|
|
if (driver->securitySecondaryDriver &&
|
|
driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel &&
|
|
- driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel(vm, dev) < 0)
|
|
+ driver->securitySecondaryDriver->domainRestoreSecurityHostdevLabel(driver->securitySecondaryDriver,
|
|
+ vm, dev) < 0)
|
|
rc = -1;
|
|
|
|
if (driver->securityPrimaryDriver &&
|
|
driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel &&
|
|
- driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel(vm, dev) < 0)
|
|
+ driver->securityPrimaryDriver->domainRestoreSecurityHostdevLabel(driver->securityPrimaryDriver,
|
|
+ vm, dev) < 0)
|
|
rc = -1;
|
|
|
|
return rc;
|
|
@@ -196,18 +216,21 @@ qemuSecurityStackedRestoreSecurityHostde
|
|
|
|
|
|
static int
|
|
-qemuSecurityStackedSetSecurityAllLabel(virDomainObjPtr vm)
|
|
+qemuSecurityStackedSetSecurityAllLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
int rc = 0;
|
|
|
|
if (driver->securitySecondaryDriver &&
|
|
driver->securitySecondaryDriver->domainSetSecurityAllLabel &&
|
|
- driver->securitySecondaryDriver->domainSetSecurityAllLabel(vm) < 0)
|
|
+ driver->securitySecondaryDriver->domainSetSecurityAllLabel(driver->securitySecondaryDriver,
|
|
+ vm) < 0)
|
|
rc = -1;
|
|
|
|
if (driver->securityPrimaryDriver &&
|
|
driver->securityPrimaryDriver->domainSetSecurityAllLabel &&
|
|
- driver->securityPrimaryDriver->domainSetSecurityAllLabel(vm) < 0)
|
|
+ driver->securityPrimaryDriver->domainSetSecurityAllLabel(driver->securityPrimaryDriver,
|
|
+ vm) < 0)
|
|
rc = -1;
|
|
|
|
return rc;
|
|
@@ -215,18 +238,21 @@ qemuSecurityStackedSetSecurityAllLabel(v
|
|
|
|
|
|
static int
|
|
-qemuSecurityStackedRestoreSecurityAllLabel(virDomainObjPtr vm)
|
|
+qemuSecurityStackedRestoreSecurityAllLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
int rc = 0;
|
|
|
|
if (driver->securitySecondaryDriver &&
|
|
driver->securitySecondaryDriver->domainRestoreSecurityAllLabel &&
|
|
- driver->securitySecondaryDriver->domainRestoreSecurityAllLabel(vm) < 0)
|
|
+ driver->securitySecondaryDriver->domainRestoreSecurityAllLabel(driver->securitySecondaryDriver,
|
|
+ vm) < 0)
|
|
rc = -1;
|
|
|
|
if (driver->securityPrimaryDriver &&
|
|
driver->securityPrimaryDriver->domainRestoreSecurityAllLabel &&
|
|
- driver->securityPrimaryDriver->domainRestoreSecurityAllLabel(vm) < 0)
|
|
+ driver->securityPrimaryDriver->domainRestoreSecurityAllLabel(driver->securityPrimaryDriver,
|
|
+ vm) < 0)
|
|
rc = -1;
|
|
|
|
return rc;
|
|
@@ -234,19 +260,22 @@ qemuSecurityStackedRestoreSecurityAllLab
|
|
|
|
|
|
static int
|
|
-qemuSecurityStackedSetSavedStateLabel(virDomainObjPtr vm,
|
|
+qemuSecurityStackedSetSavedStateLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
const char *savefile)
|
|
{
|
|
int rc = 0;
|
|
|
|
if (driver->securitySecondaryDriver &&
|
|
driver->securitySecondaryDriver->domainSetSavedStateLabel &&
|
|
- driver->securitySecondaryDriver->domainSetSavedStateLabel(vm, savefile) < 0)
|
|
+ driver->securitySecondaryDriver->domainSetSavedStateLabel(driver->securitySecondaryDriver,
|
|
+ vm, savefile) < 0)
|
|
rc = -1;
|
|
|
|
if (driver->securityPrimaryDriver &&
|
|
driver->securityPrimaryDriver->domainSetSavedStateLabel &&
|
|
- driver->securityPrimaryDriver->domainSetSavedStateLabel(vm, savefile) < 0)
|
|
+ driver->securityPrimaryDriver->domainSetSavedStateLabel(driver->securityPrimaryDriver,
|
|
+ vm, savefile) < 0)
|
|
rc = -1;
|
|
|
|
return rc;
|
|
@@ -254,19 +283,22 @@ qemuSecurityStackedSetSavedStateLabel(vi
|
|
|
|
|
|
static int
|
|
-qemuSecurityStackedRestoreSavedStateLabel(virDomainObjPtr vm,
|
|
+qemuSecurityStackedRestoreSavedStateLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
const char *savefile)
|
|
{
|
|
int rc = 0;
|
|
|
|
if (driver->securitySecondaryDriver &&
|
|
driver->securitySecondaryDriver->domainRestoreSavedStateLabel &&
|
|
- driver->securitySecondaryDriver->domainRestoreSavedStateLabel(vm, savefile) < 0)
|
|
+ driver->securitySecondaryDriver->domainRestoreSavedStateLabel(driver->securitySecondaryDriver,
|
|
+ vm, savefile) < 0)
|
|
rc = -1;
|
|
|
|
if (driver->securityPrimaryDriver &&
|
|
driver->securityPrimaryDriver->domainRestoreSavedStateLabel &&
|
|
- driver->securityPrimaryDriver->domainRestoreSavedStateLabel(vm, savefile) < 0)
|
|
+ driver->securityPrimaryDriver->domainRestoreSavedStateLabel(driver->securityPrimaryDriver,
|
|
+ vm, savefile) < 0)
|
|
rc = -1;
|
|
|
|
return rc;
|
|
@@ -295,14 +327,16 @@ qemuSecurityStackedSetProcessLabel(virSe
|
|
}
|
|
|
|
static int
|
|
-qemuSecurityStackedGetProcessLabel(virDomainObjPtr vm,
|
|
+qemuSecurityStackedGetProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
virSecurityLabelPtr seclabel)
|
|
{
|
|
int rc = 0;
|
|
|
|
if (driver->securityPrimaryDriver &&
|
|
driver->securityPrimaryDriver->domainGetSecurityProcessLabel &&
|
|
- driver->securityPrimaryDriver->domainGetSecurityProcessLabel(vm,
|
|
+ driver->securityPrimaryDriver->domainGetSecurityProcessLabel(driver->securityPrimaryDriver,
|
|
+ vm,
|
|
seclabel) < 0)
|
|
rc = -1;
|
|
|
|
Index: libvirt-0.8.1/src/security/security_apparmor.c
|
|
===================================================================
|
|
--- libvirt-0.8.1.orig/src/security/security_apparmor.c
|
|
+++ libvirt-0.8.1/src/security/security_apparmor.c
|
|
@@ -148,7 +148,8 @@ profile_status_file(const char *str)
|
|
* load (add) a profile. Will create one if necessary
|
|
*/
|
|
static int
|
|
-load_profile(const char *profile, virDomainObjPtr vm,
|
|
+load_profile(virSecurityDriverPtr drv,
|
|
+ const char *profile, virDomainObjPtr vm,
|
|
virDomainDiskDefPtr disk)
|
|
{
|
|
int rc = -1, status, ret;
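Review bot: `load_profile` gains a `drv` parameter without ATTRIBUTE_UNUSED, yet no hunk in this file touches its body, so the parameter looks unused in this patch. The other callbacks in this file that do not use `drv` are annotated. Either annotate it as `load_profile(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,` or add a short comment naming the later change that consumes it. The body of load_profile continues outside the hunk.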
|
|
@@ -323,7 +324,8 @@ AppArmorSecurityDriverOpen(virSecurityDr
|
|
* called on shutdown.
|
|
*/
|
|
static int
|
|
-AppArmorGenSecurityLabel(virDomainObjPtr vm)
|
|
+AppArmorGenSecurityLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
int rc = -1;
|
|
char *profile_name = NULL;
|
|
@@ -377,14 +379,15 @@ AppArmorGenSecurityLabel(virDomainObjPtr
|
|
}
|
|
|
|
static int
|
|
-AppArmorSetSecurityAllLabel(virDomainObjPtr vm)
|
|
+AppArmorSetSecurityAllLabel(virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
|
|
return 0;
|
|
|
|
/* if the profile is not already loaded, then load one */
|
|
if (profile_loaded(vm->def->seclabel.label) < 0) {
|
|
- if (load_profile(vm->def->seclabel.label, vm, NULL) < 0) {
|
|
+ if (load_profile(drv, vm->def->seclabel.label, vm, NULL) < 0) {
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
|
_("cannot generate AppArmor profile "
|
|
"\'%s\'"), vm->def->seclabel.label);
|
|
@@ -399,7 +402,9 @@ AppArmorSetSecurityAllLabel(virDomainObj
|
|
* running.
|
|
*/
|
|
static int
|
|
-AppArmorGetSecurityProcessLabel(virDomainObjPtr vm, virSecurityLabelPtr sec)
|
|
+AppArmorGetSecurityProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
+ virSecurityLabelPtr sec)
|
|
{
|
|
int rc = -1;
|
|
char *profile_name = NULL;
|
|
@@ -431,7 +436,8 @@ AppArmorGetSecurityProcessLabel(virDomai
|
|
* more details. Currently called via qemudShutdownVMDaemon.
|
|
*/
|
|
static int
|
|
-AppArmorReleaseSecurityLabel(virDomainObjPtr vm)
|
|
+AppArmorReleaseSecurityLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
@@ -444,7 +450,8 @@ AppArmorReleaseSecurityLabel(virDomainOb
|
|
|
|
|
|
static int
|
|
-AppArmorRestoreSecurityAllLabel(virDomainObjPtr vm)
|
|
+AppArmorRestoreSecurityAllLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
int rc = 0;
|
|
@@ -498,7 +505,8 @@ AppArmorSetSecurityProcessLabel(virSecur
|
|
|
|
/* Called when hotplugging */
|
|
static int
|
|
-AppArmorRestoreSecurityImageLabel(virDomainObjPtr vm,
|
|
+AppArmorRestoreSecurityImageLabel(virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm,
|
|
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
|
|
{
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
@@ -513,7 +521,7 @@ AppArmorRestoreSecurityImageLabel(virDom
|
|
|
|
/* Update the profile only if it is loaded */
|
|
if (profile_loaded(secdef->imagelabel) >= 0) {
|
|
- if (load_profile(secdef->imagelabel, vm, NULL) < 0) {
|
|
+ if (load_profile(drv, secdef->imagelabel, vm, NULL) < 0) {
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
|
_("cannot update AppArmor profile "
|
|
"\'%s\'"),
|
|
@@ -531,7 +539,8 @@ AppArmorRestoreSecurityImageLabel(virDom
|
|
|
|
/* Called when hotplugging */
|
|
static int
|
|
-AppArmorSetSecurityImageLabel(virDomainObjPtr vm, virDomainDiskDefPtr disk)
|
|
+AppArmorSetSecurityImageLabel(virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm, virDomainDiskDefPtr disk)
|
|
{
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
int rc = -1;
|
|
@@ -556,7 +565,7 @@ AppArmorSetSecurityImageLabel(virDomainO
|
|
|
|
/* update the profile only if it is loaded */
|
|
if (profile_loaded(secdef->imagelabel) >= 0) {
|
|
- if (load_profile(secdef->imagelabel, vm, disk) < 0) {
|
|
+ if (load_profile(drv, secdef->imagelabel, vm, disk) < 0) {
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
|
_("cannot update AppArmor profile "
|
|
"\'%s\'"),
|
|
@@ -590,14 +599,16 @@ AppArmorSecurityVerify(virDomainDefPtr d
|
|
}
|
|
|
|
static int
|
|
-AppArmorReserveSecurityLabel(virDomainObjPtr vm ATTRIBUTE_UNUSED)
|
|
+AppArmorReserveSecurityLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm ATTRIBUTE_UNUSED)
|
|
{
|
|
/* NOOP. Nothing to reserve with AppArmor */
|
|
return 0;
|
|
}
|
|
|
|
static int
|
|
-AppArmorSetSecurityHostdevLabel(virDomainObjPtr vm,
|
|
+AppArmorSetSecurityHostdevLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
|
|
|
|
{
|
|
@@ -611,7 +622,8 @@ AppArmorSetSecurityHostdevLabel(virDomai
|
|
}
|
|
|
|
static int
|
|
-AppArmorRestoreSecurityHostdevLabel(virDomainObjPtr vm,
|
|
+AppArmorRestoreSecurityHostdevLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
|
|
|
|
{
|
|
Index: libvirt-0.8.1/src/security/security_driver.h
|
|
===================================================================
|
|
--- libvirt-0.8.1.orig/src/security/security_driver.h
|
|
+++ libvirt-0.8.1/src/security/security_driver.h
|
|
@@ -28,26 +28,42 @@ typedef enum {
|
|
|
|
typedef struct _virSecurityDriver virSecurityDriver;
|
|
typedef virSecurityDriver *virSecurityDriverPtr;
|
|
+
|
|
+typedef struct _virSecurityDriverState virSecurityDriverState;
|
|
+typedef virSecurityDriverState *virSecurityDriverStatePtr;
|
|
+
|
|
typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void);
|
|
typedef int (*virSecurityDriverOpen) (virSecurityDriverPtr drv);
|
|
-typedef int (*virSecurityDomainRestoreImageLabel) (virDomainObjPtr vm,
|
|
+typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm,
|
|
virDomainDiskDefPtr disk);
|
|
-typedef int (*virSecurityDomainSetImageLabel) (virDomainObjPtr vm,
|
|
+typedef int (*virSecurityDomainSetImageLabel) (virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm,
|
|
virDomainDiskDefPtr disk);
|
|
-typedef int (*virSecurityDomainRestoreHostdevLabel) (virDomainObjPtr vm,
|
|
+typedef int (*virSecurityDomainRestoreHostdevLabel) (virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm,
|
|
virDomainHostdevDefPtr dev);
|
|
-typedef int (*virSecurityDomainSetHostdevLabel) (virDomainObjPtr vm,
|
|
+typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm,
|
|
virDomainHostdevDefPtr dev);
|
|
-typedef int (*virSecurityDomainSetSavedStateLabel) (virDomainObjPtr vm,
|
|
+typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm,
|
|
const char *savefile);
|
|
-typedef int (*virSecurityDomainRestoreSavedStateLabel) (virDomainObjPtr vm,
|
|
+typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm,
|
|
const char *savefile);
|
|
-typedef int (*virSecurityDomainGenLabel) (virDomainObjPtr sec);
|
|
-typedef int (*virSecurityDomainReserveLabel) (virDomainObjPtr sec);
|
|
-typedef int (*virSecurityDomainReleaseLabel) (virDomainObjPtr sec);
|
|
-typedef int (*virSecurityDomainSetAllLabel) (virDomainObjPtr sec);
|
|
-typedef int (*virSecurityDomainRestoreAllLabel) (virDomainObjPtr vm);
|
|
-typedef int (*virSecurityDomainGetProcessLabel) (virDomainObjPtr vm,
|
|
+typedef int (*virSecurityDomainGenLabel) (virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr sec);
|
|
+typedef int (*virSecurityDomainReserveLabel) (virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr sec);
|
|
+typedef int (*virSecurityDomainReleaseLabel) (virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr sec);
|
|
+typedef int (*virSecurityDomainSetAllLabel) (virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr sec);
|
|
+typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm);
|
|
+typedef int (*virSecurityDomainGetProcessLabel) (virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm,
|
|
virSecurityLabelPtr sec);
|
|
typedef int (*virSecurityDomainSetProcessLabel) (virSecurityDriverPtr drv,
|
|
virDomainObjPtr vm);
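Review bot: The rewritten typedefs for virSecurityDomainGenLabel, virSecurityDomainReserveLabel, virSecurityDomainReleaseLabel and virSecurityDomainSetAllLabel still name the virDomainObjPtr argument `sec`, while every other callback in this hunk calls it `vm`; since these lines are being rewritten anyway, ending each with `virDomainObjPtr vm);` would make the callback table uniform. Every callback also gains a `drv` argument with nothing saying what callers must pass, so a comment above the typedefs would help, for example `/* drv: the driver instance whose callback is being invoked; callers pass the pointer they looked the callback up on */`. That wording is inferred from the qemu_driver.c call sites earlier in the patch and should be confirmed against the stacked driver, which is not visible here. The new virSecurityDriverState typedef is only forward-declared in this hunk, so a one-line comment naming where the struct is defined and who owns it would help readers of the header.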
|
|
Index: libvirt-0.8.1/src/security/security_selinux.c
|
|
===================================================================
|
|
--- libvirt-0.8.1.orig/src/security/security_selinux.c
|
|
+++ libvirt-0.8.1/src/security/security_selinux.c
|
|
@@ -156,7 +156,8 @@ SELinuxInitialize(void)
|
|
}
|
|
|
|
static int
|
|
-SELinuxGenSecurityLabel(virDomainObjPtr vm)
|
|
+SELinuxGenSecurityLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
int rc = -1;
|
|
char mcs[1024];
|
|
@@ -220,7 +221,8 @@ done:
|
|
}
|
|
|
|
static int
|
|
-SELinuxReserveSecurityLabel(virDomainObjPtr vm)
|
|
+SELinuxReserveSecurityLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
security_context_t pctx;
|
|
context_t ctx = NULL;
|
|
@@ -275,7 +277,8 @@ SELinuxSecurityDriverOpen(virSecurityDri
|
|
}
|
|
|
|
static int
|
|
-SELinuxGetSecurityProcessLabel(virDomainObjPtr vm,
|
|
+SELinuxGetSecurityProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
virSecurityLabelPtr sec)
|
|
{
|
|
security_context_t ctx;
|
|
@@ -385,7 +388,8 @@ err:
|
|
}
|
|
|
|
static int
|
|
-SELinuxRestoreSecurityImageLabel(virDomainObjPtr vm,
|
|
+SELinuxRestoreSecurityImageLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
virDomainDiskDefPtr disk)
|
|
{
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
@@ -434,7 +438,8 @@ SELinuxSetSecurityFileLabel(virDomainDis
|
|
}
|
|
|
|
static int
|
|
-SELinuxSetSecurityImageLabel(virDomainObjPtr vm,
|
|
+SELinuxSetSecurityImageLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
virDomainDiskDefPtr disk)
|
|
|
|
{
|
|
@@ -472,7 +477,8 @@ SELinuxSetSecurityUSBLabel(usbDevice *de
|
|
}
|
|
|
|
static int
|
|
-SELinuxSetSecurityHostdevLabel(virDomainObjPtr vm,
|
|
+SELinuxSetSecurityHostdevLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
virDomainHostdevDefPtr dev)
|
|
|
|
{
|
|
@@ -540,7 +546,8 @@ SELinuxRestoreSecurityUSBLabel(usbDevice
|
|
}
|
|
|
|
static int
|
|
-SELinuxRestoreSecurityHostdevLabel(virDomainObjPtr vm,
|
|
+SELinuxRestoreSecurityHostdevLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
virDomainHostdevDefPtr dev)
|
|
|
|
{
|
|
@@ -592,7 +599,8 @@ done:
|
|
}
|
|
|
|
static int
|
|
-SELinuxRestoreSecurityAllLabel(virDomainObjPtr vm)
|
|
+SELinuxRestoreSecurityAllLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
int i;
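Review bot: `drv` is marked ATTRIBUTE_UNUSED in the new SELinuxRestoreSecurityAllLabel signature, but the next hunk passes it to both SELinuxRestoreSecurityHostdevLabel and SELinuxRestoreSecurityImageLabel, so the annotation is wrong for this function. SELinuxSetSecurityAllLabel, changed the same way later in the patch, declares the parameter plainly, and this signature should match it: `SELinuxRestoreSecurityAllLabel(virSecurityDriverPtr drv,`. Assuming ATTRIBUTE_UNUSED expands to the usual compiler "unused" attribute, behaviour is unaffected, but a stale annotation misleads a reader auditing which label callbacks actually depend on driver state. The function body continues outside this hunk.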
|
|
@@ -604,11 +612,14 @@ SELinuxRestoreSecurityAllLabel(virDomain
|
|
return 0;
|
|
|
|
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
|
|
- if (SELinuxRestoreSecurityHostdevLabel(vm, vm->def->hostdevs[i]) < 0)
|
|
+ if (SELinuxRestoreSecurityHostdevLabel(drv,
|
|
+ vm,
|
|
+ vm->def->hostdevs[i]) < 0)
|
|
rc = -1;
|
|
}
|
|
for (i = 0 ; i < vm->def->ndisks ; i++) {
|
|
- if (SELinuxRestoreSecurityImageLabel(vm,
|
|
+ if (SELinuxRestoreSecurityImageLabel(drv,
|
|
+ vm,
|
|
vm->def->disks[i]) < 0)
|
|
rc = -1;
|
|
}
|
|
@@ -625,7 +636,8 @@ SELinuxRestoreSecurityAllLabel(virDomain
|
|
}
|
|
|
|
static int
|
|
-SELinuxReleaseSecurityLabel(virDomainObjPtr vm)
|
|
+SELinuxReleaseSecurityLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
@@ -648,7 +660,8 @@ SELinuxReleaseSecurityLabel(virDomainObj
|
|
|
|
|
|
static int
|
|
-SELinuxSetSavedStateLabel(virDomainObjPtr vm,
|
|
+SELinuxSetSavedStateLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
const char *savefile)
|
|
{
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
@@ -661,7 +674,8 @@ SELinuxSetSavedStateLabel(virDomainObjPt
|
|
|
|
|
|
static int
|
|
-SELinuxRestoreSavedStateLabel(virDomainObjPtr vm,
|
|
+SELinuxRestoreSavedStateLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
|
|
+ virDomainObjPtr vm,
|
|
const char *savefile)
|
|
{
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
@@ -719,7 +733,8 @@ SELinuxSetSecurityProcessLabel(virSecuri
|
|
}
|
|
|
|
static int
|
|
-SELinuxSetSecurityAllLabel(virDomainObjPtr vm)
|
|
+SELinuxSetSecurityAllLabel(virSecurityDriverPtr drv,
|
|
+ virDomainObjPtr vm)
|
|
{
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
int i;
|
|
@@ -734,11 +749,14 @@ SELinuxSetSecurityAllLabel(virDomainObjP
|
|
vm->def->disks[i]->src, vm->def->disks[i]->dst);
|
|
continue;
|
|
}
|
|
- if (SELinuxSetSecurityImageLabel(vm, vm->def->disks[i]) < 0)
|
|
+ if (SELinuxSetSecurityImageLabel(drv,
|
|
+ vm, vm->def->disks[i]) < 0)
|
|
return -1;
|
|
}
|
|
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
|
|
- if (SELinuxSetSecurityHostdevLabel(vm, vm->def->hostdevs[i]) < 0)
|
|
+ if (SELinuxSetSecurityHostdevLabel(drv,
|
|
+ vm,
|
|
+ vm->def->hostdevs[i]) < 0)
|
|
return -1;
|
|
}
|
|
|