[libvirt] [PATCH 2/2] security: Driver 'none' cannot create confined guests
Jiri Denemark
jdenemar at redhat.com
Wed Feb 8 11:29:55 UTC 2012
On Tue, Feb 07, 2012 at 13:39:17 -0700, Eric Blake wrote:
> On 02/07/2012 01:10 PM, Jiri Denemark wrote:
> > In case the caller specifies that confined guests are required but the
> > security driver turns out to be 'none', we should return an error since
> > this driver clearly cannot meet that requirement. As a result of this
> > error, libvirtd fails to start when the host admin explicitly sets
> > confined guests are required but there is no security driver available.
> >
> > Since security driver 'none' cannot create confined guests, we override
> > default confined setting so that hypervisor drivers do not thing they
>
> s/thing/think/

Oops, I mistakenly pushed this without fixing the typo.

> > should create confined guests.
> > ---
> > src/security/security_manager.c | 20 ++++++++++++++++++++
> > tests/seclabeltest.c | 2 +-
> > 2 files changed, 21 insertions(+), 1 deletions(-)
>
> ACK that this fixes the issue, but I'm wondering whether we should move
> the logic that rejects requireConfig out of security_manager.c and into
> security_nop.c:virSecurityDriverOpenNop(). That is, the special casing
> is a property of the 'none' security manager. Is it worth a v2 patch
> that moves the error messages in that manner?

I went ahead and pushed this version (see my other email for reasons). We can
refactor the whole thing later if we feel like it's a good idea.

Jirka