[libvirt] [PATCH 4/6] Support relabelling of USB and PCI devices

Daniel P. Berrange berrange at redhat.com
Thu Sep 3 12:12:19 UTC 2009


On Thu, Sep 03, 2009 at 01:04:30PM +0100, Mark McLoughlin wrote:
> Apart from DV's comments, ACK to patches 1-3
> 
> On Tue, 2009-09-01 at 16:28 +0100, Daniel P. Berrange wrote:
> > * src/security.h: Driver API for relabelling host devices
> > * src/security_selinux.c: Implement relabelling of PCI and USB
> >   devices
> > * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
> > ---
> >  src/qemu_driver.c      |   12 ++-
> >  src/security.h         |    7 ++
> >  src/security_selinux.c |  175 +++++++++++++++++++++++++++++++++++++++++++-----
> >  3 files changed, 174 insertions(+), 20 deletions(-)
> > 
> > diff --git a/src/qemu_driver.c b/src/qemu_driver.c
> > index e9a09df..d75e28e 100644
> > --- a/src/qemu_driver.c
> > +++ b/src/qemu_driver.c
> > @@ -5498,6 +5498,9 @@ static int qemudDomainAttachHostDevice(virConnectPtr conn,
> >  
> >      if (qemuDomainSetDeviceOwnership(conn, driver, dev, 0) < 0)
> >          return -1;
> > +    if (driver->securityDriver &&
> > +        driver->securityDriver->domainSetSecurityHostdevLabel(conn, vm, dev->data.hostdev) < 0)
> > +        return -1;
> >  
> >      switch (hostdev->source.subsys.type) {
> >      case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI:
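Review bot: the added condition in qemudDomainAttachHostDevice tests driver->securityDriver but not the domainSetSecurityHostdevLabel pointer itself, so a security driver that leaves the new callback unset would be called through NULL here. Suggest guarding on both, e.g. `driver->securityDriver && driver->securityDriver->domainSetSecurityHostdevLabel &&` ahead of the call. Also, when the relabel fails the function returns -1 right after qemuDomainSetDeviceOwnership(conn, driver, dev, 0) has succeeded, which leaves the ownership change in place; consider undoing it on this error path.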
> > @@ -5566,9 +5569,6 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
> >              }
> >          }
> >  
> > -        if (driver->securityDriver)
> > -            driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev->data.disk);
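Review bot: the removal of the domainSetSecurityImageLabel call in qemudDomainAttachDevice is not covered by the commit message, which for src/qemu_driver.c only lists relabelling USB/PCI devices before hotplug. Suggest either stating in the commit message why the disk relabel call is dropped or moving the removal into its own patch. The removed line also ignored the return value, unlike the new hostdev call that checks `< 0`; any remaining call to it should be checked the same way.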
> 
> What's this about?

The very same call is issued a few lines later :-)

> > diff --git a/src/security_selinux.c b/src/security_selinux.c
> > index 3b2e88f..5b7b038 100644
> > --- a/src/security_selinux.c
> > +++ b/src/security_selinux.c
> ...
> > @@ -414,6 +427,126 @@ SELinuxSetSecurityImageLabel(virConnectPtr conn,
> >      return 0;
> >  }
> >  
> > +
> > +static int
> > +SELinuxSetSecurityPCILabel(virConnectPtr conn,
> > +                           pciDevice *dev ATTRIBUTE_UNUSED,
> > +                           const char *file, void *opaque)
> > +{
> > +    virDomainObjPtr vm = opaque;
> > +    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
> > +
> > +    return SELinuxSetFilecon(conn, file, secdef->imagelabel);
> > +}
> > +
> > +static int
> > +SELinuxSetSecurityHostdevLabel(virConnectPtr conn,
> > +                               virDomainObjPtr vm,
> > +                               virDomainHostdevDefPtr dev)
> > +
> > +{
> > +    int ret = -1;
> > +
> > +    if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
> > +        return 0;
> > +
> > +    switch (dev->source.subsys.type) {
> > +    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB:
> > +        break;
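Review bot: SELinuxSetSecurityPCILabel passes secdef->imagelabel to SELinuxSetFilecon without checking that it is set, so a domain whose seclabel carries no imagelabel would hand a NULL context to the relabel call. Suggest returning 0 early when secdef->imagelabel is NULL, or checking it once in SELinuxSetSecurityHostdevLabel before the switch. In that function the VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB case is an empty `break;` while ret starts at -1, and there is a stray blank line between the parameter list and the opening brace.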
> 
> Either you're missing some code here, or I'm missing some
> understanding :-)

Bizarrely the code secretly moved itself into the next patch while I
wasn't looking :-)

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|



