[libvirt] [PATCH v2 1/5] conf: add XML schema for capability XML

Osier Yang jyang at redhat.com
Fri Dec 30 05:05:08 UTC 2011


On 2011年12月22日 15:02, Taku Izumi wrote:
>
> This patch introduces XML schema for capability XML.
> "process" and "cap" elements are added.
> The list of "cap" elements represents the process capabilities the host supports.
>
>
> <capabilities>
>    <host>
>      ...
>      <process>
>        <cap name='chown'/>
>        <cap name='dac_override'/>
>        ...
>      </process>
>    </host>
>    ...
> </capabilities>
>
>
> Signed-off-by: Taku Izumi<izumi.taku at jp.fujitsu.com>
> ---
>   docs/schemas/capability.rng  |   50 +++++++++++++++++++++++++++++++
>   include/libvirt/libvirt.h.in |   45 ++++++++++++++++++++++++++++
>   src/conf/capabilities.c      |   69 +++++++++++++++++++++++++++++++++++++++++++
>   src/conf/capabilities.h      |    5 +++
>   4 files changed, 169 insertions(+)
>
> Index: libvirt/src/conf/capabilities.h
> ===================================================================
> --- libvirt.orig/src/conf/capabilities.h
> +++ libvirt/src/conf/capabilities.h
> @@ -119,6 +119,10 @@ struct _virCapsHost {
>       virCapsHostSecModel secModel;
>       virCPUDefPtr cpu;
>       unsigned char host_uuid[VIR_UUID_BUFLEN];
> +
> +    unsigned long long processCaps; /* Bitmask of the Process capabilities
> +                                     * see enum vir
> +                                     */
>   };
>
>   typedef int (*virDomainDefNamespaceParse)(xmlDocPtr, xmlNodePtr,
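Review bot: The comment on the new processCaps field breaks off at `see enum vir` and never names the enum it refers to, so a reader cannot tell which bit stands for which capability. Replace it with `/* Bitmask of process capabilities: bit i is set when the capability numbered i in virProcessCapabilityType (libvirt.h) is present */`. struct _virCapsHost begins outside the hunk.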
> @@ -263,5 +267,6 @@ virCapabilitiesDefaultGuestEmulator(virC
>   extern char *
>   virCapabilitiesFormatXML(virCapsPtr caps);
>
> +VIR_ENUM_DECL(virCapsProcessCaps)
>
>   #endif /* __VIR_CAPABILITIES_H */
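Review bot: The header gains VIR_ENUM_DECL(virCapsProcessCaps) but no prototype for virCapabilitiesInitProcessCaps, which this series calls from virCapabilitiesNew in capabilities.c long before the function is defined at the end of that file; without a declaration the call is an implicit function declaration, which a -Werror build rejects. Add `extern void virCapabilitiesInitProcessCaps(virCapsPtr caps);` beside the other virCapabilities* prototypes here, or a forward declaration in capabilities.c. If the function is only meant for use inside capabilities.c it should be static rather than a new exported symbol.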
> Index: libvirt/src/conf/capabilities.c
> ===================================================================
> --- libvirt.orig/src/conf/capabilities.c
> +++ libvirt/src/conf/capabilities.c
> @@ -33,6 +33,9 @@
>   #include "cpu_conf.h"
>   #include "virterror_internal.h"
>
> +#if HAVE_CAPNG
> +# include<cap-ng.h>
> +#endif
>
>   #define VIR_FROM_THIS VIR_FROM_CAPABILITIES
>
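Review bot: The include is guarded with `#if HAVE_CAPNG` while the definition of virCapabilitiesInitProcessCaps later in this file uses `#ifdef HAVE_CAPNG`; the two forms disagree when the macro is defined as empty or 0, so use one form consistently, matching what the rest of libvirt does for HAVE_CAPNG. The new code also relies on CAP_LAST_CAP; if cap-ng.h does not itself pull in <linux/capability.h>, include that explicitly under the same guard rather than depending on a transitive include.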
> @@ -40,6 +43,42 @@ VIR_ENUM_DECL(virCapsHostPMTarget)
>   VIR_ENUM_IMPL(virCapsHostPMTarget, VIR_NODE_SUSPEND_TARGET_LAST,
>                 "suspend_mem", "suspend_disk", "suspend_hybrid");
>
> +VIR_ENUM_IMPL(virCapsProcessCaps, VIR_PROCESS_CAPABILITY_LAST,
> +              "chown",
> +              "dac_override",
> +              "dac_read_search",
> +              "fowner",
> +              "fsetid",
> +              "kill",
> +              "setgid",
> +              "setuid",
> +              "setpcap",
> +              "linux_immutable",
> +              "net_bind_service",
> +              "net_broadcast",
> +              "net_admin",
> +              "net_raw",
> +              "ipc_lock",
> +              "ipc_owner",
> +              "sys_module",
> +              "sys_rawio",
> +              "sys_chroot",
> +              "sys_ptrace",
> +              "sys_pacct",
> +              "sys_admin",
> +              "sys_boot",
> +              "sys_nice",
> +              "sys_resource",
> +              "sys_time",
> +              "sys_tty_config",
> +              "mknod",
> +              "lease",
> +              "audit_write",
> +              "audit_control",
> +              "setfcap",
> +              "mac_override",
> +              "mac_admin")
> +
>   /**
>    * virCapabilitiesNew:
>    * @arch: host machine architecture
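Review bot: The order of the strings in VIR_ENUM_IMPL, and therefore the bit position each name gets, must equal the kernel's CAP_* numbering (CAP_CHOWN = 0 … CAP_MAC_ADMIN = 33) for the mask built from CAP_LAST_CAP to mean anything, yet nothing checks this. Add a compile-time assertion under HAVE_CAPNG, e.g. `verify(VIR_PROCESS_CAPABILITY_MAC_ADMIN == CAP_MAC_ADMIN);` using whichever static-assert macro this file has available, and a comment above the table saying it mirrors <linux/capability.h> and may only be appended to. VIR_ENUM_IMPL presumably checks the string count against VIR_PROCESS_CAPABILITY_LAST, but that does not catch a reordering.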
> @@ -63,6 +102,8 @@ virCapabilitiesNew(const char *arch,
>       caps->host.offlineMigrate = offlineMigrate;
>       caps->host.liveMigrate = liveMigrate;
>
> +    virCapabilitiesInitProcessCaps(caps);
> +
>       return caps;
>
>    no_memory:
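Review bot: virCapabilitiesInitProcessCaps is called unconditionally from the generic constructor, so every driver that builds a virCaps through virCapabilitiesNew — presumably including drivers whose "host" is not the machine libvirtd runs on — will advertise the local build's capability mask under <host>. If that is intended, a comment here should say so; otherwise only the drivers that describe the local host should call it, as they do for other host properties. virCapabilitiesNew starts outside the hunk, so I cannot see whether caps->host is zeroed before this call, which the `|=` in the initializer relies on.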
> @@ -754,6 +795,18 @@ virCapabilitiesFormatXML(virCapsPtr caps
>           virBufferAddLit(&xml, "</secmodel>\n");
>       }
>
> +    if (caps->host.processCaps) {
> +        virBufferAddLit(&xml, "<process>\n");
> +        for (i = 0; i<  VIR_PROCESS_CAPABILITY_LAST; i++) {
> +            if (caps->host.processCaps&  (1ULL<<  i)) {
> +                const char *name = virCapsProcessCapsTypeToString(i);
> +                if (name)
> +                    virBufferAsprintf(&xml, "<cap name='%s'/>\n", name);
> +            }
> +        }
> +        virBufferAddLit(&xml, "</process>\n");
> +    }
> +
>       virBufferAddLit(&xml, "</host>\n\n");
>
>
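Review bot: The loop only visits bits below VIR_PROCESS_CAPABILITY_LAST, so any higher bit the initializer sets from a newer CAP_LAST_CAP is silently dropped from the XML, and the NULL check on `name` is dead for the same reason. Either mask the value where it is produced or note the truncation here, e.g. `/* bits >= VIR_PROCESS_CAPABILITY_LAST have no name and are not emitted */`. The enclosing virCapabilitiesFormatXML starts and ends outside the hunk, so the type and declaration of `i` are not visible.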
> @@ -837,6 +890,22 @@ virCapabilitiesFormatXML(virCapsPtr caps
>       return virBufferContentAndReset(&xml);
>   }
>
> +#ifdef HAVE_CAPNG
> +void
> +virCapabilitiesInitProcessCaps(virCapsPtr caps)
> +{
> +    caps->host.processCaps |= (1ULL<<  (CAP_LAST_CAP + 1)) - 1;
> +}
> +
> +#else
> +void
> +virCapabilitiesInitProcessCaps(virCapsPtr caps)
> +{
> +    caps->host.processCaps = 0;
> +}
> +
> +#endif
> +
>   extern void
>   virCapabilitiesSetMacPrefix(virCapsPtr caps,
>                               unsigned char *prefix)
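Review bot: With libcap-ng present the function sets every bit from 0 to CAP_LAST_CAP, a constant from the headers libvirt was compiled against, so the result reflects neither the running kernel nor the capabilities the libvirtd process actually holds, even though the field and element are named "process" capabilities; if the intent is the current process's capability set, capng_get_caps_process() and capng_have_capability() provide it, and if the intent is "capabilities this build knows about" the comment and element name should say so. Independently, the HAVE_CAPNG branch uses `|=` where the fallback uses `=`, and it can set bits at or above VIR_PROCESS_CAPABILITY_LAST that have no name. Bounding and assigning fixes both: `int last = MIN(CAP_LAST_CAP, VIR_PROCESS_CAPABILITY_LAST - 1);` followed by `caps->host.processCaps = (1ULL << (last + 1)) - 1;` (MIN assumed to come from libvirt's internal headers).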
> Index: libvirt/docs/schemas/capability.rng
> ===================================================================
> --- libvirt.orig/docs/schemas/capability.rng
> +++ libvirt/docs/schemas/capability.rng
> @@ -46,6 +46,56 @@
>         <optional>
>           <ref name='secmodel'/>
>         </optional>
> +<optional>
> +<ref name='process'/>
> +</optional>
> +</element>
> +</define>
> +
> +<define name='process'>
> +<element name='process'>
> +<zeroOrMore>
> +<element name='cap'>
> +<attribute name='name'>
> +<choice>
> +<value>chown</value>
> +<value>dac_override</value>
> +<value>dac_read_search</value>
> +<value>fowner</value>
> +<value>fsetid</value>
> +<value>kill</value>
> +<value>setgid</value>
> +<value>setuid</value>
> +<value>setpcap</value>
> +<value>linux_immutable</value>
> +<value>net_bind_service</value>
> +<value>net_broadcast</value>
> +<value>net_admin</value>
> +<value>net_raw</value>
> +<value>ipc_lock</value>
> +<value>ipc_owner</value>
> +<value>sys_module</value>
> +<value>sys_rawio</value>
> +<value>sys_chroot</value>
> +<value>sys_ptrace</value>
> +<value>sys_pacct</value>
> +<value>sys_admin</value>
> +<value>sys_boot</value>
> +<value>sys_nice</value>
> +<value>sys_resource</value>
> +<value>sys_time</value>
> +<value>sys_tty_config</value>
> +<value>mknod</value>
> +<value>lease</value>
> +<value>audit_write</value>
> +<value>audit_control</value>
> +<value>setfcap</value>
> +<value>mac_override</value>
> +<value>mac_admin</value>
> +</choice>
> +</attribute>
> +</element>
> +</zeroOrMore>
>       </element>
>     </define>
>
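Review bot: The new `process` define is closed by the context lines `</element>` and `</define>` that previously closed the host element, which makes the hunk read as if the host define were left open; close the host element and define explicitly within the added lines and give the new define its own closing tags so each definition is self-contained. The 34 <value> entries are a third copy of the capability name list, after the enum and the VIR_ENUM_IMPL table, with nothing tying them together, so add a comment above the <choice> stating that it must be kept in sync with virProcessCapabilityType in libvirt.h. The added lines also appear to have lost their indentation relative to the surrounding schema, though that may be the mail client.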
> Index: libvirt/include/libvirt/libvirt.h.in
> ===================================================================
> --- libvirt.orig/include/libvirt/libvirt.h.in
> +++ libvirt/include/libvirt/libvirt.h.in
> @@ -3540,6 +3540,51 @@ int virConnectSetKeepAlive(virConnectPtr
>                              int interval,
>                              unsigned int count);
>
> +
> +/*
> + * virProcessCapabilityType
> + *
> + * A process capability Type
> + */
> +typedef enum {
> +    VIR_PROCESS_CAPABILITY_CHOWN,
> +    VIR_PROCESS_CAPABILITY_DAC_OVERRIDE,
> +    VIR_PROCESS_CAPABILITY_DAC_READ_SEARCH,
> +    VIR_PROCESS_CAPABILITY_FOWNER,
> +    VIR_PROCESS_CAPABILITY_FSETID,
> +    VIR_PROCESS_CAPABILITY_KILL,
> +    VIR_PROCESS_CAPABILITY_SETGID,
> +    VIR_PROCESS_CAPABILITY_SETUID,
> +    VIR_PROCESS_CAPABILITY_SETPCAP,
> +    VIR_PROCESS_CAPABILITY_LINUX_IMMUTABLE,
> +    VIR_PROCESS_CAPABILITY_NET_BIND_SERVICE,
> +    VIR_PROCESS_CAPABILITY_NET_BROADCAST,
> +    VIR_PROCESS_CAPABILITY_NET_ADMIN,
> +    VIR_PROCESS_CAPABILITY_NET_RAW,
> +    VIR_PROCESS_CAPABILITY_IPC_LOCK,
> +    VIR_PROCESS_CAPABILITY_IPC_OWNER,
> +    VIR_PROCESS_CAPABILITY_SYS_MODULE,
> +    VIR_PROCESS_CAPABILITY_SYS_RAWIO,
> +    VIR_PROCESS_CAPABILITY_SYS_CHROOT,
> +    VIR_PROCESS_CAPABILITY_SYS_PTRACE,
> +    VIR_PROCESS_CAPABILITY_SYS_PACCT,
> +    VIR_PROCESS_CAPABILITY_SYS_ADMIN,
> +    VIR_PROCESS_CAPABILITY_SYS_BOOT,
> +    VIR_PROCESS_CAPABILITY_SYS_NICE,
> +    VIR_PROCESS_CAPABILITY_SYS_RESOURCE,
> +    VIR_PROCESS_CAPABILITY_SYS_TIME,
> +    VIR_PROCESS_CAPABILITY_SYS_TTY_CONFIG,
> +    VIR_PROCESS_CAPABILITY_MKNOD,
> +    VIR_PROCESS_CAPABILITY_LEASE,
> +    VIR_PROCESS_CAPABILITY_AUDIT_WRITE,
> +    VIR_PROCESS_CAPABILITY_AUDIT_CONTROL,
> +    VIR_PROCESS_CAPABILITY_SETFCAP,
> +    VIR_PROCESS_CAPABILITY_MAC_OVERRIDE,
> +    VIR_PROCESS_CAPABILITY_MAC_ADMIN,
> +
> +    VIR_PROCESS_CAPABILITY_LAST
> +} virProcessCapabilityType;
> +
>   #ifdef __cplusplus
>   }
>   #endif
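Review bot: This enum lands in the public libvirt.h, so its numeric values become ABI, and they are also silently required to equal the kernel's CAP_* numbers for the bitmask in capabilities.c to be correct; the three-line comment above it says neither. Replace `A process capability Type` with a comment stating that the values mirror <linux/capability.h> (CAP_CHOWN = 0 … CAP_MAC_ADMIN = 33), that new entries may only be appended before VIR_PROCESS_CAPABILITY_LAST, and that existing values must never be renumbered. It is also worth asking whether this belongs in the public API at all, since the only visible consumer is src/conf/capabilities.c and the XML exposes names rather than numbers.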

Also we might want to update docs/formatcaps.html.in, though
it has not been updated for a long time.

Regards,
Osier



