[libvirt] [PATCH v2 1/5] conf: add XML schema for capability XML
Osier Yang
jyang at redhat.com
Fri Dec 30 05:05:08 UTC 2011
On 2011年12月22日 15:02, Taku Izumi wrote:
>
> This patch introduces an XML schema for the capability XML.
> The "process" and "cap" elements are added.
> The list of "cap" elements represents the process capabilities that the host supports.
>
>
> <capabilities>
> <host>
> ...
> <process>
> <cap name='chown'/>
> <cap name='dac_override'/>
> ...
> </process>
> </host>
> ...
> </capabilities>
>
>
> Signed-off-by: Taku Izumi<izumi.taku at jp.fujitsu.com>
> ---
> docs/schemas/capability.rng | 50 +++++++++++++++++++++++++++++++
> include/libvirt/libvirt.h.in | 45 ++++++++++++++++++++++++++++
> src/conf/capabilities.c | 69 +++++++++++++++++++++++++++++++++++++++++++
> src/conf/capabilities.h | 5 +++
> 4 files changed, 169 insertions(+)
>
> Index: libvirt/src/conf/capabilities.h
> ===================================================================
> --- libvirt.orig/src/conf/capabilities.h
> +++ libvirt/src/conf/capabilities.h
> @@ -119,6 +119,10 @@ struct _virCapsHost {
> virCapsHostSecModel secModel;
> virCPUDefPtr cpu;
> unsigned char host_uuid[VIR_UUID_BUFLEN];
> +
> + unsigned long long processCaps; /* Bitmask of the Process capabilities
> + * see enum vir
> + */
> };
>
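Review bot: The comment on the new `processCaps` field breaks off at `see enum vir`, so a reader cannot tell which enum the bit positions follow. Since the formatter later tests `1ULL << i` for each virProcessCapabilityType value, say that explicitly: `/* Bitmask of process capabilities: bit i is set when the capability whose virProcessCapabilityType value is i (include/libvirt/libvirt.h.in) is available */`. The enclosing struct _virCapsHost starts before the hunk.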
> typedef int (*virDomainDefNamespaceParse)(xmlDocPtr, xmlNodePtr,
> @@ -263,5 +267,6 @@ virCapabilitiesDefaultGuestEmulator(virC
> extern char *
> virCapabilitiesFormatXML(virCapsPtr caps);
>
> +VIR_ENUM_DECL(virCapsProcessCaps)
>
> #endif /* __VIR_CAPABILITIES_H */
> Index: libvirt/src/conf/capabilities.c
> ===================================================================
> --- libvirt.orig/src/conf/capabilities.c
> +++ libvirt/src/conf/capabilities.c
> @@ -33,6 +33,9 @@
> #include "cpu_conf.h"
> #include "virterror_internal.h"
>
> +#if HAVE_CAPNG
> +# include<cap-ng.h>
> +#endif
>
> #define VIR_FROM_THIS VIR_FROM_CAPABILITIES
>
> @@ -40,6 +43,42 @@ VIR_ENUM_DECL(virCapsHostPMTarget)
> VIR_ENUM_IMPL(virCapsHostPMTarget, VIR_NODE_SUSPEND_TARGET_LAST,
> "suspend_mem", "suspend_disk", "suspend_hybrid");
>
> +VIR_ENUM_IMPL(virCapsProcessCaps, VIR_PROCESS_CAPABILITY_LAST,
> + "chown",
> + "dac_override",
> + "dac_read_search",
> + "fowner",
> + "fsetid",
> + "kill",
> + "setgid",
> + "setuid",
> + "setpcap",
> + "linux_immutable",
> + "net_bind_service",
> + "net_broadcast",
> + "net_admin",
> + "net_raw",
> + "ipc_lock",
> + "ipc_owner",
> + "sys_module",
> + "sys_rawio",
> + "sys_chroot",
> + "sys_ptrace",
> + "sys_pacct",
> + "sys_admin",
> + "sys_boot",
> + "sys_nice",
> + "sys_resource",
> + "sys_time",
> + "sys_tty_config",
> + "mknod",
> + "lease",
> + "audit_write",
> + "audit_control",
> + "setfcap",
> + "mac_override",
> + "mac_admin")
> +
> /**
> * virCapabilitiesNew:
> * @arch: host machine architecture
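Review bot: The order of this string table is load-bearing twice over — VIR_ENUM_IMPL pairs each string with the virProcessCapabilityType value of the same index, and virCapabilitiesInitProcessCaps treats that index as the kernel CAP_* number — but nothing in the hunk says so. Add a comment above the table, `/* Order must match virProcessCapabilityType, whose values mirror the kernel CAP_* numbering (CAP_CHOWN == 0); only ever append */`, so that a future entry inserted in the middle is caught in review rather than silently mislabelling capabilities in the XML.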
> @@ -63,6 +102,8 @@ virCapabilitiesNew(const char *arch,
> caps->host.offlineMigrate = offlineMigrate;
> caps->host.liveMigrate = liveMigrate;
>
> + virCapabilitiesInitProcessCaps(caps);
> +
> return caps;
>
> no_memory:
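Review bot: virCapabilitiesInitProcessCaps is called here but its definition appears later in capabilities.c, and the capabilities.h hunk adds only VIR_ENUM_DECL, so unless a prototype exists outside this patch the call is an implicit declaration, which a -Werror build will reject. Either add `void virCapabilitiesInitProcessCaps(virCapsPtr caps);` to capabilities.h next to the other prototypes, or make the function `static` and place it above virCapabilitiesNew. virCapabilitiesNew starts before the hunk.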
> @@ -754,6 +795,18 @@ virCapabilitiesFormatXML(virCapsPtr caps
> virBufferAddLit(&xml, "</secmodel>\n");
> }
>
> + if (caps->host.processCaps) {
> + virBufferAddLit(&xml, "<process>\n");
> + for (i = 0; i< VIR_PROCESS_CAPABILITY_LAST; i++) {
> + if (caps->host.processCaps& (1ULL<< i)) {
> + const char *name = virCapsProcessCapsTypeToString(i);
> + if (name)
> + virBufferAsprintf(&xml, "<cap name='%s'/>\n", name);
> + }
> + }
> + virBufferAddLit(&xml, "</process>\n");
> + }
> +
> virBufferAddLit(&xml, "</host>\n\n");
>
>
> @@ -837,6 +890,22 @@ virCapabilitiesFormatXML(virCapsPtr caps
> return virBufferContentAndReset(&xml);
> }
>
> +#ifdef HAVE_CAPNG
> +void
> +virCapabilitiesInitProcessCaps(virCapsPtr caps)
> +{
> + caps->host.processCaps |= (1ULL<< (CAP_LAST_CAP + 1)) - 1;
> +}
> +
> +#else
> +void
> +virCapabilitiesInitProcessCaps(virCapsPtr caps)
> +{
> + caps->host.processCaps = 0;
> +}
> +
> +#endif
> +
> extern void
> virCapabilitiesSetMacPrefix(virCapsPtr caps,
> unsigned char *prefix)
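Review bot: virCapabilitiesInitProcessCaps marks every capability from 0 to the compile-time CAP_LAST_CAP as supported without consulting the running kernel or the capabilities libvirtd actually holds, so the XML advertises e.g. sys_module and sys_rawio even when the daemon runs with a reduced bounding set, and a consumer that uses this list to decide what may be granted to a guest will be misled. cap-ng.h is included but no capng_* function is called; if the daemon's own capabilities are what the element is meant to report, query them (roughly `capng_get_caps_process()` then `capng_have_capability(CAPNG_BOUNDING_SET, i)` per bit), and otherwise document the field as "capabilities known to the headers this build was compiled against". On kernels that define capabilities beyond CAP_MAC_ADMIN (33) this also sets bits the formatter never names, and `(1ULL << (CAP_LAST_CAP + 1))` becomes undefined once CAP_LAST_CAP reaches 63; a bounded loop such as `for (i = 0; i <= CAP_LAST_CAP && i < VIR_PROCESS_CAPABILITY_LAST; i++) caps->host.processCaps |= 1ULL << i;` avoids both. The `|=` in the libcap-ng branch also differs from the `=` in the fallback; both should assign, since the function is an initializer.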
> Index: libvirt/docs/schemas/capability.rng
> ===================================================================
> --- libvirt.orig/docs/schemas/capability.rng
> +++ libvirt/docs/schemas/capability.rng
> @@ -46,6 +46,56 @@
> <optional>
> <ref name='secmodel'/>
> </optional>
> +<optional>
> +<ref name='process'/>
> +</optional>
> +</element>
> +</define>
> +
> +<define name='process'>
> +<element name='process'>
> +<zeroOrMore>
> +<element name='cap'>
> +<attribute name='name'>
> +<choice>
> +<value>chown</value>
> +<value>dac_override</value>
> +<value>dac_read_search</value>
> +<value>fowner</value>
> +<value>fsetid</value>
> +<value>kill</value>
> +<value>setgid</value>
> +<value>setuid</value>
> +<value>setpcap</value>
> +<value>linux_immutable</value>
> +<value>net_bind_service</value>
> +<value>net_broadcast</value>
> +<value>net_admin</value>
> +<value>net_raw</value>
> +<value>ipc_lock</value>
> +<value>ipc_owner</value>
> +<value>sys_module</value>
> +<value>sys_rawio</value>
> +<value>sys_chroot</value>
> +<value>sys_ptrace</value>
> +<value>sys_pacct</value>
> +<value>sys_admin</value>
> +<value>sys_boot</value>
> +<value>sys_nice</value>
> +<value>sys_resource</value>
> +<value>sys_time</value>
> +<value>sys_tty_config</value>
> +<value>mknod</value>
> +<value>lease</value>
> +<value>audit_write</value>
> +<value>audit_control</value>
> +<value>setfcap</value>
> +<value>mac_override</value>
> +<value>mac_admin</value>
> +</choice>
> +</attribute>
> +</element>
> +</zeroOrMore>
> </element>
> </define>
>
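Review bot: The allowed `name` values are a third copy of the capability list (public enum, VIR_ENUM_IMPL table, schema) with nothing tying them together, so a capability appended to the enum later will be formatted into XML that this schema rejects. Add a comment above the choice, `<!-- keep in sync with virProcessCapabilityType in include/libvirt/libvirt.h.in -->`, or, if strict name validation is not needed, replace the choice with a pattern such as `<data type='string'><param name='pattern'>[a-z_]+</param></data>`.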
> Index: libvirt/include/libvirt/libvirt.h.in
> ===================================================================
> --- libvirt.orig/include/libvirt/libvirt.h.in
> +++ libvirt/include/libvirt/libvirt.h.in
> @@ -3540,6 +3540,51 @@ int virConnectSetKeepAlive(virConnectPtr
> int interval,
> unsigned int count);
>
> +
> +/*
> + * virProcessCapabilityType
> + *
> + * A process capability Type
> + */
> +typedef enum {
> + VIR_PROCESS_CAPABILITY_CHOWN,
> + VIR_PROCESS_CAPABILITY_DAC_OVERRIDE,
> + VIR_PROCESS_CAPABILITY_DAC_READ_SEARCH,
> + VIR_PROCESS_CAPABILITY_FOWNER,
> + VIR_PROCESS_CAPABILITY_FSETID,
> + VIR_PROCESS_CAPABILITY_KILL,
> + VIR_PROCESS_CAPABILITY_SETGID,
> + VIR_PROCESS_CAPABILITY_SETUID,
> + VIR_PROCESS_CAPABILITY_SETPCAP,
> + VIR_PROCESS_CAPABILITY_LINUX_IMMUTABLE,
> + VIR_PROCESS_CAPABILITY_NET_BIND_SERVICE,
> + VIR_PROCESS_CAPABILITY_NET_BROADCAST,
> + VIR_PROCESS_CAPABILITY_NET_ADMIN,
> + VIR_PROCESS_CAPABILITY_NET_RAW,
> + VIR_PROCESS_CAPABILITY_IPC_LOCK,
> + VIR_PROCESS_CAPABILITY_IPC_OWNER,
> + VIR_PROCESS_CAPABILITY_SYS_MODULE,
> + VIR_PROCESS_CAPABILITY_SYS_RAWIO,
> + VIR_PROCESS_CAPABILITY_SYS_CHROOT,
> + VIR_PROCESS_CAPABILITY_SYS_PTRACE,
> + VIR_PROCESS_CAPABILITY_SYS_PACCT,
> + VIR_PROCESS_CAPABILITY_SYS_ADMIN,
> + VIR_PROCESS_CAPABILITY_SYS_BOOT,
> + VIR_PROCESS_CAPABILITY_SYS_NICE,
> + VIR_PROCESS_CAPABILITY_SYS_RESOURCE,
> + VIR_PROCESS_CAPABILITY_SYS_TIME,
> + VIR_PROCESS_CAPABILITY_SYS_TTY_CONFIG,
> + VIR_PROCESS_CAPABILITY_MKNOD,
> + VIR_PROCESS_CAPABILITY_LEASE,
> + VIR_PROCESS_CAPABILITY_AUDIT_WRITE,
> + VIR_PROCESS_CAPABILITY_AUDIT_CONTROL,
> + VIR_PROCESS_CAPABILITY_SETFCAP,
> + VIR_PROCESS_CAPABILITY_MAC_OVERRIDE,
> + VIR_PROCESS_CAPABILITY_MAC_ADMIN,
> +
> + VIR_PROCESS_CAPABILITY_LAST
> +} virProcessCapabilityType;
> +
> #ifdef __cplusplus
> }
> #endif
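Review bot: virProcessCapabilityType becomes public ABI, and its values are used as bit positions in the host capability mask and assumed to match the kernel CAP_* numbering, yet the header comment says only "A process capability Type". State both constraints so the enum is only ever extended by appending before VIR_PROCESS_CAPABILITY_LAST, e.g. `/* Values mirror the Linux CAP_* numbering (CAP_CHOWN == 0, ...) and are used as bit positions in the host capability mask; new entries must be appended before VIR_PROCESS_CAPABILITY_LAST */`. Whether the bit-position use is meant to be part of the public contract is not visible here — confirm before documenting it as such.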
Also we might want to update docs/formatcaps.html.in, though
it hasn't been updated for a long time.
Regards,
Osier