[libvirt] [PATCH 07/23] Refactor SELinux security driver hostdev labelling
Osier Yang
jyang at redhat.com
Fri Dec 14 09:54:48 UTC 2012
On 2012年12月01日 04:26, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange"<berrange at redhat.com>
>
> Prepare to support different types of hostdevs by refactoring
> the current SELinux security driver code
>
> Signed-off-by: Daniel P. Berrange<berrange at redhat.com>
> ---
> src/security/security_selinux.c | 89 +++++++++++++++++++++++++++--------------
> 1 file changed, 59 insertions(+), 30 deletions(-)
>
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 9070ff9..ad13490 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -1118,26 +1118,15 @@ virSecuritySELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
> return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
> }
>
> +
> static int
> -virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> - virDomainDefPtr def,
> - virDomainHostdevDefPtr dev,
> - const char *vroot)
> +virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
> + virDomainHostdevDefPtr dev,
> + const char *vroot)
>
> {
> - virSecurityLabelDefPtr secdef;
> int ret = -1;
>
> - secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
> - if (secdef == NULL)
> - return -1;
> -
> - if (secdef->norelabel)
> - return 0;
> -
> - if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
> - return 0;
> -
> switch (dev->source.subsys.type) {
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
> usbDevice *usb;
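Review bot: virSecuritySELinuxSetSecurityHostdevSubsysLabel now reads `dev->source.subsys.type` with no `dev->mode` or `secdef->norelabel` check of its own, so it is only correct if the caller has already done both. The one caller visible in this patch does, but nothing on the helper records that contract. A short comment above it would do, e.g. `/* Caller must have checked dev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS and !secdef->norelabel */`. The same applies to virSecuritySELinuxRestoreSecurityHostdevSubsysLabel in the third hunk. The helper's body continues past the end of this hunk.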
> @@ -1182,6 +1171,32 @@ done:
>
>
> static int
> +virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> + virDomainDefPtr def,
> + virDomainHostdevDefPtr dev,
> + const char *vroot)
> +
> +{
> + virSecurityLabelDefPtr secdef;
> +
> + secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
> + if (secdef == NULL)
> + return -1;
> +
> + if (secdef->norelabel)
> + return 0;
> +
> + switch (dev->mode) {
> + case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
> + return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot);
> +
> + default:
> + return 0;
> + }
> +}
> +
> +
> +static int
> virSecuritySELinuxRestoreSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
> const char *file,
> void *opaque ATTRIBUTE_UNUSED)
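Review bot: The `default: return 0;` in the new switch on `dev->mode` reports success for every mode other than SUBSYS, so a mode added later is skipped by the labelling step with no compiler warning and no log line. Since the commit message says more hostdev types are coming, I would list the remaining enum values explicitly instead of using `default`, or at least state the intent with `/* nothing to label for other hostdev modes */`. The Restore dispatcher in the fourth hunk has the same default. There, a mode that gains a Set implementation without a matching Restore would presumably leave the device node carrying the guest's label after teardown.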
> @@ -1197,26 +1212,14 @@ virSecuritySELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
> return virSecuritySELinuxRestoreSecurityFileLabel(file);
> }
>
> +
> static int
> -virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> - virDomainDefPtr def,
> - virDomainHostdevDefPtr dev,
> - const char *vroot)
> +virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virDomainHostdevDefPtr dev,
> + const char *vroot)
>
> {
> - virSecurityLabelDefPtr secdef;
> int ret = -1;
>
> - secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
> - if (secdef == NULL)
> - return -1;
> -
> - if (secdef->norelabel)
> - return 0;
> -
> - if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
> - return 0;
> -
> switch (dev->source.subsys.type) {
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
> usbDevice *usb;
> @@ -1262,6 +1265,32 @@ done:
>
>
> static int
> +virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> + virDomainDefPtr def,
> + virDomainHostdevDefPtr dev,
> + const char *vroot)
> +
> +{
> + virSecurityLabelDefPtr secdef;
> +
> + secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
> + if (secdef == NULL)
> + return -1;
> +
> + if (secdef->norelabel)
> + return 0;
> +
> + switch (dev->mode) {
> + case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
> + return virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(dev, vroot);
> +
> + default:
> + return 0;
> + }
> +}
> +
> +
> +static int
> virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
> virDomainChrDefPtr dev,
> virDomainChrSourceDefPtr dev_source)
ACK