
Re: [libvirt] [PATCH 2/2] security: Driver 'none' cannot create confined guests

On 02/07/2012 01:10 PM, Jiri Denemark wrote:
> In case the caller specifies that confined guests are required but the
> security driver turns out to be 'none', we should return an error since
> this driver clearly cannot meet that requirement.  As a result of this
> error, libvirtd fails to start when the host admin explicitly sets
> confined guests are required but there is no security driver available.
> Since security driver 'none' cannot create confined guests, we override
> default confined setting so that hypervisor drivers do not think they
> should create confined guests.
> ---
>  src/security/security_manager.c |   20 ++++++++++++++++++++
>  tests/seclabeltest.c            |    2 +-
>  2 files changed, 21 insertions(+), 1 deletions(-)

ACK that this fixes the issue, but I'm wondering whether we should move
the logic that rejects requireConfig out of security_manager.c and into
security_nop.c:virSecurityDriverOpenNop().  That is, the special casing
is a property of the 'none' security manager.  Is it worth a v2 patch
that moves the error messages in that manner?

> +++ b/tests/seclabeltest.c
> @@ -13,7 +13,7 @@ main (int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED)
>      virSecurityManagerPtr mgr;
>      const char *doi, *model;
> -    mgr = virSecurityManagerNew(NULL, false, true, true);
> +    mgr = virSecurityManagerNew(NULL, false, true, false);
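
Review bot: per the diffstat, this one-line change to virSecurityManagerNew(NULL, false, true, false) is the whole test update, so the new error path is never exercised; add a case that requests required confinement against the 'none' driver and asserts that no manager is returned. A short comment naming each of the three positional booleans at this call would also let a reader see which setting the final true to false change turns off.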

And here's a classic example that proves Laine's point that any
interface with more than one bool parameter is hard to read (you have to
check the implementation), compared to consolidating those into a flags
argument.  But no need to change the signature for this particular patch.

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
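
A sketch of the two review points above, added here as an example and not libvirt code: the constructor takes one flags argument instead of several bools, and the 'none' driver's own open callback is what rejects required confinement and clears the default. All names (`sec_manager_new`, the `SEC_*` flags, the "confining" stand-in driver) are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flag names: one self-describing argument instead of bools. */
enum {
    SEC_DEFAULT_CONFINED = 1 << 0, /* guests are confined unless they opt out */
    SEC_REQUIRE_CONFINED = 1 << 1, /* unconfined guests must be refused */
    SEC_KNOWN_FLAGS = SEC_DEFAULT_CONFINED | SEC_REQUIRE_CONFINED
};
struct sec_manager {
    const struct sec_driver *drv;
    unsigned int flags;
    const char *error; /* reason when sec_manager_new() returns -1 */
};
struct sec_driver {
    const char *name;
    int (*open)(struct sec_manager *mgr); /* 0 on success, -1 to veto */
};
/* The 'none' driver owns its special case: it cannot confine anything. */
static int none_open(struct sec_manager *mgr)
{
    if (mgr->flags & SEC_REQUIRE_CONFINED) {
        mgr->error = "driver 'none' cannot create confined guests";
        return -1;
    }
    mgr->flags &= ~(unsigned int)SEC_DEFAULT_CONFINED; /* promise nothing */
    return 0;
}
/* Stand-in for a driver that really can confine guests. */
static int confining_open(struct sec_manager *mgr) { (void)mgr; return 0; }
static const struct sec_driver drivers[] = {
    { "none", none_open }, { "confining", confining_open } };

/* Returns 0 with *mgr filled in, or -1 with mgr->error set. */
int sec_manager_new(struct sec_manager *mgr, const char *name, unsigned int flags)
{
    mgr->drv = NULL; mgr->flags = flags; mgr->error = NULL;
    if (flags & ~(unsigned int)SEC_KNOWN_FLAGS) { mgr->error = "unknown flag"; return -1; }
    for (size_t i = 0; i < sizeof(drivers) / sizeof(drivers[0]); i++)
        if (strcmp(drivers[i].name, name) == 0) mgr->drv = &drivers[i];
    if (!mgr->drv) { mgr->error = "no such driver"; return -1; }
    return mgr->drv->open(mgr);
}

int main(void)
{
    struct sec_manager m;
    int rc = sec_manager_new(&m, "none", SEC_DEFAULT_CONFINED | SEC_REQUIRE_CONFINED);
    printf("rc=%d error=%s\n", rc, m.error ? m.error : "(none)");
}
```

With the check in the driver's open callback, the manager constructor needs no knowledge of which driver is special, and the call site names the policy it is asking for.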
