[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 1/6] Pass the virt driver name into security drivers



From: Daniel Walsh <dwalsh redhat com>

To allow the security drivers to apply different configuration
information per hypervisor, pass the virtualization driver name
into the security manager constructor.

Signed-off-by: Daniel P. Berrange <berrange redhat com>
---
 src/lxc/lxc_conf.h               |    2 ++
 src/lxc/lxc_controller.c         |    8 ++++++--
 src/lxc/lxc_driver.c             |    7 ++++---
 src/qemu/qemu_driver.c           |   10 +++++++---
 src/security/security_apparmor.c |    2 +-
 src/security/security_dac.c      |    2 +-
 src/security/security_driver.c   |    5 +++--
 src/security/security_driver.h   |    5 +++--
 src/security/security_manager.c  |   18 ++++++++++++++++--
 src/security/security_manager.h  |    5 ++++-
 src/security/security_nop.c      |    2 +-
 src/security/security_selinux.c  |    2 +-
 src/security/security_stack.c    |    2 +-
 tests/seclabeltest.c             |    2 +-
 14 files changed, 51 insertions(+), 21 deletions(-)

diff --git a/src/lxc/lxc_conf.h b/src/lxc/lxc_conf.h
index ebdc173..cc279b2 100644
--- a/src/lxc/lxc_conf.h
+++ b/src/lxc/lxc_conf.h
@@ -36,6 +36,8 @@
 # include "security/security_manager.h"
 # include "configmake.h"
 
+# define LXC_DRIVER_NAME "LXC"
+
 # define LXC_CONFIG_DIR SYSCONFDIR "/libvirt/lxc"
 # define LXC_STATE_DIR LOCALSTATEDIR "/run/libvirt/lxc"
 # define LXC_LOG_DIR LOCALSTATEDIR "/log/libvirt/lxc"
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index 26b3115..1292751 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -1723,7 +1723,9 @@ int main(int argc, char *argv[])
             break;
 
         case 'S':
-            if (!(securityDriver = virSecurityManagerNew(optarg, false, false, false))) {
+            if (!(securityDriver = virSecurityManagerNew(optarg,
+                                                         LXC_DRIVER_NAME,
+                                                         false, false, false))) {
                 fprintf(stderr, "Cannot create security manager '%s'",
                         optarg);
                 goto cleanup;
@@ -1750,7 +1752,9 @@ int main(int argc, char *argv[])
     }
 
     if (securityDriver == NULL) {
-        if (!(securityDriver = virSecurityManagerNew("none", false, false, false))) {
+        if (!(securityDriver = virSecurityManagerNew("none",
+                                                     LXC_DRIVER_NAME,
+                                                     false, false, false))) {
             fprintf(stderr, "%s: cannot initialize nop security manager", argv[0]);
             goto cleanup;
         }
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index 03783ff..42d1d94 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -2533,7 +2533,8 @@ error:
 static int
 lxcSecurityInit(lxc_driver_t *driver)
 {
-    virSecurityManagerPtr mgr = virSecurityManagerNew(driver->securityDriverName,
+    virSecurityManagerPtr mgr = virSecurityManagerNew(LXC_DRIVER_NAME,
+                                                      driver->securityDriverName,
                                                       false,
                                                       driver->securityDefaultConfined,
                                                       driver->securityRequireConfined);
@@ -3851,7 +3852,7 @@ static virNWFilterCallbackDriver lxcCallbackDriver = {
 /* Function Tables */
 static virDriver lxcDriver = {
     .no = VIR_DRV_LXC,
-    .name = "LXC",
+    .name = LXC_DRIVER_NAME,
     .open = lxcOpen, /* 0.4.2 */
     .close = lxcClose, /* 0.4.2 */
     .version = lxcVersion, /* 0.4.6 */
@@ -3915,7 +3916,7 @@ static virDriver lxcDriver = {
 };
 
 static virStateDriver lxcStateDriver = {
-    .name = "LXC",
+    .name = LXC_DRIVER_NAME,
     .initialize = lxcStartup,
     .cleanup = lxcShutdown,
     .active = lxcActive,
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 2bec617..aed1daa 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -95,6 +95,8 @@
 
 #define VIR_FROM_THIS VIR_FROM_QEMU
 
+#define QEMU_DRIVER_NAME "QEMU"
+
 #define QEMU_NB_MEM_PARAM  3
 
 #define QEMU_NB_BLOCK_IO_TUNE_PARAM  6
@@ -213,6 +215,7 @@ static int
 qemuSecurityInit(struct qemud_driver *driver)
 {
     virSecurityManagerPtr mgr = virSecurityManagerNew(driver->securityDriverName,
+                                                      QEMU_DRIVER_NAME,
                                                       driver->allowDiskFormatProbing,
                                                       driver->securityDefaultConfined,
                                                       driver->securityRequireConfined);
@@ -221,7 +224,8 @@ qemuSecurityInit(struct qemud_driver *driver)
         goto error;
 
     if (driver->privileged) {
-        virSecurityManagerPtr dac = virSecurityManagerNewDAC(driver->user,
+        virSecurityManagerPtr dac = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
+                                                             driver->user,
                                                              driver->group,
                                                              driver->allowDiskFormatProbing,
                                                              driver->securityDefaultConfined,
@@ -12784,7 +12788,7 @@ cleanup:
 
 static virDriver qemuDriver = {
     .no = VIR_DRV_QEMU,
-    .name = "QEMU",
+    .name = QEMU_DRIVER_NAME,
     .open = qemudOpen, /* 0.2.0 */
     .close = qemudClose, /* 0.2.0 */
     .supports_feature = qemudSupportsFeature, /* 0.5.0 */
@@ -12975,7 +12979,7 @@ qemuVMFilterRebuild(virConnectPtr conn ATTRIBUTE_UNUSED,
 }
 
 static virNWFilterCallbackDriver qemuCallbackDriver = {
-    .name = "QEMU",
+    .name = QEMU_DRIVER_NAME,
     .vmFilterRebuild = qemuVMFilterRebuild,
     .vmDriverLock = qemuVMDriverLock,
     .vmDriverUnlock = qemuVMDriverUnlock,
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 8f8b200..d638d1f 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -328,7 +328,7 @@ AppArmorSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
 
 /* Called on libvirtd startup to see if AppArmor is available */
 static int
-AppArmorSecurityManagerProbe(void)
+AppArmorSecurityManagerProbe(const char *virtDriver ATTRIBUTE_UNUSED)
 {
     char *template = NULL;
     int rc = SECURITY_DRIVER_DISABLE;
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index e71dc20..8201022 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -65,7 +65,7 @@ void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
 }
 
 static virSecurityDriverStatus
-virSecurityDACProbe(void)
+virSecurityDACProbe(const char *virtDriver ATTRIBUTE_UNUSED)
 {
     return SECURITY_DRIVER_ENABLE;
 }
diff --git a/src/security/security_driver.c b/src/security/security_driver.c
index fd2c01a..39736cf 100644
--- a/src/security/security_driver.c
+++ b/src/security/security_driver.c
@@ -37,7 +37,8 @@ static virSecurityDriverPtr security_drivers[] = {
     &virSecurityDriverNop, /* Must always be last, since it will always probe */
 };
 
-virSecurityDriverPtr virSecurityDriverLookup(const char *name)
+virSecurityDriverPtr virSecurityDriverLookup(const char *name,
+                                             const char *virtDriver)
 {
     virSecurityDriverPtr drv = NULL;
     int i;
@@ -51,7 +52,7 @@ virSecurityDriverPtr virSecurityDriverLookup(const char *name)
             STRNEQ(tmp->name, name))
             continue;
 
-        switch (tmp->probe()) {
+        switch (tmp->probe(virtDriver)) {
         case SECURITY_DRIVER_ENABLE:
             VIR_DEBUG("Probed name=%s", tmp->name);
             drv = tmp;
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index f0ace1c..d24304c 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -31,7 +31,7 @@ typedef enum {
 typedef struct _virSecurityDriver virSecurityDriver;
 typedef virSecurityDriver *virSecurityDriverPtr;
 
-typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void);
+typedef virSecurityDriverStatus (*virSecurityDriverProbe) (const char *virtDriver);
 typedef int (*virSecurityDriverOpen) (virSecurityManagerPtr mgr);
 typedef int (*virSecurityDriverClose) (virSecurityManagerPtr mgr);
 
@@ -125,6 +125,7 @@ struct _virSecurityDriver {
     virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
 };
 
-virSecurityDriverPtr virSecurityDriverLookup(const char *name);
+virSecurityDriverPtr virSecurityDriverLookup(const char *name,
+                                             const char *virtDriver);
 
 #endif /* __VIR_SECURITY_H__ */
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 0a43458..e0dd165 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -38,9 +38,11 @@ struct _virSecurityManager {
     bool allowDiskFormatProbing;
     bool defaultConfined;
     bool requireConfined;
+    const char *virtDriver;
 };
 
 static virSecurityManagerPtr virSecurityManagerNewDriver(virSecurityDriverPtr drv,
+                                                         const char *virtDriver,
                                                          bool allowDiskFormatProbing,
                                                          bool defaultConfined,
                                                          bool requireConfined)
@@ -56,6 +58,7 @@ static virSecurityManagerPtr virSecurityManagerNewDriver(virSecurityDriverPtr dr
     mgr->allowDiskFormatProbing = allowDiskFormatProbing;
     mgr->defaultConfined = defaultConfined;
     mgr->requireConfined = requireConfined;
+    mgr->virtDriver = virtDriver;
 
     if (drv->open(mgr) < 0) {
         virSecurityManagerFree(mgr);
@@ -70,6 +73,7 @@ virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary,
 {
     virSecurityManagerPtr mgr =
         virSecurityManagerNewDriver(&virSecurityDriverStack,
+                                    virSecurityManagerGetDriver(primary),
                                     virSecurityManagerGetAllowDiskFormatProbing(primary),
                                     virSecurityManagerGetDefaultConfined(primary),
                                     virSecurityManagerGetRequireConfined(primary));
@@ -83,7 +87,8 @@ virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary,
     return mgr;
 }
 
-virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user,
+virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
+                                               uid_t user,
                                                gid_t group,
                                                bool allowDiskFormatProbing,
                                                bool defaultConfined,
@@ -92,6 +97,7 @@ virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user,
 {
     virSecurityManagerPtr mgr =
         virSecurityManagerNewDriver(&virSecurityDriverDAC,
+                                    virtDriver,
                                     allowDiskFormatProbing,
                                     defaultConfined,
                                     requireConfined);
@@ -107,11 +113,12 @@ virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user,
 }
 
 virSecurityManagerPtr virSecurityManagerNew(const char *name,
+                                            const char *virtDriver,
                                             bool allowDiskFormatProbing,
                                             bool defaultConfined,
                                             bool requireConfined)
 {
-    virSecurityDriverPtr drv = virSecurityDriverLookup(name);
+    virSecurityDriverPtr drv = virSecurityDriverLookup(name, virtDriver);
     if (!drv)
         return NULL;
 
@@ -136,6 +143,7 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
     }
 
     return virSecurityManagerNewDriver(drv,
+                                       virtDriver,
                                        allowDiskFormatProbing,
                                        defaultConfined,
                                        requireConfined);
@@ -162,6 +170,12 @@ void virSecurityManagerFree(virSecurityManagerPtr mgr)
 }
 
 const char *
+virSecurityManagerGetDriver(virSecurityManagerPtr mgr)
+{
+    return mgr->virtDriver;
+}
+
+const char *
 virSecurityManagerGetDOI(virSecurityManagerPtr mgr)
 {
     if (mgr->drv->getDOI)
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 32c8c3b..ca27bc6 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -32,6 +32,7 @@ typedef struct _virSecurityManager virSecurityManager;
 typedef virSecurityManager *virSecurityManagerPtr;
 
 virSecurityManagerPtr virSecurityManagerNew(const char *name,
+                                            const char *virtDriver,
                                             bool allowDiskFormatProbing,
                                             bool defaultConfined,
                                             bool requireConfined);
@@ -39,7 +40,8 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
 virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary,
                                                  virSecurityManagerPtr secondary);
 
-virSecurityManagerPtr virSecurityManagerNewDAC(uid_t user,
+virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
+                                               uid_t user,
                                                gid_t group,
                                                bool allowDiskFormatProbing,
                                                bool defaultConfined,
@@ -50,6 +52,7 @@ void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr);
 
 void virSecurityManagerFree(virSecurityManagerPtr mgr);
 
+const char *virSecurityManagerGetDriver(virSecurityManagerPtr mgr);
 const char *virSecurityManagerGetDOI(virSecurityManagerPtr mgr);
 const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
 bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index c3bd426..e979b54 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -21,7 +21,7 @@
 
 #include "security_nop.h"
 
-static virSecurityDriverStatus virSecurityDriverProbeNop(void)
+static virSecurityDriverStatus virSecurityDriverProbeNop(const char *virtDriver ATTRIBUTE_UNUSED)
 {
     return SECURITY_DRIVER_ENABLE;
 }
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 1e27e10..4bd33a5 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -346,7 +346,7 @@ err:
 
 
 static int
-SELinuxSecurityDriverProbe(void)
+SELinuxSecurityDriverProbe(const char *virtDriver ATTRIBUTE_UNUSED)
 {
     return is_selinux_enabled() ? SECURITY_DRIVER_ENABLE : SECURITY_DRIVER_DISABLE;
 }
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index c82865f..2eab38c 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -49,7 +49,7 @@ void virSecurityStackSetSecondary(virSecurityManagerPtr mgr,
 }
 
 static virSecurityDriverStatus
-virSecurityStackProbe(void)
+virSecurityStackProbe(const char *virtDriver ATTRIBUTE_UNUSED)
 {
     return SECURITY_DRIVER_ENABLE;
 }
diff --git a/tests/seclabeltest.c b/tests/seclabeltest.c
index fca76b9..2f65ec1 100644
--- a/tests/seclabeltest.c
+++ b/tests/seclabeltest.c
@@ -13,7 +13,7 @@ main (int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED)
     virSecurityManagerPtr mgr;
     const char *doi, *model;
 
-    mgr = virSecurityManagerNew(NULL, false, true, false);
+    mgr = virSecurityManagerNew(NULL, "QEMU", false, true, false);
     if (mgr == NULL) {
         fprintf (stderr, "Failed to start security driver");
         exit (-1);
-- 
1.7.10.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]