[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 08/23] Add support for SELinux labelling of hostdev storage/misc devices



From: "Daniel P. Berrange" <berrange redhat com>

The SELinux security driver needs to learn to label storage/misc
hostdev devices for LXC

Signed-off-by: Daniel P. Berrange <berrange redhat com>
---
 src/security/security_selinux.c | 118 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index ad13490..6f0cd4d 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1171,6 +1171,65 @@ done:
 
 
 static int
+virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
+                                              virDomainHostdevDefPtr dev,
+                                              const char *vroot)
+{
+    int ret = -1;
+    virSecurityLabelDefPtr secdef;
+    char *path;
+
+    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+    if (secdef == NULL)
+        return -1;
+
+    switch (dev->source.caps.type) {
+    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
+        if (vroot) {
+            if (virAsprintf(&path, "%s/%s", vroot,
+                            dev->source.caps.u.storage.block) < 0) {
+                virReportOOMError();
+                return -1;
+            }
+        } else {
+            if (!(path = strdup(dev->source.caps.u.storage.block))) {
+                virReportOOMError();
+                return -1;
+            }
+        }
+        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
+        VIR_FREE(path);
+        break;
+    }
+
+    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
+        if (vroot) {
+            if (virAsprintf(&path, "%s/%s", vroot,
+                            dev->source.caps.u.misc.chardev) < 0) {
+                virReportOOMError();
+                return -1;
+            }
+        } else {
+            if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
+                virReportOOMError();
+                return -1;
+            }
+        }
+        ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
+        VIR_FREE(path);
+        break;
+    }
+
+    default:
+        ret = 0;
+        break;
+    }
+
+    return ret;
+}
+
+
+static int
 virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                           virDomainDefPtr def,
                                           virDomainHostdevDefPtr dev,
@@ -1190,6 +1249,9 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
     case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
         return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot);
 
+    case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
+        return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot);
+
     default:
         return 0;
     }
@@ -1265,6 +1327,59 @@ done:
 
 
 static int
+virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virDomainHostdevDefPtr dev,
+                                                  const char *vroot)
+{
+    int ret = -1;
+    char *path;
+
+    switch (dev->source.caps.type) {
+    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
+        if (vroot) {
+            if (virAsprintf(&path, "%s/%s", vroot,
+                            dev->source.caps.u.storage.block) < 0) {
+                virReportOOMError();
+                return -1;
+            }
+        } else {
+            if (!(path = strdup(dev->source.caps.u.storage.block))) {
+                virReportOOMError();
+                return -1;
+            }
+        }
+        ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
+        VIR_FREE(path);
+        break;
+    }
+
+    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
+        if (vroot) {
+            if (virAsprintf(&path, "%s/%s", vroot,
+                            dev->source.caps.u.misc.chardev) < 0) {
+                virReportOOMError();
+                return -1;
+            }
+        } else {
+            if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
+                virReportOOMError();
+                return -1;
+            }
+        }
+        ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
+        VIR_FREE(path);
+        break;
+    }
+
+    default:
+        ret = 0;
+        break;
+    }
+
+    return ret;
+}
+
+
+static int
 virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                               virDomainDefPtr def,
                                               virDomainHostdevDefPtr dev,
@@ -1284,6 +1399,9 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUT
     case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
         return virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(dev, vroot);
 
+    case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
+        return virSecuritySELinuxRestoreSecurityHostdevCapsLabel(dev, vroot);
+
     default:
         return 0;
     }
-- 
1.8.0.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]