[libvirt] [PATCH v3 1/2] security: also parse user/group names instead of just IDs for DAC labels
Peter Krempa
pkrempa at redhat.com
Wed Oct 3 10:13:05 UTC 2012
On 10/02/12 19:57, Marcelo Cerri wrote:
> The DAC driver is missing parsing of group and user names for DAC labels
> and currently just parses uid and gid. This patch extends it to support
> names, so the following security label definition is now valid:
>
> <seclabel type='static' model='dac' relabel='yes'>
> <label>qemu:qemu</label>
> <imagelabel>qemu:qemu</imagelabel>
> </seclabel>
>
> When it tries to parse an owner or a group, it first tries to resolve it as
> a name, if it fails or it's an invalid user/group name then it tries to
> parse it as an UID or GID. A leading '+' can also be used for both owner and
> group to force it to be parsed as IDs, so the following example is also
> valid:
>
> <seclabel type='static' model='dac' relabel='yes'>
> <label>+101:+101</label>
> <imagelabel>+101:+101</imagelabel>
> </seclabel>
>
> This ensures that UID 101 and GUI 101 will be used instead of an user or
> group named "101".
> ---
> src/security/security_dac.c | 92 ++++++++++++++++++++++++++++++++++-----------
> 1 file changed, 70 insertions(+), 22 deletions(-)
>
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 0fa66ce..bb2c6be 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -68,26 +68,79 @@ void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
> static
> int parseIds(const char *label, uid_t *uidPtr, gid_t *gidPtr)
> {
>
> /* returns 1 if label isn't found, 0 on success, -1 on error */
> @@ -103,16 +156,14 @@ int virSecurityDACParseIds(virDomainDefPtr def, uid_t *uidPtr, gid_t *gidPtr)
>
> seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
> if (seclabel == NULL || seclabel->label == NULL) {
> - VIR_DEBUG("DAC seclabel for domain '%s' wasn't found", def->name);
> + virReportError(VIR_ERR_INVALID_ARG,
> + _("DAC seclabel for domain '%s' wasn't found"),
> + def->name);
This error will be masked so the VIR_DEBUG statement was fine here.
> return 1;
> }
>
> - if (seclabel->label && parseIds(seclabel->label, &uid, &gid)) {
> - virReportError(VIR_ERR_INVALID_ARG,
> - _("failed to parse DAC seclabel '%s' for domain '%s'"),
> - seclabel->label, def->name);
> + if (parseIds(seclabel->label, &uid, &gid) < 0)
> return -1;
> - }
>
> if (uidPtr)
> *uidPtr = uid;
> @@ -168,17 +219,14 @@ int virSecurityDACParseImageIds(virDomainDefPtr def,
>
> seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
> if (seclabel == NULL || seclabel->imagelabel == NULL) {
> - VIR_DEBUG("DAC imagelabel for domain '%s' wasn't found", def->name);
> + virReportError(VIR_ERR_INVALID_ARG,
> + _("DAC imagelabel for domain '%s' wasn't found"),
> + def->name);
And same here.
> return 1;
> }
>
> - if (seclabel->imagelabel
> - && parseIds(seclabel->imagelabel, &uid, &gid)) {
> - virReportError(VIR_ERR_INVALID_ARG,
> - _("failed to parse DAC imagelabel '%s' for domain '%s'"),
> - seclabel->imagelabel, def->name);
> + if (parseIds(seclabel->imagelabel, &uid, &gid) < 0)
> return -1;
> - }
Otherwise looks good. So I'm going to push this with following changes
squashed in:
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index bb2c6be..a427e9d 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -156,9 +156,7 @@ int virSecurityDACParseIds(virDomainDefPtr def, uid_t *uidPtr, gid_t *gidPtr)
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
if (seclabel == NULL || seclabel->label == NULL) {
- virReportError(VIR_ERR_INVALID_ARG,
- _("DAC seclabel for domain '%s' wasn't found"),
- def->name);
+ VIR_DEBUG("DAC seclabel for domain '%s' wasn't found", def->name);
return 1;
}
@@ -219,9 +217,7 @@ int virSecurityDACParseImageIds(virDomainDefPtr def,
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
if (seclabel == NULL || seclabel->imagelabel == NULL) {
- virReportError(VIR_ERR_INVALID_ARG,
- _("DAC imagelabel for domain '%s' wasn't found"),
- def->name);
+ VIR_DEBUG("DAC imagelabel for domain '%s' wasn't found", def->name);
return 1;
}
Peter
More information about the libvir-list
mailing list