[libvirt] [PATCH 8/9] Support seclabels for volume type disk
John Ferlan
jferlan at redhat.com
Thu Jan 31 18:07:15 UTC 2013
On 01/30/2013 01:11 PM, Osier Yang wrote:
> "seclabels" is only valid for 'file' or 'block' type storage volume.
> ---
> docs/formatdomain.html.in | 31 ++++++++++++++++---------------
> docs/schemas/domaincommon.rng | 3 +++
> src/conf/domain_conf.c | 12 ++++++++++--
> src/storage/storage_driver.c | 9 +++++++++
> 4 files changed, 38 insertions(+), 17 deletions(-)
>
> diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
> index 8186f3b..93c56d8 100644
> --- a/docs/formatdomain.html.in
> +++ b/docs/formatdomain.html.in
> @@ -1434,24 +1434,25 @@
> path to the file holding the disk. If the disk
> <code>type</code> is "block", then the <code>dev</code>
> attribute specifies the path to the host device to serve as
> - the disk. With both "file" and "block", one or more optional
> + the disk. With "file", "block" or "volume", one or more optional
> sub-elements <code>seclabel</code>, <a href="#seclabel">described
> below</a> (and <span class="since">since 0.9.9</span>), can be
> used to override the domain security labeling policy for just
> - that source file. If the disk <code>type</code> is "dir", then the
> - <code>dir</code> attribute specifies the fully-qualified path
> - to the directory to use as the disk. If the disk <code>type</code>
> - is "network", then the <code>protocol</code> attribute specifies
> - the protocol to access to the requested image; possible values
> - are "nbd", "rbd", "sheepdog" or "gluster". If the
> - <code>protocol</code> attribute is "rbd", "sheepdog" or "gluster", an
> - additional attribute <code>name</code> is mandatory to specify which
> - volume/image will be used. When the disk <code>type</code> is
> - "network", the <code>source</code> may have zero or
> - more <code>host</code> sub-elements used to specify the hosts
> - to connect. If the disk <code>type</code> is "volume", the underlying
> - disk source is represented by attributes <code>pool</code> and
> - <code>volume</code>. Attribute <code>pool</code> specifies the
> + that source file. (NB, <code>seclable</code> is not valid unless
s/seclable/seclabel
> + the specified storage volume is of 'file' or 'block' type).
> + If the disk <code>type</code> is "dir", then the <code>dir</code>
> + attribute specifies the fully-qualified path to the directory to
> + use as the disk. If the disk <code>type</code> is "network", then
> + the <code>protocol</code> attribute specifies the protocol to access
> + to the requested image; possible values are "nbd", "rbd", "sheepdog"
> + or "gluster". If the <code>protocol</code> attribute is "rbd",
> + "sheepdog" or "gluster", an additional attribute <code>name</code>
> + is mandatory to specify which volume/image will be used. When the
> + disk <code>type</code> is "network", the <code>source</code> may
> + have zero or more <code>host</code> sub-elements used to specify
> + the hosts to connect. If the disk <code>type</code> is "volume",
> + the underlying disk source is represented by attributes <code>pool</code>
> + and <code>volume</code>. Attribute <code>pool</code> specifies the
> name of storage pool (managed by libvirt) where the disk source resides,
> and attribute <code>volume</code> specifies the name of storage volume
> (managed by libvirt) used as the disk source.
> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
> index 6d426ac..820f10d 100644
> --- a/docs/schemas/domaincommon.rng
> +++ b/docs/schemas/domaincommon.rng
> @@ -1097,6 +1097,9 @@
> <optional>
> <ref name="startupPolicy"/>
> </optional>
> + <optional>
> + <ref name='devSeclabel'/>
> + </optional>
> </element>
> </optional>
> <ref name="diskspec"/>
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index 7b08b69..00ddae3 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -12322,7 +12322,7 @@ virDomainDiskSourceDefFormat(virBufferPtr buf,
> }
> break;
> case VIR_DOMAIN_DISK_TYPE_VOLUME:
> - if (def->srcpool || def->startupPolicy)
> + if (def->srcpool || def->startupPolicy || def->nseclabels)
> virBufferAddLit(buf, " <source");
>
> if (def->srcpool)
> @@ -12331,8 +12331,16 @@ virDomainDiskSourceDefFormat(virBufferPtr buf,
> if (def->startupPolicy)
> virBufferEscapeString(buf, " startupPolicy='%s'", startupPolicy);
>
> - if (def->srcpool || def->startupPolicy)
> + if (def->nseclabels) {
> + virBufferAddLit(buf, ">\n");
> + virBufferAdjustIndent(buf, 8);
> + for (n = 0; n < def->nseclabels; n++)
> + virSecurityDeviceLabelDefFormat(buf, def->seclabels[n]);
> + virBufferAdjustIndent(buf, -8);
> + virBufferAddLit(buf, " </source>\n");
> + } else if (def->srcpool || def->startupPolicy) {
> virBufferAddLit(buf, "/>\n");
> + }
> break;
> default:
> virReportError(VIR_ERR_INTERNAL_ERROR,
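Review bot: The new VOLUME branch formats `<seclabel>` children for every volume type, so a volume-type disk carrying seclabels is parsed, re-emitted and persisted by the domain config layer regardless of what the volume turns out to be; the only rejection of non-file/non-block volumes is the one added to storageTranslateDomainDiskSourcePool in the same series, which runs when the source is translated, not at define time. That is unavoidable because the volume type is unknown at parse time, but the branch should say so, e.g. `/* volume type is unknown here; seclabels are validated against it in storageTranslateDomainDiskSourcePool */`. The loop index `n` is not declared in the hunk — presumably it is the one the file/block cases already use, but that context is outside the hunk, and virDomainDiskSourceDefFormat starts outside it too. The loop also looks like a copy of the file/block seclabel formatting; a small static helper would keep the three cases from drifting apart.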
> diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
> index 3e710ef..f2ca310 100644
> --- a/src/storage/storage_driver.c
> +++ b/src/storage/storage_driver.c
> @@ -2433,6 +2433,15 @@ storageTranslateDomainDiskSourcePool(virConnectPtr conn,
> goto cleanup;
> }
>
> + if (disk->nseclabels &&
> + vol->type != VIR_STORAGE_VOL_FILE &&
> + vol->type != VIR_STORAGE_VOL_BLOCK) {
> + virReportError(VIR_ERR_XML_ERROR, "%s",
> + _("'seclabels' is only valid for 'file' or "
> + "'block' type volume"));
> + goto cleanup;
> + }
> +
> switch (vol->type) {
> case VIR_STORAGE_VOL_FILE:
> case VIR_STORAGE_VOL_BLOCK:
>
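Review bot: The rejection is reported as VIR_ERR_XML_ERROR, but the domain XML is well-formed; what fails is the combination of a valid `<seclabel>` with the type of the volume resolved at runtime, so VIR_ERR_CONFIG_UNSUPPORTED describes the failure more accurately, e.g. `virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",`. Because the check only runs when the disk source pool is translated, a definition with seclabels on a non-file/block volume is accepted at define time and only fails when the domain starts; a comment on the check, such as `/* vol->type is only known once the pool has been looked up, so this cannot be caught at parse time */`, would spare the next reader from looking for an earlier check. storageTranslateDomainDiskSourcePool starts outside the hunk.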
ACK w/ the minor edit