[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 4/6] security: Ignore to manage the volume type disk if its mode is uri



It's straightforward to not manage security labels for remote URI
like "iscsi://example.org:6000/iqn.1992-01.com.example/1".
---
 src/security/security_apparmor.c | 10 ++++++++--
 src/security/security_dac.c      | 10 ++++++++--
 src/security/security_selinux.c  | 10 ++++++++--
 3 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 87c2777..b8a5be2 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -682,7 +682,10 @@ AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
                                   virDomainDefPtr def,
                                   virDomainDiskDefPtr disk)
 {
-    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK ||
+        (disk->type == VIR_DOMAIN_DISK_TYPE_VOLUME &&
+         disk->srcpool &&
+         disk->srcpool->mode == VIR_DOMAIN_DISK_SOURCE_POOL_MODE_URI))
         return 0;
 
     return reload_profile(mgr, def, NULL, false);
@@ -704,7 +707,10 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
     if (secdef->norelabel)
         return 0;
 
-    if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+    if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK ||
+        (disk->type == VIR_DOMAIN_DISK_TYPE_VOLUME &&
+         disk->srcpool &&
+         disk->srcpool->mode == VIR_DOMAIN_DISK_SOURCE_POOL_MODE_URI))
         return 0;
 
     if (secdef->imagelabel) {
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index b8d1a92..881101a 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -368,7 +368,10 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
     if (!priv->dynamicOwnership)
         return 0;
 
-    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK ||
+        (disk->type == VIR_DOMAIN_DISK_TYPE_VOLUME &&
+         disk->srcpool &&
+         disk->srcpool->mode == VIR_DOMAIN_DISK_SOURCE_POOL_MODE_URI))
         return 0;
 
     params[0] = mgr;
@@ -391,7 +394,10 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
     if (!priv->dynamicOwnership)
         return 0;
 
-    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK ||
+        (disk->type == VIR_DOMAIN_DISK_TYPE_VOLUME &&
+         disk->srcpool &&
+         disk->srcpool->mode == VIR_DOMAIN_DISK_SOURCE_POOL_MODE_URI))
         return 0;
 
     /* Don't restore labels on readoly/shared disks, because
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index b862fbf..829bd89 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1148,7 +1148,10 @@ virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
     if (disk->readonly || disk->shared)
         return 0;
 
-    if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+    if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK ||
+        (disk->type == VIR_DOMAIN_DISK_TYPE_VOLUME &&
+         disk->srcpool &&
+         disk->srcpool->mode == VIR_DOMAIN_DISK_SOURCE_POOL_MODE_URI))
         return 0;
 
     /* If we have a shared FS & doing migrated, we must not
@@ -1248,7 +1251,10 @@ virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
     if (cbdata.secdef->norelabel)
         return 0;
 
-    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK ||
+        (disk->type == VIR_DOMAIN_DISK_TYPE_VOLUME &&
+         disk->srcpool &&
+         disk->srcpool->mode == VIR_DOMAIN_DISK_SOURCE_POOL_MODE_URI))
         return 0;
 
     return virDomainDiskDefForeachPath(disk,
-- 
1.8.1.4


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]