[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 3/4] security: Introduce method for labeling file descriptors of created files



On Wed, Jun 26, 2013 at 03:01:49PM +0200, Peter Krempa wrote:
> The method labels the file descriptor even if dynamic labeling/relabeling
> is turned off. This is needed for files created by libvirt and then
> passed along to qemu as a FD.
> ---
>  src/libvirt_private.syms        |  1 +
>  src/security/security_dac.c     |  9 +++++++++
>  src/security/security_driver.h  |  4 ++++
>  src/security/security_manager.c | 16 ++++++++++++++++
>  src/security/security_manager.h |  3 +++
>  src/security/security_nop.c     |  1 +
>  src/security/security_selinux.c | 21 +++++++++++++++++++++
>  src/security/security_stack.c   | 19 +++++++++++++++++++
>  8 files changed, 74 insertions(+)
> 

> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index 7802dda..5894259 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -2446,6 +2446,26 @@ virSecuritySELinuxGetSecurityMountOptions(virSecurityManagerPtr mgr,
>      return opts;
>  }
> 
> +static int
> +virSecuritySELinuxSetCreatedFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> +                                    virDomainDefPtr def,
> +                                    int fd)
> +{
> +    virSecurityLabelDefPtr secdef;
> +
> +    if ((secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME))) {
> +        if (!secdef->imagelabel)
> +            secdef->imagelabel = virSecuritySELinuxGenImageLabel(mgr, def);

This is really dubious. None of the methods except for GenSecurityLabel
should be making changes to the secdef state.

> +    } else {
> +        return -1;
> +    }

The style with nested if()s here is not following the pattern used in other
methods here either.

> +
> +    if (secdef->imagelabel == NULL)
> +        return 0;
> +
> +    return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
> +}


In general I'm not really convinced we should be adding a new method
here, as opposed to making the existing SetImageFDLabel do the right
thing.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]