[libvirt] [PATCH v1 03/19] security: Allow a vhost protocol for scsi hostdev

Eric Farman farman at linux.vnet.ibm.com
Mon Jul 25 20:48:04 UTC 2016


Make sure that the new vhost protocol does not drive the existing
virtio SCSI code.

Signed-off-by: Eric Farman <farman at linux.vnet.ibm.com>
Reviewed-by: Bjoern Walk <bwalk at linux.vnet.ibm.com>
Reviewed-by: Marc Hartmayer <mhartmay at linux.vnet.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy at linux.vnet.ibm.com>
---
 src/security/security_apparmor.c |  5 +++--
 src/security/security_dac.c      | 10 ++++++----
 src/security/security_selinux.c  | 10 ++++++----
 3 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index af2b639..e3fcc58 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -842,10 +842,11 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
         return 0;
 
     /* Like AppArmorRestoreSecurityImageLabel() for a networked disk,
-     * do nothing for an iSCSI hostdev
+     * do nothing for an iSCSI or vhost-scsi hostdev
      */
     if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
-        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+        (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI ||
+         scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_VHOST))
         return 0;
 
     if (profile_loaded(secdef->imagelabel) < 0)
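Review bot: The comment above the widened check still justifies the early return by analogy with a networked disk, which fits iSCSI but not obviously vhost-scsi, since a vhost-scsi hostdev is served by the host kernel and is presumably reached through a local device node that libvirt or the QEMU process has to open. If no label is needed because libvirt opens that node itself and hands the descriptor over, or because a later patch in the series labels it, the comment should say so, for example `/* vhost-scsi: no per-LUN host path to label here; access to the vhost device is granted by <where> */`. If neither holds, this return leaves the device without an AppArmor rule or a DAC/SELinux label, and the problem would only surface when a confined guest is started. The same applies to the identical hunks in virSecurityDACSetHostdevLabel, virSecurityDACRestoreHostdevLabel, virSecuritySELinuxSetHostdevSubsysLabel and virSecuritySELinuxRestoreHostdevSubsysLabel; each enclosing function starts and ends outside its hunk.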
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 442ce70..75b5819 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -601,10 +601,11 @@ virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr,
         return 0;
 
     /* Like virSecurityDACSetImageLabel() for a networked disk,
-     * do nothing for an iSCSI hostdev
+     * do nothing for an iSCSI or vhost-scsi hostdev
      */
     if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
-        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+        (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI ||
+         scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_VHOST))
         return 0;
 
     cbdata.manager = mgr;
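Review bot: The test `scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI || scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_VHOST` is now repeated verbatim in five functions across the three security drivers. The next protocol added has to be remembered in every copy, and a missed copy would make a Set path and its Restore path disagree about which devices were relabelled. A single shared predicate taking `dev`, returning true when a SCSI hostdev has no host path to label, would keep the drivers in step and give the rationale one place to be documented. The function continues outside this hunk.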
@@ -742,10 +743,11 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr,
         return 0;
 
     /* Like virSecurityDACRestoreImageLabelInt() for a networked disk,
-     * do nothing for an iSCSI hostdev
+     * do nothing for an iSCSI or vhost-scsi hostdev
      */
     if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
-        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+        (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI ||
+         scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_VHOST))
         return 0;
 
     switch ((virDomainHostdevSubsysType) dev->source.subsys.type) {
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 4be946d..8632d0f 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1430,10 +1430,11 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr mgr,
     int ret = -1;
 
     /* Like virSecuritySELinuxSetImageLabelInternal() for a networked
-     * disk, do nothing for an iSCSI hostdev
+     * disk, do nothing for an iSCSI or vhost-scsi hostdev
      */
     if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
-        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+        (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI ||
+         scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_VHOST))
         return 0;
 
     switch (dev->source.subsys.type) {
@@ -1634,10 +1635,11 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr,
     int ret = -1;
 
     /* Like virSecuritySELinuxRestoreImageLabelInt() for a networked
-     * disk, do nothing for an iSCSI hostdev
+     * disk, do nothing for an iSCSI or vhost-scsi hostdev
      */
     if (dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
-        scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI)
+        (scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI ||
+         scsisrc->protocol == VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_VHOST))
         return 0;
 
     switch (dev->source.subsys.type) {
-- 
1.9.1



