[libvirt] [PATCH 02/11] syntax-check: Enforce qemuSecurity

Michal Privoznik mprivozn at redhat.com
Wed Feb 8 14:40:56 UTC 2017


On 02/08/2017 02:32 PM, Peter Krempa wrote:
> On Wed, Feb 08, 2017 at 11:37:05 +0100, Michal Privoznik wrote:
>> Now that we have some qemuSecurity wrappers over
>> virSecurityManager APIs, lets make sure everybody sticks with
>> them. We have them for a reason and calling virSecurityManager
>> API directly instead of wrapper may lead into accidentally
>> labelling a file on the host instead of namespace.
>>
>> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>> ---
>>  cfg.mk | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/cfg.mk b/cfg.mk
>> index 69e3f3a1a..6fb2fc961 100644
>> --- a/cfg.mk
>> +++ b/cfg.mk
>> @@ -585,6 +585,14 @@ sc_prohibit_unsigned_pid:
>>  	halt='use signed type for pid values'				\
>>  	  $(_sc_search_regexp)
>>  
>> +sc_prohibit_direct_secdriver:
>> +	@for i in $$(grep -i ^WRAP.\( src/qemu/qemu_security.c | 			\
>> +	awk 'BEGIN {FS = "[^[:alnum:]]"} {print "virSecurityManager" $$2 }'); do	\
>> +	  grep -n $$i $$($(VC_LIST_EXCEPT) | grep -E '^src/qemu/') && \
>> +	  { echo "$(ME): prefer qemuSecurity$${i#virSecurityManager} over $$i" 1>&2; exit 1; }	\
>> +    done || :
> 
> This won't work without the "WRAP" stuff so you'll need to come up with
> something else.
> 

Without WRAP it's going to be super tricky as I'd have try to match
functions from qemu_security.h with those from security_manager.h. If
you have some bright idea, please do share it, because frankly I'm out
of them.

Michal




More information about the libvir-list mailing list