From 52568bd61d6fcf0ac32fea4db57527f9fe28c9a5 Mon Sep 17 00:00:00 2001
Message-Id: <52568bd61d6fcf0ac32fea4db57527f9fe28c9a5@dist-git>
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
Date: Mon, 27 Nov 2017 14:20:59 +0100
Subject: [PATCH] security: Introduce functions for input device hot(un)plug
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Export the existing DAC and SELinux for separate use and introduce
functions for stack, nop and the security manager.
(cherry picked from commit d8116b5a0a6364b29e9774323d9aa442ad8c561d)
https://bugzilla.redhat.com/show_bug.cgi?id=1509866
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
src/libvirt_private.syms | 2 ++
src/security/security_dac.c | 3 +++
src/security/security_driver.h | 9 +++++++++
src/security/security_manager.c | 36 ++++++++++++++++++++++++++++++++++++
src/security/security_manager.h | 8 ++++++++
src/security/security_nop.c | 11 +++++++++++
src/security/security_selinux.c | 3 +++
src/security/security_stack.c | 38 ++++++++++++++++++++++++++++++++++++++
8 files changed, 110 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 3e0bc8730c..65b1143c9b 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1267,6 +1267,7 @@ virSecurityManagerRestoreAllLabel;
virSecurityManagerRestoreDiskLabel;
virSecurityManagerRestoreHostdevLabel;
virSecurityManagerRestoreImageLabel;
+virSecurityManagerRestoreInputLabel;
virSecurityManagerRestoreMemoryLabel;
virSecurityManagerRestoreSavedStateLabel;
virSecurityManagerSetAllLabel;
@@ -1276,6 +1277,7 @@ virSecurityManagerSetDiskLabel;
virSecurityManagerSetHostdevLabel;
virSecurityManagerSetImageFDLabel;
virSecurityManagerSetImageLabel;
+virSecurityManagerSetInputLabel;
virSecurityManagerSetMemoryLabel;
virSecurityManagerSetProcessLabel;
virSecurityManagerSetSavedStateLabel;
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 244b300a9f..24d9264216 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -2103,6 +2103,9 @@ virSecurityDriver virSecurityDriverDAC = {
.domainSetSecurityMemoryLabel = virSecurityDACSetMemoryLabel,
.domainRestoreSecurityMemoryLabel = virSecurityDACRestoreMemoryLabel,
+ .domainSetSecurityInputLabel = virSecurityDACSetInputLabel,
+ .domainRestoreSecurityInputLabel = virSecurityDACRestoreInputLabel,
+
.domainSetSecurityDaemonSocketLabel = virSecurityDACSetDaemonSocketLabel,
.domainSetSecuritySocketLabel = virSecurityDACSetSocketLabel,
.domainClearSecuritySocketLabel = virSecurityDACClearSocketLabel,
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 0b3b452486..1b3070d06d 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -131,6 +131,12 @@ typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManagerPtr mgr,
typedef int (*virSecurityDomainRestoreMemoryLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainMemoryDefPtr mem);
+typedef int (*virSecurityDomainSetInputLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainInputDefPtr input);
+typedef int (*virSecurityDomainRestoreInputLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainInputDefPtr input);
typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def,
const char *path);
@@ -163,6 +169,9 @@ struct _virSecurityDriver {
virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel;
virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel;
+ virSecurityDomainSetInputLabel domainSetSecurityInputLabel;
+ virSecurityDomainRestoreInputLabel domainRestoreSecurityInputLabel;
+
virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 60cfc92e77..3cf12188a0 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -1116,3 +1116,39 @@ virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
virReportUnsupportedError();
return -1;
}
+
+
+int
+virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ virDomainInputDefPtr input)
+{
+ if (mgr->drv->domainSetSecurityInputLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainSetSecurityInputLabel(mgr, vm, input);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ virReportUnsupportedError();
+ return -1;
+}
+
+
+int
+virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ virDomainInputDefPtr input)
+{
+ if (mgr->drv->domainRestoreSecurityInputLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainRestoreSecurityInputLabel(mgr, vm, input);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ virReportUnsupportedError();
+ return -1;
+}
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 08fb89203a..87fe890692 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -172,6 +172,14 @@ int virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
virDomainMemoryDefPtr mem);
+int virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ virDomainInputDefPtr input);
+int virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ virDomainInputDefPtr input);
+
+
int virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
const char *path);
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 527be11e5a..cfb032c686 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -254,6 +254,14 @@ virSecurityDomainRestoreMemoryLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSE
return 0;
}
+static int
+virSecurityDomainInputLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainInputDefPtr input ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
virSecurityDriver virSecurityDriverNop = {
.privateDataLen = 0,
@@ -276,6 +284,9 @@ virSecurityDriver virSecurityDriverNop = {
.domainSetSecurityMemoryLabel = virSecurityDomainSetMemoryLabelNop,
.domainRestoreSecurityMemoryLabel = virSecurityDomainRestoreMemoryLabelNop,
+ .domainSetSecurityInputLabel = virSecurityDomainInputLabelNop,
+ .domainRestoreSecurityInputLabel = virSecurityDomainInputLabelNop,
+
.domainSetSecurityDaemonSocketLabel = virSecurityDomainSetDaemonSocketLabelNop,
.domainSetSecuritySocketLabel = virSecurityDomainSetSocketLabelNop,
.domainClearSecuritySocketLabel = virSecurityDomainClearSocketLabelNop,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index cd3e411931..d44de72e02 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3058,6 +3058,9 @@ virSecurityDriver virSecurityDriverSELinux = {
.domainSetSecurityMemoryLabel = virSecuritySELinuxSetMemoryLabel,
.domainRestoreSecurityMemoryLabel = virSecuritySELinuxRestoreMemoryLabel,
+ .domainSetSecurityInputLabel = virSecuritySELinuxSetInputLabel,
+ .domainRestoreSecurityInputLabel = virSecuritySELinuxRestoreInputLabel,
+
.domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetDaemonSocketLabel,
.domainSetSecuritySocketLabel = virSecuritySELinuxSetSocketLabel,
.domainClearSecuritySocketLabel = virSecuritySELinuxClearSocketLabel,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 53eee1692f..cd916382b2 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -666,6 +666,41 @@ virSecurityStackRestoreMemoryLabel(virSecurityManagerPtr mgr,
return rc;
}
+static int
+virSecurityStackSetInputLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ virDomainInputDefPtr input)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+ int rc = 0;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerSetInputLabel(item->securityManager, vm, input) < 0)
+ rc = -1;
+ }
+
+ return rc;
+}
+
+static int
+virSecurityStackRestoreInputLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ virDomainInputDefPtr input)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+ int rc = 0;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerRestoreInputLabel(item->securityManager,
+ vm, input) < 0)
+ rc = -1;
+ }
+
+ return rc;
+}
+
static int
virSecurityStackDomainSetPathLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
@@ -711,6 +746,9 @@ virSecurityDriver virSecurityDriverStack = {
.domainSetSecurityMemoryLabel = virSecurityStackSetMemoryLabel,
.domainRestoreSecurityMemoryLabel = virSecurityStackRestoreMemoryLabel,
+ .domainSetSecurityInputLabel = virSecurityStackSetInputLabel,
+ .domainRestoreSecurityInputLabel = virSecurityStackRestoreInputLabel,
+
.domainSetSecurityDaemonSocketLabel = virSecurityStackSetDaemonSocketLabel,
.domainSetSecuritySocketLabel = virSecurityStackSetSocketLabel,
.domainClearSecuritySocketLabel = virSecurityStackClearSocketLabel,
--
2.15.1