From 093bf98d1a85c1032228bb5bc2089bdd67949e48 Mon Sep 17 00:00:00 2001
Message-Id: <093bf98d1a85c1032228bb5bc2089bdd67949e48@dist-git>
From: Pavel Hrdina <phrdina@redhat.com>
Date: Tue, 5 Dec 2017 14:02:33 +0100
Subject: [PATCH] security: introduce
virSecurityManager(Set|Restore)ChardevLabel
SELinux and DAC drivers already have both functions but they were not
exposed through the security manager's public API.
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 1b4f66ec80d7751d4f4c858ffc8d5e3b936e72de)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1465833
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
src/libvirt_private.syms | 2 ++
src/security/security_dac.c | 3 +++
src/security/security_driver.h | 11 +++++++++++
src/security/security_manager.c | 40 ++++++++++++++++++++++++++++++++++++++
src/security/security_manager.h | 10 ++++++++++
src/security/security_nop.c | 20 +++++++++++++++++++
src/security/security_selinux.c | 3 +++
src/security/security_stack.c | 43 +++++++++++++++++++++++++++++++++++++++++
8 files changed, 132 insertions(+)
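diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 19c1ecc408..cb76bbac87 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1273,6 +1273,7 @@ virSecurityManagerPreFork;
 virSecurityManagerReleaseLabel;
 virSecurityManagerReserveLabel;
 virSecurityManagerRestoreAllLabel;
+virSecurityManagerRestoreChardevLabel;
 virSecurityManagerRestoreDiskLabel;
 virSecurityManagerRestoreHostdevLabel;
 virSecurityManagerRestoreImageLabel;
@@ -1280,6 +1281,7 @@ virSecurityManagerRestoreInputLabel;
 virSecurityManagerRestoreMemoryLabel;
 virSecurityManagerRestoreSavedStateLabel;
 virSecurityManagerSetAllLabel;
+virSecurityManagerSetChardevLabel;
 virSecurityManagerSetChildProcessLabel;
 virSecurityManagerSetDaemonSocketLabel;
 virSecurityManagerSetDiskLabel;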
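diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 24d9264216..4e787fb038 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -2135,4 +2135,7 @@ virSecurityDriver virSecurityDriverDAC = {
 .getBaseLabel = virSecurityDACGetBaseLabel,
 
 .domainSetPathLabel = virSecurityDACDomainSetPathLabel,
+
+ .domainSetSecurityChardevLabel = virSecurityDACSetChardevLabel,
+ .domainRestoreSecurityChardevLabel = virSecurityDACRestoreChardevLabel,
 };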
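diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 1b3070d06d..47dad8ba20 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -140,6 +140,14 @@ typedef int (*virSecurityDomainRestoreInputLabel) (virSecurityManagerPtr mgr,
 typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr,
 virDomainDefPtr def,
 const char *path);
+typedef int (*virSecurityDomainSetChardevLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd);
+typedef int (*virSecurityDomainRestoreChardevLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd);
 
 
 struct _virSecurityDriver {
@@ -201,6 +209,9 @@ struct _virSecurityDriver {
 virSecurityDriverGetBaseLabel getBaseLabel;
 
 virSecurityDomainSetPathLabel domainSetPathLabel;
+
+ virSecurityDomainSetChardevLabel domainSetSecurityChardevLabel;
+ virSecurityDomainRestoreChardevLabel domainRestoreSecurityChardevLabel;
 };
 
 virSecurityDriverPtr virSecurityDriverLookup(const char *name,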
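Review bot: The new `chardevStdioLogd` parameter on both callback typedefs in the first hunk is undocumented, and this header is where driver implementers learn the contract, so its meaning should not have to be reverse-engineered from the DAC and SELinux bodies. A one-line comment at the first typedef would do, e.g. `/* chardevStdioLogd: presumably set when the chardev's backing file is managed by virtlogd rather than opened by the domain process — confirm against the DAC/SELinux implementations */`. The two new members are appended as the last fields of `struct _virSecurityDriver` in the second hunk, so existing designated initializers stay valid; the struct body begins outside that hunk.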
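diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 3cf12188a0..9249aba1fa 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -1152,3 +1152,43 @@ virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
 virReportUnsupportedError();
 return -1;
 }
+
+
+int
+virSecurityManagerSetChardevLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd)
+{
+ if (mgr->drv->domainSetSecurityChardevLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainSetSecurityChardevLabel(mgr, def, dev_source,
+ chardevStdioLogd);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ virReportUnsupportedError();
+ return -1;
+}
+
+
+int
+virSecurityManagerRestoreChardevLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd)
+{
+ if (mgr->drv->domainRestoreSecurityChardevLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainRestoreSecurityChardevLabel(mgr, def, dev_source,
+ chardevStdioLogd);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ virReportUnsupportedError();
+ return -1;
+}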
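Review bot: The two new public entry points here, and their prototypes in the security_manager.h hunk, carry no header comment, so a caller cannot tell that a driver which leaves the callback unset makes the call fail with an unsupported-operation error and -1 rather than succeed as a no-op, nor what `chardevStdioLogd` selects. Only the DAC, SELinux, nop and stack drivers are wired up by this patch (see the diffstat), so any other driver in the tree presumably takes that failure path; the visible tail of `virSecurityManagerRestoreInputLabel` above follows the same pattern, so it is likely intended but worth stating. I would add a short comment above each function giving the 0/-1 return contract, noting that an error is reported on every failure path including the unsupported case, and describing `chardevStdioLogd` (presumably whether the chardev's file is handled by virtlogd instead of the domain process — to be confirmed against the driver implementations). Since both wrappers hold `virObjectLock(mgr)` across the driver call, the comment should also state that the callback must not re-enter the manager.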
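diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 87fe890692..acc0dab374 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -184,4 +184,14 @@ int virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr vm,
 const char *path);
 
+int virSecurityManagerSetChardevLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd);
+
+int virSecurityManagerRestoreChardevLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd);
+
 #endif /* VIR_SECURITY_MANAGER_H__ */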
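diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index cfb032c686..ff739f8199 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -262,6 +262,23 @@ virSecurityDomainInputLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 return 0;
 }
 
+static int
+virSecurityDomainSetChardevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainChrSourceDefPtr dev_source ATTRIBUTE_UNUSED,
+ bool chardevStdioLogd ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
+static int
+virSecurityDomainRestoreChardevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainChrSourceDefPtr dev_source ATTRIBUTE_UNUSED,
+ bool chardevStdioLogd ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
 
 virSecurityDriver virSecurityDriverNop = {
 .privateDataLen = 0,
@@ -314,4 +331,7 @@ virSecurityDriver virSecurityDriverNop = {
 .domainGetSecurityMountOptions = virSecurityDomainGetMountOptionsNop,
 
 .getBaseLabel = virSecurityGetBaseLabel,
+
+ .domainSetSecurityChardevLabel = virSecurityDomainSetChardevLabelNop,
+ .domainRestoreSecurityChardevLabel = virSecurityDomainRestoreChardevLabelNop,
 };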
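diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index d44de72e02..0121b22da5 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3089,4 +3089,7 @@ virSecurityDriver virSecurityDriverSELinux = {
 .getBaseLabel = virSecuritySELinuxGetBaseLabel,
 
 .domainSetPathLabel = virSecuritySELinuxDomainSetPathLabel,
+
+ .domainSetSecurityChardevLabel = virSecuritySELinuxSetChardevLabel,
+ .domainRestoreSecurityChardevLabel = virSecuritySELinuxRestoreChardevLabel,
 };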
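diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index cd916382b2..0375e7d89d 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -719,6 +719,46 @@ virSecurityStackDomainSetPathLabel(virSecurityManagerPtr mgr,
 return rc;
 }
 
+static int
+virSecurityStackDomainSetChardevLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+ int rc = 0;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerSetChardevLabel(item->securityManager,
+ def, dev_source,
+ chardevStdioLogd) < 0)
+ rc = -1;
+ }
+
+ return rc;
+}
+
+static int
+virSecurityStackDomainRestoreChardevLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainChrSourceDefPtr dev_source,
+ bool chardevStdioLogd)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+ int rc = 0;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerRestoreChardevLabel(item->securityManager,
+ def, dev_source,
+ chardevStdioLogd) < 0)
+ rc = -1;
+ }
+
+ return rc;
+}
+
 virSecurityDriver virSecurityDriverStack = {
 .privateDataLen = sizeof(virSecurityStackData),
 .name = "stack",
@@ -778,4 +818,7 @@ virSecurityDriver virSecurityDriverStack = {
 .getBaseLabel = virSecurityStackGetBaseLabel,
 
 .domainSetPathLabel = virSecurityStackDomainSetPathLabel,
+
+ .domainSetSecurityChardevLabel = virSecurityStackDomainSetChardevLabel,
+ .domainRestoreSecurityChardevLabel = virSecurityStackDomainRestoreChardevLabel,
 };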
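Review bot: `virSecurityStackDomainSetChardevLabel` in the first hunk keeps calling the remaining nested managers after one of them fails and only folds the failure into `rc` at the end, so a -1 return can leave labels applied by some nested drivers in place, and the error the caller sees is whichever nested manager reported last, not the first failure. This mirrors the shape of the sibling `virSecurityStackDomainSetPathLabel` (whose body starts outside the hunk), so it is presumably the intended stack semantics, but nothing says so; a comment on the loop such as `/* Try every nested manager even after a failure; on -1 the caller is expected to undo partial work via virSecurityManagerRestoreChardevLabel */` would make the contract explicit. The same continue-on-error shape in `virSecurityStackDomainRestoreChardevLabel` is the right choice for a restore path, since stopping early would leave later drivers' labels unrestored.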
--
2.15.1