
From 093bf98d1a85c1032228bb5bc2089bdd67949e48 Mon Sep 17 00:00:00 2001
Message-Id: <093bf98d1a85c1032228bb5bc2089bdd67949e48@dist-git>
From: Pavel Hrdina <phrdina@redhat.com>
Date: Tue, 5 Dec 2017 14:02:33 +0100
Subject: [PATCH] security: introduce
 virSecurityManager(Set|Restore)ChardevLabel
SELinux and DAC drivers already have both functions but they were not
exported as part of the security manager's public API.
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 1b4f66ec80d7751d4f4c858ffc8d5e3b936e72de)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1465833
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/libvirt_private.syms        |  2 ++
 src/security/security_dac.c     |  3 +++
 src/security/security_driver.h  | 11 +++++++++++
 src/security/security_manager.c | 40 ++++++++++++++++++++++++++++++++++++++
 src/security/security_manager.h | 10 ++++++++++
 src/security/security_nop.c     | 20 +++++++++++++++++++
 src/security/security_selinux.c |  3 +++
 src/security/security_stack.c   | 43 +++++++++++++++++++++++++++++++++++++++++
 8 files changed, 132 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
c1c534
index 19c1ecc408..cb76bbac87 100644
c1c534
--- a/src/libvirt_private.syms
c1c534
+++ b/src/libvirt_private.syms
c1c534
@@ -1273,6 +1273,7 @@ virSecurityManagerPreFork;
c1c534
 virSecurityManagerReleaseLabel;
c1c534
 virSecurityManagerReserveLabel;
c1c534
 virSecurityManagerRestoreAllLabel;
c1c534
+virSecurityManagerRestoreChardevLabel;
c1c534
 virSecurityManagerRestoreDiskLabel;
c1c534
 virSecurityManagerRestoreHostdevLabel;
c1c534
 virSecurityManagerRestoreImageLabel;
c1c534
@@ -1280,6 +1281,7 @@ virSecurityManagerRestoreInputLabel;
c1c534
 virSecurityManagerRestoreMemoryLabel;
c1c534
 virSecurityManagerRestoreSavedStateLabel;
c1c534
 virSecurityManagerSetAllLabel;
c1c534
+virSecurityManagerSetChardevLabel;
c1c534
 virSecurityManagerSetChildProcessLabel;
c1c534
 virSecurityManagerSetDaemonSocketLabel;
c1c534
 virSecurityManagerSetDiskLabel;
c1c534
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
c1c534
index 24d9264216..4e787fb038 100644
c1c534
--- a/src/security/security_dac.c
c1c534
+++ b/src/security/security_dac.c
c1c534
@@ -2135,4 +2135,7 @@ virSecurityDriver virSecurityDriverDAC = {
c1c534
     .getBaseLabel                       = virSecurityDACGetBaseLabel,
c1c534
 
c1c534
     .domainSetPathLabel                 = virSecurityDACDomainSetPathLabel,
c1c534
+
c1c534
+    .domainSetSecurityChardevLabel      = virSecurityDACSetChardevLabel,
c1c534
+    .domainRestoreSecurityChardevLabel  = virSecurityDACRestoreChardevLabel,
c1c534
 };
c1c534
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
c1c534
index 1b3070d06d..47dad8ba20 100644
c1c534
--- a/src/security/security_driver.h
c1c534
+++ b/src/security/security_driver.h
c1c534
@@ -140,6 +140,14 @@ typedef int (*virSecurityDomainRestoreInputLabel) (virSecurityManagerPtr mgr,
c1c534
 typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr,
c1c534
                                               virDomainDefPtr def,
c1c534
                                               const char *path);
c1c534
+typedef int (*virSecurityDomainSetChardevLabel) (virSecurityManagerPtr mgr,
c1c534
+                                                 virDomainDefPtr def,
c1c534
+                                                 virDomainChrSourceDefPtr dev_source,
c1c534
+                                                 bool chardevStdioLogd);
c1c534
+typedef int (*virSecurityDomainRestoreChardevLabel) (virSecurityManagerPtr mgr,
c1c534
+                                                     virDomainDefPtr def,
c1c534
+                                                     virDomainChrSourceDefPtr dev_source,
c1c534
+                                                     bool chardevStdioLogd);
c1c534
 
c1c534
 
c1c534
 struct _virSecurityDriver {
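Review bot: The two new callback typedefs at the top of this hunk carry no comment, so a driver author has nothing in this header saying what `chardevStdioLogd` selects or what result the callbacks are expected to return; the neighbouring typedefs are equally bare, but these two are the only ones in the block taking a bool flag. I'd put a short comment above `virSecurityDomainSetChardevLabel` along the lines of `/* Label the backing object of a chardev source for @def; chardevStdioLogd is not documented here — presumably whether a stdio chardev is routed through the logging daemon, confirm against the DAC/SELinux implementations. Return 0 on success, negative on failure. */`, with a one-line mirror on the Restore typedef, since the stack driver added in this patch treats any negative return as failure. The same reference would help on the two new `domainSetSecurityChardevLabel`/`domainRestoreSecurityChardevLabel` fields in the following hunk of this file.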
c1c534
@@ -201,6 +209,9 @@ struct _virSecurityDriver {
c1c534
     virSecurityDriverGetBaseLabel getBaseLabel;
c1c534
 
c1c534
     virSecurityDomainSetPathLabel domainSetPathLabel;
c1c534
+
c1c534
+    virSecurityDomainSetChardevLabel domainSetSecurityChardevLabel;
c1c534
+    virSecurityDomainRestoreChardevLabel domainRestoreSecurityChardevLabel;
c1c534
 };
c1c534
 
c1c534
 virSecurityDriverPtr virSecurityDriverLookup(const char *name,
c1c534
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
c1c534
index 3cf12188a0..9249aba1fa 100644
c1c534
--- a/src/security/security_manager.c
c1c534
+++ b/src/security/security_manager.c
c1c534
@@ -1152,3 +1152,43 @@ virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
c1c534
     virReportUnsupportedError();
c1c534
     return -1;
c1c534
 }
c1c534
+
c1c534
+
c1c534
+int
c1c534
+virSecurityManagerSetChardevLabel(virSecurityManagerPtr mgr,
c1c534
+                                  virDomainDefPtr def,
c1c534
+                                  virDomainChrSourceDefPtr dev_source,
c1c534
+                                  bool chardevStdioLogd)
c1c534
+{
c1c534
+    if (mgr->drv->domainSetSecurityChardevLabel) {
c1c534
+        int ret;
c1c534
+        virObjectLock(mgr);
c1c534
+        ret = mgr->drv->domainSetSecurityChardevLabel(mgr, def, dev_source,
c1c534
+                                                      chardevStdioLogd);
c1c534
+        virObjectUnlock(mgr);
c1c534
+        return ret;
c1c534
+    }
c1c534
+
c1c534
+    virReportUnsupportedError();
c1c534
+    return -1;
c1c534
+}
c1c534
+
c1c534
+
c1c534
+int
c1c534
+virSecurityManagerRestoreChardevLabel(virSecurityManagerPtr mgr,
c1c534
+                                      virDomainDefPtr def,
c1c534
+                                      virDomainChrSourceDefPtr dev_source,
c1c534
+                                      bool chardevStdioLogd)
c1c534
+{
c1c534
+    if (mgr->drv->domainRestoreSecurityChardevLabel) {
c1c534
+        int ret;
c1c534
+        virObjectLock(mgr);
c1c534
+        ret = mgr->drv->domainRestoreSecurityChardevLabel(mgr, def, dev_source,
c1c534
+                                                          chardevStdioLogd);
c1c534
+        virObjectUnlock(mgr);
c1c534
+        return ret;
c1c534
+    }
c1c534
+
c1c534
+    virReportUnsupportedError();
c1c534
+    return -1;
c1c534
+}
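Review bot: Neither new wrapper has a doc comment, although they are the public entry points other code will call (they are exported in libvirt_private.syms in this same patch). The visible body fixes the contract: the manager lock is held around the driver callback, and a driver that leaves the callback NULL gets `virReportUnsupportedError()` and -1 rather than a silent success, which is the fail-closed default one wants for a labelling operation. I'd add above `virSecurityManagerSetChardevLabel`: `/* Apply the security label for @dev_source on behalf of @def; holds the @mgr lock around the driver callback. Returns the driver's result, or -1 with an unsupported-operation error if the driver does not implement it. */`, and the mirror text on the Restore wrapper. The two bodies are otherwise identical apart from the callback, which matches the surrounding wrappers in this file (e.g. virSecurityManagerRestoreInputLabel, whose tail is visible at the hunk's start).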
c1c534
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
c1c534
index 87fe890692..acc0dab374 100644
c1c534
--- a/src/security/security_manager.h
c1c534
+++ b/src/security/security_manager.h
c1c534
@@ -184,4 +184,14 @@ int virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr,
c1c534
                                          virDomainDefPtr vm,
c1c534
                                          const char *path);
c1c534
 
c1c534
+int virSecurityManagerSetChardevLabel(virSecurityManagerPtr mgr,
c1c534
+                                      virDomainDefPtr def,
c1c534
+                                      virDomainChrSourceDefPtr dev_source,
c1c534
+                                      bool chardevStdioLogd);
c1c534
+
c1c534
+int virSecurityManagerRestoreChardevLabel(virSecurityManagerPtr mgr,
c1c534
+                                          virDomainDefPtr def,
c1c534
+                                          virDomainChrSourceDefPtr dev_source,
c1c534
+                                          bool chardevStdioLogd);
c1c534
+
c1c534
 #endif /* VIR_SECURITY_MANAGER_H__ */
c1c534
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
c1c534
index cfb032c686..ff739f8199 100644
c1c534
--- a/src/security/security_nop.c
c1c534
+++ b/src/security/security_nop.c
c1c534
@@ -262,6 +262,23 @@ virSecurityDomainInputLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
c1c534
     return 0;
c1c534
 }
c1c534
 
c1c534
+static int
c1c534
+virSecurityDomainSetChardevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
c1c534
+                                    virDomainDefPtr def ATTRIBUTE_UNUSED,
c1c534
+                                    virDomainChrSourceDefPtr dev_source ATTRIBUTE_UNUSED,
c1c534
+                                    bool chardevStdioLogd ATTRIBUTE_UNUSED)
c1c534
+{
c1c534
+    return 0;
c1c534
+}
c1c534
+
c1c534
+static int
c1c534
+virSecurityDomainRestoreChardevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
c1c534
+                                        virDomainDefPtr def ATTRIBUTE_UNUSED,
c1c534
+                                        virDomainChrSourceDefPtr dev_source ATTRIBUTE_UNUSED,
c1c534
+                                        bool chardevStdioLogd ATTRIBUTE_UNUSED)
c1c534
+{
c1c534
+    return 0;
c1c534
+}
c1c534
 
c1c534
 virSecurityDriver virSecurityDriverNop = {
c1c534
     .privateDataLen                     = 0,
c1c534
@@ -314,4 +331,7 @@ virSecurityDriver virSecurityDriverNop = {
c1c534
     .domainGetSecurityMountOptions      = virSecurityDomainGetMountOptionsNop,
c1c534
 
c1c534
     .getBaseLabel                       = virSecurityGetBaseLabel,
c1c534
+
c1c534
+    .domainSetSecurityChardevLabel      = virSecurityDomainSetChardevLabelNop,
c1c534
+    .domainRestoreSecurityChardevLabel  = virSecurityDomainRestoreChardevLabelNop,
c1c534
 };
c1c534
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
c1c534
index d44de72e02..0121b22da5 100644
c1c534
--- a/src/security/security_selinux.c
c1c534
+++ b/src/security/security_selinux.c
c1c534
@@ -3089,4 +3089,7 @@ virSecurityDriver virSecurityDriverSELinux = {
c1c534
     .getBaseLabel                       = virSecuritySELinuxGetBaseLabel,
c1c534
 
c1c534
     .domainSetPathLabel                 = virSecuritySELinuxDomainSetPathLabel,
c1c534
+
c1c534
+    .domainSetSecurityChardevLabel      = virSecuritySELinuxSetChardevLabel,
c1c534
+    .domainRestoreSecurityChardevLabel  = virSecuritySELinuxRestoreChardevLabel,
c1c534
 };
c1c534
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
c1c534
index cd916382b2..0375e7d89d 100644
c1c534
--- a/src/security/security_stack.c
c1c534
+++ b/src/security/security_stack.c
c1c534
@@ -719,6 +719,46 @@ virSecurityStackDomainSetPathLabel(virSecurityManagerPtr mgr,
c1c534
     return rc;
c1c534
 }
c1c534
 
c1c534
+static int
c1c534
+virSecurityStackDomainSetChardevLabel(virSecurityManagerPtr mgr,
c1c534
+                                      virDomainDefPtr def,
c1c534
+                                      virDomainChrSourceDefPtr dev_source,
c1c534
+                                      bool chardevStdioLogd)
c1c534
+{
c1c534
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
c1c534
+    virSecurityStackItemPtr item = priv->itemsHead;
c1c534
+    int rc = 0;
c1c534
+
c1c534
+    for (; item; item = item->next) {
c1c534
+        if (virSecurityManagerSetChardevLabel(item->securityManager,
c1c534
+                                              def, dev_source,
c1c534
+                                              chardevStdioLogd) < 0)
c1c534
+            rc = -1;
c1c534
+    }
c1c534
+
c1c534
+    return rc;
c1c534
+}
c1c534
+
c1c534
+static int
c1c534
+virSecurityStackDomainRestoreChardevLabel(virSecurityManagerPtr mgr,
c1c534
+                                          virDomainDefPtr def,
c1c534
+                                          virDomainChrSourceDefPtr dev_source,
c1c534
+                                          bool chardevStdioLogd)
c1c534
+{
c1c534
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
c1c534
+    virSecurityStackItemPtr item = priv->itemsHead;
c1c534
+    int rc = 0;
c1c534
+
c1c534
+    for (; item; item = item->next) {
c1c534
+        if (virSecurityManagerRestoreChardevLabel(item->securityManager,
c1c534
+                                                  def, dev_source,
c1c534
+                                                  chardevStdioLogd) < 0)
c1c534
+            rc = -1;
c1c534
+    }
c1c534
+
c1c534
+    return rc;
c1c534
+}
c1c534
+
c1c534
 virSecurityDriver virSecurityDriverStack = {
c1c534
     .privateDataLen                     = sizeof(virSecurityStackData),
c1c534
     .name                               = "stack",
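Review bot: virSecurityStackDomainSetChardevLabel keeps iterating after a nested manager fails and only reports -1 at the end, so a label already applied by an earlier manager stays in place when the call returns failure; nothing in the hunk undoes it, and the caller presumably has to run the Restore counterpart itself. This matches the `rc = -1` pattern of the neighbouring virSecurityStackDomainSetPathLabel (whose tail is visible at the hunk's start), so I would not change the behaviour here, but it deserves stating above the loop: `/* Keep going on failure so every nested manager is attempted; labels already applied are left for the caller to restore. */`. For the Restore variant the continue-on-error loop is the better behaviour in any case, since it maximises how much gets cleaned up. Whether the callers of the Set wrapper restore on failure is outside this hunk.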
c1c534
@@ -778,4 +818,7 @@ virSecurityDriver virSecurityDriverStack = {
c1c534
     .getBaseLabel                       = virSecurityStackGetBaseLabel,
c1c534
 
c1c534
     .domainSetPathLabel                 = virSecurityStackDomainSetPathLabel,
c1c534
+
c1c534
+    .domainSetSecurityChardevLabel      = virSecurityStackDomainSetChardevLabel,
c1c534
+    .domainRestoreSecurityChardevLabel  = virSecurityStackDomainRestoreChardevLabel,
c1c534
 };
c1c534
-- 
2.15.1