Blob Blame History Raw
From 52568bd61d6fcf0ac32fea4db57527f9fe28c9a5 Mon Sep 17 00:00:00 2001
Message-Id: <52568bd61d6fcf0ac32fea4db57527f9fe28c9a5@dist-git>
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
Date: Mon, 27 Nov 2017 14:20:59 +0100
Subject: [PATCH] security: Introduce functions for input device hot(un)plug
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Export the existing DAC and SELinux for separate use and introduce
functions for stack, nop and the security manager.

(cherry picked from commit d8116b5a0a6364b29e9774323d9aa442ad8c561d)

https://bugzilla.redhat.com/show_bug.cgi?id=1509866

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
 src/libvirt_private.syms        |  2 ++
 src/security/security_dac.c     |  3 +++
 src/security/security_driver.h  |  9 +++++++++
 src/security/security_manager.c | 36 ++++++++++++++++++++++++++++++++++++
 src/security/security_manager.h |  8 ++++++++
 src/security/security_nop.c     | 11 +++++++++++
 src/security/security_selinux.c |  3 +++
 src/security/security_stack.c   | 38 ++++++++++++++++++++++++++++++++++++++
 8 files changed, 110 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 3e0bc8730c..65b1143c9b 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1267,6 +1267,7 @@ virSecurityManagerRestoreAllLabel;
 virSecurityManagerRestoreDiskLabel;
 virSecurityManagerRestoreHostdevLabel;
 virSecurityManagerRestoreImageLabel;
+virSecurityManagerRestoreInputLabel;
 virSecurityManagerRestoreMemoryLabel;
 virSecurityManagerRestoreSavedStateLabel;
 virSecurityManagerSetAllLabel;
@@ -1276,6 +1277,7 @@ virSecurityManagerSetDiskLabel;
 virSecurityManagerSetHostdevLabel;
 virSecurityManagerSetImageFDLabel;
 virSecurityManagerSetImageLabel;
+virSecurityManagerSetInputLabel;
 virSecurityManagerSetMemoryLabel;
 virSecurityManagerSetProcessLabel;
 virSecurityManagerSetSavedStateLabel;
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 244b300a9f..24d9264216 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -2103,6 +2103,9 @@ virSecurityDriver virSecurityDriverDAC = {
     .domainSetSecurityMemoryLabel       = virSecurityDACSetMemoryLabel,
     .domainRestoreSecurityMemoryLabel   = virSecurityDACRestoreMemoryLabel,
 
+    .domainSetSecurityInputLabel        = virSecurityDACSetInputLabel,
+    .domainRestoreSecurityInputLabel    = virSecurityDACRestoreInputLabel,
+
     .domainSetSecurityDaemonSocketLabel = virSecurityDACSetDaemonSocketLabel,
     .domainSetSecuritySocketLabel       = virSecurityDACSetSocketLabel,
     .domainClearSecuritySocketLabel     = virSecurityDACClearSocketLabel,
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 0b3b452486..1b3070d06d 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -131,6 +131,12 @@ typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManagerPtr mgr,
 typedef int (*virSecurityDomainRestoreMemoryLabel) (virSecurityManagerPtr mgr,
                                                     virDomainDefPtr def,
                                                     virDomainMemoryDefPtr mem);
+typedef int (*virSecurityDomainSetInputLabel) (virSecurityManagerPtr mgr,
+                                               virDomainDefPtr def,
+                                               virDomainInputDefPtr input);
+typedef int (*virSecurityDomainRestoreInputLabel) (virSecurityManagerPtr mgr,
+                                                   virDomainDefPtr def,
+                                                   virDomainInputDefPtr input);
 typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr,
                                               virDomainDefPtr def,
                                               const char *path);
@@ -163,6 +169,9 @@ struct _virSecurityDriver {
     virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel;
     virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel;
 
+    virSecurityDomainSetInputLabel domainSetSecurityInputLabel;
+    virSecurityDomainRestoreInputLabel domainRestoreSecurityInputLabel;
+
     virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
     virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
     virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 60cfc92e77..3cf12188a0 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -1116,3 +1116,39 @@ virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
     virReportUnsupportedError();
     return -1;
 }
+
+
+int
+virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
+                                virDomainDefPtr vm,
+                                virDomainInputDefPtr input)
+{
+    if (mgr->drv->domainSetSecurityInputLabel) {
+        int ret;
+        virObjectLock(mgr);
+        ret = mgr->drv->domainSetSecurityInputLabel(mgr, vm, input);
+        virObjectUnlock(mgr);
+        return ret;
+    }
+
+    virReportUnsupportedError();
+    return -1;
+}
+
+
+int
+virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
+                                    virDomainDefPtr vm,
+                                    virDomainInputDefPtr input)
+{
+    if (mgr->drv->domainRestoreSecurityInputLabel) {
+        int ret;
+        virObjectLock(mgr);
+        ret = mgr->drv->domainRestoreSecurityInputLabel(mgr, vm, input);
+        virObjectUnlock(mgr);
+        return ret;
+    }
+
+    virReportUnsupportedError();
+    return -1;
+}
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 08fb89203a..87fe890692 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -172,6 +172,14 @@ int virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
                                         virDomainDefPtr vm,
                                         virDomainMemoryDefPtr mem);
 
+int virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
+                                    virDomainDefPtr vm,
+                                    virDomainInputDefPtr input);
+int virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
+                                        virDomainDefPtr vm,
+                                        virDomainInputDefPtr input);
+
+
 int virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr,
                                          virDomainDefPtr vm,
                                          const char *path);
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 527be11e5a..cfb032c686 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -254,6 +254,14 @@ virSecurityDomainRestoreMemoryLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSE
     return 0;
 }
 
+static int
+virSecurityDomainInputLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                               virDomainDefPtr def ATTRIBUTE_UNUSED,
+                               virDomainInputDefPtr input ATTRIBUTE_UNUSED)
+{
+    return 0;
+}
+
 
 virSecurityDriver virSecurityDriverNop = {
     .privateDataLen                     = 0,
@@ -276,6 +284,9 @@ virSecurityDriver virSecurityDriverNop = {
     .domainSetSecurityMemoryLabel       = virSecurityDomainSetMemoryLabelNop,
     .domainRestoreSecurityMemoryLabel   = virSecurityDomainRestoreMemoryLabelNop,
 
+    .domainSetSecurityInputLabel        = virSecurityDomainInputLabelNop,
+    .domainRestoreSecurityInputLabel    = virSecurityDomainInputLabelNop,
+
     .domainSetSecurityDaemonSocketLabel = virSecurityDomainSetDaemonSocketLabelNop,
     .domainSetSecuritySocketLabel       = virSecurityDomainSetSocketLabelNop,
     .domainClearSecuritySocketLabel     = virSecurityDomainClearSocketLabelNop,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index cd3e411931..d44de72e02 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3058,6 +3058,9 @@ virSecurityDriver virSecurityDriverSELinux = {
     .domainSetSecurityMemoryLabel       = virSecuritySELinuxSetMemoryLabel,
     .domainRestoreSecurityMemoryLabel   = virSecuritySELinuxRestoreMemoryLabel,
 
+    .domainSetSecurityInputLabel        = virSecuritySELinuxSetInputLabel,
+    .domainRestoreSecurityInputLabel    = virSecuritySELinuxRestoreInputLabel,
+
     .domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetDaemonSocketLabel,
     .domainSetSecuritySocketLabel       = virSecuritySELinuxSetSocketLabel,
     .domainClearSecuritySocketLabel     = virSecuritySELinuxClearSocketLabel,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 53eee1692f..cd916382b2 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -666,6 +666,41 @@ virSecurityStackRestoreMemoryLabel(virSecurityManagerPtr mgr,
     return rc;
 }
 
+static int
+virSecurityStackSetInputLabel(virSecurityManagerPtr mgr,
+                              virDomainDefPtr vm,
+                              virDomainInputDefPtr input)
+{
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityStackItemPtr item = priv->itemsHead;
+    int rc = 0;
+
+    for (; item; item = item->next) {
+        if (virSecurityManagerSetInputLabel(item->securityManager, vm, input) < 0)
+            rc = -1;
+    }
+
+    return rc;
+}
+
+static int
+virSecurityStackRestoreInputLabel(virSecurityManagerPtr mgr,
+                                  virDomainDefPtr vm,
+                                  virDomainInputDefPtr input)
+{
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityStackItemPtr item = priv->itemsHead;
+    int rc = 0;
+
+    for (; item; item = item->next) {
+        if (virSecurityManagerRestoreInputLabel(item->securityManager,
+                                                vm, input) < 0)
+            rc = -1;
+    }
+
+    return rc;
+}
+
 static int
 virSecurityStackDomainSetPathLabel(virSecurityManagerPtr mgr,
                                    virDomainDefPtr vm,
@@ -711,6 +746,9 @@ virSecurityDriver virSecurityDriverStack = {
     .domainSetSecurityMemoryLabel       = virSecurityStackSetMemoryLabel,
     .domainRestoreSecurityMemoryLabel   = virSecurityStackRestoreMemoryLabel,
 
+    .domainSetSecurityInputLabel        = virSecurityStackSetInputLabel,
+    .domainRestoreSecurityInputLabel    = virSecurityStackRestoreInputLabel,
+
     .domainSetSecurityDaemonSocketLabel = virSecurityStackSetDaemonSocketLabel,
     .domainSetSecuritySocketLabel       = virSecurityStackSetSocketLabel,
     .domainClearSecuritySocketLabel     = virSecurityStackClearSocketLabel,
-- 
2.15.1