security_stack.c 12.0 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
/*
 * Copyright (C) 2010-2011 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
 *
 * Stacked security driver
 */

#include <config.h>

#include "security_stack.h"

#include "virterror_internal.h"

#define VIR_FROM_THIS VIR_FROM_SECURITY

typedef struct _virSecurityStackData virSecurityStackData;
typedef virSecurityStackData *virSecurityStackDataPtr;

struct _virSecurityStackData {
    virSecurityManagerPtr primary;
    virSecurityManagerPtr secondary;
};

void virSecurityStackSetPrimary(virSecurityManagerPtr mgr,
                                virSecurityManagerPtr primary)
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    priv->primary = primary;
}

void virSecurityStackSetSecondary(virSecurityManagerPtr mgr,
                                  virSecurityManagerPtr secondary)
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    priv->secondary = secondary;
}

static virSecurityDriverStatus
52
virSecurityStackProbe(const char *virtDriver ATTRIBUTE_UNUSED)
53 54 55 56 57 58 59 60 61 62 63
{
    return SECURITY_DRIVER_ENABLE;
}

static int
virSecurityStackOpen(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
{
    return 0;
}

static int
E
Eric Blake 已提交
64
virSecurityStackClose(virSecurityManagerPtr mgr)
65
{
E
Eric Blake 已提交
66 67 68 69 70
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);

    virSecurityManagerFree(priv->primary);
    virSecurityManagerFree(priv->secondary);

71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108
    return 0;
}

static const char *
virSecurityStackGetModel(virSecurityManagerPtr mgr)
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);

    return virSecurityManagerGetModel(priv->primary);
}

static const char *
virSecurityStackGetDOI(virSecurityManagerPtr mgr)
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);

    return virSecurityManagerGetDOI(priv->primary);
}

static int
virSecurityStackVerify(virSecurityManagerPtr mgr,
                       virDomainDefPtr def)
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerVerify(priv->primary, def) < 0)
        rc = -1;

    if (virSecurityManagerVerify(priv->secondary, def) < 0)
        rc = -1;

    return rc;
}


static int
virSecurityStackGenLabel(virSecurityManagerPtr mgr,
109
                         virDomainDefPtr vm)
110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerGenLabel(priv->primary, vm) < 0)
        rc = -1;

#if 0
    /* We don't allow secondary drivers to generate labels.
     * This may have to change in the future, but requires
     * changes elsewhere in domain_conf.c and capabilities.c
     * XML formats first, to allow recording of multiple
     * labels
     */
    if (virSecurityManagerGenLabel(priv->secondary, vm) < 0)
        rc = -1;
#endif

    return rc;
}


static int
virSecurityStackReleaseLabel(virSecurityManagerPtr mgr,
134
                             virDomainDefPtr vm)
135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerReleaseLabel(priv->primary, vm) < 0)
        rc = -1;
#if 0
    /* XXX See note in GenLabel */
    if (virSecurityManagerReleaseLabel(priv->secondary, vm) < 0)
        rc = -1;
#endif

    return rc;
}


static int
virSecurityStackReserveLabel(virSecurityManagerPtr mgr,
153 154
                             virDomainDefPtr vm,
                             pid_t pid)
155 156 157 158
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

159
    if (virSecurityManagerReserveLabel(priv->primary, vm, pid) < 0)
160 161 162
        rc = -1;
#if 0
    /* XXX See note in GenLabel */
163
    if (virSecurityManagerReserveLabel(priv->secondary, vm, pid) < 0)
164 165 166 167 168 169 170 171 172
        rc = -1;
#endif

    return rc;
}


static int
virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr,
173
                                      virDomainDefPtr vm,
174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189
                                      virDomainDiskDefPtr disk)
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerSetImageLabel(priv->secondary, vm, disk) < 0)
        rc = -1;
    if (virSecurityManagerSetImageLabel(priv->primary, vm, disk) < 0)
        rc = -1;

    return rc;
}


static int
virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
190
                                          virDomainDefPtr vm,
191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206
                                          virDomainDiskDefPtr disk)
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerRestoreImageLabel(priv->secondary, vm, disk) < 0)
        rc = -1;
    if (virSecurityManagerRestoreImageLabel(priv->primary, vm, disk) < 0)
        rc = -1;

    return rc;
}


static int
virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
207
                                        virDomainDefPtr vm,
208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224
                                        virDomainHostdevDefPtr dev)

{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerSetHostdevLabel(priv->secondary, vm, dev) < 0)
        rc = -1;
    if (virSecurityManagerSetHostdevLabel(priv->primary, vm, dev) < 0)
        rc = -1;

    return rc;
}


static int
virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
225
                                            virDomainDefPtr vm,
226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241
                                            virDomainHostdevDefPtr dev)
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerRestoreHostdevLabel(priv->secondary, vm, dev) < 0)
        rc = -1;
    if (virSecurityManagerRestoreHostdevLabel(priv->primary, vm, dev) < 0)
        rc = -1;

    return rc;
}


static int
virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr,
242
                                    virDomainDefPtr vm,
243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258
                                    const char *stdin_path)
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerSetAllLabel(priv->secondary, vm, stdin_path) < 0)
        rc = -1;
    if (virSecurityManagerSetAllLabel(priv->primary, vm, stdin_path) < 0)
        rc = -1;

    return rc;
}


static int
virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
259
                                        virDomainDefPtr vm,
260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275
                                        int migrated)
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerRestoreAllLabel(priv->secondary, vm, migrated) < 0)
        rc = -1;
    if (virSecurityManagerRestoreAllLabel(priv->primary, vm, migrated) < 0)
        rc = -1;

    return rc;
}


static int
virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr,
276
                                   virDomainDefPtr vm,
277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292
                                   const char *savefile)
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerSetSavedStateLabel(priv->secondary, vm, savefile) < 0)
        rc = -1;
    if (virSecurityManagerSetSavedStateLabel(priv->primary, vm, savefile) < 0)
        rc = -1;

    return rc;
}


static int
virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr,
293
                                       virDomainDefPtr vm,
294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309
                                       const char *savefile)
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerRestoreSavedStateLabel(priv->secondary, vm, savefile) < 0)
        rc = -1;
    if (virSecurityManagerRestoreSavedStateLabel(priv->primary, vm, savefile) < 0)
        rc = -1;

    return rc;
}


static int
virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr,
310
                                virDomainDefPtr vm)
311 312 313 314 315 316 317 318 319 320 321 322 323 324
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerSetProcessLabel(priv->secondary, vm) < 0)
        rc = -1;
    if (virSecurityManagerSetProcessLabel(priv->primary, vm) < 0)
        rc = -1;

    return rc;
}

static int
virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr,
325 326
                                virDomainDefPtr vm,
                                pid_t pid,
327 328 329 330 331 332
                                virSecurityLabelPtr seclabel)
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

#if 0
333
    if (virSecurityManagerGetProcessLabel(priv->secondary, vm, pid, seclabel) < 0)
334 335
        rc = -1;
#endif
336
    if (virSecurityManagerGetProcessLabel(priv->primary, vm, pid, seclabel) < 0)
337 338 339 340 341 342 343
        rc = -1;

    return rc;
}


static int
344
virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
345
                                     virDomainDefPtr vm)
346 347 348 349
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

350
    if (virSecurityManagerSetDaemonSocketLabel(priv->secondary, vm) < 0)
351
        rc = -1;
352
    if (virSecurityManagerSetDaemonSocketLabel(priv->primary, vm) < 0)
353 354 355 356 357 358
        rc = -1;

    return rc;
}


359 360
static int
virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
361
                               virDomainDefPtr vm)
362 363 364 365 366 367 368 369 370 371 372 373 374
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerSetSocketLabel(priv->secondary, vm) < 0)
        rc = -1;
    if (virSecurityManagerSetSocketLabel(priv->primary, vm) < 0)
        rc = -1;

    return rc;
}


375 376
static int
virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
377
                                 virDomainDefPtr vm)
378 379 380 381 382 383 384 385 386 387 388 389
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

    if (virSecurityManagerClearSocketLabel(priv->secondary, vm) < 0)
        rc = -1;
    if (virSecurityManagerClearSocketLabel(priv->primary, vm) < 0)
        rc = -1;

    return rc;
}

390
static int
391
virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
392
                                virDomainDefPtr vm,
393
                                int fd)
394 395 396 397
{
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    int rc = 0;

398
    if (virSecurityManagerSetImageFDLabel(priv->secondary, vm, fd) < 0)
399
        rc = -1;
400
    if (virSecurityManagerSetImageFDLabel(priv->primary, vm, fd) < 0)
401 402 403 404 405
        rc = -1;

    return rc;
}

406 407 408 409
static char *virSecurityStackGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                             virDomainDefPtr vm ATTRIBUTE_UNUSED) {
    return NULL;
}
410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425

virSecurityDriver virSecurityDriverStack = {
    sizeof(virSecurityStackData),
    "stack",
    virSecurityStackProbe,
    virSecurityStackOpen,
    virSecurityStackClose,

    virSecurityStackGetModel,
    virSecurityStackGetDOI,

    virSecurityStackVerify,

    virSecurityStackSetSecurityImageLabel,
    virSecurityStackRestoreSecurityImageLabel,

426
    virSecurityStackSetDaemonSocketLabel,
427
    virSecurityStackSetSocketLabel,
428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444
    virSecurityStackClearSocketLabel,

    virSecurityStackGenLabel,
    virSecurityStackReserveLabel,
    virSecurityStackReleaseLabel,

    virSecurityStackGetProcessLabel,
    virSecurityStackSetProcessLabel,

    virSecurityStackSetSecurityAllLabel,
    virSecurityStackRestoreSecurityAllLabel,

    virSecurityStackSetSecurityHostdevLabel,
    virSecurityStackRestoreSecurityHostdevLabel,

    virSecurityStackSetSavedStateLabel,
    virSecurityStackRestoreSavedStateLabel,
445

446
    virSecurityStackSetImageFDLabel,
447 448

    virSecurityStackGetMountOptions,
449
};