编写于
6月 24, 2014
作者:
Peter Krempa
security: selinux: Implement per-image seclabel set
Refactor the code and reuse it to implement the functionality.
上级
b2790e33
Showing
1 changed file
with
53 addition
and
38 deletion
+53
-38
src/security/security_selinux.c
src/security/security_selinux.c
+53
-38
src/security/security_selinux.c
...
...
@@ -56,9 +56,6 @@ VIR_LOG_INIT("security.security_selinux");
typedef
struct
_virSecuritySELinuxData
virSecuritySELinuxData
;
typedef
virSecuritySELinuxData
*
virSecuritySELinuxDataPtr
;
typedef
struct
_virSecuritySELinuxCallbackData
virSecuritySELinuxCallbackData
;
typedef
virSecuritySELinuxCallbackData
*
virSecuritySELinuxCallbackDataPtr
;
struct
_virSecuritySELinuxData
{
char
*
domain_context
;
char
*
alt_domain_context
;
...
...
@@ -71,11 +68,6 @@ struct _virSecuritySELinuxData {
#endif
};
struct
_virSecuritySELinuxCallbackData
{
virSecurityManagerPtr
manager
;
virSecurityLabelDefPtr
secdef
;
};
#define SECURITY_SELINUX_VOID_DOI "0"
#define SECURITY_SELINUX_NAME "selinux"
...
...
@@ -1196,40 +1188,49 @@ virSecuritySELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
static
int
virSecuritySELinuxSetSecurity
FileLabel
(
virDomainDiskDefPtr
disk
,
const
char
*
path
,
size_t
depth
,
void
*
opaque
)
virSecuritySELinuxSetSecurity
ImageLabelInternal
(
virSecurityManagerPtr
mgr
,
virDomainDefPtr
def
,
virStorageSourcePtr
src
,
bool
first
)
{
int
ret
;
virSecuritySELinuxDataPtr
data
=
virSecurityManagerGetPrivateData
(
mgr
);
virSecurityLabelDefPtr
secdef
;
virSecurityDeviceLabelDefPtr
disk_seclabel
;
virSecuritySELinuxCallbackDataPtr
cbdata
=
opaque
;
virSecurityLabelDefPtr
secdef
=
cbdata
->
secdef
;
virSecuritySELinuxDataPtr
data
=
virSecurityManagerGetPrivateData
(
cbdata
->
manager
);
int
ret
;
disk_seclabel
=
virStorageSourceGetSecurityLabelDef
(
disk
->
src
,
if
(
!
src
->
path
||
!
virStorageSourceIsLocalStorage
(
src
))
return
0
;
secdef
=
virDomainDefGetSecurityLabelDef
(
def
,
SECURITY_SELINUX_NAME
);
if
(
!
secdef
||
secdef
->
norelabel
)
return
0
;
disk_seclabel
=
virStorageSourceGetSecurityLabelDef
(
src
,
SECURITY_SELINUX_NAME
);
if
(
disk_seclabel
&&
disk_seclabel
->
norelabel
)
return
0
;
if
(
disk_seclabel
&&
!
disk_seclabel
->
norelabel
&&
disk_seclabel
->
label
)
{
ret
=
virSecuritySELinuxSetFilecon
(
path
,
disk_seclabel
->
label
);
}
else
if
(
depth
==
0
)
{
if
(
disk
->
src
->
shared
)
{
ret
=
virSecuritySELinuxSetFileconOptional
(
path
,
data
->
file_context
);
}
else
if
(
disk
->
src
->
readonly
)
{
ret
=
virSecuritySELinuxSetFileconOptional
(
path
,
data
->
content_context
);
if
(
disk_seclabel
&&
!
disk_seclabel
->
norelabel
&&
disk_seclabel
->
label
)
{
ret
=
virSecuritySELinuxSetFilecon
(
src
->
path
,
disk_seclabel
->
label
);
}
else
if
(
first
)
{
if
(
src
->
shared
)
{
ret
=
virSecuritySELinuxSetFileconOptional
(
src
->
path
,
data
->
file_context
);
}
else
if
(
src
->
readonly
)
{
ret
=
virSecuritySELinuxSetFileconOptional
(
src
->
path
,
data
->
content_context
);
}
else
if
(
secdef
->
imagelabel
)
{
ret
=
virSecuritySELinuxSetFileconOptional
(
path
,
secdef
->
imagelabel
);
ret
=
virSecuritySELinuxSetFileconOptional
(
src
->
path
,
secdef
->
imagelabel
);
}
else
{
ret
=
0
;
}
}
else
{
ret
=
virSecuritySELinuxSetFileconOptional
(
path
,
data
->
content_context
);
ret
=
virSecuritySELinuxSetFileconOptional
(
src
->
path
,
data
->
content_context
);
}
if
(
ret
==
1
&&
!
disk_seclabel
)
{
/* If we failed to set a label, but virt_use_nfs let us
* proceed anyway, then we don't need to relabel later. */
...
...
@@ -1237,35 +1238,48 @@ virSecuritySELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
if
(
!
disk_seclabel
)
return
-
1
;
disk_seclabel
->
labelskip
=
true
;
if
(
VIR_APPEND_ELEMENT
(
disk
->
src
->
seclabels
,
disk
->
src
->
nseclabels
,
if
(
VIR_APPEND_ELEMENT
(
src
->
seclabels
,
src
->
nseclabels
,
disk_seclabel
)
<
0
)
{
virSecurityDeviceLabelDefFree
(
disk_seclabel
);
return
-
1
;
}
ret
=
0
;
}
return
ret
;
}
static
int
virSecuritySELinuxSetSecurityImageLabel
(
virSecurityManagerPtr
mgr
,
virDomainDefPtr
def
,
virStorageSourcePtr
src
)
{
return
virSecuritySELinuxSetSecurityImageLabelInternal
(
mgr
,
def
,
src
,
true
);
}
static
int
virSecuritySELinuxSetSecurityDiskLabel
(
virSecurityManagerPtr
mgr
,
virDomainDefPtr
def
,
virDomainDiskDefPtr
disk
)
{
virSecuritySELinuxCallbackData
cbdata
;
cbdata
.
manager
=
mgr
;
cbdata
.
secdef
=
virDomainDefGetSecurityLabelDef
(
def
,
SECURITY_SELINUX_NAME
);
bool
first
=
true
;
virStorageSourcePtr
next
;
if
(
!
cbdata
.
secdef
||
cbdata
.
secdef
->
norelabel
)
return
0
;
for
(
next
=
disk
->
src
;
next
;
next
=
next
->
backingStore
)
{
if
(
virSecuritySELinuxSetSecurityImageLabelInternal
(
mgr
,
def
,
next
,
first
)
<
0
)
return
-
1
;
return
virDomainDiskDefForeachPath
(
disk
,
true
,
virSecuritySELinuxSetSecurityFileLabel
,
&
cbdata
)
;
first
=
false
;
}
return
0
;
}
static
int
virSecuritySELinuxSetSecurityHostdevLabelHelper
(
const
char
*
file
,
void
*
opaque
)
{
...
...
@@ -2434,6 +2448,7 @@ virSecurityDriver virSecurityDriverSELinux = {
.
domainSetSecurityDiskLabel
=
virSecuritySELinuxSetSecurityDiskLabel
,
.
domainRestoreSecurityDiskLabel
=
virSecuritySELinuxRestoreSecurityDiskLabel
,
.
domainSetSecurityImageLabel
=
virSecuritySELinuxSetSecurityImageLabel
,
.
domainRestoreSecurityImageLabel
=
virSecuritySELinuxRestoreSecurityImageLabel
,
.
domainSetSecurityDaemonSocketLabel
=
virSecuritySELinuxSetSecurityDaemonSocketLabel
,
...
...
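Review bot: In the new virSecuritySELinuxSetSecurityImageLabelInternal the `!disk_seclabel->norelabel` term in `if (disk_seclabel && !disk_seclabel->norelabel && disk_seclabel->label)` is dead, because the `if (disk_seclabel && disk_seclabel->norelabel) return 0;` a few lines above already leaves the function for that case; the condition can read `if (disk_seclabel && disk_seclabel->label)`. The `first` parameter also deserves a line of documentation since it selects which context is applied, e.g. `/* first: src is the top of the backing chain; only it receives the shared/readonly/imagelabel context, backing images get content_context */`. The new virSecuritySELinuxSetSecurityImageLabel wrapper passes first=true unconditionally, so a caller labelling a backing image through that entry point gets the top-image policy; if that is intended it is worth saying so in a comment on the wrapper. The function body spans the two adjacent hunks (-1196 and -1237), so the labelskip tail is only partly visible here.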