提交
61796bdb
编写于
3月 03, 2009
作者:
Daniel P. Berrange
Explicitly track static declared vs dynamically generated security labels
上级
e4818895
变更
4
Showing
4 changed file
with
84 addition
and
15 deletion
+84
-15
ChangeLog
ChangeLog
+8
-0
src/domain_conf.c
src/domain_conf.c
+57
-12
src/domain_conf.h
src/domain_conf.h
+9
-0
src/qemu_driver.c
src/qemu_driver.c
+10
-3
ChangeLog
Tue Mar 3 16:43:13 GMT 2009 Daniel P. Berrange <berrange@redhat.com>
Explicitly track static declared vs dynamically generated
security labels for VMs
* src/domain_conf.c, src/domain_conf.h: Add type='static|dynamic'
for <seclabel> to determine whether to auto-generate labels
* src/qemu_driver.c: Only generate security labels for type=dynamic
Tue Mar 3 14:58:13 GMT 2009 Daniel P. Berrange <berrange@redhat.com>
Misc sVirt bug fixes
...
...
src/domain_conf.c
...
...
@@ -168,6 +168,10 @@ VIR_ENUM_IMPL(virDomainState, VIR_DOMAIN_CRASHED+1,
"shutoff"
,
"crashed"
)
VIR_ENUM_IMPL
(
virDomainSeclabel
,
VIR_DOMAIN_SECLABEL_LAST
,
"dynamic"
,
"static"
)
#define virDomainReportError(conn, code, fmt...) \
virReportErrorHelper(conn, VIR_FROM_DOMAIN, code, __FILE__, \
__FUNCTION__, __LINE__, fmt)
...
...
@@ -1847,24 +1851,49 @@ static int virDomainLifecycleParseXML(virConnectPtr conn,
static
int
virSecurityLabelDefParseXML
(
virConnectPtr
conn
,
const
virDomainDefPtr
def
,
xmlXPathContextPtr
ctxt
)
xmlXPathContextPtr
ctxt
,
int
flags
)
{
char
*
p
;
if
(
virXPathNode
(
conn
,
"./seclabel"
,
ctxt
)
==
NULL
)
return
0
;
p
=
virXPathStringLimit
(
conn
,
"string(./seclabel/
label[1]
)"
,
p
=
virXPathStringLimit
(
conn
,
"string(./seclabel/
@type
)"
,
VIR_SECURITY_LABEL_BUFLEN
-
1
,
ctxt
);
if
(
p
==
NULL
)
goto
error
;
def
->
seclabel
.
label
=
p
;
p
=
virXPathStringLimit
(
conn
,
"string(./seclabel/@model)"
,
VIR_SECURITY_MODEL_BUFLEN
-
1
,
ctxt
);
if
(
p
==
NULL
)
if
((
def
->
seclabel
.
type
=
virDomainSeclabelTypeFromString
(
p
))
<
0
)
goto
error
;
def
->
seclabel
.
model
=
p
;
VIR_FREE
(
p
);
/* Only parse details, if using static labels, or
* if the 'live' VM XML is requested
*/
if
(
def
->
seclabel
.
type
==
VIR_DOMAIN_SECLABEL_STATIC
||
!
(
flags
&
VIR_DOMAIN_XML_INACTIVE
))
{
p
=
virXPathStringLimit
(
conn
,
"string(./seclabel/@model)"
,
VIR_SECURITY_MODEL_BUFLEN
-
1
,
ctxt
);
if
(
p
==
NULL
)
goto
error
;
def
->
seclabel
.
model
=
p
;
p
=
virXPathStringLimit
(
conn
,
"string(./seclabel/label[1])"
,
VIR_SECURITY_LABEL_BUFLEN
-
1
,
ctxt
);
if
(
p
==
NULL
)
goto
error
;
def
->
seclabel
.
label
=
p
;
}
/* Only parse imagelabel, if requested live XML for dynamic label */
if
(
def
->
seclabel
.
type
==
VIR_DOMAIN_SECLABEL_DYNAMIC
&&
!
(
flags
&
VIR_DOMAIN_XML_INACTIVE
))
{
p
=
virXPathStringLimit
(
conn
,
"string(./seclabel/imagelabel[1])"
,
VIR_SECURITY_LABEL_BUFLEN
-
1
,
ctxt
);
if
(
p
==
NULL
)
goto
error
;
def
->
seclabel
.
imagelabel
=
p
;
}
return
0
;
...
...
@@ -2458,7 +2487,7 @@ static virDomainDefPtr virDomainDefParseXML(virConnectPtr conn,
VIR_FREE
(
nodes
);
/* analysis of security label */
if
(
virSecurityLabelDefParseXML
(
conn
,
def
,
ctxt
)
==
-
1
)
if
(
virSecurityLabelDefParseXML
(
conn
,
def
,
ctxt
,
flags
)
==
-
1
)
goto
error
;
return
def
;
...
...
@@ -3480,9 +3509,25 @@ char *virDomainDefFormat(virConnectPtr conn,
virBufferAddLit
(
&
buf
,
" </devices>
\n
"
);
if
(
def
->
seclabel
.
model
)
{
virBufferEscapeString
(
&
buf
,
" <seclabel model='%s'>
\n
"
,
def
->
seclabel
.
model
);
virBufferEscapeString
(
&
buf
,
" <label>%s</label>
\n
"
,
def
->
seclabel
.
label
);
virBufferAddLit
(
&
buf
,
" </seclabel>
\n
"
);
const
char
*
sectype
=
virDomainSeclabelTypeToString
(
def
->
seclabel
.
type
);
if
(
!
sectype
)
goto
cleanup
;
if
(
!
def
->
seclabel
.
label
||
(
def
->
seclabel
.
type
==
VIR_DOMAIN_SECLABEL_DYNAMIC
&&
(
flags
&
VIR_DOMAIN_XML_INACTIVE
)))
{
virBufferVSprintf
(
&
buf
,
" <seclabel type='%s' model='%s'/>
\n
"
,
sectype
,
def
->
seclabel
.
model
);
}
else
{
virBufferVSprintf
(
&
buf
,
" <seclabel type='%s' model='%s'>
\n
"
,
sectype
,
def
->
seclabel
.
model
);
virBufferEscapeString
(
&
buf
,
" <label>%s</label>
\n
"
,
def
->
seclabel
.
label
);
if
(
def
->
seclabel
.
imagelabel
&&
def
->
seclabel
.
type
==
VIR_DOMAIN_SECLABEL_DYNAMIC
)
virBufferEscapeString
(
&
buf
,
" <imagelabel>%s</imagelabel>
\n
"
,
def
->
seclabel
.
imagelabel
);
virBufferAddLit
(
&
buf
,
" </seclabel>
\n
"
);
}
}
virBufferAddLit
(
&
buf
,
"</domain>
\n
"
);
...
...
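Review bot: In the virDomainDefFormat hunk, both new `<seclabel type='%s' model='%s'...>` lines pass def->seclabel.model through virBufferVSprintf, while the line they replace wrote it with virBufferEscapeString, so a model containing a quote or `<` now reaches the generated XML unescaped. That string is read from the `@model` attribute in virSecurityLabelDefParseXML, so it is caller-supplied text. Writing the two attributes separately keeps the escaping: `virBufferVSprintf(&buf, " <seclabel type='%s'", sectype);` then `virBufferEscapeString(&buf, " model='%s'>\n", def->seclabel.model);`, with `'/>\n` in the empty-element branch. Separately, in the parser hunk the `goto error` taken when virDomainSeclabelTypeFromString fails comes before `VIR_FREE(p)`, and no error is reported for a missing or unknown type. The error label is outside the hunk, so please confirm it releases `p`.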
src/domain_conf.h
...
...
@@ -410,6 +410,13 @@ struct _virDomainOSDef {
char
*
bootloaderArgs
;
};
enum
virDomainSeclabelType
{
VIR_DOMAIN_SECLABEL_DYNAMIC
,
VIR_DOMAIN_SECLABEL_STATIC
,
VIR_DOMAIN_SECLABEL_LAST
,
};
/* Security configuration for domain */
typedef
struct
_virSecurityLabelDef
virSecurityLabelDef
;
typedef
virSecurityLabelDef
*
virSecurityLabelDefPtr
;
...
...
@@ -417,6 +424,7 @@ struct _virSecurityLabelDef {
char
*
model
;
/* name of security model */
char
*
label
;
/* security label string */
char
*
imagelabel
;
/* security image label string */
int
type
;
};
#define VIR_DOMAIN_CPUMASK_LEN 1024
...
...
@@ -650,5 +658,6 @@ VIR_ENUM_DECL(virDomainInputBus)
VIR_ENUM_DECL
(
virDomainGraphics
)
/* from libvirt.h */
VIR_ENUM_DECL
(
virDomainState
)
VIR_ENUM_DECL
(
virDomainSeclabel
)
#endif
/* __DOMAIN_CONF_H */
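Review bot: The new `int type;` member of _virSecurityLabelDef is the only field shown without a trailing comment, and nothing records that it holds a virDomainSeclabelType value. I would write it as `int type; /* enum virDomainSeclabelType */`. The enum also deserves a comment noting that VIR_DOMAIN_SECLABEL_DYNAMIC is the first enumerator, so a zero-initialised definition is treated as dynamic. That default matters because the qemu_driver.c hunks in this commit decide label generation and label clearing from this field. The struct body starts outside the hunk.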
src/qemu_driver.c
...
...
@@ -1314,9 +1314,9 @@ static int qemudStartVMDaemon(virConnectPtr conn,
hookData
.
vm
=
vm
;
hookData
.
driver
=
driver
;
/* If you are using a SecurityDriver
and there was no security label in
database,
then generate a security label for isolation */
if
(
vm
->
def
->
seclabel
.
label
==
NULL
&&
/* If you are using a SecurityDriver
with dynamic labelling,
then generate a security label for isolation */
if
(
vm
->
def
->
seclabel
.
type
==
VIR_DOMAIN_SECLABEL_DYNAMIC
&&
driver
->
securityDriver
&&
driver
->
securityDriver
->
domainGenSecurityLabel
&&
driver
->
securityDriver
->
domainGenSecurityLabel
(
conn
,
vm
)
<
0
)
...
...
@@ -1525,6 +1525,13 @@ static void qemudShutdownVMDaemon(virConnectPtr conn ATTRIBUTE_UNUSED,
if
(
driver
->
securityDriver
)
driver
->
securityDriver
->
domainRestoreSecurityLabel
(
conn
,
vm
);
/* Clear out dynamically assigned labels */
if
(
vm
->
def
->
seclabel
.
type
==
VIR_DOMAIN_SECLABEL_DYNAMIC
)
{
VIR_FREE
(
vm
->
def
->
seclabel
.
model
);
VIR_FREE
(
vm
->
def
->
seclabel
.
label
);
VIR_FREE
(
vm
->
def
->
seclabel
.
imagelabel
);
}
if
(
qemudRemoveDomainStatus
(
conn
,
driver
,
vm
)
<
0
)
{
VIR_WARN
(
_
(
"Failed to remove domain status for %s"
),
vm
->
def
->
name
);
...
...
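Review bot: In the qemudStartVMDaemon hunk the guard changes from `seclabel.label == NULL` to `seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC`, so domainGenSecurityLabel now runs even when the definition already carries a label. The parser in this commit fills label and imagelabel for a dynamic domain whenever VIR_DOMAIN_XML_INACTIVE is not set, so such a definition can exist. Whether the generator replaces, leaks or trusts the existing strings is not visible here. I would extend the comment to state the expectation, for example `/* a label already present on a dynamic domain is never reused; domainGenSecurityLabel must replace or reject it */`, and confirm the driver behaves that way. Both functions continue outside their hunks.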