security: add new internal function "virSecurityManagerGetBaseLabel"

virSecurityManagerGetBaseLabel queries the default settings used by a security model. Signed-off-by: N Giuseppe Scrivano <gscrivan@redhat.com>

security: add new internal function "virSecurityManagerGetBaseLabel"
virSecurityManagerGetBaseLabel queries the default settings used by a security model. Signed-off-by: N Giuseppe Scrivano <gscrivan@redhat.com>
64a68a4a · Giuseppe Scrivano · Eric Blake · 4387132f · 64a68a4a · 64a68a4a
9 changed file
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -842,6 +842,7 @@ virSecurityDriverLookup;
 # security/security_manager.h
 virSecurityManagerClearSocketLabel;
 virSecurityManagerGenLabel;
+virSecurityManagerGetBaseLabel;
 virSecurityManagerGetDOI;
 virSecurityManagerGetModel;
 virSecurityManagerGetMountOptions;

--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -931,6 +931,12 @@ AppArmorGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
    return opts;
 }

+static const char *
+AppArmorGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                     int virtType ATTRIBUTE_UNUSED)
+{
+    return NULL;
+}

 virSecurityDriver virAppArmorSecurityDriver = {
    .privateDataLen                     = 0,
@@ -972,4 +978,6 @@ virSecurityDriver virAppArmorSecurityDriver = {
    .domainSetSecurityTapFDLabel        = AppArmorSetFDLabel,

    .domainGetSecurityMountOptions      = AppArmorGetMountOptions,
+
+    .getBaseLabel                       = AppArmoryGetBaseLabel,
 };
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1174,6 +1174,14 @@ virSecurityDACGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
    return NULL;
 }

+static const char *
+virSecurityDACGetBaseLabel(virSecurityManagerPtr mgr,
+                           int virt ATTRIBUTE_UNUSED)
+{
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    return priv->baselabel;
+}
+
 virSecurityDriver virSecurityDriverDAC = {
    .privateDataLen                     = sizeof(virSecurityDACData),
    .name                               = SECURITY_DAC_NAME,
@@ -1216,4 +1224,6 @@ virSecurityDriver virSecurityDriverDAC = {
    .domainSetSecurityTapFDLabel        = virSecurityDACSetTapFDLabel,

    .domainGetSecurityMountOptions      = virSecurityDACGetMountOptions,
+
+    .getBaseLabel                       = virSecurityDACGetBaseLabel,
 };
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -46,6 +46,8 @@ typedef int (*virSecurityDriverClose) (virSecurityManagerPtr mgr);

 typedef const char *(*virSecurityDriverGetModel) (virSecurityManagerPtr mgr);
 typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr);
+typedef const char *(*virSecurityDriverGetBaseLabel) (virSecurityManagerPtr mgr,
+                                                      int virtType);

 typedef int (*virSecurityDriverPreFork) (virSecurityManagerPtr mgr);

@@ -154,6 +156,8 @@ struct _virSecurityDriver {

    virSecurityDomainGetMountOptions domainGetSecurityMountOptions;
    virSecurityDomainSetHugepages domainSetSecurityHugepages;
+
+    virSecurityDriverGetBaseLabel getBaseLabel;
 };

 virSecurityDriverPtr virSecurityDriverLookup(const char *name,

--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -275,6 +275,21 @@ virSecurityManagerGetModel(virSecurityManagerPtr mgr)
    return NULL;
 }

+/* return NULL if a base label is not present */
+const char *
+virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+    if (mgr->drv->getBaseLabel) {
+        const char *ret;
+        virObjectLock(mgr);
+        ret = mgr->drv->getBaseLabel(mgr, virtType);
+        virObjectUnlock(mgr);
+        return ret;
+    }
+
+    return NULL;
+}
+
 bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr)
 {
    return mgr->allowDiskFormatProbing;

--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -55,6 +55,8 @@ void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr);
 const char *virSecurityManagerGetDriver(virSecurityManagerPtr mgr);
 const char *virSecurityManagerGetDOI(virSecurityManagerPtr mgr);
 const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
+const char *virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr, int virtType);
+
 bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
 bool virSecurityManagerGetDefaultConfined(virSecurityManagerPtr mgr);
 bool virSecurityManagerGetRequireConfined(virSecurityManagerPtr mgr);

--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -186,6 +186,14 @@ static char *virSecurityDomainGetMountOptionsNop(virSecurityManagerPtr mgr ATTRI
    return opts;
 }

+static const char *
+virSecurityGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                        int virtType ATTRIBUTE_UNUSED)
+{
+    return NULL;
+}
+
+
 virSecurityDriver virSecurityDriverNop = {
    .privateDataLen                     = 0,
    .name                               = "none",
@@ -226,4 +234,6 @@ virSecurityDriver virSecurityDriverNop = {
    .domainSetSecurityTapFDLabel        = virSecurityDomainSetFDLabelNop,

    .domainGetSecurityMountOptions      = virSecurityDomainGetMountOptionsNop,
+
+    .getBaseLabel                       = virSecurityGetBaseLabel,
 };
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1830,6 +1830,17 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
 }


+static const char *
+virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+    virSecuritySELinuxDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    if (virtType == VIR_DOMAIN_VIRT_QEMU && priv->alt_domain_context)
+        return priv->alt_domain_context;
+    else
+        return priv->domain_context;
+}
+
+
 static int
 virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
                                          virDomainDefPtr def,
@@ -2477,4 +2488,5 @@ virSecurityDriver virSecurityDriverSELinux = {
    .domainSetSecurityTapFDLabel        = virSecuritySELinuxSetTapFDLabel,

    .domainGetSecurityMountOptions      = virSecuritySELinuxGetSecurityMountOptions,
+    .getBaseLabel                       = virSecuritySELinuxGetBaseLabel,
 };
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -555,6 +555,13 @@ virSecurityStackGetNested(virSecurityManagerPtr mgr)
    return list;
 }

+static const char *
+virSecurityStackGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+    return virSecurityManagerGetBaseLabel(virSecurityStackGetPrimary(mgr),
+                                          virtType);
+}
+
 virSecurityDriver virSecurityDriverStack = {
    .privateDataLen                     = sizeof(virSecurityStackData),
    .name                               = "stack",
@@ -599,4 +606,6 @@ virSecurityDriver virSecurityDriverStack = {
    .domainGetSecurityMountOptions      = virSecurityStackGetMountOptions,

    .domainSetSecurityHugepages         = virSecurityStackSetHugepages,
+
+    .getBaseLabel                       = virSecurityStackGetBaseLabel,
 };