virSecurityManagerNew: Turn array of booleans into flags

So imagine you want to crate new security manager: if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false, true))); Hard to parse, right? What about this: if (!(mgr = virSecurityManagerNew("selinux", "QEMU", VIR_SECURITY_MANAGER_DEFAULT_CONFINED | VIR_SECURITY_MANAGER_PRIVILEGED))); Now that's better! This is what the commit does. Signed-off-by: N Michal Privoznik <mprivozn@redhat.com>

virSecurityManagerNew: Turn array of booleans into flags
So imagine you want to crate new security manager: if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false, true))); Hard to parse, right? What about this: if (!(mgr = virSecurityManagerNew("selinux", "QEMU", VIR_SECURITY_MANAGER_DEFAULT_CONFINED | VIR_SECURITY_MANAGER_PRIVILEGED))); Now that's better! This is what the commit does. Signed-off-by: N Michal Privoznik <mprivozn@redhat.com>
79bd55b3 · Michal Privoznik · a946c50d · 79bd55b3 · 79bd55b3 · 79bd55b3
9 changed file
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -2645,8 +2645,7 @@ int main(int argc, char *argv[])
    ctrl->handshakeFd = handshakeFd;
    if (!(ctrl->securityManager = virSecurityManagerNew(securityDriver,
-                                                        LXC_DRIVER_NAME,
+                                                        LXC_DRIVER_NAME, 0)))
-                                                        false, false, false, false)))
        goto cleanup;
    if (ctrl->def->seclabels) {

--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -1556,13 +1556,17 @@ static int lxcCheckNetNsSupport(void)
 static virSecurityManagerPtr
 lxcSecurityInit(virLXCDriverConfigPtr cfg)
 {
+    unsigned int flags = VIR_SECURITY_MANAGER_PRIVILEGED;
    VIR_INFO("lxcSecurityInit %s", cfg->securityDriverName);
+    if (cfg->securityDefaultConfined)
+        flags |= VIR_SECURITY_MANAGER_DEFAULT_CONFINED;
+    if (cfg->securityRequireConfined)
+        flags |= VIR_SECURITY_MANAGER_REQUIRE_CONFINED;
    virSecurityManagerPtr mgr = virSecurityManagerNew(cfg->securityDriverName,
-                                                      LXC_DRIVER_NAME,
+                                                      LXC_DRIVER_NAME, flags);
-                                                      false,
-                                                      cfg->securityDefaultConfined,
-                                                      cfg->securityRequireConfined,
-                                                      true);
    if (!mgr)
        goto error;

--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -389,6 +389,16 @@ qemuSecurityInit(virQEMUDriverPtr driver)
    virSecurityManagerPtr mgr = NULL;
    virSecurityManagerPtr stack = NULL;
    virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+    unsigned int flags = 0;
+    if (cfg->allowDiskFormatProbing)
+        flags |= VIR_SECURITY_MANAGER_ALLOW_DISK_PROBE;
+    if (cfg->securityDefaultConfined)
+        flags |= VIR_SECURITY_MANAGER_DEFAULT_CONFINED;
+    if (cfg->securityRequireConfined)
+        flags |= VIR_SECURITY_MANAGER_REQUIRE_CONFINED;
+    if (virQEMUDriverIsPrivileged(driver))
+        flags |= VIR_SECURITY_MANAGER_PRIVILEGED;
    if (cfg->securityDriverNames &&
        cfg->securityDriverNames[0]) {
@@ -396,10 +406,7 @@ qemuSecurityInit(virQEMUDriverPtr driver)
        while (names && *names) {
            if (!(mgr = virSecurityManagerNew(*names,
                                              QEMU_DRIVER_NAME,
-                                              cfg->allowDiskFormatProbing,
+                                              flags)))
-                                              cfg->securityDefaultConfined,
-                                              cfg->securityRequireConfined,
-                                              virQEMUDriverIsPrivileged(driver))))
                goto error;
            if (!stack) {
                if (!(stack = virSecurityManagerNewStack(mgr)))
@@ -414,10 +421,7 @@ qemuSecurityInit(virQEMUDriverPtr driver)
    } else {
        if (!(mgr = virSecurityManagerNew(NULL,
                                          QEMU_DRIVER_NAME,
-                                          cfg->allowDiskFormatProbing,
+                                          flags)))
-                                          cfg->securityDefaultConfined,
-                                          cfg->securityRequireConfined,
-                                          virQEMUDriverIsPrivileged(driver))))
            goto error;
        if (!(stack = virSecurityManagerNewStack(mgr)))
            goto error;
@@ -425,14 +429,12 @@ qemuSecurityInit(virQEMUDriverPtr driver)
    }
    if (virQEMUDriverIsPrivileged(driver)) {
+        if (cfg->dynamicOwnership)
+            flags |= VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP;
        if (!(mgr = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
                                             cfg->user,
                                             cfg->group,
-                                             cfg->allowDiskFormatProbing,
+                                             flags,
-                                             cfg->securityDefaultConfined,
-                                             cfg->securityRequireConfined,
-                                             cfg->dynamicOwnership,
-                                             virQEMUDriverIsPrivileged(driver),
                                             qemuSecurityChownCallback)))
            goto error;
        if (!stack) {

--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -37,10 +37,7 @@ struct _virSecurityManager {
    virObjectLockable parent;
    virSecurityDriverPtr drv;
-    bool allowDiskFormatProbing;
+    unsigned int flags;
-    bool defaultConfined;
-    bool requireConfined;
-    bool privileged;
    const char *virtDriver;
    void *privateData;
 };
@@ -77,10 +74,7 @@ VIR_ONCE_GLOBAL_INIT(virSecurityManager);
 static virSecurityManagerPtr
 virSecurityManagerNewDriver(virSecurityDriverPtr drv,
                            const char *virtDriver,
-                            bool allowDiskFormatProbing,
+                            unsigned int flags)
-                            bool defaultConfined,
-                            bool requireConfined,
-                            bool privileged)
 {
    virSecurityManagerPtr mgr;
    char *privateData;
@@ -88,11 +82,10 @@ virSecurityManagerNewDriver(virSecurityDriverPtr drv,
    if (virSecurityManagerInitialize() < 0)
        return NULL;
-    VIR_DEBUG("drv=%p (%s) virtDriver=%s allowDiskFormatProbing=%d "
+    VIR_DEBUG("drv=%p (%s) virtDriver=%s flags=%x",
-              "defaultConfined=%d requireConfined=%d privileged=%d",
+              drv, drv->name, virtDriver, flags);
-              drv, drv->name, virtDriver,
-              allowDiskFormatProbing, defaultConfined,
+    virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK, NULL);
-              requireConfined, privileged);
    if (VIR_ALLOC_N(privateData, drv->privateDataLen) < 0)
        return NULL;
@@ -103,10 +96,7 @@ virSecurityManagerNewDriver(virSecurityDriverPtr drv,
    }
    mgr->drv = drv;
-    mgr->allowDiskFormatProbing = allowDiskFormatProbing;
+    mgr->flags = flags;
-    mgr->defaultConfined = defaultConfined;
-    mgr->requireConfined = requireConfined;
-    mgr->privileged = privileged;
    mgr->virtDriver = virtDriver;
    mgr->privateData = privateData;
@@ -125,10 +115,7 @@ virSecurityManagerNewStack(virSecurityManagerPtr primary)
    virSecurityManagerPtr mgr =
        virSecurityManagerNewDriver(&virSecurityDriverStack,
                                    virSecurityManagerGetDriver(primary),
-                                    virSecurityManagerGetAllowDiskFormatProbing(primary),
+                                    primary->flags);
-                                    virSecurityManagerGetDefaultConfined(primary),
-                                    virSecurityManagerGetRequireConfined(primary),
-                                    virSecurityManagerGetPrivileged(primary));
    if (!mgr)
        return NULL;
@@ -153,20 +140,17 @@ virSecurityManagerPtr
 virSecurityManagerNewDAC(const char *virtDriver,
                         uid_t user,
                         gid_t group,
-                         bool allowDiskFormatProbing,
+                         unsigned int flags,
-                         bool defaultConfined,
-                         bool requireConfined,
-                         bool dynamicOwnership,
-                         bool privileged,
                         virSecurityManagerDACChownCallback chownCallback)
 {
-    virSecurityManagerPtr mgr =
+    virSecurityManagerPtr mgr;
-        virSecurityManagerNewDriver(&virSecurityDriverDAC,
-                                    virtDriver,
+    virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK |
-                                    allowDiskFormatProbing,
+                  VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP, NULL);
-                                    defaultConfined,
-                                    requireConfined,
+    mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC,
-                                    privileged);
+                                      virtDriver,
+                                      flags & VIR_SECURITY_MANAGER_NEW_MASK);
    if (!mgr)
        return NULL;
@@ -176,7 +160,7 @@ virSecurityManagerNewDAC(const char *virtDriver,
        return NULL;
    }
-    virSecurityDACSetDynamicOwnership(mgr, dynamicOwnership);
+    virSecurityDACSetDynamicOwnership(mgr, flags & VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP);
    virSecurityDACSetChownCallback(mgr, chownCallback);
    return mgr;
@@ -186,10 +170,7 @@ virSecurityManagerNewDAC(const char *virtDriver,
 virSecurityManagerPtr
 virSecurityManagerNew(const char *name,
                      const char *virtDriver,
-                      bool allowDiskFormatProbing,
+                      unsigned int flags)
-                      bool defaultConfined,
-                      bool requireConfined,
-                      bool privileged)
 {
    virSecurityDriverPtr drv = virSecurityDriverLookup(name, virtDriver);
    if (!drv)
@@ -197,13 +178,13 @@ virSecurityManagerNew(const char *name,
    /* driver "none" needs some special handling of *Confined bools */
    if (STREQ(drv->name, "none")) {
-        if (requireConfined) {
+        if (flags & VIR_SECURITY_MANAGER_REQUIRE_CONFINED) {
            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                           _("Security driver \"none\" cannot create confined guests"));
            return NULL;
        }
-        if (defaultConfined) {
+        if (flags & VIR_SECURITY_MANAGER_DEFAULT_CONFINED) {
            if (name != NULL) {
                VIR_WARN("Configured security driver \"none\" disables default"
                         " policy to create confined guests");
@@ -211,16 +192,13 @@ virSecurityManagerNew(const char *name,
                VIR_DEBUG("Auto-probed security driver is \"none\";"
                          " confined guests will not be created");
            }
-            defaultConfined = false;
+            flags &= ~VIR_SECURITY_MANAGER_DEFAULT_CONFINED;
        }
    }
    return virSecurityManagerNewDriver(drv,
                                       virtDriver,
-                                       allowDiskFormatProbing,
+                                       flags);
-                                       defaultConfined,
-                                       requireConfined,
-                                       privileged);
 }
@@ -323,28 +301,28 @@ virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr,
 bool
 virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr)
 {
-    return mgr->allowDiskFormatProbing;
+    return mgr->flags & VIR_SECURITY_MANAGER_ALLOW_DISK_PROBE;
 }
 bool
 virSecurityManagerGetDefaultConfined(virSecurityManagerPtr mgr)
 {
-    return mgr->defaultConfined;
+    return mgr->flags & VIR_SECURITY_MANAGER_DEFAULT_CONFINED;
 }
 bool
 virSecurityManagerGetRequireConfined(virSecurityManagerPtr mgr)
 {
-    return mgr->requireConfined;
+    return mgr->flags & VIR_SECURITY_MANAGER_REQUIRE_CONFINED;
 }
 bool
 virSecurityManagerGetPrivileged(virSecurityManagerPtr mgr)
 {
-    return mgr->privileged;
+    return mgr->flags & VIR_SECURITY_MANAGER_PRIVILEGED;
 }
@@ -611,7 +589,7 @@ virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
        }
        if (seclabel->type == VIR_DOMAIN_SECLABEL_DEFAULT) {
-            if (sec_managers[i]->defaultConfined) {
+            if (virSecurityManagerGetDefaultConfined(sec_managers[i])) {
                seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
            } else {
                seclabel->type = VIR_DOMAIN_SECLABEL_NONE;
@@ -620,7 +598,7 @@ virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
        }
        if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
-            if (sec_managers[i]->requireConfined) {
+            if (virSecurityManagerGetRequireConfined(sec_managers[i])) {
                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                               _("Unconfined guests are not allowed on this host"));
                goto cleanup;

--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -30,12 +30,23 @@
 typedef struct _virSecurityManager virSecurityManager;
 typedef virSecurityManager *virSecurityManagerPtr;
+typedef enum {
+    VIR_SECURITY_MANAGER_ALLOW_DISK_PROBE   = 1 << 0,
+    VIR_SECURITY_MANAGER_DEFAULT_CONFINED   = 1 << 1,
+    VIR_SECURITY_MANAGER_REQUIRE_CONFINED   = 1 << 2,
+    VIR_SECURITY_MANAGER_PRIVILEGED         = 1 << 3,
+    VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP  = 1 << 4,
+} virSecurityManagerNewFlags;
+# define VIR_SECURITY_MANAGER_NEW_MASK  \
+    (VIR_SECURITY_MANAGER_ALLOW_DISK_PROBE  | \
+     VIR_SECURITY_MANAGER_DEFAULT_CONFINED  | \
+     VIR_SECURITY_MANAGER_REQUIRE_CONFINED  | \
+     VIR_SECURITY_MANAGER_PRIVILEGED)
 virSecurityManagerPtr virSecurityManagerNew(const char *name,
                                            const char *virtDriver,
-                                            bool allowDiskFormatProbing,
+                                            unsigned int flags);
-                                            bool defaultConfined,
-                                            bool requireConfined,
-                                            bool privileged);
 virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary);
 int virSecurityManagerStackAddNested(virSecurityManagerPtr stack,
@@ -59,11 +70,7 @@ typedef int
 virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
                                               uid_t user,
                                               gid_t group,
-                                               bool allowDiskFormatProbing,
+                                               unsigned int flags,
-                                               bool defaultConfined,
-                                               bool requireConfined,
-                                               bool dynamicOwnership,
-                                               bool privileged,
                                               virSecurityManagerDACChownCallback chownCallback);
 int virSecurityManagerPreFork(virSecurityManagerPtr mgr);

--- a/tests/qemuhotplugtest.c
+++ b/tests/qemuhotplugtest.c
@@ -364,7 +364,8 @@ mymain(void)
    if (!driver.lockManager)
        return EXIT_FAILURE;
-    if (!(mgr = virSecurityManagerNew("none", "qemu", false, false, false, true)))
+    if (!(mgr = virSecurityManagerNew("none", "qemu",
+                                      VIR_SECURITY_MANAGER_PRIVILEGED)))
        return EXIT_FAILURE;
    if (!(driver.securityManager = virSecurityManagerNewStack(mgr)))
        return EXIT_FAILURE;

--- a/tests/seclabeltest.c
+++ b/tests/seclabeltest.c
@@ -17,7 +17,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED)
    if (virThreadInitialize() < 0)
        return EXIT_FAILURE;
-    mgr = virSecurityManagerNew(NULL, "QEMU", false, true, false, false);
+    mgr = virSecurityManagerNew(NULL, "QEMU", VIR_SECURITY_MANAGER_DEFAULT_CONFINED);
    if (mgr == NULL) {
        fprintf(stderr, "Failed to start security driver");
        return EXIT_FAILURE;

--- a/tests/securityselinuxlabeltest.c
+++ b/tests/securityselinuxlabeltest.c
@@ -351,7 +351,9 @@ mymain(void)
    if (!rc)
        return EXIT_AM_SKIP;
-    if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false, true))) {
+    if (!(mgr = virSecurityManagerNew("selinux", "QEMU",
+                                      VIR_SECURITY_MANAGER_DEFAULT_CONFINED |
+                                      VIR_SECURITY_MANAGER_PRIVILEGED))) {
        virErrorPtr err = virGetLastError();
        VIR_TEST_VERBOSE("Unable to initialize security driver: %s\n",
                err->message);

--- a/tests/securityselinuxtest.c
+++ b/tests/securityselinuxtest.c
@@ -272,7 +272,9 @@ mymain(void)
    int ret = 0;
    virSecurityManagerPtr mgr;
-    if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false, true))) {
+    if (!(mgr = virSecurityManagerNew("selinux", "QEMU",
+                                      VIR_SECURITY_MANAGER_DEFAULT_CONFINED |
+                                      VIR_SECURITY_MANAGER_PRIVILEGED))) {
        virErrorPtr err = virGetLastError();
        fprintf(stderr, "Unable to initialize security driver: %s\n",
                err->message);