security: Include vhost-scsi in security labels

Ensure that the vhost-scsi wwpn information is passed to the different security policies. Signed-off-by: N Eric Farman <farman@linux.vnet.ibm.com>

security: Include vhost-scsi in security labels
Ensure that the vhost-scsi wwpn information is passed to the different security policies. Signed-off-by: N Eric Farman <farman@linux.vnet.ibm.com>
81a206f5 · Eric Farman · John Ferlan · 8c6d3653 · 81a206f5 · 81a206f5
Showing with 104 addition and 5 deletion

src/security/security_apparmor.c src/security/security_apparmor.c +19 -1

src/security/security_dac.c src/security/security_dac.c +44 -2

src/security/security_selinux.c src/security/security_selinux.c +41 -2

未找到文件。
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -44,6 +44,7 @@
 #include "viruuid.h"
 #include "virpci.h"
 #include "virusb.h"
+#include "virscsivhost.h"
 #include "virfile.h"
 #include "configmake.h"
 #include "vircommand.h"
@@ -357,6 +358,13 @@ AppArmorSetSecuritySCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
    return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
 }

+static int
+AppArmorSetSecurityHostLabel(virSCSIVHostDevicePtr dev ATTRIBUTE_UNUSED,
+                             const char *file, void *opaque)
+{
+    return AppArmorSetSecurityHostdevLabelHelper(file, opaque);
+}
+
 /* Called on libvirtd startup to see if AppArmor is available */
 static int
 AppArmorSecurityManagerProbe(const char *virtDriver ATTRIBUTE_UNUSED)
@@ -831,6 +839,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
    virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
    virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
    virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
+    virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host;

    if (!secdef)
        return -1;
@@ -910,7 +919,16 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI_HOST: {
-        /* Fall through for now */
+        virSCSIVHostDevicePtr host = virSCSIVHostDeviceNew(hostsrc->wwpn);
+
+        if (!host)
+            goto done;
+
+        ret = virSCSIVHostDeviceFileIterate(host,
+                                            AppArmorSetSecurityHostLabel,
+                                            ptr);
+        virSCSIVHostDeviceFree(host);
+        break;
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:

--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -36,6 +36,7 @@
 #include "virpci.h"
 #include "virusb.h"
 #include "virscsi.h"
+#include "virscsivhost.h"
 #include "virstoragefile.h"
 #include "virstring.h"
 #include "virutil.h"
@@ -581,6 +582,15 @@ virSecurityDACSetSCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
 }


+static int
+virSecurityDACSetHostLabel(virSCSIVHostDevicePtr dev ATTRIBUTE_UNUSED,
+                           const char *file,
+                           void *opaque)
+{
+    return virSecurityDACSetHostdevLabelHelper(file, opaque);
+}
+
+
 static int
 virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr,
                              virDomainDefPtr def,
@@ -592,6 +602,7 @@ virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr,
    virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
    virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
    virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
+    virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host;
    int ret = -1;

    if (!priv->dynamicOwnership)
@@ -677,7 +688,16 @@ virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr,
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI_HOST: {
-        /* Fall through for now */
+        virSCSIVHostDevicePtr host = virSCSIVHostDeviceNew(hostsrc->wwpn);
+
+        if (!host)
+            goto done;
+
+        ret = virSCSIVHostDeviceFileIterate(host,
+                                            virSecurityDACSetHostLabel,
+                                            &cbdata);
+        virSCSIVHostDeviceFree(host);
+        break;
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:
@@ -723,6 +743,17 @@ virSecurityDACRestoreSCSILabel(virSCSIDevicePtr dev ATTRIBUTE_UNUSED,
 }


+static int
+virSecurityDACRestoreHostLabel(virSCSIVHostDevicePtr dev ATTRIBUTE_UNUSED,
+                               const char *file,
+                               void *opaque)
+{
+    virSecurityManagerPtr mgr = opaque;
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    return virSecurityDACRestoreFileLabel(priv, file);
+}
+
+
 static int
 virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr,
                                  virDomainDefPtr def,
@@ -735,6 +766,7 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr,
    virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
    virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
    virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
+    virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host;
    int ret = -1;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
@@ -810,7 +842,17 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr,
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI_HOST: {
-        /* Fall through for now */
+        virSCSIVHostDevicePtr host = virSCSIVHostDeviceNew(hostsrc->wwpn);
+
+        if (!host)
+            goto done;
+
+        ret = virSCSIVHostDeviceFileIterate(host,
+                                            virSecurityDACRestoreHostLabel,
+                                            mgr);
+        virSCSIVHostDeviceFree(host);
+
+        break;
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:

--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -39,6 +39,7 @@
 #include "virpci.h"
 #include "virusb.h"
 #include "virscsi.h"
+#include "virscsivhost.h"
 #include "virstoragefile.h"
 #include "virfile.h"
 #include "virhash.h"
@@ -1415,6 +1416,13 @@ virSecuritySELinuxSetSCSILabel(virSCSIDevicePtr dev,
                                                    secdef->imagelabel);
 }

+static int
+virSecuritySELinuxSetHostLabel(virSCSIVHostDevicePtr dev ATTRIBUTE_UNUSED,
+                               const char *file, void *opaque)
+{
+    return virSecuritySELinuxSetHostdevLabelHelper(file, opaque);
+}
+
 static int
 virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr mgr,
                                        virDomainDefPtr def,
@@ -1425,6 +1433,7 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr mgr,
    virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
    virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
    virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
+    virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host;
    virSecuritySELinuxCallbackData data = {.mgr = mgr, .def = def};

    int ret = -1;
@@ -1499,7 +1508,16 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr mgr,
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI_HOST: {
-        /* Fall through for now */
+        virSCSIVHostDevicePtr host = virSCSIVHostDeviceNew(hostsrc->wwpn);
+
+        if (!host)
+            goto done;
+
+        ret = virSCSIVHostDeviceFileIterate(host,
+                                            virSecuritySELinuxSetHostLabel,
+                                            &data);
+        virSCSIVHostDeviceFree(host);
+        break;
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:
@@ -1626,6 +1644,16 @@ virSecuritySELinuxRestoreSCSILabel(virSCSIDevicePtr dev,
    return virSecuritySELinuxRestoreFileLabel(mgr, file);
 }

+static int
+virSecuritySELinuxRestoreHostLabel(virSCSIVHostDevicePtr dev ATTRIBUTE_UNUSED,
+                                   const char *file,
+                                   void *opaque)
+{
+    virSecurityManagerPtr mgr = opaque;
+
+    return virSecuritySELinuxRestoreFileLabel(mgr, file);
+}
+
 static int
 virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr,
                                            virDomainHostdevDefPtr dev,
@@ -1635,6 +1663,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr,
    virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
    virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
    virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
+    virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host;
    int ret = -1;

    /* Like virSecuritySELinuxRestoreImageLabelInt() for a networked
@@ -1705,7 +1734,17 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr,
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI_HOST: {
-        /* Fall through for now */
+        virSCSIVHostDevicePtr host = virSCSIVHostDeviceNew(hostsrc->wwpn);
+
+        if (!host)
+            goto done;
+
+        ret = virSCSIVHostDeviceFileIterate(host,
+                                            virSecuritySELinuxRestoreHostLabel,
+                                            mgr);
+        virSCSIVHostDeviceFree(host);
+
+        break;
    }

    case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST: