提交 a0f82fd2 编写于 作者: J Jim Fehlig

security_dac: honor relabel='no' in chardev config

The DAC driver ignores the relabel='no' attribute in chardev config

  <serial type='file'>
    <source path='/tmp/jim/test.file'>
      <seclabel model='dac' relabel='no'/>
    </source>
    <target port='0'/>
  </serial>

This patch avoids labeling chardevs when relabel='no' is specified.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NJim Fehlig <jfehlig@suse.com>
上级 bb917a90
...@@ -693,11 +693,13 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, ...@@ -693,11 +693,13 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr, virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def, virDomainDefPtr def,
virDomainChrSourceDefPtr dev) virDomainChrDefPtr dev,
virDomainChrSourceDefPtr dev_source)
{ {
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
virSecurityLabelDefPtr seclabel; virSecurityLabelDefPtr seclabel;
virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
char *in = NULL, *out = NULL; char *in = NULL, *out = NULL;
int ret = -1; int ret = -1;
uid_t user; uid_t user;
...@@ -705,25 +707,38 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr, ...@@ -705,25 +707,38 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL)) if (dev)
chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
SECURITY_DAC_NAME);
if (chr_seclabel && chr_seclabel->norelabel)
return 0;
if (chr_seclabel && chr_seclabel->label) {
if (virParseOwnershipIds(chr_seclabel->label, &user, &group) < 0)
return -1; return -1;
} else {
if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
return -1;
}
switch ((enum virDomainChrType) dev->type) { switch ((enum virDomainChrType) dev_source->type) {
case VIR_DOMAIN_CHR_TYPE_DEV: case VIR_DOMAIN_CHR_TYPE_DEV:
case VIR_DOMAIN_CHR_TYPE_FILE: case VIR_DOMAIN_CHR_TYPE_FILE:
ret = virSecurityDACSetOwnership(dev->data.file.path, user, group); ret = virSecurityDACSetOwnership(dev_source->data.file.path,
user, group);
break; break;
case VIR_DOMAIN_CHR_TYPE_PIPE: case VIR_DOMAIN_CHR_TYPE_PIPE:
if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) || if ((virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0) ||
(virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) (virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0))
goto done; goto done;
if (virFileExists(in) && virFileExists(out)) { if (virFileExists(in) && virFileExists(out)) {
if ((virSecurityDACSetOwnership(in, user, group) < 0) || if ((virSecurityDACSetOwnership(in, user, group) < 0) ||
(virSecurityDACSetOwnership(out, user, group) < 0)) { (virSecurityDACSetOwnership(out, user, group) < 0)) {
goto done; goto done;
} }
} else if (virSecurityDACSetOwnership(dev->data.file.path, } else if (virSecurityDACSetOwnership(dev_source->data.file.path,
user, group) < 0) { user, group) < 0) {
goto done; goto done;
} }
...@@ -753,27 +768,40 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr, ...@@ -753,27 +768,40 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainChrSourceDefPtr dev) virDomainDefPtr def,
virDomainChrDefPtr dev,
virDomainChrSourceDefPtr dev_source)
{ {
virSecurityLabelDefPtr seclabel;
virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
char *in = NULL, *out = NULL; char *in = NULL, *out = NULL;
int ret = -1; int ret = -1;
switch ((enum virDomainChrType) dev->type) { seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
if (dev)
chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
SECURITY_DAC_NAME);
if (seclabel->norelabel || (chr_seclabel && chr_seclabel->norelabel))
return 0;
switch ((enum virDomainChrType) dev_source->type) {
case VIR_DOMAIN_CHR_TYPE_DEV: case VIR_DOMAIN_CHR_TYPE_DEV:
case VIR_DOMAIN_CHR_TYPE_FILE: case VIR_DOMAIN_CHR_TYPE_FILE:
ret = virSecurityDACRestoreSecurityFileLabel(dev->data.file.path); ret = virSecurityDACRestoreSecurityFileLabel(dev_source->data.file.path);
break; break;
case VIR_DOMAIN_CHR_TYPE_PIPE: case VIR_DOMAIN_CHR_TYPE_PIPE:
if ((virAsprintf(&out, "%s.out", dev->data.file.path) < 0) || if ((virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0) ||
(virAsprintf(&in, "%s.in", dev->data.file.path) < 0)) (virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0))
goto done; goto done;
if (virFileExists(in) && virFileExists(out)) { if (virFileExists(in) && virFileExists(out)) {
if ((virSecurityDACRestoreSecurityFileLabel(out) < 0) || if ((virSecurityDACRestoreSecurityFileLabel(out) < 0) ||
(virSecurityDACRestoreSecurityFileLabel(in) < 0)) { (virSecurityDACRestoreSecurityFileLabel(in) < 0)) {
goto done; goto done;
} }
} else if (virSecurityDACRestoreSecurityFileLabel(dev->data.file.path) < 0) { } else if (virSecurityDACRestoreSecurityFileLabel(dev_source->data.file.path) < 0) {
goto done; goto done;
} }
ret = 0; ret = 0;
...@@ -802,13 +830,13 @@ virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, ...@@ -802,13 +830,13 @@ virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
static int static int
virSecurityDACRestoreChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED, virSecurityDACRestoreChardevCallback(virDomainDefPtr def,
virDomainChrDefPtr dev, virDomainChrDefPtr dev,
void *opaque) void *opaque)
{ {
virSecurityManagerPtr mgr = opaque; virSecurityManagerPtr mgr = opaque;
return virSecurityDACRestoreChardevLabel(mgr, &dev->source); return virSecurityDACRestoreChardevLabel(mgr, def, dev, &dev->source);
} }
...@@ -821,7 +849,7 @@ virSecurityDACSetSecurityTPMFileLabel(virSecurityManagerPtr mgr, ...@@ -821,7 +849,7 @@ virSecurityDACSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
switch (tpm->type) { switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
ret = virSecurityDACSetChardevLabel(mgr, def, ret = virSecurityDACSetChardevLabel(mgr, def, NULL,
&tpm->data.passthrough.source); &tpm->data.passthrough.source);
break; break;
case VIR_DOMAIN_TPM_TYPE_LAST: case VIR_DOMAIN_TPM_TYPE_LAST:
...@@ -834,13 +862,14 @@ virSecurityDACSetSecurityTPMFileLabel(virSecurityManagerPtr mgr, ...@@ -834,13 +862,14 @@ virSecurityDACSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
static int static int
virSecurityDACRestoreSecurityTPMFileLabel(virSecurityManagerPtr mgr, virSecurityDACRestoreSecurityTPMFileLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainTPMDefPtr tpm) virDomainTPMDefPtr tpm)
{ {
int ret = 0; int ret = 0;
switch (tpm->type) { switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
ret = virSecurityDACRestoreChardevLabel(mgr, ret = virSecurityDACRestoreChardevLabel(mgr, def, NULL,
&tpm->data.passthrough.source); &tpm->data.passthrough.source);
break; break;
case VIR_DOMAIN_TPM_TYPE_LAST: case VIR_DOMAIN_TPM_TYPE_LAST:
...@@ -892,6 +921,7 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr, ...@@ -892,6 +921,7 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
if (def->tpm) { if (def->tpm) {
if (virSecurityDACRestoreSecurityTPMFileLabel(mgr, if (virSecurityDACRestoreSecurityTPMFileLabel(mgr,
def,
def->tpm) < 0) def->tpm) < 0)
rc = -1; rc = -1;
} }
...@@ -919,7 +949,7 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def, ...@@ -919,7 +949,7 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def,
{ {
virSecurityManagerPtr mgr = opaque; virSecurityManagerPtr mgr = opaque;
return virSecurityDACSetChardevLabel(mgr, def, &dev->source); return virSecurityDACSetChardevLabel(mgr, def, dev, &dev->source);
} }
......