提交 a6cbdd7b 编写于 作者: D Daniel P. Berrange

Add support for SELinux labelling of hostdev storage/misc devices

The SELinux security driver needs to learn to label storage/misc
hostdev devices for LXC
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
上级 570ad09e
......@@ -1210,6 +1210,65 @@ done:
}
static int
virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
virDomainHostdevDefPtr dev,
const char *vroot)
{
int ret = -1;
virSecurityLabelDefPtr secdef;
char *path;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL)
return -1;
switch (dev->source.caps.type) {
case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
if (vroot) {
if (virAsprintf(&path, "%s/%s", vroot,
dev->source.caps.u.storage.block) < 0) {
virReportOOMError();
return -1;
}
} else {
if (!(path = strdup(dev->source.caps.u.storage.block))) {
virReportOOMError();
return -1;
}
}
ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
VIR_FREE(path);
break;
}
case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
if (vroot) {
if (virAsprintf(&path, "%s/%s", vroot,
dev->source.caps.u.misc.chardev) < 0) {
virReportOOMError();
return -1;
}
} else {
if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
virReportOOMError();
return -1;
}
}
ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
VIR_FREE(path);
break;
}
default:
ret = 0;
break;
}
return ret;
}
static int
virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def,
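Review bot: The path handed to virSecuritySELinuxSetFilecon is a plain `"%s/%s"` concatenation of vroot and the XML-supplied block/chardev string, with nothing rejecting `..` components or confirming that what sits at that path is really a block/char device node, so if vroot ever points into a tree the container can modify, a symlink planted there would redirect the imagelabel relabel onto whatever it targets. How much that matters depends on where vroot comes from, which is not visible in this hunk, so at minimum a comment on the function stating the trust assumption on vroot and on the device path would help the next reader. Separately, the two cases differ only in which field supplies the device path, and the strdup() in the vroot==NULL branch copies a string only to free it again (unneeded if virSecuritySELinuxSetFilecon takes a `const char *`, which the rewrite below assumes). Selecting the path first and allocating once removes the duplication and leaves a single spot for a containment or device-type check.
```c
static int
virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
                                              virDomainHostdevDefPtr dev,
                                              const char *vroot)
{
    int ret = -1;
    virSecurityLabelDefPtr secdef;
    const char *devpath;
    char *path = NULL;

    secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
    if (secdef == NULL)
        return -1;

    /* Both capability types reduce to labelling one device node;
     * only the field holding its path differs. */
    switch (dev->source.caps.type) {
    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE:
        devpath = dev->source.caps.u.storage.block;
        break;
    case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC:
        devpath = dev->source.caps.u.misc.chardev;
        break;
    default:
        return 0;
    }

    /* NOTE(review): no containment check on devpath relative to vroot;
     * assumes both are trusted (admin-supplied XML) - confirm. */
    if (vroot) {
        if (virAsprintf(&path, "%s/%s", vroot, devpath) < 0) {
            virReportOOMError();
            return -1;
        }
        devpath = path;
    }

    ret = virSecuritySELinuxSetFilecon(devpath, secdef->imagelabel);
    VIR_FREE(path);
    return ret;
}
```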
......@@ -1230,6 +1289,9 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot);
case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot);
default:
return 0;
}
......@@ -1304,6 +1366,59 @@ done:
}
static int
virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virDomainHostdevDefPtr dev,
const char *vroot)
{
int ret = -1;
char *path;
switch (dev->source.caps.type) {
case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
if (vroot) {
if (virAsprintf(&path, "%s/%s", vroot,
dev->source.caps.u.storage.block) < 0) {
virReportOOMError();
return -1;
}
} else {
if (!(path = strdup(dev->source.caps.u.storage.block))) {
virReportOOMError();
return -1;
}
}
ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
VIR_FREE(path);
break;
}
case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
if (vroot) {
if (virAsprintf(&path, "%s/%s", vroot,
dev->source.caps.u.misc.chardev) < 0) {
virReportOOMError();
return -1;
}
} else {
if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
virReportOOMError();
return -1;
}
}
ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
VIR_FREE(path);
break;
}
default:
ret = 0;
break;
}
return ret;
}
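Review bot: The restore side carries no comment saying what context the device node is left in or who is expected to have checked the domain's norelabel setting before it is reached; since the function takes only dev and vroot it cannot consult the security label def itself, and I assume the check lives in the caller outside this hunk, which is worth confirming. A header comment such as `/* Reset the block/char device node (prefixed with vroot when set) to its default SELinux context; callers are expected to have honoured the domain's norelabel flag. */` would make that contract explicit. The vroot-prefixed path is also built the same way as on the labelling side, so any path validation adopted for one should be mirrored here to keep set and restore symmetric.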
static int
virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def,
......@@ -1324,6 +1439,9 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUT
case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
return virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(dev, vroot);
case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
return virSecuritySELinuxRestoreSecurityHostdevCapsLabel(dev, vroot);
default:
return 0;
}