diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 961e01e504def88ceb8034a2a8d9df52b2a18c67..1f73fd2390118418590b795c9780721b935a1236 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1210,6 +1210,65 @@ done: } +static int +virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def, + virDomainHostdevDefPtr dev, + const char *vroot) +{ + int ret = -1; + virSecurityLabelDefPtr secdef; + char *path; + + secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); + if (secdef == NULL) + return -1; + + switch (dev->source.caps.type) { + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: { + if (vroot) { + if (virAsprintf(&path, "%s/%s", vroot, + dev->source.caps.u.storage.block) < 0) { + virReportOOMError(); + return -1; + } + } else { + if (!(path = strdup(dev->source.caps.u.storage.block))) { + virReportOOMError(); + return -1; + } + } + ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel); + VIR_FREE(path); + break; + } + + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: { + if (vroot) { + if (virAsprintf(&path, "%s/%s", vroot, + dev->source.caps.u.misc.chardev) < 0) { + virReportOOMError(); + return -1; + } + } else { + if (!(path = strdup(dev->source.caps.u.misc.chardev))) { + virReportOOMError(); + return -1; + } + } + ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel); + VIR_FREE(path); + break; + } + + default: + ret = 0; + break; + } + + return ret; +} + + static int virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefPtr def, @@ -1230,6 +1289,9 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS: return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot); + case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES: + return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot); + default: return 0; } @@ -1304,6 +1366,59 @@ done: } +static int +virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virDomainHostdevDefPtr dev, + const char *vroot) +{ + int ret = -1; + char *path; + + switch (dev->source.caps.type) { + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: { + if (vroot) { + if (virAsprintf(&path, "%s/%s", vroot, + dev->source.caps.u.storage.block) < 0) { + virReportOOMError(); + return -1; + } + } else { + if (!(path = strdup(dev->source.caps.u.storage.block))) { + virReportOOMError(); + return -1; + } + } + ret = virSecuritySELinuxRestoreSecurityFileLabel(path); + VIR_FREE(path); + break; + } + + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: { + if (vroot) { + if (virAsprintf(&path, "%s/%s", vroot, + dev->source.caps.u.misc.chardev) < 0) { + virReportOOMError(); + return -1; + } + } else { + if (!(path = strdup(dev->source.caps.u.misc.chardev))) { + virReportOOMError(); + return -1; + } + } + ret = virSecuritySELinuxRestoreSecurityFileLabel(path); + VIR_FREE(path); + break; + } + + default: + ret = 0; + break; + } + + return ret; +} + + static int virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefPtr def, @@ -1324,6 +1439,9 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUT case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS: return virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(dev, vroot); + case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES: + return virSecuritySELinuxRestoreSecurityHostdevCapsLabel(dev, vroot); + default: return 0; }