提交 abf2ebbd 编写于 作者: D Daniel Walsh 提交者: Daniel P. Berrange

Add security driver APIs for getting mount options

Some security drivers require special options to be passed to
the mount system call. Add a security driver API for handling
this data.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
上级 6844cead
...@@ -963,6 +963,7 @@ virSecurityManagerSetProcessLabel; ...@@ -963,6 +963,7 @@ virSecurityManagerSetProcessLabel;
virSecurityManagerSetSavedStateLabel; virSecurityManagerSetSavedStateLabel;
virSecurityManagerSetSocketLabel; virSecurityManagerSetSocketLabel;
virSecurityManagerVerify; virSecurityManagerVerify;
virSecurityManagerGetMountOptions;
# sexpr.h # sexpr.h
sexpr_append; sexpr_append;
......
...@@ -717,6 +717,11 @@ virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, ...@@ -717,6 +717,11 @@ virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return 0; return 0;
} }
static char *virSecurityDACGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr vm ATTRIBUTE_UNUSED) {
return NULL;
}
virSecurityDriver virSecurityDriverDAC = { virSecurityDriver virSecurityDriverDAC = {
sizeof(virSecurityDACData), sizeof(virSecurityDACData),
"virDAC", "virDAC",
...@@ -754,4 +759,6 @@ virSecurityDriver virSecurityDriverDAC = { ...@@ -754,4 +759,6 @@ virSecurityDriver virSecurityDriverDAC = {
virSecurityDACRestoreSavedStateLabel, virSecurityDACRestoreSavedStateLabel,
virSecurityDACSetImageFDLabel, virSecurityDACSetImageFDLabel,
virSecurityDACGetMountOptions,
}; };
/* /*
* Copyright (C) 2008 Red Hat, Inc. * Copyright (C) 2008-2012 Red Hat, Inc.
* *
* This library is free software; you can redistribute it and/or * This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public * modify it under the terms of the GNU Lesser General Public
...@@ -8,6 +8,7 @@ ...@@ -8,6 +8,7 @@
* *
* Authors: * Authors:
* James Morris <jmorris@namei.org> * James Morris <jmorris@namei.org>
* Dan Walsh <dwalsh@redhat.com>
* *
*/ */
#include <config.h> #include <config.h>
......
...@@ -86,6 +86,8 @@ typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr, ...@@ -86,6 +86,8 @@ typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr,
typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def, virDomainDefPtr def,
int fd); int fd);
typedef char *(*virSecurityDomainGetMountOptions) (virSecurityManagerPtr mgr,
virDomainDefPtr def);
struct _virSecurityDriver { struct _virSecurityDriver {
size_t privateDataLen; size_t privateDataLen;
...@@ -123,6 +125,8 @@ struct _virSecurityDriver { ...@@ -123,6 +125,8 @@ struct _virSecurityDriver {
virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel; virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;
virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel; virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
virSecurityDomainGetMountOptions domainGetSecurityMountOptions;
}; };
virSecurityDriverPtr virSecurityDriverLookup(const char *name, virSecurityDriverPtr virSecurityDriverLookup(const char *name,
......
...@@ -149,7 +149,6 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name, ...@@ -149,7 +149,6 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
requireConfined); requireConfined);
} }
void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr) void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr)
{ {
/* This accesses the memory just beyond mgr, which was allocated /* This accesses the memory just beyond mgr, which was allocated
...@@ -423,3 +422,16 @@ int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr, ...@@ -423,3 +422,16 @@ int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1; return -1;
} }
char *virSecurityManagerGetMountOptions(virSecurityManagerPtr mgr,
virDomainDefPtr vm)
{
if (mgr->drv->domainGetSecurityMountOptions)
return mgr->drv->domainGetSecurityMountOptions(mgr, vm);
/*
I don't think this is an error, these should be optional
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
*/
return NULL;
}
...@@ -107,5 +107,6 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr, ...@@ -107,5 +107,6 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr,
int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def, virDomainDefPtr def,
int fd); int fd);
char *virSecurityManagerGetMountOptions(virSecurityManagerPtr mgr,
virDomainDefPtr vm);
#endif /* VIR_SECURITY_MANAGER_H__ */ #endif /* VIR_SECURITY_MANAGER_H__ */
...@@ -164,6 +164,11 @@ static int virSecurityDomainSetFDLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UN ...@@ -164,6 +164,11 @@ static int virSecurityDomainSetFDLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UN
return 0; return 0;
} }
static char *virSecurityDomainGetMountOptionsNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr vm ATTRIBUTE_UNUSED) {
return NULL;
}
virSecurityDriver virSecurityDriverNop = { virSecurityDriver virSecurityDriverNop = {
0, 0,
"none", "none",
...@@ -200,4 +205,6 @@ virSecurityDriver virSecurityDriverNop = { ...@@ -200,4 +205,6 @@ virSecurityDriver virSecurityDriverNop = {
virSecurityDomainRestoreSavedStateLabelNop, virSecurityDomainRestoreSavedStateLabelNop,
virSecurityDomainSetFDLabelNop, virSecurityDomainSetFDLabelNop,
virSecurityDomainGetMountOptionsNop,
}; };
...@@ -1523,6 +1523,60 @@ SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, ...@@ -1523,6 +1523,60 @@ SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return SELinuxFSetFilecon(fd, secdef->imagelabel); return SELinuxFSetFilecon(fd, secdef->imagelabel);
} }
static char *genImageLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def) {
const virSecurityLabelDefPtr secdef = &def->seclabel;
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
const char *range;
context_t ctx = NULL;
char *label = NULL;
const char *mcs = NULL;
if (secdef->label) {
ctx = context_new(secdef->label);
if (!ctx) {
virReportOOMError();
goto cleanup;
}
range = context_range_get(ctx);
if (range) {
mcs = strdup(range);
if (!mcs) {
virReportOOMError();
goto cleanup;
}
label = SELinuxGenNewContext(data->file_context, mcs);
if (!label) {
virReportOOMError();
goto cleanup;
}
}
}
cleanup:
context_free(ctx);
VIR_FREE(mcs);
return label;
}
static char *SELinuxGetSecurityMountOptions(virSecurityManagerPtr mgr,
virDomainDefPtr def) {
char *opts = NULL;
const virSecurityLabelDefPtr secdef = &def->seclabel;
if (! secdef->imagelabel)
secdef->imagelabel = genImageLabel(mgr,def);
if (secdef->imagelabel) {
virAsprintf(&opts,
",context=\"%s\"",
(const char*) secdef->imagelabel);
}
VIR_DEBUG("SELinuxGetSecurityMountOptions imageLabel %s", secdef->imagelabel);
return opts;
}
virSecurityDriver virSecurityDriverSELinux = { virSecurityDriver virSecurityDriverSELinux = {
sizeof(virSecuritySELinuxData), sizeof(virSecuritySELinuxData),
SECURITY_SELINUX_NAME, SECURITY_SELINUX_NAME,
...@@ -1559,4 +1613,6 @@ virSecurityDriver virSecurityDriverSELinux = { ...@@ -1559,4 +1613,6 @@ virSecurityDriver virSecurityDriverSELinux = {
SELinuxRestoreSavedStateLabel, SELinuxRestoreSavedStateLabel,
SELinuxSetImageFDLabel, SELinuxSetImageFDLabel,
SELinuxGetSecurityMountOptions,
}; };
...@@ -403,6 +403,10 @@ virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr, ...@@ -403,6 +403,10 @@ virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
return rc; return rc;
} }
static char *virSecurityStackGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr vm ATTRIBUTE_UNUSED) {
return NULL;
}
virSecurityDriver virSecurityDriverStack = { virSecurityDriver virSecurityDriverStack = {
sizeof(virSecurityStackData), sizeof(virSecurityStackData),
...@@ -440,4 +444,6 @@ virSecurityDriver virSecurityDriverStack = { ...@@ -440,4 +444,6 @@ virSecurityDriver virSecurityDriverStack = {
virSecurityStackRestoreSavedStateLabel, virSecurityStackRestoreSavedStateLabel,
virSecurityStackSetImageFDLabel, virSecurityStackSetImageFDLabel,
virSecurityStackGetMountOptions,
}; };
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册