diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 9a2525393d5a81eba0df9da5b522cbceff3a974c..374349a10907d56c22802bccc67f28cfe15e097c 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -249,119 +249,70 @@ static int qemuSecurityInit(struct qemud_driver *driver) { char **names; - char *primary = NULL; virSecurityManagerPtr mgr = NULL; - virSecurityManagerPtr nested = NULL; virSecurityManagerPtr stack = NULL; bool hasDAC = false; - /* set the name of the primary security driver */ - if (driver->securityDriverNames) - primary = driver->securityDriverNames[0]; - - /* add primary security driver */ - if ((primary == NULL && driver->privileged) || - STREQ_NULLABLE(primary, "dac")) { - if (!driver->privileged) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("DAC security driver usable only when " - "running privileged (as root)")); - goto error; - } - - mgr = virSecurityManagerNewDAC(QEMU_DRIVER_NAME, - driver->user, - driver->group, - driver->allowDiskFormatProbing, - driver->securityDefaultConfined, - driver->securityRequireConfined, - driver->dynamicOwnership); - hasDAC = true; - } else { - mgr = virSecurityManagerNew(primary, - QEMU_DRIVER_NAME, - driver->allowDiskFormatProbing, - driver->securityDefaultConfined, - driver->securityRequireConfined); - } - - if (!mgr) - goto error; - - /* We need a stack to group the security drivers if: - * - additional drivers are provived in configuration - * - the primary driver isn't DAC and we are running privileged - */ - if ((driver->privileged && !hasDAC) || - (driver->securityDriverNames && driver->securityDriverNames[1])) { - if (!(stack = virSecurityManagerNewStack(mgr))) - goto error; - mgr = stack; - } - - /* Loop through additional driver names and add them as nested */ if (driver->securityDriverNames) { - names = driver->securityDriverNames + 1; + names = driver->securityDriverNames; while (names && *names) { - if (STREQ("dac", *names)) { - /* A DAC driver has specific parameters */ - if (!driver->privileged) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("DAC security driver usable only when " - "running privileged (as root)")); - goto error; - } - - nested = virSecurityManagerNewDAC(QEMU_DRIVER_NAME, - driver->user, - driver->group, - driver->allowDiskFormatProbing, - driver->securityDefaultConfined, - driver->securityRequireConfined, - driver->dynamicOwnership); + if (STREQ("dac", *names)) hasDAC = true; - } else { - nested = virSecurityManagerNew(*names, - QEMU_DRIVER_NAME, - driver->allowDiskFormatProbing, - driver->securityDefaultConfined, - driver->securityRequireConfined); - } - - if (!nested) - goto error; - if (virSecurityManagerStackAddNested(stack, nested)) + if (!(mgr = virSecurityManagerNew(*names, + QEMU_DRIVER_NAME, + driver->allowDiskFormatProbing, + driver->securityDefaultConfined, + driver->securityRequireConfined))) goto error; - - nested = NULL; + if (!stack) { + if (!(stack = virSecurityManagerNewStack(mgr))) + goto error; + } else { + if (virSecurityManagerStackAddNested(stack, mgr) < 0) + goto error; + } + mgr = NULL; names++; } - } - - if (driver->privileged && !hasDAC) { - if (!(nested = virSecurityManagerNewDAC(QEMU_DRIVER_NAME, - driver->user, - driver->group, - driver->allowDiskFormatProbing, - driver->securityDefaultConfined, - driver->securityRequireConfined, - driver->dynamicOwnership))) + } else { + if (!(mgr = virSecurityManagerNew(NULL, + QEMU_DRIVER_NAME, + driver->allowDiskFormatProbing, + driver->securityDefaultConfined, + driver->securityRequireConfined))) goto error; - - if (virSecurityManagerStackAddNested(stack, nested)) + if (!(stack = virSecurityManagerNewStack(mgr))) goto error; + mgr = NULL; + } - nested = NULL; + if (!hasDAC && driver->privileged) { + if (!(mgr = virSecurityManagerNewDAC(QEMU_DRIVER_NAME, + driver->user, + driver->group, + driver->allowDiskFormatProbing, + driver->securityDefaultConfined, + driver->securityRequireConfined, + driver->dynamicOwnership))) + goto error; + if (!stack) { + if (!(stack = virSecurityManagerNewStack(mgr))) + goto error; + } else { + if (virSecurityManagerStackAddNested(stack, mgr) < 0) + goto error; + } + mgr = NULL; } - driver->securityManager = mgr; + driver->securityManager = stack; return 0; error: VIR_ERROR(_("Failed to initialize security drivers")); + virSecurityManagerFree(stack); virSecurityManagerFree(mgr); - virSecurityManagerFree(nested); return -1; } diff --git a/src/security/security_manager.c b/src/security/security_manager.c index 0e106d5fe609840b385d4d8899d165b87cf407dc..367f7adff97d59305659c05ad8f8b36be08d0882 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -49,6 +49,12 @@ static virSecurityManagerPtr virSecurityManagerNewDriver(virSecurityDriverPtr dr { virSecurityManagerPtr mgr; + VIR_DEBUG("drv=%p (%s) virtDriver=%s allowDiskFormatProbing=%d " + "defaultConfined=%d requireConfined=%d", + drv, drv->name, virtDriver, + allowDiskFormatProbing, defaultConfined, + requireConfined); + if (VIR_ALLOC_VAR(mgr, char, drv->privateDataLen) < 0) { virReportOOMError(); return NULL; @@ -80,7 +86,7 @@ virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary) if (!mgr) return NULL; - virSecurityStackAddPrimary(mgr, primary); + virSecurityStackAddNested(mgr, primary); return mgr; } diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 7dcd626293ba42066e51f4aee122e9ef8cf71c2f..0eb7e7658d100dbfbd01e63e24e0881466f47389 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -38,35 +38,31 @@ struct _virSecurityStackItem { }; struct _virSecurityStackData { - virSecurityManagerPtr primary; virSecurityStackItemPtr itemsHead; }; -int -virSecurityStackAddPrimary(virSecurityManagerPtr mgr, - virSecurityManagerPtr primary) -{ - virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); - if (virSecurityStackAddNested(mgr, primary) < 0) - return -1; - priv->primary = primary; - return 0; -} - int virSecurityStackAddNested(virSecurityManagerPtr mgr, virSecurityManagerPtr nested) { virSecurityStackItemPtr item = NULL; virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); + virSecurityStackItemPtr tmp; + + tmp = priv->itemsHead; + while (tmp && tmp->next) + tmp = tmp->next; if (VIR_ALLOC(item) < 0) { virReportOOMError(); return -1; } item->securityManager = nested; - item->next = priv->itemsHead; - priv->itemsHead = item; + if (tmp) + tmp->next = item; + else + priv->itemsHead = item; + return 0; } @@ -74,19 +70,7 @@ virSecurityManagerPtr virSecurityStackGetPrimary(virSecurityManagerPtr mgr) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); - return (priv->primary) ? priv->primary : priv->itemsHead->securityManager; -} - -void virSecurityStackSetPrimary(virSecurityManagerPtr mgr, - virSecurityManagerPtr primary) -{ - virSecurityStackAddPrimary(mgr, primary); -} - -void virSecurityStackSetSecondary(virSecurityManagerPtr mgr, - virSecurityManagerPtr secondary) -{ - virSecurityStackAddNested(mgr, secondary); + return priv->itemsHead->securityManager; } static virSecurityDriverStatus diff --git a/src/security/security_stack.h b/src/security/security_stack.h index 6898c03b7f0922e53ff355d5e0f125d8d9ea84ea..5bb3be765cabb06e40945d820771eea1a4319994 100644 --- a/src/security/security_stack.h +++ b/src/security/security_stack.h @@ -26,20 +26,12 @@ extern virSecurityDriver virSecurityDriverStack; -int -virSecurityStackAddPrimary(virSecurityManagerPtr mgr, - virSecurityManagerPtr primary); int virSecurityStackAddNested(virSecurityManagerPtr mgr, virSecurityManagerPtr nested); virSecurityManagerPtr virSecurityStackGetPrimary(virSecurityManagerPtr mgr); -void virSecurityStackSetPrimary(virSecurityManagerPtr mgr, - virSecurityManagerPtr primary); -void virSecurityStackSetSecondary(virSecurityManagerPtr mgr, - virSecurityManagerPtr secondary); - virSecurityManagerPtr* virSecurityStackGetNested(virSecurityManagerPtr mgr);