提交 d87f363a 编写于 作者: M Michal Privoznik

security_selinux: Allow caller to suppress owner remembering

Just like the previous commit allowed enabling or disabling owner
remembering for each individual path, do the same for the SELinux
driver. This is going to be needed in the next commit.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
Reviewed-by: NCole Robinson <crobinso@redhat.com>
Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
上级 377b4e0a
...@@ -82,6 +82,7 @@ struct _virSecuritySELinuxContextItem { ...@@ -82,6 +82,7 @@ struct _virSecuritySELinuxContextItem {
char *path; char *path;
char *tcon; char *tcon;
bool optional; bool optional;
bool remember; /* Whether owner remembering should be done for @path/@src */
bool restore; /* Whether current operation is 'set' or 'restore' */ bool restore; /* Whether current operation is 'set' or 'restore' */
}; };
...@@ -122,6 +123,7 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list, ...@@ -122,6 +123,7 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
const char *path, const char *path,
const char *tcon, const char *tcon,
bool optional, bool optional,
bool remember,
bool restore) bool restore)
{ {
int ret = -1; int ret = -1;
...@@ -134,6 +136,7 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list, ...@@ -134,6 +136,7 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
goto cleanup; goto cleanup;
item->optional = optional; item->optional = optional;
item->remember = remember;
item->restore = restore; item->restore = restore;
if (VIR_APPEND_ELEMENT(list->items, list->nItems, item) < 0) if (VIR_APPEND_ELEMENT(list->items, list->nItems, item) < 0)
...@@ -168,9 +171,12 @@ virSecuritySELinuxContextListFree(void *opaque) ...@@ -168,9 +171,12 @@ virSecuritySELinuxContextListFree(void *opaque)
* @path: Path to chown * @path: Path to chown
* @tcon: target context * @tcon: target context
* @optional: true if setting @tcon is optional * @optional: true if setting @tcon is optional
* @remember: if the original owner should be recorded/recalled
* @restore: if current operation is set or restore * @restore: if current operation is set or restore
* *
* Appends an entry onto transaction list. * Appends an entry onto transaction list.
* The @remember should be true if caller wishes to record/recall
* the original owner of @path/@src.
* The @restore should be true if the operation is restoring * The @restore should be true if the operation is restoring
* seclabel and false otherwise. * seclabel and false otherwise.
* *
...@@ -182,6 +188,7 @@ static int ...@@ -182,6 +188,7 @@ static int
virSecuritySELinuxTransactionAppend(const char *path, virSecuritySELinuxTransactionAppend(const char *path,
const char *tcon, const char *tcon,
bool optional, bool optional,
bool remember,
bool restore) bool restore)
{ {
virSecuritySELinuxContextListPtr list; virSecuritySELinuxContextListPtr list;
...@@ -190,7 +197,8 @@ virSecuritySELinuxTransactionAppend(const char *path, ...@@ -190,7 +197,8 @@ virSecuritySELinuxTransactionAppend(const char *path,
if (!list) if (!list)
return 0; return 0;
if (virSecuritySELinuxContextListAppend(list, path, tcon, optional, restore) < 0) if (virSecuritySELinuxContextListAppend(list, path, tcon,
optional, remember, restore) < 0)
return -1; return -1;
return 1; return 1;
...@@ -276,17 +284,18 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED, ...@@ -276,17 +284,18 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
rv = 0; rv = 0;
for (i = 0; i < list->nItems; i++) { for (i = 0; i < list->nItems; i++) {
virSecuritySELinuxContextItemPtr item = list->items[i]; virSecuritySELinuxContextItemPtr item = list->items[i];
const bool remember = item->remember && list->lock;
if (!item->restore) { if (!item->restore) {
rv = virSecuritySELinuxSetFileconHelper(list->manager, rv = virSecuritySELinuxSetFileconHelper(list->manager,
item->path, item->path,
item->tcon, item->tcon,
item->optional, item->optional,
list->lock); remember);
} else { } else {
rv = virSecuritySELinuxRestoreFileLabel(list->manager, rv = virSecuritySELinuxRestoreFileLabel(list->manager,
item->path, item->path,
list->lock); remember);
} }
if (rv < 0) if (rv < 0)
...@@ -295,11 +304,12 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED, ...@@ -295,11 +304,12 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
for (; rv < 0 && i > 0; i--) { for (; rv < 0 && i > 0; i--) {
virSecuritySELinuxContextItemPtr item = list->items[i - 1]; virSecuritySELinuxContextItemPtr item = list->items[i - 1];
const bool remember = item->remember && list->lock;
if (!item->restore) { if (!item->restore) {
virSecuritySELinuxRestoreFileLabel(list->manager, virSecuritySELinuxRestoreFileLabel(list->manager,
item->path, item->path,
list->lock); remember);
} else { } else {
VIR_WARN("Ignoring failed restore attempt on %s", item->path); VIR_WARN("Ignoring failed restore attempt on %s", item->path);
} }
...@@ -1326,7 +1336,8 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr, ...@@ -1326,7 +1336,8 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
int rc; int rc;
int ret = -1; int ret = -1;
if ((rc = virSecuritySELinuxTransactionAppend(path, tcon, optional, false)) < 0) if ((rc = virSecuritySELinuxTransactionAppend(path, tcon,
optional, remember, false)) < 0)
return -1; return -1;
else if (rc > 0) else if (rc > 0)
return 0; return 0;
...@@ -1389,16 +1400,20 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr, ...@@ -1389,16 +1400,20 @@ virSecuritySELinuxSetFileconHelper(virSecurityManagerPtr mgr,
static int static int
virSecuritySELinuxSetFileconOptional(virSecurityManagerPtr mgr, virSecuritySELinuxSetFileconOptional(virSecurityManagerPtr mgr,
const char *path, const char *tcon) const char *path,
const char *tcon,
bool remember)
{ {
return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, true, false); return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, true, remember);
} }
static int static int
virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr, virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
const char *path, const char *tcon) const char *path,
const char *tcon,
bool remember)
{ {
return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, false, false); return virSecuritySELinuxSetFileconHelper(mgr, path, tcon, false, remember);
} }
static int static int
...@@ -1484,7 +1499,8 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr, ...@@ -1484,7 +1499,8 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
goto cleanup; goto cleanup;
} }
if ((rc = virSecuritySELinuxTransactionAppend(path, NULL, false, true)) < 0) { if ((rc = virSecuritySELinuxTransactionAppend(path, NULL,
false, recall, true)) < 0) {
goto cleanup; goto cleanup;
} else if (rc > 0) { } else if (rc > 0) {
ret = 0; ret = 0;
...@@ -1545,7 +1561,7 @@ virSecuritySELinuxSetInputLabel(virSecurityManagerPtr mgr, ...@@ -1545,7 +1561,7 @@ virSecuritySELinuxSetInputLabel(virSecurityManagerPtr mgr,
switch ((virDomainInputType)input->type) { switch ((virDomainInputType)input->type) {
case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH: case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
if (virSecuritySELinuxSetFilecon(mgr, input->source.evdev, if (virSecuritySELinuxSetFilecon(mgr, input->source.evdev,
seclabel->imagelabel) < 0) seclabel->imagelabel, true) < 0)
return -1; return -1;
break; break;
...@@ -1574,7 +1590,7 @@ virSecuritySELinuxRestoreInputLabel(virSecurityManagerPtr mgr, ...@@ -1574,7 +1590,7 @@ virSecuritySELinuxRestoreInputLabel(virSecurityManagerPtr mgr,
switch ((virDomainInputType)input->type) { switch ((virDomainInputType)input->type) {
case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH: case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
rc = virSecuritySELinuxRestoreFileLabel(mgr, input->source.evdev, false); rc = virSecuritySELinuxRestoreFileLabel(mgr, input->source.evdev, true);
break; break;
case VIR_DOMAIN_INPUT_TYPE_MOUSE: case VIR_DOMAIN_INPUT_TYPE_MOUSE:
...@@ -1602,7 +1618,7 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManagerPtr mgr, ...@@ -1602,7 +1618,7 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManagerPtr mgr,
return 0; return 0;
if (virSecuritySELinuxSetFilecon(mgr, mem->nvdimmPath, if (virSecuritySELinuxSetFilecon(mgr, mem->nvdimmPath,
seclabel->imagelabel) < 0) seclabel->imagelabel, true) < 0)
return -1; return -1;
break; break;
...@@ -1630,7 +1646,7 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManagerPtr mgr, ...@@ -1630,7 +1646,7 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManagerPtr mgr,
if (!seclabel || !seclabel->relabel) if (!seclabel || !seclabel->relabel)
return 0; return 0;
ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, false); ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, true);
break; break;
case VIR_DOMAIN_MEMORY_MODEL_DIMM: case VIR_DOMAIN_MEMORY_MODEL_DIMM:
...@@ -1661,14 +1677,14 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr, ...@@ -1661,14 +1677,14 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
switch (tpm->type) { switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
tpmdev = tpm->data.passthrough.source.data.file.path; tpmdev = tpm->data.passthrough.source.data.file.path;
rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel); rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel, true);
if (rc < 0) if (rc < 0)
return -1; return -1;
if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) { if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {
rc = virSecuritySELinuxSetFilecon(mgr, rc = virSecuritySELinuxSetFilecon(mgr,
cancel_path, cancel_path,
seclabel->imagelabel); seclabel->imagelabel, true);
VIR_FREE(cancel_path); VIR_FREE(cancel_path);
if (rc < 0) { if (rc < 0) {
virSecuritySELinuxRestoreTPMFileLabelInt(mgr, def, tpm); virSecuritySELinuxRestoreTPMFileLabelInt(mgr, def, tpm);
...@@ -1680,7 +1696,7 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr, ...@@ -1680,7 +1696,7 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
break; break;
case VIR_DOMAIN_TPM_TYPE_EMULATOR: case VIR_DOMAIN_TPM_TYPE_EMULATOR:
tpmdev = tpm->data.emulator.source.data.nix.path; tpmdev = tpm->data.emulator.source.data.nix.path;
rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel); rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel, true);
if (rc < 0) if (rc < 0)
return -1; return -1;
break; break;
...@@ -1709,10 +1725,10 @@ virSecuritySELinuxRestoreTPMFileLabelInt(virSecurityManagerPtr mgr, ...@@ -1709,10 +1725,10 @@ virSecuritySELinuxRestoreTPMFileLabelInt(virSecurityManagerPtr mgr,
switch (tpm->type) { switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
tpmdev = tpm->data.passthrough.source.data.file.path; tpmdev = tpm->data.passthrough.source.data.file.path;
rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev, false); rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev, true);
if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) { if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {
if (virSecuritySELinuxRestoreFileLabel(mgr, cancel_path, false) < 0) if (virSecuritySELinuxRestoreFileLabel(mgr, cancel_path, true) < 0)
rc = -1; rc = -1;
VIR_FREE(cancel_path); VIR_FREE(cancel_path);
} }
...@@ -1779,7 +1795,7 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManagerPtr mgr, ...@@ -1779,7 +1795,7 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManagerPtr mgr,
} }
} }
return virSecuritySELinuxRestoreFileLabel(mgr, src->path, false); return virSecuritySELinuxRestoreFileLabel(mgr, src->path, true);
} }
...@@ -1822,32 +1838,38 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr, ...@@ -1822,32 +1838,38 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
if (!disk_seclabel->relabel) if (!disk_seclabel->relabel)
return 0; return 0;
ret = virSecuritySELinuxSetFilecon(mgr, src->path, disk_seclabel->label); ret = virSecuritySELinuxSetFilecon(mgr, src->path,
disk_seclabel->label, true);
} else if (parent_seclabel && (!parent_seclabel->relabel || parent_seclabel->label)) { } else if (parent_seclabel && (!parent_seclabel->relabel || parent_seclabel->label)) {
if (!parent_seclabel->relabel) if (!parent_seclabel->relabel)
return 0; return 0;
ret = virSecuritySELinuxSetFilecon(mgr, src->path, parent_seclabel->label); ret = virSecuritySELinuxSetFilecon(mgr, src->path,
parent_seclabel->label, true);
} else if (!parent || parent == src) { } else if (!parent || parent == src) {
if (src->shared) { if (src->shared) {
ret = virSecuritySELinuxSetFileconOptional(mgr, ret = virSecuritySELinuxSetFileconOptional(mgr,
src->path, src->path,
data->file_context); data->file_context,
true);
} else if (src->readonly) { } else if (src->readonly) {
ret = virSecuritySELinuxSetFileconOptional(mgr, ret = virSecuritySELinuxSetFileconOptional(mgr,
src->path, src->path,
data->content_context); data->content_context,
true);
} else if (secdef->imagelabel) { } else if (secdef->imagelabel) {
ret = virSecuritySELinuxSetFileconOptional(mgr, ret = virSecuritySELinuxSetFileconOptional(mgr,
src->path, src->path,
secdef->imagelabel); secdef->imagelabel,
true);
} else { } else {
ret = 0; ret = 0;
} }
} else { } else {
ret = virSecuritySELinuxSetFileconOptional(mgr, ret = virSecuritySELinuxSetFileconOptional(mgr,
src->path, src->path,
data->content_context); data->content_context,
true);
} }
if (ret == 1 && !disk_seclabel) { if (ret == 1 && !disk_seclabel) {
...@@ -1900,7 +1922,7 @@ virSecuritySELinuxSetHostdevLabelHelper(const char *file, void *opaque) ...@@ -1900,7 +1922,7 @@ virSecuritySELinuxSetHostdevLabelHelper(const char *file, void *opaque)
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (secdef == NULL)
return 0; return 0;
return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel); return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel, true);
} }
static int static int
...@@ -1932,13 +1954,13 @@ virSecuritySELinuxSetSCSILabel(virSCSIDevicePtr dev, ...@@ -1932,13 +1954,13 @@ virSecuritySELinuxSetSCSILabel(virSCSIDevicePtr dev,
if (virSCSIDeviceGetShareable(dev)) if (virSCSIDeviceGetShareable(dev))
return virSecuritySELinuxSetFileconOptional(mgr, file, return virSecuritySELinuxSetFileconOptional(mgr, file,
data->file_context); data->file_context, true);
else if (virSCSIDeviceGetReadonly(dev)) else if (virSCSIDeviceGetReadonly(dev))
return virSecuritySELinuxSetFileconOptional(mgr, file, return virSecuritySELinuxSetFileconOptional(mgr, file,
data->content_context); data->content_context, true);
else else
return virSecuritySELinuxSetFileconOptional(mgr, file, return virSecuritySELinuxSetFileconOptional(mgr, file,
secdef->imagelabel); secdef->imagelabel, true);
} }
static int static int
...@@ -2093,7 +2115,7 @@ virSecuritySELinuxSetHostdevCapsLabel(virSecurityManagerPtr mgr, ...@@ -2093,7 +2115,7 @@ virSecuritySELinuxSetHostdevCapsLabel(virSecurityManagerPtr mgr,
if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0) if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0)
return -1; return -1;
} }
ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel); ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel, true);
VIR_FREE(path); VIR_FREE(path);
break; break;
} }
...@@ -2107,7 +2129,7 @@ virSecuritySELinuxSetHostdevCapsLabel(virSecurityManagerPtr mgr, ...@@ -2107,7 +2129,7 @@ virSecuritySELinuxSetHostdevCapsLabel(virSecurityManagerPtr mgr,
if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0) if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0)
return -1; return -1;
} }
ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel); ret = virSecuritySELinuxSetFilecon(mgr, path, secdef->imagelabel, true);
VIR_FREE(path); VIR_FREE(path);
break; break;
} }
...@@ -2153,7 +2175,7 @@ virSecuritySELinuxRestorePCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED, ...@@ -2153,7 +2175,7 @@ virSecuritySELinuxRestorePCILabel(virPCIDevicePtr dev ATTRIBUTE_UNUSED,
{ {
virSecurityManagerPtr mgr = opaque; virSecurityManagerPtr mgr = opaque;
return virSecuritySELinuxRestoreFileLabel(mgr, file, false); return virSecuritySELinuxRestoreFileLabel(mgr, file, true);
} }
static int static int
...@@ -2163,7 +2185,7 @@ virSecuritySELinuxRestoreUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED, ...@@ -2163,7 +2185,7 @@ virSecuritySELinuxRestoreUSBLabel(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
{ {
virSecurityManagerPtr mgr = opaque; virSecurityManagerPtr mgr = opaque;
return virSecuritySELinuxRestoreFileLabel(mgr, file, false); return virSecuritySELinuxRestoreFileLabel(mgr, file, true);
} }
...@@ -2180,7 +2202,7 @@ virSecuritySELinuxRestoreSCSILabel(virSCSIDevicePtr dev, ...@@ -2180,7 +2202,7 @@ virSecuritySELinuxRestoreSCSILabel(virSCSIDevicePtr dev,
if (virSCSIDeviceGetShareable(dev) || virSCSIDeviceGetReadonly(dev)) if (virSCSIDeviceGetShareable(dev) || virSCSIDeviceGetReadonly(dev))
return 0; return 0;
return virSecuritySELinuxRestoreFileLabel(mgr, file, false); return virSecuritySELinuxRestoreFileLabel(mgr, file, true);
} }
static int static int
...@@ -2190,7 +2212,7 @@ virSecuritySELinuxRestoreHostLabel(virSCSIVHostDevicePtr dev ATTRIBUTE_UNUSED, ...@@ -2190,7 +2212,7 @@ virSecuritySELinuxRestoreHostLabel(virSCSIVHostDevicePtr dev ATTRIBUTE_UNUSED,
{ {
virSecurityManagerPtr mgr = opaque; virSecurityManagerPtr mgr = opaque;
return virSecuritySELinuxRestoreFileLabel(mgr, file, false); return virSecuritySELinuxRestoreFileLabel(mgr, file, true);
} }
...@@ -2294,7 +2316,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr, ...@@ -2294,7 +2316,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr,
if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr))) if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
goto done; goto done;
ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, false); ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, true);
VIR_FREE(vfiodev); VIR_FREE(vfiodev);
break; break;
...@@ -2328,7 +2350,7 @@ virSecuritySELinuxRestoreHostdevCapsLabel(virSecurityManagerPtr mgr, ...@@ -2328,7 +2350,7 @@ virSecuritySELinuxRestoreHostdevCapsLabel(virSecurityManagerPtr mgr,
if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0) if (VIR_STRDUP(path, dev->source.caps.u.storage.block) < 0)
return -1; return -1;
} }
ret = virSecuritySELinuxRestoreFileLabel(mgr, path, false); ret = virSecuritySELinuxRestoreFileLabel(mgr, path, true);
VIR_FREE(path); VIR_FREE(path);
break; break;
} }
...@@ -2342,7 +2364,7 @@ virSecuritySELinuxRestoreHostdevCapsLabel(virSecurityManagerPtr mgr, ...@@ -2342,7 +2364,7 @@ virSecuritySELinuxRestoreHostdevCapsLabel(virSecurityManagerPtr mgr,
if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0) if (VIR_STRDUP(path, dev->source.caps.u.misc.chardev) < 0)
return -1; return -1;
} }
ret = virSecuritySELinuxRestoreFileLabel(mgr, path, false); ret = virSecuritySELinuxRestoreFileLabel(mgr, path, true);
VIR_FREE(path); VIR_FREE(path);
break; break;
} }
...@@ -2420,14 +2442,16 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr, ...@@ -2420,14 +2442,16 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr,
case VIR_DOMAIN_CHR_TYPE_FILE: case VIR_DOMAIN_CHR_TYPE_FILE:
ret = virSecuritySELinuxSetFilecon(mgr, ret = virSecuritySELinuxSetFilecon(mgr,
dev_source->data.file.path, dev_source->data.file.path,
imagelabel); imagelabel,
true);
break; break;
case VIR_DOMAIN_CHR_TYPE_UNIX: case VIR_DOMAIN_CHR_TYPE_UNIX:
if (!dev_source->data.nix.listen) { if (!dev_source->data.nix.listen) {
if (virSecuritySELinuxSetFilecon(mgr, if (virSecuritySELinuxSetFilecon(mgr,
dev_source->data.nix.path, dev_source->data.nix.path,
imagelabel) < 0) imagelabel,
true) < 0)
goto done; goto done;
} }
ret = 0; ret = 0;
...@@ -2438,13 +2462,14 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr, ...@@ -2438,13 +2462,14 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr,
(virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0)) (virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0))
goto done; goto done;
if (virFileExists(in) && virFileExists(out)) { if (virFileExists(in) && virFileExists(out)) {
if ((virSecuritySELinuxSetFilecon(mgr, in, imagelabel) < 0) || if ((virSecuritySELinuxSetFilecon(mgr, in, imagelabel, true) < 0) ||
(virSecuritySELinuxSetFilecon(mgr, out, imagelabel) < 0)) { (virSecuritySELinuxSetFilecon(mgr, out, imagelabel, true) < 0)) {
goto done; goto done;
} }
} else if (virSecuritySELinuxSetFilecon(mgr, } else if (virSecuritySELinuxSetFilecon(mgr,
dev_source->data.file.path, dev_source->data.file.path,
imagelabel) < 0) { imagelabel,
true) < 0) {
goto done; goto done;
} }
ret = 0; ret = 0;
...@@ -2492,7 +2517,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr, ...@@ -2492,7 +2517,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
case VIR_DOMAIN_CHR_TYPE_FILE: case VIR_DOMAIN_CHR_TYPE_FILE:
if (virSecuritySELinuxRestoreFileLabel(mgr, if (virSecuritySELinuxRestoreFileLabel(mgr,
dev_source->data.file.path, dev_source->data.file.path,
false) < 0) true) < 0)
goto done; goto done;
ret = 0; ret = 0;
break; break;
...@@ -2501,7 +2526,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr, ...@@ -2501,7 +2526,7 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
if (!dev_source->data.nix.listen) { if (!dev_source->data.nix.listen) {
if (virSecuritySELinuxRestoreFileLabel(mgr, if (virSecuritySELinuxRestoreFileLabel(mgr,
dev_source->data.file.path, dev_source->data.file.path,
false) < 0) true) < 0)
goto done; goto done;
} }
ret = 0; ret = 0;
...@@ -2512,13 +2537,13 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr, ...@@ -2512,13 +2537,13 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr,
(virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0)) (virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0))
goto done; goto done;
if (virFileExists(in) && virFileExists(out)) { if (virFileExists(in) && virFileExists(out)) {
if ((virSecuritySELinuxRestoreFileLabel(mgr, out, false) < 0) || if ((virSecuritySELinuxRestoreFileLabel(mgr, out, true) < 0) ||
(virSecuritySELinuxRestoreFileLabel(mgr, in, false) < 0)) { (virSecuritySELinuxRestoreFileLabel(mgr, in, true) < 0)) {
goto done; goto done;
} }
} else if (virSecuritySELinuxRestoreFileLabel(mgr, } else if (virSecuritySELinuxRestoreFileLabel(mgr,
dev_source->data.file.path, dev_source->data.file.path,
false) < 0) { true) < 0) {
goto done; goto done;
} }
ret = 0; ret = 0;
...@@ -2570,7 +2595,7 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def, ...@@ -2570,7 +2595,7 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
database = dev->data.cert.database; database = dev->data.cert.database;
if (!database) if (!database)
database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE; database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
return virSecuritySELinuxRestoreFileLabel(mgr, database, false); return virSecuritySELinuxRestoreFileLabel(mgr, database, true);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
return virSecuritySELinuxRestoreChardevLabel(mgr, def, return virSecuritySELinuxRestoreChardevLabel(mgr, def,
...@@ -2665,23 +2690,23 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr, ...@@ -2665,23 +2690,23 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
rc = -1; rc = -1;
if (def->os.loader && def->os.loader->nvram && if (def->os.loader && def->os.loader->nvram &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, false) < 0) virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, true) < 0)
rc = -1; rc = -1;
if (def->os.kernel && if (def->os.kernel &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, false) < 0) virSecuritySELinuxRestoreFileLabel(mgr, def->os.kernel, true) < 0)
rc = -1; rc = -1;
if (def->os.initrd && if (def->os.initrd &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, false) < 0) virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, true) < 0)
rc = -1; rc = -1;
if (def->os.dtb && if (def->os.dtb &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, false) < 0) virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, true) < 0)
rc = -1; rc = -1;
if (def->os.slic_table && if (def->os.slic_table &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.slic_table, false) < 0) virSecuritySELinuxRestoreFileLabel(mgr, def->os.slic_table, true) < 0)
rc = -1; rc = -1;
return rc; return rc;
...@@ -2726,7 +2751,7 @@ virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr, ...@@ -2726,7 +2751,7 @@ virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr,
if (!secdef || !secdef->relabel) if (!secdef || !secdef->relabel)
return 0; return 0;
return virSecuritySELinuxSetFilecon(mgr, savefile, secdef->imagelabel); return virSecuritySELinuxSetFilecon(mgr, savefile, secdef->imagelabel, true);
} }
...@@ -2741,7 +2766,7 @@ virSecuritySELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr, ...@@ -2741,7 +2766,7 @@ virSecuritySELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr,
if (!secdef || !secdef->relabel) if (!secdef || !secdef->relabel)
return 0; return 0;
return virSecuritySELinuxRestoreFileLabel(mgr, savefile, false); return virSecuritySELinuxRestoreFileLabel(mgr, savefile, true);
} }
...@@ -2984,7 +3009,7 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def, ...@@ -2984,7 +3009,7 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
database = dev->data.cert.database; database = dev->data.cert.database;
if (!database) if (!database)
database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE; database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
return virSecuritySELinuxSetFilecon(mgr, database, data->content_context); return virSecuritySELinuxSetFilecon(mgr, database, data->content_context, true);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
return virSecuritySELinuxSetChardevLabel(mgr, def, return virSecuritySELinuxSetChardevLabel(mgr, def,
...@@ -3075,32 +3100,32 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr, ...@@ -3075,32 +3100,32 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
if (def->os.loader && def->os.loader->nvram && if (def->os.loader && def->os.loader->nvram &&
secdef && secdef->imagelabel && secdef && secdef->imagelabel &&
virSecuritySELinuxSetFilecon(mgr, def->os.loader->nvram, virSecuritySELinuxSetFilecon(mgr, def->os.loader->nvram,
secdef->imagelabel) < 0) secdef->imagelabel, true) < 0)
return -1; return -1;
if (def->os.kernel && if (def->os.kernel &&
virSecuritySELinuxSetFilecon(mgr, def->os.kernel, virSecuritySELinuxSetFilecon(mgr, def->os.kernel,
data->content_context) < 0) data->content_context, true) < 0)
return -1; return -1;
if (def->os.initrd && if (def->os.initrd &&
virSecuritySELinuxSetFilecon(mgr, def->os.initrd, virSecuritySELinuxSetFilecon(mgr, def->os.initrd,
data->content_context) < 0) data->content_context, true) < 0)
return -1; return -1;
if (def->os.dtb && if (def->os.dtb &&
virSecuritySELinuxSetFilecon(mgr, def->os.dtb, virSecuritySELinuxSetFilecon(mgr, def->os.dtb,
data->content_context) < 0) data->content_context, true) < 0)
return -1; return -1;
if (def->os.slic_table && if (def->os.slic_table &&
virSecuritySELinuxSetFilecon(mgr, def->os.slic_table, virSecuritySELinuxSetFilecon(mgr, def->os.slic_table,
data->content_context) < 0) data->content_context, true) < 0)
return -1; return -1;
if (stdin_path && if (stdin_path &&
virSecuritySELinuxSetFilecon(mgr, stdin_path, virSecuritySELinuxSetFilecon(mgr, stdin_path,
data->content_context) < 0) data->content_context, true) < 0)
return -1; return -1;
return 0; return 0;
...@@ -3259,7 +3284,7 @@ virSecuritySELinuxDomainSetPathLabel(virSecurityManagerPtr mgr, ...@@ -3259,7 +3284,7 @@ virSecuritySELinuxDomainSetPathLabel(virSecurityManagerPtr mgr,
if (!seclabel || !seclabel->relabel) if (!seclabel || !seclabel->relabel)
return 0; return 0;
return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel); return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel, true);
} }
...@@ -3284,7 +3309,7 @@ virSecuritySELinuxSetFileLabels(virSecurityManagerPtr mgr, ...@@ -3284,7 +3309,7 @@ virSecuritySELinuxSetFileLabels(virSecurityManagerPtr mgr,
char *filename = NULL; char *filename = NULL;
DIR *dir; DIR *dir;
if ((ret = virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel))) if ((ret = virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel, true)))
return ret; return ret;
if (!virFileIsDir(path)) if (!virFileIsDir(path))
...@@ -3299,7 +3324,7 @@ virSecuritySELinuxSetFileLabels(virSecurityManagerPtr mgr, ...@@ -3299,7 +3324,7 @@ virSecuritySELinuxSetFileLabels(virSecurityManagerPtr mgr,
break; break;
} }
ret = virSecuritySELinuxSetFilecon(mgr, filename, ret = virSecuritySELinuxSetFilecon(mgr, filename,
seclabel->imagelabel); seclabel->imagelabel, true);
VIR_FREE(filename); VIR_FREE(filename);
if (ret < 0) if (ret < 0)
break; break;
...@@ -3333,7 +3358,7 @@ virSecuritySELinuxRestoreFileLabels(virSecurityManagerPtr mgr, ...@@ -3333,7 +3358,7 @@ virSecuritySELinuxRestoreFileLabels(virSecurityManagerPtr mgr,
char *filename = NULL; char *filename = NULL;
DIR *dir; DIR *dir;
if ((ret = virSecuritySELinuxRestoreFileLabel(mgr, path, false))) if ((ret = virSecuritySELinuxRestoreFileLabel(mgr, path, true)))
return ret; return ret;
if (!virFileIsDir(path)) if (!virFileIsDir(path))
...@@ -3347,7 +3372,7 @@ virSecuritySELinuxRestoreFileLabels(virSecurityManagerPtr mgr, ...@@ -3347,7 +3372,7 @@ virSecuritySELinuxRestoreFileLabels(virSecurityManagerPtr mgr,
ret = -1; ret = -1;
break; break;
} }
ret = virSecuritySELinuxRestoreFileLabel(mgr, filename, false); ret = virSecuritySELinuxRestoreFileLabel(mgr, filename, true);
VIR_FREE(filename); VIR_FREE(filename);
if (ret < 0) if (ret < 0)
break; break;
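Review bot: The new comments refer to a `@src` that does not exist in this driver: the struct field comment `/* Whether owner remembering should be done for @path/@src */` in the `_virSecuritySELinuxContextItem` hunk and the sentence `* the original owner of @path/@src.` in the virSecuritySELinuxTransactionAppend doc hunk, while the struct only has `path`/`tcon` and the function only takes `path`/`tcon` — this looks carried over from the DAC driver and should read `@path` alone in both places. Separately, every call site in the Set*/Restore* hunks (first at virSecuritySELinuxSetInputLabel and virSecuritySELinuxRestoreInputLabel) is switched from `false` to `true`, so in the non-transaction path — where virSecuritySELinuxTransactionAppend returns 0 and the helper proceeds directly, presumably honouring `remember`/`recall` in code outside the hunk — owner recording and recall are now performed where they previously were not, which the description's "allow caller to suppress" does not convey and should be stated. The transaction path is still gated by the lock via `const bool remember = item->remember && list->lock;` in virSecuritySELinuxTransactionRun, so I would also add to the virSecuritySELinuxTransactionAppend doc comment `* Even when @remember is true, the owner is only recorded/recalled if the transaction holds the metadata lock.`. The enclosing functions of these call-site hunks start and end outside their hunks.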