From e595c4e916a665aff77436dcfbd7c07baac9dbe5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= Date: Thu, 8 Aug 2019 18:54:59 +0400 Subject: [PATCH] qemu-security: add qemuSecurityCommandRun() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a generic way to run a command through the security management. Signed-off-by: Marc-André Lureau Signed-off-by: Michal Privoznik Reviewed-by: Michal Privoznik --- src/qemu/qemu_security.c | 58 +++++++++++++++++++++++++++++++--------- src/qemu/qemu_security.h | 8 ++++++ 2 files changed, 54 insertions(+), 12 deletions(-) diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c index 3cd6d9bd3d..91dd34f0e7 100644 --- a/src/qemu/qemu_security.c +++ b/src/qemu/qemu_security.c @@ -479,21 +479,10 @@ qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver, goto cleanup_abort; transactionStarted = false; - if (virSecurityManagerSetChildProcessLabel(driver->securityManager, - vm->def, cmd) < 0) - goto cleanup; - - if (virSecurityManagerPreFork(driver->securityManager) < 0) + if (qemuSecurityCommandRun(driver, vm, cmd, uid, gid, exitstatus, cmdret) < 0) goto cleanup; ret = 0; - /* make sure we run this with the appropriate user */ - virCommandSetUID(cmd, uid); - virCommandSetGID(cmd, gid); - - *cmdret = virCommandRun(cmd, exitstatus); - - virSecurityManagerPostFork(driver->securityManager); if (*cmdret < 0) goto cleanup; @@ -632,3 +621,48 @@ qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver, virSecurityManagerTransactionAbort(driver->securityManager); return ret; } + + +/** + * qemuSecurityCommandRun: + * @driver: the QEMU driver + * @vm: the domain object + * @cmd: the command to run + * @uid: the uid to force + * @gid: the gid to force + * @existstatus: pointer to int returning exit status of process + * @cmdret: pointer to int returning result of virCommandRun + * + * Run @cmd with seclabels set on it. If @uid and/or @gid are not + * -1 then their value is enforced. + * + * Returns: 0 on success, + * -1 otherwise. + */ +int +qemuSecurityCommandRun(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virCommandPtr cmd, + uid_t uid, + gid_t gid, + int *exitstatus, + int *cmdret) +{ + if (virSecurityManagerSetChildProcessLabel(driver->securityManager, + vm->def, cmd) < 0) + return -1; + + if (uid != (uid_t) -1) + virCommandSetUID(cmd, uid); + if (gid != (gid_t) -1) + virCommandSetGID(cmd, gid); + + if (virSecurityManagerPreFork(driver->securityManager) < 0) + return -1; + + *cmdret = virCommandRun(cmd, exitstatus); + + virSecurityManagerPostFork(driver->securityManager); + + return 0; +} diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h index 68e377f418..224a4d61c9 100644 --- a/src/qemu/qemu_security.h +++ b/src/qemu/qemu_security.h @@ -101,6 +101,14 @@ int qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, const char *savefile); +int qemuSecurityCommandRun(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virCommandPtr cmd, + uid_t uid, + gid_t gid, + int *exitstatus, + int *cmdret); + /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add * new APIs here. If an API can touch a file add a proper wrapper instead. */ -- GitLab