1. 04 9月, 2013 1 次提交
    • J
      libxl: Introduce libxl_domain.[ch] · 12315cd7
      Jim Fehlig 提交于
      Create libxl_domain.[ch] and move all functions operating on
      libxlDomainObjPrivate to these files.  This will be useful for
      future patches that e.g. add job support for libxlDomainObjPrivate.
      12315cd7
  2. 03 9月, 2013 1 次提交
  3. 22 8月, 2013 1 次提交
  4. 08 8月, 2013 1 次提交
  5. 02 8月, 2013 1 次提交
    • R
      bridge driver: extract platform specifics · 4ac708f2
      Roman Bogorodskiy 提交于
      * Move platform specific things (e.g. firewalling and route
        collision checks) into bridge_driver_platform
      * Create two platform specific implementations:
          - bridge_driver_linux: Linux implementation using iptables,
            it's actually the code moved from bridge_driver.c
          - bridge_driver_nop: dumb implementation that does nothing
      Signed-off-by: NEric Blake <eblake@redhat.com>
      4ac708f2
  6. 18 7月, 2013 2 次提交
  7. 10 7月, 2013 1 次提交
  8. 24 6月, 2013 2 次提交
    • D
      Add a policy kit access control driver · b904bba7
      Daniel P. Berrange 提交于
      Add an access control driver that uses the pkcheck command
      to check authorization requests. This is fairly inefficient,
      particularly for cases where an API returns a list of objects
      and needs to check permission for each object.
      
      It would be desirable to use the polkit API but this links
      to glib with abort-on-OOM behaviour, so can't be used. The
      other alternative is to speak to dbus directly
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      b904bba7
    • D
      Define basic internal API for access control · a93cd08f
      Daniel P. Berrange 提交于
      This patch introduces the virAccessManagerPtr class as the
      interface between virtualization drivers and the access
      control drivers. The viraccessperm.h file defines the
      various permissions that will be used for each type of object
      libvirt manages
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      a93cd08f
  9. 13 5月, 2013 1 次提交
  10. 13 4月, 2013 1 次提交
  11. 21 3月, 2013 1 次提交
    • P
      virsh: Introduce macros to reject mutually exclusive arguments · 7e437ee7
      Peter Krempa 提交于
      This patch adds three macros to the virsh source tree that help to
      easily check for mutually exclusive parameters.
      
      VSH_EXCLUSIVE_OPTIONS_EXPR has four arguments, two expressions to check
      and two names of the parameters to print in the message.
      
      VSH_EXCLUSIVE_OPTIONS is more specific and check the command structure
      for the parameters using vshCommandOptBool.
      
      VSH_EXCLUSIVE_OPTIONS_VAR is meant to check boolean variables with the
      same name as the parameters.
      7e437ee7
  12. 20 3月, 2013 1 次提交
  13. 19 3月, 2013 1 次提交
  14. 13 3月, 2013 1 次提交
    • D
      Apply security label when entering LXC namespaces · e4e69e89
      Daniel P. Berrange 提交于
      Add a new virDomainLxcEnterSecurityLabel() function as a
      counterpart to virDomainLxcEnterNamespaces(), which can
      change the current calling process to have a new security
      context. This call runs client side, not in libvirtd
      so we can't use the security driver infrastructure.
      
      When entering a namespace, the process spawned from virsh
      will default to running with the security label of virsh.
      The actual desired behaviour is to run with the security
      label of the container most of the time. So this changes
      virsh lxc-enter-namespace command to invoke the
      virDomainLxcEnterSecurityLabel method.
      
      The current behaviour is:
      
      LABEL                             PID TTY          TIME CMD
      system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
      system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
      system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
      system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 29 ? 00:00:00 dhclient
      staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 47 ? 00:00:00 ps
      
      Note the ps command is running as unconfined_t,  After this patch,
      
      The new behaviour is this:
      
      virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ
      LABEL                             PID TTY          TIME CMD
      system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
      system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
      system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
      system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient
      system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 38 ? 00:00:00 ps
      
      The '--noseclabel' flag can be used to skip security labelling.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      e4e69e89
  15. 16 1月, 2013 3 次提交
  16. 05 1月, 2013 1 次提交
  17. 21 12月, 2012 18 次提交
  18. 18 12月, 2012 1 次提交
  19. 13 12月, 2012 1 次提交