1. 04 5月, 2018 1 次提交
  2. 13 3月, 2018 1 次提交
    • M
      virSecurityDACChownListFree: Don't leak list->items array · ca250269
      Michal Privoznik 提交于
      We're freeing individual items in it but not the array itself.
      
      ==19200== 40 bytes in 1 blocks are definitely lost in loss record 847 of 1,059
      ==19200==    at 0x4C2D12F: realloc (vg_replace_malloc.c:785)
      ==19200==    by 0x52C5532: virReallocN (viralloc.c:245)
      ==19200==    by 0x52C5628: virExpandN (viralloc.c:294)
      ==19200==    by 0x52C58FC: virInsertElementsN (viralloc.c:436)
      ==19200==    by 0x542856B: virSecurityDACChownListAppend (security_dac.c:115)
      ==19200==    by 0x54286B4: virSecurityDACTransactionAppend (security_dac.c:167)
      ==19200==    by 0x542902F: virSecurityDACSetOwnershipInternal (security_dac.c:560)
      ==19200==    by 0x54295D6: virSecurityDACSetOwnership (security_dac.c:650)
      ==19200==    by 0x542AEE0: virSecurityDACSetInputLabel (security_dac.c:1472)
      ==19200==    by 0x542B61D: virSecurityDACSetAllLabel (security_dac.c:1693)
      ==19200==    by 0x542DD67: virSecurityManagerSetAllLabel (security_manager.c:869)
      ==19200==    by 0x54279C2: virSecurityStackSetAllLabel (security_stack.c:361)
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      ca250269
  3. 10 1月, 2018 1 次提交
    • C
      security: full path option for DomainSetPathLabel · a5486e57
      Christian Ehrhardt 提交于
      virSecurityManagerDomainSetPathLabel is used to make a path known
      to the security modules, but today is used interchangably for
       - paths to files/dirs to be accessed directly
       - paths to a dir, but the access will actually be to files therein
      
      Depending on the security module it is important to know which of
      these types it will be.
      
      The argument allowSubtree augments the call to the implementations of
      DomainSetPathLabel that can - per security module - decide if extra
      actions shall be taken.
      
      For now dac/selinux handle this as before, but apparmor will make
      use of it to add a wildcard to the path that was passed.
      Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      a5486e57
  4. 05 12月, 2017 1 次提交
  5. 25 11月, 2017 1 次提交
  6. 03 11月, 2017 1 次提交
    • P
      security: dac: Take parent security label into account · 2742dfee
      Peter Krempa 提交于
      Until now we ignored user-provided backing chains and while detecting
      the code inherited labels of the parent device. With user provided
      chains we should keep this functionality, so label of the parent image
      in the backing chain will be applied if an image-specific label is not
      present.
      2742dfee
  7. 17 10月, 2017 1 次提交
    • P
      util: storagefile: Add helpers to check presence of backing store · 0a294a8e
      Peter Krempa 提交于
      Add helpers that will simplify checking if a backing file is valid or
      whether it has backing store. The helper virStorageSourceIsBacking
      returns true if the given virStorageSource is a valid backing store
      member. virStorageSourceHasBacking returns true if the virStorageSource
      has a backing store child.
      
      Adding these functions creates a central points for further refactors.
      0a294a8e
  8. 13 9月, 2017 2 次提交
  9. 22 6月, 2017 1 次提交
    • M
      security: Don't skip relabel for all chardevs · e0d1a378
      Michal Privoznik 提交于
      Our commit e13e8808 was way too generic. Currently, virtlogd is
      used only for chardevs type of file and nothing else. True, we
      must not relabel the path in this case, but we have to in all
      other cases. For instance, if you want to have a physical console
      attached to your guest:
      
          <console type='dev'>
            <source path='/dev/ttyS0'/>
            <target type='virtio' port='1'/>
          </console>
      
      Starting such domain fails because qemu doesn't have access to
      /dev/ttyS0 because we haven't relabelled the path.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      e0d1a378
  10. 16 6月, 2017 2 次提交
  11. 18 5月, 2017 1 次提交
  12. 27 3月, 2017 2 次提交
    • E
      security: Enable labeling of vfio mediated devices · 606afafb
      Erik Skultety 提交于
      This patch updates all of our security driver to start labeling the
      VFIO IOMMU devices under /dev/vfio/ as well.
      Signed-off-by: NErik Skultety <eskultet@redhat.com>
      606afafb
    • E
      conf: Introduce new hostdev device type mdev · ec783d7c
      Erik Skultety 提交于
      A mediated device will be identified by a UUID (with 'model' now being
      a mandatory <hostdev> attribute to represent the mediated device API) of
      the user pre-created mediated device. We also need to make sure that if
      user explicitly provides a guest address for a mdev device, the address
      type will be matching the device API supported on that specific mediated
      device and error out with an incorrect XML message.
      
      The resulting device XML:
      <devices>
        <hostdev mode='subsystem' type='mdev' model='vfio-pci'>
          <source>
            <address uuid='c2177883-f1bb-47f0-914d-32a22e3a8804'>
          </source>
        </hostdev>
      </devices>
      Signed-off-by: NErik Skultety <eskultet@redhat.com>
      ec783d7c
  13. 15 3月, 2017 2 次提交
  14. 17 1月, 2017 1 次提交
  15. 10 1月, 2017 2 次提交
  16. 25 11月, 2016 2 次提交
  17. 22 10月, 2016 1 次提交
  18. 25 5月, 2016 1 次提交
  19. 19 4月, 2016 1 次提交
  20. 15 1月, 2016 2 次提交
  21. 15 12月, 2015 1 次提交
    • J
      security_dac: remove extra Security from function names · be33e965
      Ján Tomko 提交于
      Many of the functions follow the pattern:
      virSecurity.*Security.*Label
      
      Remove the second 'Security' from the names, it should be obvious
      that the virSecurity* functions deal with security labels even
      without it.
      be33e965
  22. 09 12月, 2015 1 次提交
  23. 30 11月, 2015 1 次提交
  24. 12 11月, 2015 1 次提交
  25. 16 10月, 2015 6 次提交
  26. 24 8月, 2015 2 次提交
  27. 11 12月, 2014 1 次提交