From 0ab49601a8d2900e940102a1cdfda6e15631bee4 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Mon, 11 Feb 2013 14:22:56 +0000 Subject: [PATCH] Remove re-entrant API call in SELinux/AppArmor security managers The security manager drivers are not allowed to call back out to top level security manager APIs, since that results in recursive mutex acquisition and thus deadlock. Remove calls to virSecurityManagerGetModel from SELinux / AppArmor drivers Signed-off-by: Daniel P. Berrange --- src/security/security_apparmor.c | 7 ++++--- src/security/security_selinux.c | 28 ++++++++++++++-------------- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index bf795b08c9..532b21b7e9 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -590,7 +590,8 @@ AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, * LOCALSTATEDIR/log/libvirt/qemu/.log */ static int -AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainDefPtr def) +AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, + virDomainDefPtr def) { int rc = -1; char *profile_name = NULL; @@ -603,12 +604,12 @@ AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainDefPtr def) if ((profile_name = get_profile_name(def)) == NULL) return rc; - if (STRNEQ(virSecurityManagerGetModel(mgr), secdef->model)) { + if (STRNEQ(SECURITY_APPARMOR_NAME, secdef->model)) { virReportError(VIR_ERR_INTERNAL_ERROR, _("security label driver mismatch: " "\'%s\' model configured for domain, but " "hypervisor driver is \'%s\'."), - secdef->model, virSecurityManagerGetModel(mgr)); + secdef->model, SECURITY_APPARMOR_NAME); if (use_apparmor() > 0) goto clean; } diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 2f5012d8ad..2a9333cf88 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1803,12 +1803,12 @@ virSecuritySELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, if (secdef == NULL) return -1; - if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { + if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) { virReportError(VIR_ERR_INTERNAL_ERROR, _("security label driver mismatch: " "'%s' model configured for domain, but " "hypervisor driver is '%s'."), - secdef->model, virSecurityManagerGetModel(mgr)); + secdef->model, SECURITY_SELINUX_NAME); return -1; } @@ -1823,7 +1823,7 @@ virSecuritySELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, } static int -virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr, +virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefPtr def) { /* TODO: verify DOI */ @@ -1837,12 +1837,12 @@ virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr, return 0; VIR_DEBUG("label=%s", secdef->label); - if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { + if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) { virReportError(VIR_ERR_INTERNAL_ERROR, _("security label driver mismatch: " "'%s' model configured for domain, but " "hypervisor driver is '%s'."), - secdef->model, virSecurityManagerGetModel(mgr)); + secdef->model, SECURITY_SELINUX_NAME); if (security_getenforce() == 1) return -1; } @@ -1859,7 +1859,7 @@ virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr, } static int -virSecuritySELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr, +virSecuritySELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefPtr def) { /* TODO: verify DOI */ @@ -1875,12 +1875,12 @@ virSecuritySELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr, if (secdef->label == NULL) return 0; - if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { + if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) { virReportError(VIR_ERR_INTERNAL_ERROR, _("security label driver mismatch: " "'%s' model configured for domain, but " "hypervisor driver is '%s'."), - secdef->model, virSecurityManagerGetModel(mgr)); + secdef->model, SECURITY_SELINUX_NAME); goto done; } @@ -1912,7 +1912,7 @@ done: } static int -virSecuritySELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr, +virSecuritySELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefPtr vm) { virSecurityLabelDefPtr secdef; @@ -1925,12 +1925,12 @@ virSecuritySELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr, if (secdef->label == NULL) return 0; - if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { + if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) { virReportError(VIR_ERR_INTERNAL_ERROR, _("security label driver mismatch: " "'%s' model configured for domain, but " "hypervisor driver is '%s'."), - secdef->model, virSecurityManagerGetModel(mgr)); + secdef->model, SECURITY_SELINUX_NAME); goto done; } @@ -1953,7 +1953,7 @@ done: } static int -virSecuritySELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr, +virSecuritySELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefPtr def) { /* TODO: verify DOI */ @@ -1966,12 +1966,12 @@ virSecuritySELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr, if (secdef->label == NULL) return 0; - if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { + if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) { virReportError(VIR_ERR_INTERNAL_ERROR, _("security label driver mismatch: " "'%s' model configured for domain, but " "hypervisor driver is '%s'."), - secdef->model, virSecurityManagerGetModel(mgr)); + secdef->model, SECURITY_SELINUX_NAME); if (security_getenforce() == 1) return -1; } -- 2.47.3