git.ipfire.org Git - thirdparty/libvirt.git/commit

security: full path option for DomainSetPathLabel

virSecurityManagerDomainSetPathLabel is used to make a path known
to the security modules, but today is used interchangably for
- paths to files/dirs to be accessed directly
- paths to a dir, but the access will actually be to files therein

Depending on the security module it is important to know which of
these types it will be.

The argument allowSubtree augments the call to the implementations of
DomainSetPathLabel that can - per security module - decide if extra
actions shall be taken.

For now dac/selinux handle this as before, but apparmor will make
use of it to add a wildcard to the path that was passed.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

author	Christian Ehrhardt <christian.ehrhardt@canonical.com>
	Tue, 9 Jan 2018 15:04:03 +0000 (16:04 +0100)
committer	Michal Privoznik <mprivozn@redhat.com>
	Tue, 9 Jan 2018 16:29:52 +0000 (17:29 +0100)
commit	a5486e57f5b13454d6a1334675ba98075f179da7
tree	9823af8679090727a592fe36479c7a36c8f88038	tree
parent	f436a78239cf7c369c086db0d5f46640b328079f	commit \| diff

src/qemu/qemu_domain.c		diff \| blob \| blame \| history
src/qemu/qemu_process.c		diff \| blob \| blame \| history
src/security/security_apparmor.c		diff \| blob \| blame \| history
src/security/security_dac.c		diff \| blob \| blame \| history
src/security/security_driver.h		diff \| blob \| blame \| history
src/security/security_manager.c		diff \| blob \| blame \| history
src/security/security_manager.h		diff \| blob \| blame \| history
src/security/security_selinux.c		diff \| blob \| blame \| history
src/security/security_stack.c		diff \| blob \| blame \| history