goto error;
}
- if (obj->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
- driver->securityDriver &&
+ if (driver->securityDriver &&
driver->securityDriver->domainReserveSecurityLabel &&
driver->securityDriver->domainReserveSecurityLabel(NULL, obj) < 0)
goto error;
static int qemudDomainSetSecurityLabel(virConnectPtr conn, struct qemud_driver *driver, virDomainObjPtr vm)
{
- if (vm->def->seclabel.label != NULL)
- if (driver->securityDriver && driver->securityDriver->domainSetSecurityLabel)
- return driver->securityDriver->domainSetSecurityLabel(conn, driver->securityDriver,
- vm);
- return 0;
+ int rc = 0;
+
+ if (driver->securityDriver &&
+ driver->securityDriver->domainSetSecurityLabel &&
+ driver->securityDriver->domainSetSecurityLabel(conn, driver->securityDriver, vm) < 0)
+ rc = -1;
+
+ return rc;
}
/* If you are using a SecurityDriver with dynamic labelling,
then generate a security label for isolation */
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
- driver->securityDriver &&
+ if (driver->securityDriver &&
driver->securityDriver->domainGenSecurityLabel &&
driver->securityDriver->domainGenSecurityLabel(conn, vm) < 0)
return -1;
virKillProcess(vm->pid, SIGKILL);
/* Reset Security Labels */
- if (driver->securityDriver)
+ if (driver->securityDriver &&
+ driver->securityDriver->domainRestoreSecurityLabel)
driver->securityDriver->domainRestoreSecurityLabel(conn, vm);
/* Clear out dynamically assigned labels */
if (driver->securityDriver &&
driver->securityDriver->domainRestoreSavedStateLabel &&
- driver->securityDriver->domainRestoreSavedStateLabel(dom->conn, path) == -1)
+ driver->securityDriver->domainRestoreSavedStateLabel(dom->conn, vm, path) == -1)
goto endjob;
ret = 0;
if (driver->securityDriver &&
driver->securityDriver->domainRestoreSavedStateLabel &&
- driver->securityDriver->domainRestoreSavedStateLabel(dom->conn, path) == -1)
+ driver->securityDriver->domainRestoreSavedStateLabel(dom->conn, vm, path) == -1)
goto endjob;
endjob:
if (qemuDomainSetDeviceOwnership(conn, driver, dev, 0) < 0)
return -1;
if (driver->securityDriver &&
+ driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(conn, vm, dev->data.hostdev) < 0)
return -1;
switch (dev->data.disk->device) {
case VIR_DOMAIN_DISK_DEVICE_CDROM:
case VIR_DOMAIN_DISK_DEVICE_FLOPPY:
- if (driver->securityDriver)
+ if (driver->securityDriver &&
+ driver->securityDriver->domainSetSecurityImageLabel)
driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev->data.disk);
if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 0) < 0)
break;
case VIR_DOMAIN_DISK_DEVICE_DISK:
- if (driver->securityDriver)
+ if (driver->securityDriver &&
+ driver->securityDriver->domainSetSecurityImageLabel)
driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev->data.disk);
if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 0) < 0)
}
if (driver->securityDriver &&
+ driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(conn, vm, dev->data.hostdev) < 0)
VIR_WARN0("Failed to restore device labelling");
dev->data.disk->device == VIR_DOMAIN_DISK_DEVICE_DISK &&
dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO) {
ret = qemudDomainDetachPciDiskDevice(dom->conn, driver, vm, dev);
- if (driver->securityDriver)
+ if (driver->securityDriver &&
+ driver->securityDriver->domainRestoreSecurityImageLabel)
driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev->data.disk);
if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 1) < 0)
VIR_WARN0("Fail to restore disk device ownership");
}
} else if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV) {
ret = qemudDomainDetachHostDevice(dom->conn, driver, vm, dev);
+ if (driver->securityDriver &&
+ driver->securityDriver->domainRestoreSecurityHostdevLabel)
+ driver->securityDriver->domainRestoreSecurityHostdevLabel(dom->conn, vm, dev->data.hostdev);
} else {
qemudReportError(dom->conn, dom, NULL, VIR_ERR_NO_SUPPORT,
"%s", _("This type of device cannot be hot unplugged"));
int rc = -1;
char *profile_name = NULL;
+ if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
+
if ((vm->def->seclabel.label) ||
(vm->def->seclabel.model) || (vm->def->seclabel.imagelabel)) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR,
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int rc = 0;
- if (secdef->imagelabel) {
+ if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
if ((rc = remove_profile(secdef->label)) != 0) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR,
_("could not remove profile for \'%s\'"),
int rc = -1;
char *profile_name = NULL;
- if (secdef->imagelabel) {
- if ((profile_name = get_profile_name(conn, vm)) == NULL)
- return rc;
+ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
- /* Update the profile only if it is loaded */
- if (profile_loaded(secdef->imagelabel) >= 0) {
- if (load_profile(conn, secdef->imagelabel, vm, NULL) < 0) {
- virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR,
- _("cannot update AppArmor profile "
- "\'%s\'"),
- secdef->imagelabel);
- goto clean;
- }
+ if ((profile_name = get_profile_name(conn, vm)) == NULL)
+ return rc;
+
+ /* Update the profile only if it is loaded */
+ if (profile_loaded(secdef->imagelabel) >= 0) {
+ if (load_profile(conn, secdef->imagelabel, vm, NULL) < 0) {
+ virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR,
+ _("cannot update AppArmor profile "
+ "\'%s\'"),
+ secdef->imagelabel);
+ goto clean;
}
}
+
rc = 0;
clean:
VIR_FREE(profile_name);
int rc = -1;
char *profile_name;
+ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
+
if (!disk->src)
return 0;
static int
AppArmorSetSecurityHostdevLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+
+ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
+
/* TODO: call load_profile with an update vm->def */
return 0;
}
static int
AppArmorRestoreSecurityHostdevLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
+
/* TODO: call load_profile (needs virDomainObjPtr vm) */
return 0;
}
virDomainObjPtr vm,
virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainRestoreHostdevLabel) (virConnectPtr conn,
+ virDomainObjPtr vm,
virDomainHostdevDefPtr dev);
typedef int (*virSecurityDomainSetHostdevLabel) (virConnectPtr conn,
virDomainObjPtr vm,
virDomainObjPtr vm,
const char *savefile);
typedef int (*virSecurityDomainRestoreSavedStateLabel) (virConnectPtr conn,
+ virDomainObjPtr vm,
const char *savefile);
typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn,
virDomainObjPtr sec);
int c1 = 0;
int c2 = 0;
+ if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
+
if (vm->def->seclabel.label ||
vm->def->seclabel.model ||
vm->def->seclabel.imagelabel) {
context_t ctx = NULL;
const char *mcs;
+ if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
+
if (getpidcon(vm->pid, &pctx) == -1) {
virReportSystemError(conn, errno,
_("unable to get PID %d security context"), vm->pid);
static int
SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm,
virDomainDiskDefPtr disk)
{
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+
+ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
+
/* Don't restore labels on readoly/shared disks, because
* other VMs may still be accessing these
* Alternatively we could iterate over all running
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
const char *path;
+ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
+
if (!disk->src)
return 0;
virDomainHostdevDefPtr dev)
{
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int ret = -1;
+ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
+
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
return 0;
static int
SELinuxRestoreSecurityHostdevLabel(virConnectPtr conn,
+ virDomainObjPtr vm,
virDomainHostdevDefPtr dev)
{
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int ret = -1;
+ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
+
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
return 0;
VIR_DEBUG("Restoring security label on %s", vm->def->name);
- if (secdef->imagelabel) {
- for (i = 0 ; i < vm->def->nhostdevs ; i++) {
- if (SELinuxRestoreSecurityHostdevLabel(conn, vm->def->hostdevs[i]) < 0)
- rc = -1;
- }
- for (i = 0 ; i < vm->def->ndisks ; i++) {
- if (SELinuxRestoreSecurityImageLabel(conn, vm,
- vm->def->disks[i]) < 0)
- rc = -1;
- }
- VIR_FREE(secdef->model);
- VIR_FREE(secdef->label);
- context_t con = context_new(secdef->imagelabel);
- if (con) {
- mcsRemove(context_range_get(con));
- context_free(con);
- }
- VIR_FREE(secdef->imagelabel);
+ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
+
+ for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+ if (SELinuxRestoreSecurityHostdevLabel(conn, vm, vm->def->hostdevs[i]) < 0)
+ rc = -1;
}
+ for (i = 0 ; i < vm->def->ndisks ; i++) {
+ if (SELinuxRestoreSecurityImageLabel(conn, vm,
+ vm->def->disks[i]) < 0)
+ rc = -1;
+ }
+ context_t con = context_new(secdef->label);
+ if (con) {
+ mcsRemove(context_range_get(con));
+ context_free(con);
+ }
+
+ VIR_FREE(secdef->model);
+ VIR_FREE(secdef->label);
+ VIR_FREE(secdef->imagelabel);
+
return rc;
}
{
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
+
return SELinuxSetFilecon(conn, savefile, secdef->imagelabel);
}
static int
SELinuxRestoreSavedStateLabel(virConnectPtr conn,
+ virDomainObjPtr vm,
const char *savefile)
{
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+
+ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+ return 0;
+
return SELinuxRestoreSecurityFileLabel(conn, savefile);
}
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int i;
+ if (vm->def->seclabel.label == NULL)
+ return 0;
+
if (!STREQ(drv->name, secdef->model)) {
virSecurityReportError(conn, VIR_ERR_INTERNAL_ERROR,
_("security label driver mismatch: "
return -1;
}
- if (secdef->imagelabel) {
+ if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
for (i = 0 ; i < vm->def->ndisks ; i++) {
/* XXX fixme - we need to recursively label the entriy tree :-( */
if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR)
projects / thirdparty / libvirt.git / commitdiff
