}
unlink_tmp = true;
- virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp);
+ virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp);
qemuDomainObjEnterMonitor(driver, vm);
if (qemuMonitorScreendump(priv->mon, tmp) < 0) {
*/
if (virDomainObjIsActive(vm)) {
if (virSecurityManagerGetProcessLabel(driver->securityManager,
- vm, seclabel) < 0) {
+ vm->def, vm->pid, seclabel) < 0) {
qemuReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("Failed to get security label"));
goto cleanup;
out:
virCommandFree(cmd);
if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager,
- vm, path) < 0)
+ vm->def, path) < 0)
VIR_WARN("failed to restore save state label on %s", path);
return ret;
goto endjob;
}
- virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp);
+ virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp);
priv = vm->privateData;
qemuDomainObjEnterMonitor(driver, vm);
if (virDomainLockDiskAttach(driver->lockManager, vm, disk) < 0)
goto cleanup;
- if (virSecurityManagerSetImageLabel(driver->securityManager, vm,
+ if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def,
disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", source);
return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager,
- vm, disk) < 0) {
+ vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src);
return -1;
goto error;
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, origdisk) < 0)
+ vm->def, origdisk) < 0)
VIR_WARN("Unable to restore security label on ejected image %s", origdisk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, origdisk) < 0)
VIR_FREE(driveAlias);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, disk) < 0)
+ vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on new media %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager,
- vm, disk) < 0) {
+ vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src);
return -1;
VIR_WARN("Unable to release PCI address on %s", disk->src);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, disk) < 0)
+ vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager,
- vm, disk) < 0) {
+ vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src);
return -1;
VIR_FREE(drivestr);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, disk) < 0)
+ vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
return -1;
if (virSecurityManagerSetImageLabel(driver->securityManager,
- vm, disk) < 0) {
+ vm->def, disk) < 0) {
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", disk->src);
return -1;
VIR_FREE(drivestr);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, disk) < 0)
+ vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", disk->src);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
if (virSecurityManagerSetHostdevLabel(driver->securityManager,
- vm, hostdev) < 0)
+ vm->def, hostdev) < 0)
return -1;
switch (hostdev->source.subsys.type) {
error:
if (virSecurityManagerRestoreHostdevLabel(driver->securityManager,
- vm, hostdev) < 0)
+ vm->def, hostdev) < 0)
VIR_WARN("Unable to restore host device labelling on hotplug fail");
return -1;
virDomainDiskDefFree(detach);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, dev->data.disk) < 0)
+ vm->def, dev->data.disk) < 0)
VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
if (cgroup != NULL) {
virDomainDiskDefFree(detach);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm, dev->data.disk) < 0)
+ vm->def, dev->data.disk) < 0)
VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
if (cgroup != NULL) {
if (ret == 0 &&
virSecurityManagerRestoreHostdevLabel(driver->securityManager,
- vm, detach) < 0)
+ vm->def, detach) < 0)
VIR_WARN("Failed to restore host device labelling");
virDomainHostdevDefFree(detach);
virReportOOMError();
goto cleanup;
}
- if (virSecurityManagerSetSocketLabel(driver->securityManager, vm) < 0)
+ if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0)
goto cleanup;
if (virNetSocketNewConnectTCP(uribits->server, tmp, &sock) == 0) {
spec.dest.fd.qemu = virNetSocketDupFD(sock, true);
virNetSocketFree(sock);
}
- if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0 ||
+ if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0 ||
spec.dest.fd.qemu == -1)
goto cleanup;
} else {
spec.dest.fd.local = fds[0];
}
if (spec.dest.fd.qemu == -1 ||
- virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
+ virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
spec.dest.fd.qemu) < 0) {
virReportSystemError(errno, "%s",
_("cannot create pipe for tunnelled migration"));
* doesn't have to open() the file, so while we still have to
* grant SELinux access, we can do it on fd and avoid cleanup
* later, as well as skip futzing with cgroup. */
- if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
+ if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
compressor ? pipeFD[1] : fd) < 0)
goto cleanup;
bypassSecurityDriver = true;
}
if ((!bypassSecurityDriver) &&
virSecurityManagerSetSavedStateLabel(driver->securityManager,
- vm, path) < 0)
+ vm->def, path) < 0)
goto cleanup;
restoreLabel = true;
}
virCommandFree(cmd);
if (restoreLabel && (!bypassSecurityDriver) &&
virSecurityManagerRestoreSavedStateLabel(driver->securityManager,
- vm, path) < 0)
+ vm->def, path) < 0)
VIR_WARN("failed to restore save state label on %s", path);
if (cgroup != NULL) {
qemuMonitorPtr mon = NULL;
if (virSecurityManagerSetDaemonSocketLabel(driver->securityManager,
- vm) < 0) {
+ vm->def) < 0) {
VIR_ERROR(_("Failed to set security context for monitor for %s"),
vm->def->name);
goto error;
}
priv->mon = mon;
- if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0) {
+ if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) {
VIR_ERROR(_("Failed to clear security context for monitor for %s"),
vm->def->name);
goto error;
* sockets the lock driver opens that we don't want
* labelled. So far we're ok though.
*/
- if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm) < 0)
+ if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup;
if (virDomainLockProcessStart(h->driver->lockManager,
h->vm,
true,
&fd) < 0)
goto cleanup;
- if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm) < 0)
+ if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup;
if (qemuProcessLimits(h->driver) < 0)
return -1;
VIR_DEBUG("Setting up security labelling");
- if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm) < 0)
+ if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm->def) < 0)
goto cleanup;
ret = 0;
goto error;
}
- if (virSecurityManagerReserveLabel(driver->securityManager, obj) < 0)
+ if (virSecurityManagerReserveLabel(driver->securityManager, obj->def, obj->pid) < 0)
goto error;
if (qemuProcessNotifyNets(obj->def) < 0)
/* If you are using a SecurityDriver with dynamic labelling,
then generate a security label for isolation */
VIR_DEBUG("Generating domain security label (if required)");
- if (virSecurityManagerGenLabel(driver->securityManager, vm) < 0) {
+ if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) {
virDomainAuditSecurityLabel(vm, false);
goto cleanup;
}
VIR_DEBUG("Setting domain security labels");
if (virSecurityManagerSetAllLabel(driver->securityManager,
- vm, stdin_path) < 0)
+ vm->def, stdin_path) < 0)
goto cleanup;
if (stdin_fd != -1) {
goto cleanup;
}
if (S_ISFIFO(stdin_sb.st_mode) &&
- virSecurityManagerSetImageFDLabel(driver->securityManager, vm, stdin_fd) < 0)
+ virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, stdin_fd) < 0)
goto cleanup;
}
/* Reset Security Labels */
virSecurityManagerRestoreAllLabel(driver->securityManager,
- vm, migrated);
- virSecurityManagerReleaseLabel(driver->securityManager, vm);
+ vm->def, migrated);
+ virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
/* Clear out dynamically assigned labels */
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
if (VIR_ALLOC(seclabel) < 0)
goto no_memory;
if (virSecurityManagerGetProcessLabel(driver->securityManager,
- vm, seclabel) < 0)
+ vm->def, vm->pid, seclabel) < 0)
goto cleanup;
if (driver->caps->host.secModel.model &&
!(vm->def->seclabel.model = strdup(driver->caps->host.secModel.model)))
/* Data structure to pass to *FileIterate so we have everything we need */
struct SDPDOP {
virSecurityManagerPtr mgr;
- virDomainObjPtr vm;
+ virDomainDefPtr def;
};
/*
static int
load_profile(virSecurityManagerPtr mgr,
const char *profile,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *fn,
bool append)
{
const char *probe = virSecurityManagerGetAllowDiskFormatProbing(mgr)
? "1" : "0";
- xml = virDomainDefFormat(vm->def, VIR_DOMAIN_XML_SECURE);
+ xml = virDomainDefFormat(def, VIR_DOMAIN_XML_SECURE);
if (!xml)
goto clean;
}
static char *
-get_profile_name(virDomainObjPtr vm)
+get_profile_name(virDomainDefPtr def)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
char *name = NULL;
- virUUIDFormat(vm->def->uuid, uuidstr);
+ virUUIDFormat(def->uuid, uuidstr);
if (virAsprintf(&name, "%s%s", AA_PREFIX, uuidstr) < 0) {
virReportOOMError();
return NULL;
*/
static int
reload_profile(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *fn,
bool append)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = -1;
char *profile_name = NULL;
if (secdef->norelabel)
return 0;
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
/* Update the profile only if it is loaded */
if (profile_loaded(secdef->imagelabel) >= 0) {
- if (load_profile(mgr, secdef->imagelabel, vm, fn, append) < 0) {
+ if (load_profile(mgr, secdef->imagelabel, def, fn, append) < 0) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile "
"\'%s\'"),
const char *file, void *opaque)
{
struct SDPDOP *ptr = opaque;
- virDomainObjPtr vm = ptr->vm;
+ virDomainDefPtr def = ptr->def;
- if (reload_profile(ptr->mgr, vm, file, true) < 0) {
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ if (reload_profile(ptr->mgr, def, file, true) < 0) {
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile "
"\'%s\'"),
const char *file, void *opaque)
{
struct SDPDOP *ptr = opaque;
- virDomainObjPtr vm = ptr->vm;
+ virDomainDefPtr def = ptr->def;
- if (reload_profile(ptr->mgr, vm, file, true) < 0) {
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ if (reload_profile(ptr->mgr, def, file, true) < 0) {
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile "
"\'%s\'"),
*/
static int
AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
int rc = -1;
char *profile_name = NULL;
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
- if (vm->def->seclabel.baselabel) {
+ if (def->seclabel.baselabel) {
virSecurityReportError(VIR_ERR_CONFIG_UNSUPPORTED,
"%s", _("Cannot set a base label with AppArmour"));
return rc;
}
- if ((vm->def->seclabel.label) ||
- (vm->def->seclabel.model) || (vm->def->seclabel.imagelabel)) {
+ if ((def->seclabel.label) ||
+ (def->seclabel.model) || (def->seclabel.imagelabel)) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s",
_("security label already defined for VM"));
return rc;
}
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
- vm->def->seclabel.label = strndup(profile_name, strlen(profile_name));
- if (!vm->def->seclabel.label) {
+ def->seclabel.label = strndup(profile_name, strlen(profile_name));
+ if (!def->seclabel.label) {
virReportOOMError();
goto clean;
}
/* set imagelabel the same as label (but we won't use it) */
- vm->def->seclabel.imagelabel = strndup(profile_name,
+ def->seclabel.imagelabel = strndup(profile_name,
strlen(profile_name));
- if (!vm->def->seclabel.imagelabel) {
+ if (!def->seclabel.imagelabel) {
virReportOOMError();
goto err;
}
- vm->def->seclabel.model = strdup(SECURITY_APPARMOR_NAME);
- if (!vm->def->seclabel.model) {
+ def->seclabel.model = strdup(SECURITY_APPARMOR_NAME);
+ if (!def->seclabel.model) {
virReportOOMError();
goto err;
}
/* Now that we have a label, load the profile into the kernel. */
- if (load_profile(mgr, vm->def->seclabel.label, vm, NULL, false) < 0) {
+ if (load_profile(mgr, def->seclabel.label, def, NULL, false) < 0) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot load AppArmor profile "
- "\'%s\'"), vm->def->seclabel.label);
+ "\'%s\'"), def->seclabel.label);
goto err;
}
goto clean;
err:
- VIR_FREE(vm->def->seclabel.label);
- VIR_FREE(vm->def->seclabel.imagelabel);
- VIR_FREE(vm->def->seclabel.model);
+ VIR_FREE(def->seclabel.label);
+ VIR_FREE(def->seclabel.imagelabel);
+ VIR_FREE(def->seclabel.model);
clean:
VIR_FREE(profile_name);
static int
AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm, const char *stdin_path)
+ virDomainDefPtr def, const char *stdin_path)
{
- if (vm->def->seclabel.norelabel)
+ if (def->seclabel.norelabel)
return 0;
/* Reload the profile if stdin_path is specified. Note that
GenSecurityLabel() will have already been run. */
if (stdin_path)
- return reload_profile(mgr, vm, stdin_path, true);
+ return reload_profile(mgr, def, stdin_path, true);
return 0;
}
*/
static int
AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
+ pid_t pid,
virSecurityLabelPtr sec)
{
int rc = -1;
char *profile_name = NULL;
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
if (virStrcpy(sec->label, profile_name,
*/
static int
AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
VIR_FREE(secdef->model);
VIR_FREE(secdef->label);
static int
AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated ATTRIBUTE_UNUSED)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
* LOCALSTATEDIR/log/libvirt/qemu/<vm name>.log
*/
static int
-AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm)
+AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainDefPtr def)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = -1;
char *profile_name = NULL;
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
if (STRNEQ(virSecurityManagerGetModel(mgr), secdef->model)) {
static int
AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
static int
AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
static int
AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
/* Called when hotplugging */
static int
AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
- virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
+ virDomainDefPtr def,
+ virDomainDiskDefPtr disk)
{
if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
return 0;
- return reload_profile(mgr, vm, NULL, false);
+ return reload_profile(mgr, def, NULL, false);
}
/* Called when hotplugging */
static int
AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm, virDomainDiskDefPtr disk)
+ virDomainDefPtr def, virDomainDiskDefPtr disk)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int rc = -1;
char *profile_name;
return rc;
}
- if ((profile_name = get_profile_name(vm)) == NULL)
+ if ((profile_name = get_profile_name(def)) == NULL)
return rc;
/* update the profile only if it is loaded */
if (profile_loaded(secdef->imagelabel) >= 0) {
- if (load_profile(mgr, secdef->imagelabel, vm, disk->src,
+ if (load_profile(mgr, secdef->imagelabel, def, disk->src,
false) < 0) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot update AppArmor profile "
static int
AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED)
{
/* NOOP. Nothing to reserve with AppArmor */
return 0;
static int
AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
struct SDPDOP *ptr;
int ret = -1;
if (VIR_ALLOC(ptr) < 0)
return -1;
ptr->mgr = mgr;
- ptr->vm = vm;
+ ptr->def = def;
switch (dev->source.subsys.type) {
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
static int
AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel)
return 0;
- return reload_profile(mgr, vm, NULL, false);
+ return reload_profile(mgr, def, NULL, false);
}
static int
AppArmorSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile)
{
- return reload_profile(mgr, vm, savefile, true);
+ return reload_profile(mgr, def, savefile, true);
}
static int
AppArmorRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile ATTRIBUTE_UNUSED)
{
- return reload_profile(mgr, vm, NULL, false);
+ return reload_profile(mgr, def, NULL, false);
}
static int
AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int fd)
{
int rc = -1;
char *proc = NULL;
char *fd_path = NULL;
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->imagelabel == NULL)
return 0;
return 0;
}
- return reload_profile(mgr, vm, fd_path, true);
+ return reload_profile(mgr, def, fd_path, true);
}
virSecurityDriver virAppArmorSecurityDriver = {
static int
virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk)
{
static int
virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk,
int migrated)
{
static int
virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
- return virSecurityDACRestoreSecurityImageLabelInt(mgr, vm, disk, 0);
+ return virSecurityDACRestoreSecurityImageLabelInt(mgr, def, disk, 0);
}
static int
virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
static int
virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev)
{
static int
virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
VIR_DEBUG("Restoring security label on %s migrated=%d",
- vm->def->name, migrated);
+ def->name, migrated);
- for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+ for (i = 0 ; i < def->nhostdevs ; i++) {
if (virSecurityDACRestoreSecurityHostdevLabel(mgr,
- vm,
- vm->def->hostdevs[i]) < 0)
+ def,
+ def->hostdevs[i]) < 0)
rc = -1;
}
- for (i = 0 ; i < vm->def->ndisks ; i++) {
+ for (i = 0 ; i < def->ndisks ; i++) {
if (virSecurityDACRestoreSecurityImageLabelInt(mgr,
- vm,
- vm->def->disks[i],
+ def,
+ def->disks[i],
migrated) < 0)
rc = -1;
}
- if (virDomainChrDefForeach(vm->def,
+ if (virDomainChrDefForeach(def,
false,
virSecurityDACRestoreChardevCallback,
mgr) < 0)
rc = -1;
- if (vm->def->os.kernel &&
- virSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
+ if (def->os.kernel &&
+ virSecurityDACRestoreSecurityFileLabel(def->os.kernel) < 0)
rc = -1;
- if (vm->def->os.initrd &&
- virSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
+ if (def->os.initrd &&
+ virSecurityDACRestoreSecurityFileLabel(def->os.initrd) < 0)
rc = -1;
return rc;
static int
virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *stdin_path ATTRIBUTE_UNUSED)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
if (!priv->dynamicOwnership)
return 0;
- for (i = 0 ; i < vm->def->ndisks ; i++) {
+ for (i = 0 ; i < def->ndisks ; i++) {
/* XXX fixme - we need to recursively label the entire tree :-( */
- if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR)
+ if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR)
continue;
if (virSecurityDACSetSecurityImageLabel(mgr,
- vm,
- vm->def->disks[i]) < 0)
+ def,
+ def->disks[i]) < 0)
return -1;
}
- for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+ for (i = 0 ; i < def->nhostdevs ; i++) {
if (virSecurityDACSetSecurityHostdevLabel(mgr,
- vm,
- vm->def->hostdevs[i]) < 0)
+ def,
+ def->hostdevs[i]) < 0)
return -1;
}
- if (virDomainChrDefForeach(vm->def,
+ if (virDomainChrDefForeach(def,
true,
virSecurityDACSetChardevCallback,
mgr) < 0)
return -1;
- if (vm->def->os.kernel &&
- virSecurityDACSetOwnership(vm->def->os.kernel,
+ if (def->os.kernel &&
+ virSecurityDACSetOwnership(def->os.kernel,
priv->user,
priv->group) < 0)
return -1;
- if (vm->def->os.initrd &&
- virSecurityDACSetOwnership(vm->def->os.initrd,
+ if (def->os.initrd &&
+ virSecurityDACSetOwnership(def->os.initrd,
priv->user,
priv->group) < 0)
return -1;
static int
virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
const char *savefile)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
static int
virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
const char *savefile)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
static int
virSecurityDACSetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
- VIR_DEBUG("Dropping privileges of VM to %u:%u",
+ VIR_DEBUG("Dropping privileges of DEF to %u:%u",
(unsigned int) priv->user, (unsigned int) priv->group);
if (virSetUIDGID(priv->user, priv->group) < 0)
static int
virSecurityDACGenLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACReleaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACReserveLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED,
virSecurityLabelPtr seclabel ATTRIBUTE_UNUSED)
{
return 0;
static int
virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
{
return 0;
}
static int
virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
int fd ATTRIBUTE_UNUSED)
{
return 0;
}
-
virSecurityDriver virSecurityDriverDAC = {
sizeof(virSecurityDACData),
"virDAC",
typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr);
typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr vm);
typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainRestoreHostdevLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev);
typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev);
typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile);
typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile);
typedef int (*virSecurityDomainGenLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec);
typedef int (*virSecurityDomainReserveLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec,
+ pid_t pid);
typedef int (*virSecurityDomainReleaseLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec);
typedef int (*virSecurityDomainSetAllLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr sec,
+ virDomainDefPtr sec,
const char *stdin_path);
typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated);
typedef int (*virSecurityDomainGetProcessLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
+ pid_t pid,
virSecurityLabelPtr sec);
typedef int (*virSecurityDomainSetProcessLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr,
virDomainDefPtr def);
typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int fd);
struct _virSecurityDriver {
}
int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainDiskDefPtr disk)
{
if (mgr->drv->domainRestoreSecurityImageLabel)
}
int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainSetSecurityDaemonSocketLabel)
return mgr->drv->domainSetSecurityDaemonSocketLabel(mgr, vm);
}
int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainSetSecuritySocketLabel)
return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
}
int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainClearSecuritySocketLabel)
return mgr->drv->domainClearSecuritySocketLabel(mgr, vm);
}
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainDiskDefPtr disk)
{
if (mgr->drv->domainSetSecurityImageLabel)
}
int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainHostdevDefPtr dev)
{
if (mgr->drv->domainRestoreSecurityHostdevLabel)
}
int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainHostdevDefPtr dev)
{
if (mgr->drv->domainSetSecurityHostdevLabel)
}
int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *savefile)
{
if (mgr->drv->domainSetSavedStateLabel)
}
int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *savefile)
{
if (mgr->drv->domainRestoreSavedStateLabel)
}
int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainGenSecurityLabel)
return mgr->drv->domainGenSecurityLabel(mgr, vm);
}
int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm,
+ pid_t pid)
{
if (mgr->drv->domainReserveSecurityLabel)
- return mgr->drv->domainReserveSecurityLabel(mgr, vm);
+ return mgr->drv->domainReserveSecurityLabel(mgr, vm, pid);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
}
int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainReleaseSecurityLabel)
return mgr->drv->domainReleaseSecurityLabel(mgr, vm);
}
int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *stdin_path)
{
if (mgr->drv->domainSetSecurityAllLabel)
}
int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
int migrated)
{
if (mgr->drv->domainRestoreSecurityAllLabel)
}
int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
+ pid_t pid,
virSecurityLabelPtr sec)
{
if (mgr->drv->domainGetSecurityProcessLabel)
- return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, sec);
+ return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, pid, sec);
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
}
int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
if (mgr->drv->domainSetSecurityProcessLabel)
return mgr->drv->domainSetSecurityProcessLabel(mgr, vm);
}
int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
int fd)
{
if (mgr->drv->domainSetSecurityImageFDLabel)
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk);
int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr vm);
int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk);
int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev);
int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev);
int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile);
int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile);
int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec);
int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec,
+ pid_t pid);
int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr sec);
+ virDomainDefPtr sec);
int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr sec,
+ virDomainDefPtr sec,
const char *stdin_path);
int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated);
int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
+ pid_t pid,
virSecurityLabelPtr sec);
int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm);
+ virDomainDefPtr def);
int virSecurityManagerVerify(virSecurityManagerPtr mgr,
virDomainDefPtr def);
int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int fd);
#endif /* VIR_SECURITY_MANAGER_H__ */
}
static int virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainRestoreHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
const char *savefile ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainRestoreSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
const char *savefile ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainGenLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED)
+ virDomainDefPtr sec ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainReserveLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED)
+ virDomainDefPtr sec ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainReleaseLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED)
+ virDomainDefPtr sec ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED,
+ virDomainDefPtr sec ATTRIBUTE_UNUSED,
const char *stdin_path ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainRestoreAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
int migrated ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainGetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ virDomainDefPtr vm ATTRIBUTE_UNUSED,
+ pid_t pid ATTRIBUTE_UNUSED,
virSecurityLabelPtr sec ATTRIBUTE_UNUSED)
{
return 0;
}
static int virSecurityDomainSetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virDomainDefPtr vm ATTRIBUTE_UNUSED)
{
return 0;
}
}
static int virSecurityDomainSetFDLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr sec ATTRIBUTE_UNUSED,
+ virDomainDefPtr sec ATTRIBUTE_UNUSED,
int fd ATTRIBUTE_UNUSED)
{
return 0;
static int
SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
int rc = -1;
char *mcs = NULL;
int c2 = 0;
context_t ctx = NULL;
- if ((vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
- !vm->def->seclabel.baselabel &&
- vm->def->seclabel.model) {
+ if ((def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
+ !def->seclabel.baselabel &&
+ def->seclabel.model) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security model already defined for VM"));
return rc;
}
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
- vm->def->seclabel.label) {
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+ def->seclabel.label) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security label already defined for VM"));
return rc;
}
- if (vm->def->seclabel.imagelabel) {
+ if (def->seclabel.imagelabel) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security image label already defined for VM"));
return rc;
}
- if (vm->def->seclabel.model &&
- STRNEQ(vm->def->seclabel.model, SECURITY_SELINUX_NAME)) {
+ if (def->seclabel.model &&
+ STRNEQ(def->seclabel.model, SECURITY_SELINUX_NAME)) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("security label model %s is not supported with selinux"),
- vm->def->seclabel.model);
+ def->seclabel.model);
return rc;
}
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) {
- if (!(ctx = context_new(vm->def->seclabel.label)) ) {
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) {
+ if (!(ctx = context_new(def->seclabel.label)) ) {
virReportSystemError(errno,
_("unable to allocate socket security context '%s'"),
- vm->def->seclabel.label);
+ def->seclabel.label);
return rc;
}
}
} while (mcsAdd(mcs) == -1);
- vm->def->seclabel.label =
- SELinuxGenNewContext(vm->def->seclabel.baselabel ?
- vm->def->seclabel.baselabel :
+ def->seclabel.label =
+ SELinuxGenNewContext(def->seclabel.baselabel ?
+ def->seclabel.baselabel :
default_domain_context, mcs);
- if (! vm->def->seclabel.label) {
+ if (! def->seclabel.label) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate selinux context for %s"), mcs);
goto cleanup;
}
}
- vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
- if (!vm->def->seclabel.imagelabel) {
+ def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
+ if (!def->seclabel.imagelabel) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate selinux context for %s"), mcs);
goto cleanup;
}
- if (!vm->def->seclabel.model &&
- !(vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
+ if (!def->seclabel.model &&
+ !(def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
virReportOOMError();
goto cleanup;
}
cleanup:
if (rc != 0) {
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
- VIR_FREE(vm->def->seclabel.label);
- VIR_FREE(vm->def->seclabel.imagelabel);
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
- !vm->def->seclabel.baselabel)
- VIR_FREE(vm->def->seclabel.model);
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
+ VIR_FREE(def->seclabel.label);
+ VIR_FREE(def->seclabel.imagelabel);
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+ !def->seclabel.baselabel)
+ VIR_FREE(def->seclabel.model);
}
if (ctx)
VIR_FREE(mcs);
VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
- NULLSTR(vm->def->seclabel.model),
- NULLSTR(vm->def->seclabel.label),
- NULLSTR(vm->def->seclabel.imagelabel),
- NULLSTR(vm->def->seclabel.baselabel));
+ NULLSTR(def->seclabel.model),
+ NULLSTR(def->seclabel.label),
+ NULLSTR(def->seclabel.imagelabel),
+ NULLSTR(def->seclabel.baselabel));
return rc;
}
static int
SELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def,
+ pid_t pid)
{
security_context_t pctx;
context_t ctx = NULL;
const char *mcs;
- if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
+ if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
- if (getpidcon(vm->pid, &pctx) == -1) {
+ if (getpidcon(pid, &pctx) == -1) {
virReportSystemError(errno,
- _("unable to get PID %d security context"), vm->pid);
+ _("unable to get PID %d security context"), pid);
return -1;
}
static int
SELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ pid_t pid,
virSecurityLabelPtr sec)
{
security_context_t ctx;
- if (getpidcon(vm->pid, &ctx) == -1) {
+ if (getpidcon(pid, &ctx) == -1) {
virReportSystemError(errno,
_("unable to get PID %d security context"),
- vm->pid);
+ pid);
return -1;
}
static int
SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk,
int migrated)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel || (disk->seclabel && disk->seclabel->norelabel))
return 0;
static int
SELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
- return SELinuxRestoreSecurityImageLabelInt(mgr, vm, disk, 0);
+ return SELinuxRestoreSecurityImageLabelInt(mgr, def, disk, 0);
}
static int
SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr);
if (secdef->norelabel)
SELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
- virDomainObjPtr vm = opaque;
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ virDomainDefPtr def = opaque;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
return SELinuxSetFilecon(file, secdef->imagelabel);
}
SELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{
- virDomainObjPtr vm = opaque;
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ virDomainDefPtr def = opaque;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
return SELinuxSetFilecon(file, secdef->imagelabel);
}
static int
SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int ret = -1;
if (secdef->norelabel)
if (!usb)
goto done;
- ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, vm);
+ ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, def);
usbFreeDevice(usb);
break;
}
if (!pci)
goto done;
- ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, vm);
+ ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, def);
pciFreeDevice(pci);
break;
static int
SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
virDomainHostdevDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int ret = -1;
if (secdef->norelabel)
static int
-SELinuxSetSecurityChardevLabel(virDomainObjPtr vm,
+SELinuxSetSecurityChardevLabel(virDomainDefPtr def,
virDomainChrSourceDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
char *in = NULL, *out = NULL;
int ret = -1;
}
static int
-SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm,
+SELinuxRestoreSecurityChardevLabel(virDomainDefPtr def,
virDomainChrSourceDefPtr dev)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
char *in = NULL, *out = NULL;
int ret = -1;
static int
-SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def,
virDomainChrDefPtr dev,
- void *opaque)
+ void *opaque ATTRIBUTE_UNUSED)
{
- virDomainObjPtr vm = opaque;
-
/* This is taken care of by processing of def->serials */
if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
return 0;
- return SELinuxRestoreSecurityChardevLabel(vm, &dev->source);
+ return SELinuxRestoreSecurityChardevLabel(def, &dev->source);
}
static int
-SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
virDomainSmartcardDefPtr dev,
- void *opaque)
+ void *opaque ATTRIBUTE_UNUSED)
{
- virDomainObjPtr vm = opaque;
const char *database;
switch (dev->type) {
return SELinuxRestoreSecurityFileLabel(database);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
- return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru);
+ return SELinuxRestoreSecurityChardevLabel(def, &dev->data.passthru);
default:
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
static int
SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int migrated ATTRIBUTE_UNUSED)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int i;
int rc = 0;
- VIR_DEBUG("Restoring security label on %s", vm->def->name);
+ VIR_DEBUG("Restoring security label on %s", def->name);
if (secdef->norelabel)
return 0;
- for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+ for (i = 0 ; i < def->nhostdevs ; i++) {
if (SELinuxRestoreSecurityHostdevLabel(mgr,
- vm,
- vm->def->hostdevs[i]) < 0)
+ def,
+ def->hostdevs[i]) < 0)
rc = -1;
}
- for (i = 0 ; i < vm->def->ndisks ; i++) {
+ for (i = 0 ; i < def->ndisks ; i++) {
if (SELinuxRestoreSecurityImageLabelInt(mgr,
- vm,
- vm->def->disks[i],
+ def,
+ def->disks[i],
migrated) < 0)
rc = -1;
}
- if (virDomainChrDefForeach(vm->def,
+ if (virDomainChrDefForeach(def,
false,
SELinuxRestoreSecurityChardevCallback,
- vm) < 0)
+ NULL) < 0)
rc = -1;
- if (virDomainSmartcardDefForeach(vm->def,
+ if (virDomainSmartcardDefForeach(def,
false,
SELinuxRestoreSecuritySmartcardCallback,
- vm) < 0)
+ NULL) < 0)
rc = -1;
- if (vm->def->os.kernel &&
- SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
+ if (def->os.kernel &&
+ SELinuxRestoreSecurityFileLabel(def->os.kernel) < 0)
rc = -1;
- if (vm->def->os.initrd &&
- SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
+ if (def->os.initrd &&
+ SELinuxRestoreSecurityFileLabel(def->os.initrd) < 0)
rc = -1;
return rc;
static int
SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
if (secdef->label != NULL) {
static int
SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel)
return 0;
static int
SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *savefile)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->norelabel)
return 0;
static int
SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
/* TODO: verify DOI */
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
- if (vm->def->seclabel.label == NULL)
+ if (def->seclabel.label == NULL)
return 0;
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
static int
SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
/* TODO: verify DOI */
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
context_t execcon = NULL;
context_t proccon = NULL;
security_context_t scon = NULL;
int rc = -1;
- if (vm->def->seclabel.label == NULL)
+ if (def->seclabel.label == NULL)
return 0;
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
}
VIR_DEBUG("Setting VM %s socket context %s",
- vm->def->name, context_str(proccon));
+ def->name, context_str(proccon));
if (setsockcreatecon(context_str(proccon)) == -1) {
virReportSystemError(errno,
_("unable to set socket security context '%s'"),
static int
SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &vm->seclabel;
int rc = -1;
if (secdef->label == NULL)
}
VIR_DEBUG("Setting VM %s socket context %s",
- vm->def->name, secdef->label);
+ vm->name, secdef->label);
if (setsockcreatecon(secdef->label) == -1) {
virReportSystemError(errno,
_("unable to set socket security context '%s'"),
static int
SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr def)
{
/* TODO: verify DOI */
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
- if (vm->def->seclabel.label == NULL)
+ if (def->seclabel.label == NULL)
return 0;
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
static int
-SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxSetSecurityChardevCallback(virDomainDefPtr def,
virDomainChrDefPtr dev,
- void *opaque)
+ void *opaque ATTRIBUTE_UNUSED)
{
- virDomainObjPtr vm = opaque;
-
/* This is taken care of by processing of def->serials */
if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
return 0;
- return SELinuxSetSecurityChardevLabel(vm, &dev->source);
+ return SELinuxSetSecurityChardevLabel(def, &dev->source);
}
static int
-SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
virDomainSmartcardDefPtr dev,
- void *opaque)
+ void *opaque ATTRIBUTE_UNUSED)
{
- virDomainObjPtr vm = opaque;
const char *database;
switch (dev->type) {
return SELinuxSetFilecon(database, default_content_context);
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
- return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru);
+ return SELinuxSetSecurityChardevLabel(def, &dev->data.passthru);
default:
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
static int
SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
const char *stdin_path)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
int i;
if (secdef->norelabel)
return 0;
- for (i = 0 ; i < vm->def->ndisks ; i++) {
+ for (i = 0 ; i < def->ndisks ; i++) {
/* XXX fixme - we need to recursively label the entire tree :-( */
- if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
+ if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
VIR_WARN("Unable to relabel directory tree %s for disk %s",
- vm->def->disks[i]->src, vm->def->disks[i]->dst);
+ def->disks[i]->src, def->disks[i]->dst);
continue;
}
if (SELinuxSetSecurityImageLabel(mgr,
- vm, vm->def->disks[i]) < 0)
+ def, def->disks[i]) < 0)
return -1;
}
- /* XXX fixme process vm->def->fss if relabel == true */
+ /* XXX fixme process def->fss if relabel == true */
- for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+ for (i = 0 ; i < def->nhostdevs ; i++) {
if (SELinuxSetSecurityHostdevLabel(mgr,
- vm,
- vm->def->hostdevs[i]) < 0)
+ def,
+ def->hostdevs[i]) < 0)
return -1;
}
- if (virDomainChrDefForeach(vm->def,
+ if (virDomainChrDefForeach(def,
true,
SELinuxSetSecurityChardevCallback,
- vm) < 0)
+ NULL) < 0)
return -1;
- if (virDomainSmartcardDefForeach(vm->def,
+ if (virDomainSmartcardDefForeach(def,
true,
SELinuxSetSecuritySmartcardCallback,
- vm) < 0)
+ NULL) < 0)
return -1;
- if (vm->def->os.kernel &&
- SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
+ if (def->os.kernel &&
+ SELinuxSetFilecon(def->os.kernel, default_content_context) < 0)
return -1;
- if (vm->def->os.initrd &&
- SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
+ if (def->os.initrd &&
+ SELinuxSetFilecon(def->os.initrd, default_content_context) < 0)
return -1;
if (stdin_path) {
static int
SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
- virDomainObjPtr vm,
+ virDomainDefPtr def,
int fd)
{
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->imagelabel == NULL)
return 0;
static int
virSecurityStackGenLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
static int
virSecurityStackReleaseLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
static int
virSecurityStackReserveLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm,
+ pid_t pid)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
- if (virSecurityManagerReserveLabel(priv->primary, vm) < 0)
+ if (virSecurityManagerReserveLabel(priv->primary, vm, pid) < 0)
rc = -1;
#if 0
/* XXX See note in GenLabel */
- if (virSecurityManagerReserveLabel(priv->secondary, vm) < 0)
+ if (virSecurityManagerReserveLabel(priv->secondary, vm, pid) < 0)
rc = -1;
#endif
static int
virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainDiskDefPtr disk)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
static int
virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainDiskDefPtr disk)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
static int
virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainHostdevDefPtr dev)
{
static int
virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
virDomainHostdevDefPtr dev)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
static int
virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *stdin_path)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
static int
virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
int migrated)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
static int
virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *savefile)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
static int
virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
const char *savefile)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
static int
virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
static int
virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
+ pid_t pid,
virSecurityLabelPtr seclabel)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
#if 0
- if (virSecurityManagerGetProcessLabel(priv->secondary, vm, seclabel) < 0)
+ if (virSecurityManagerGetProcessLabel(priv->secondary, vm, pid, seclabel) < 0)
rc = -1;
#endif
- if (virSecurityManagerGetProcessLabel(priv->primary, vm, seclabel) < 0)
+ if (virSecurityManagerGetProcessLabel(priv->primary, vm, pid, seclabel) < 0)
rc = -1;
return rc;
static int
virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
static int
virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
static int
virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm)
+ virDomainDefPtr vm)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
int rc = 0;
static int
virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
- virDomainObjPtr vm,
+ virDomainDefPtr vm,
int fd)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
projects / thirdparty / libvirt.git / commitdiff
