From: Daniel P. Berrange Date: Fri, 24 Jun 2011 13:50:36 +0000 (+0100) Subject: Add a virSecurityManagerSetProcessFDLabel X-Git-Tag: v0.9.3-rc2~38 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8e3c6fbbe610ddc6401734cc3230b48785f25df0;p=thirdparty%2Flibvirt.git Add a virSecurityManagerSetProcessFDLabel Add a new security driver method for labelling an FD with the process label, rather than the image label * src/libvirt_private.syms, src/security/security_apparmor.c, src/security/security_dac.c, src/security/security_driver.h, src/security/security_manager.c, src/security/security_manager.h, src/security/security_selinux.c, src/security/security_stack.c: Add virSecurityManagerSetProcessFDLabel & impl
---
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 81fc7769b6..626ac6ccf8 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -851,6 +851,7 @@ virSecurityManagerSetAllLabel;
 virSecurityManagerSetImageFDLabel;
 virSecurityManagerSetImageLabel;
 virSecurityManagerSetHostdevLabel;
+virSecurityManagerSetProcessFDLabel;
 virSecurityManagerSetProcessLabel;
 virSecurityManagerSetSavedStateLabel;
 virSecurityManagerSetSocketLabel;
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 02ed864dff..6795184c4c 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -786,6 +786,34 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
 return reload_profile(mgr, vm, fd_path, true);
 }
+static int
+AppArmorSetProcessFDLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm,
+ int fd)
+{
+ int rc = -1;
+ char *proc = NULL;
+ char *fd_path = NULL;
+
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+
+ if (secdef->imagelabel == NULL)
+ return 0;
+
+ if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1) {
+ virReportOOMError();
+ return rc;
+ }
+
+ if (virFileResolveLink(proc, &fd_path) < 0) {
+ virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+ "%s", _("could not find path for descriptor"));
+ return rc;
+ }
+
+ return reload_profile(mgr, vm, fd_path, true);
+}
+
 virSecurityDriver virAppArmorSecurityDriver = {
 0,
 SECURITY_APPARMOR_NAME,
@@ -821,4 +849,5 @@ virSecurityDriver virAppArmorSecurityDriver = {
 AppArmorRestoreSavedStateLabel,
 AppArmorSetImageFDLabel,
+ AppArmorSetProcessFDLabel,
 };
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 49bba5cbed..58d57ec212 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -689,6 +689,14 @@ virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 return 0;
 }
+static int
+virSecurityDACSetProcessFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ int fd ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
 virSecurityDriver virSecurityDriverDAC = {
 sizeof(virSecurityDACData),
@@ -726,4 +734,5 @@ virSecurityDriver virSecurityDriverDAC = {
 virSecurityDACRestoreSavedStateLabel,
 virSecurityDACSetImageFDLabel,
+ virSecurityDACSetProcessFDLabel,
 };
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 6c6db3e423..154f197a46 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
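Review bot: AppArmorSetProcessFDLabel never frees `proc` or `fd_path`: both are heap strings filled in by virAsprintf and virFileResolveLink, and every return after the first allocation, including the success path through reload_profile, drops them. Route the exits through a cleanup label that frees both, assuming reload_profile does not take ownership of `fd_path` (its body is not in the hunk). Separately, the early return tests `secdef->imagelabel` although this is the process-label variant and the SELinux implementation in this commit tests `secdef->label`; if that is deliberate for AppArmor, a one-line comment saying so would stop a later well-meant "fix". The profile is also reloaded with whatever /proc/self/fd resolves to, so it is worth confirming that callers only pass descriptors backed by a filesystem path, since a pipe or socket would hand reload_profile a string that is not a path.

```c
    /* … unchanged: declarations and the imagelabel == NULL early return … */
    if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1) {
        virReportOOMError();
        goto cleanup;
    }

    if (virFileResolveLink(proc, &fd_path) < 0) {
        /* … unchanged: virSecurityReportError call … */
        goto cleanup;
    }

    rc = reload_profile(mgr, vm, fd_path, true);

cleanup:
    VIR_FREE(proc);
    VIR_FREE(fd_path);
    return rc;
```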
@@ -82,6 +82,9 @@ typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr,
 typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr,
 virDomainObjPtr vm,
 int fd);
+typedef int (*virSecurityDomainSetProcessFDLabel) (virSecurityManagerPtr mgr,
+ virDomainObjPtr vm,
+ int fd);
 struct _virSecurityDriver {
 size_t privateDataLen;
@@ -118,6 +121,7 @@ struct _virSecurityDriver {
 virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;
 virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
+ virSecurityDomainSetProcessFDLabel domainSetSecurityProcessFDLabel;
 };
 virSecurityDriverPtr virSecurityDriverLookup(const char *name);
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 04159f4b19..6ae58dc816 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -336,3 +336,14 @@ int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
 virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
 return -1;
 }
+
+int virSecurityManagerSetProcessFDLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm,
+ int fd)
+{
+ if (mgr->drv->domainSetSecurityProcessFDLabel)
+ return mgr->drv->domainSetSecurityProcessFDLabel(mgr, vm, fd);
+
+ virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+ return -1;
+}
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 581957c296..8c3b8b2e5f 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -94,5 +94,8 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr,
 int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
 virDomainObjPtr vm,
 int fd);
+int virSecurityManagerSetProcessFDLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm,
+ int fd);
 #endif /* VIR_SECURITY_MANAGER_H__ */
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index dc92ce6782..a022daa778 100644
--- a/src/security/security_selinux.c
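Review bot: virSecurityManagerSetProcessFDLabel returns -1 with VIR_ERR_NO_SUPPORT whenever a driver's `domainSetSecurityProcessFDLabel` slot is NULL, and the driver tables in this commit are positional initializers, so any virSecurityDriver definition that was not updated gets a NULL slot without a compiler diagnostic and turns a labelling call into a hard failure. Confirm that every driver table in the tree gained the new entry (the DAC driver shows the intended no-op pattern, returning 0), or move the tables to designated initializers such as `.domainSetSecurityProcessFDLabel = virSecurityDACSetProcessFDLabel,` so a missed slot is visible in review. The new entry point also carries no comment; `/* Label fd with the domain's process label rather than its image label. */` on the declaration in the manager header would tell callers which of the two FD-label calls to use.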
+++ b/src/security/security_selinux.c
@@ -1221,6 +1221,19 @@ SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 return SELinuxFSetFilecon(fd, secdef->imagelabel);
 }
+static int
+SELinuxSetProcessFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm,
+ int fd)
+{
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+
+ if (secdef->label == NULL)
+ return 0;
+
+ return SELinuxFSetFilecon(fd, secdef->label);
+}
+
 virSecurityDriver virSecurityDriverSELinux = {
 0,
 SECURITY_SELINUX_NAME,
@@ -1256,4 +1269,5 @@ virSecurityDriver virSecurityDriverSELinux = {
 SELinuxRestoreSavedStateLabel,
 SELinuxSetImageFDLabel,
+ SELinuxSetProcessFDLabel,
 };
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index bec1626498..b63e4c8a3b 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -386,6 +386,23 @@ virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
 }
+static int
+virSecurityStackSetProcessFDLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm,
+ int fd)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ int rc = 0;
+
+ if (virSecurityManagerSetProcessFDLabel(priv->secondary, vm, fd) < 0)
+ rc = -1;
+ if (virSecurityManagerSetProcessFDLabel(priv->primary, vm, fd) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
 virSecurityDriver virSecurityDriverStack = {
 sizeof(virSecurityStackData),
 "stack",
@@ -421,4 +438,5 @@ virSecurityDriver virSecurityDriverStack = {
 virSecurityStackRestoreSavedStateLabel,
 virSecurityStackSetImageFDLabel,
+ virSecurityStackSetProcessFDLabel,
 };
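Review bot: SELinuxSetProcessFDLabel applies `secdef->label`, the domain's process context, to a descriptor through SELinuxFSetFilecon, and nothing in the hunk says which descriptors are meant to carry the process label instead of `imagelabel`. Choosing the wrong one of the two FD-label methods can change what the confined guest process is allowed to access, so a header comment should state the intended use, for example `/* Relabel fd with the domain's process label; disk-image descriptors go through SELinuxSetImageFDLabel. */`. The same comment should mention that the function returns 0 without labelling anything when `secdef->label` is NULL, so callers do not read success as "relabelled".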
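Review bot: virSecurityStackSetProcessFDLabel keeps going after the secondary driver fails, so the primary driver still relabels the descriptor and the caller receives -1 with the descriptor labelled by one driver only; presumably only the last reported error survives as well. If this best-effort behaviour is intended (it may mirror the sibling Set* methods, whose bodies are outside the hunk), record it in a comment such as `/* Apply both drivers even if one fails; report failure if either did. */`, otherwise return as soon as the secondary call fails. The secondary-before-primary order deserves a word in the same comment.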