Remove bogus virSecurityManagerSetProcessFDLabel method
authorDaniel P. Berrange <berrange@redhat.com>
Tue, 30 Aug 2011 16:31:03 +0000 (12:31 -0400)
committerDaniel P. Berrange <berrange@redhat.com>
Wed, 31 Aug 2011 10:07:31 +0000 (11:07 +0100)
The virSecurityManagerSetProcessFDLabel method was introduced
after a misunderstanding from a conversation about SELinux
socket labelling. The virSecurityManagerSetSocketLabel method
should have been used for all such scenarios.

* src/security/security_apparmor.c, src/security/security_apparmor.c,
  src/security/security_driver.h, src/security/security_manager.c,
  src/security/security_manager.h, src/security/security_selinux.c,
  src/security/security_stack.c: Remove SetProcessFDLabel driver

src/security/security_apparmor.c
src/security/security_dac.c
src/security/security_driver.h
src/security/security_manager.c
src/security/security_manager.h
src/security/security_selinux.c
src/security/security_stack.c

index dbd12909f0b79db751f0d27402b9c4e6e1ee1c73..299dcc644b56c57af6910fff1d9ab93b57c1f9f8 100644 (file)
@@ -799,34 +799,6 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
     return reload_profile(mgr, vm, fd_path, true);
 }
 
-static int
-AppArmorSetProcessFDLabel(virSecurityManagerPtr mgr,
-                          virDomainObjPtr vm,
-                          int fd)
-{
-    int rc = -1;
-    char *proc = NULL;
-    char *fd_path = NULL;
-
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
-
-    if (secdef->imagelabel == NULL)
-        return 0;
-
-    if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1) {
-        virReportOOMError();
-        return rc;
-    }
-
-    if (virFileResolveLink(proc, &fd_path) < 0) {
-        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
-                               "%s", _("could not find path for descriptor"));
-        return rc;
-    }
-
-    return reload_profile(mgr, vm, fd_path, true);
-}
-
 virSecurityDriver virAppArmorSecurityDriver = {
     0,
     SECURITY_APPARMOR_NAME,
@@ -863,5 +835,4 @@ virSecurityDriver virAppArmorSecurityDriver = {
     AppArmorRestoreSavedStateLabel,
 
     AppArmorSetImageFDLabel,
-    AppArmorSetProcessFDLabel,
 };
index e5465fc0db05d11ad7ad86eaa2a3c33659d17f49..af02236121805f2eabd4a526c2f0c81bc401980c 100644 (file)
@@ -697,14 +697,6 @@ virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     return 0;
 }
 
-static int
-virSecurityDACSetProcessFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                virDomainObjPtr vm ATTRIBUTE_UNUSED,
-                                int fd ATTRIBUTE_UNUSED)
-{
-    return 0;
-}
-
 
 virSecurityDriver virSecurityDriverDAC = {
     sizeof(virSecurityDACData),
@@ -743,5 +735,4 @@ virSecurityDriver virSecurityDriverDAC = {
     virSecurityDACRestoreSavedStateLabel,
 
     virSecurityDACSetImageFDLabel,
-    virSecurityDACSetProcessFDLabel,
 };
index 94f27f81d7a169981a5df35dcdbe18af729b7886..aea90b024ee2255bf10ff4684ad050990b5b3552 100644 (file)
@@ -84,9 +84,6 @@ typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr,
 typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr,
                                                  virDomainObjPtr vm,
                                                  int fd);
-typedef int (*virSecurityDomainSetProcessFDLabel) (virSecurityManagerPtr mgr,
-                                                   virDomainObjPtr vm,
-                                                   int fd);
 
 struct _virSecurityDriver {
     size_t privateDataLen;
@@ -124,7 +121,6 @@ struct _virSecurityDriver {
     virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;
 
     virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
-    virSecurityDomainSetProcessFDLabel domainSetSecurityProcessFDLabel;
 };
 
 virSecurityDriverPtr virSecurityDriverLookup(const char *name);
index b2fd0d043c495b50cfe342529e4d4c1491155abd..cae9b838c13baa8e993c919f73179624831d8af2 100644 (file)
@@ -346,14 +346,3 @@ int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
     virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
     return -1;
 }
-
-int virSecurityManagerSetProcessFDLabel(virSecurityManagerPtr mgr,
-                                        virDomainObjPtr vm,
-                                        int fd)
-{
-    if (mgr->drv->domainSetSecurityProcessFDLabel)
-        return mgr->drv->domainSetSecurityProcessFDLabel(mgr, vm, fd);
-
-    virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
-    return -1;
-}
index 38342c28148ea43b3a9682674b1d42ac965673fc..12cd49833edace92af7b40977eba94f94c85d652 100644 (file)
@@ -96,8 +96,5 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr,
 int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
                                       virDomainObjPtr vm,
                                       int fd);
-int virSecurityManagerSetProcessFDLabel(virSecurityManagerPtr mgr,
-                                        virDomainObjPtr vm,
-                                        int fd);
 
 #endif /* VIR_SECURITY_MANAGER_H__ */
index cddbed51a162ef246a3049415a869c6968bb1a27..ca54f9be7f49428314fb34b43ed2e8929ffb96e8 100644 (file)
@@ -1321,19 +1321,6 @@ SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     return SELinuxFSetFilecon(fd, secdef->imagelabel);
 }
 
-static int
-SELinuxSetProcessFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                         virDomainObjPtr vm,
-                         int fd)
-{
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
-
-    if (secdef->label == NULL)
-        return 0;
-
-    return SELinuxFSetFilecon(fd, secdef->label);
-}
-
 virSecurityDriver virSecurityDriverSELinux = {
     0,
     SECURITY_SELINUX_NAME,
@@ -1370,5 +1357,4 @@ virSecurityDriver virSecurityDriverSELinux = {
     SELinuxRestoreSavedStateLabel,
 
     SELinuxSetImageFDLabel,
-    SELinuxSetProcessFDLabel,
 };
index f263f5bcef2f86560ac36c2c445a6a1d108cbee6..3f601c140fdd11cf188ee9f2a82ea00cfbcb0d18 100644 (file)
@@ -402,23 +402,6 @@ virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
 }
 
 
-static int
-virSecurityStackSetProcessFDLabel(virSecurityManagerPtr mgr,
-                                  virDomainObjPtr vm,
-                                  int fd)
-{
-    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
-    int rc = 0;
-
-    if (virSecurityManagerSetProcessFDLabel(priv->secondary, vm, fd) < 0)
-        rc = -1;
-    if (virSecurityManagerSetProcessFDLabel(priv->primary, vm, fd) < 0)
-        rc = -1;
-
-    return rc;
-}
-
-
 virSecurityDriver virSecurityDriverStack = {
     sizeof(virSecurityStackData),
     "stack",
@@ -455,5 +438,4 @@ virSecurityDriver virSecurityDriverStack = {
     virSecurityStackRestoreSavedStateLabel,
 
     virSecurityStackSetImageFDLabel,
-    virSecurityStackSetProcessFDLabel,
 };