security: add MANAGER_MOUNT_NAMESPACE flag

author Cole Robinson <crobinso@redhat.com>

Sun, 27 Aug 2017 15:23:47 +0000 (11:23 -0400)

committer Cole Robinson <crobinso@redhat.com>

Tue, 12 Sep 2017 16:27:42 +0000 (12:27 -0400)
author Cole Robinson <crobinso@redhat.com>
Sun, 27 Aug 2017 15:23:47 +0000 (11:23 -0400)
committer Cole Robinson <crobinso@redhat.com>
Tue, 12 Sep 2017 16:27:42 +0000 (12:27 -0400)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c

index 70f62294864443307709613171fb5dcb987bf7d7..e95683965a536fb9d2c82727c48d6883546522ba 100644 (file)
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -419,6 +419,8 @@ qemuSecurityInit(virQEMUDriverPtr driver)
      if (virQEMUDriverIsPrivileged(driver)) {
          if (cfg->dynamicOwnership)
              flags |= VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP;
+        if (virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT))
+            flags |= VIR_SECURITY_MANAGER_MOUNT_NAMESPACE;
          if (!(mgr = qemuSecurityNewDAC(QEMU_DRIVER_NAME,
                                         cfg->user,
                                         cfg->group,
diff --git a/src/security/security_dac.c b/src/security/security_dac.c

index ca7a6af6d46645852cf39ca3b2e5413f45114142..507be44a262a608b6818faa1fb9f8dd0382e2ef9 100644 (file)
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -57,6 +57,7 @@ struct _virSecurityDACData {
      gid_t *groups;
      int ngroups;
      bool dynamicOwnership;
+    bool mountNamespace;
      char *baselabel;
      virSecurityManagerDACChownCallback chownCallback;
  };
@@ -237,6 +238,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
      priv->dynamicOwnership = dynamicOwnership;
  }
  
+void
+virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
+                                bool mountNamespace)
+{
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    priv->mountNamespace = mountNamespace;
+}
+
+
  void
  virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
                                 virSecurityManagerDACChownCallback chownCallback)
diff --git a/src/security/security_dac.h b/src/security/security_dac.h

index 846cefbb572d1bb8a72d03b71b8274708c6f2830..97681c96105d83f1ae01c10d2e13230afea1154e 100644 (file)
--- a/src/security/security_dac.h
+++ b/src/security/security_dac.h
@@ -32,6 +32,9 @@ int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
  void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
                                         bool dynamic);
  
+void virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
+                                     bool mountNamespace);
+
  void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
                                      virSecurityManagerDACChownCallback chownCallback);
  
diff --git a/src/security/security_manager.c b/src/security/security_manager.c

index 95b9952308fc46bafde54c1c137b35a56f921c12..e43c99d4f1786901048169433c3770636316572d 100644 (file)
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -146,7 +146,8 @@ virSecurityManagerNewDAC(const char *virtDriver,
      virSecurityManagerPtr mgr;
  
      virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK |
-                  VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP, NULL);
+                  VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP |
+                  VIR_SECURITY_MANAGER_MOUNT_NAMESPACE, NULL);
  
      mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC,
                                        virtDriver,
@@ -161,6 +162,7 @@ virSecurityManagerNewDAC(const char *virtDriver,
      }
  
      virSecurityDACSetDynamicOwnership(mgr, flags & VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP);
+    virSecurityDACSetMountNamespace(mgr, flags & VIR_SECURITY_MANAGER_MOUNT_NAMESPACE);
      virSecurityDACSetChownCallback(mgr, chownCallback);
  
      return mgr;
diff --git a/src/security/security_manager.h b/src/security/security_manager.h

index 01296d339efe9fdee49d24ef54c187cc8bea7e6e..08fb89203ac960524ad356992651662495017447 100644 (file)
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -36,6 +36,7 @@ typedef enum {
      VIR_SECURITY_MANAGER_REQUIRE_CONFINED   = 1 << 2,
      VIR_SECURITY_MANAGER_PRIVILEGED         = 1 << 3,
      VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP  = 1 << 4,
+    VIR_SECURITY_MANAGER_MOUNT_NAMESPACE    = 1 << 5,
  } virSecurityManagerNewFlags;
  
  # define VIR_SECURITY_MANAGER_NEW_MASK  \
author	Cole Robinson <crobinso@redhat.com>
	Sun, 27 Aug 2017 15:23:47 +0000 (11:23 -0400)
committer	Cole Robinson <crobinso@redhat.com>
	Tue, 12 Sep 2017 16:27:42 +0000 (12:27 -0400)
src/qemu/qemu_driver.c		patch \| blob \| blame \| history
src/security/security_dac.c		patch \| blob \| blame \| history
src/security/security_dac.h		patch \| blob \| blame \| history
src/security/security_manager.c		patch \| blob \| blame \| history
src/security/security_manager.h		patch \| blob \| blame \| history