security: DAC: Introduce callback to perform image chown
authorPeter Krempa <pkrempa@redhat.com>
Thu, 10 Jul 2014 12:17:24 +0000 (14:17 +0200)
committerPeter Krempa <pkrempa@redhat.com>
Thu, 24 Jul 2014 07:58:59 +0000 (09:58 +0200)
To integrate the security driver with the storage driver we need to
pass a callback for a function that will chown storage volumes.

Introduce and document the callback prototype.

src/qemu/qemu_driver.c
src/security/security_dac.c
src/security/security_dac.h
src/security/security_manager.c
src/security/security_manager.h

index ac7a65275ef2c4a878ecb564099f40af5e490d3c..7a9c89749e9889cb0ade27a69da505724d163f7f 100644 (file)
@@ -374,7 +374,8 @@ qemuSecurityInit(virQEMUDriverPtr driver)
                                              cfg->allowDiskFormatProbing,
                                              cfg->securityDefaultConfined,
                                              cfg->securityRequireConfined,
-                                             cfg->dynamicOwnership)))
+                                             cfg->dynamicOwnership,
+                                             NULL)))
             goto error;
         if (!stack) {
             if (!(stack = virSecurityManagerNewStack(mgr)))
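Review bot: The new `NULL` argument on the added line is unexplained, so a reader of qemuSecurityInit cannot tell whether the QEMU driver has no chown callback yet or deliberately opts out of one. Because this is the only caller in the commit and it passes NULL, the DAC driver is implicitly required to accept a missing callback, and that expectation belongs at the call site: `NULL /* chownCallback: no storage-driver hook wired up yet */`, with the wording adjusted to whatever the intended follow-up is. The body of qemuSecurityInit begins and ends outside the hunk.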
index cdb2735badbb238bf0e5adca3146e10a2533ff7a..1fb0c86ea881c8092d7a36105d4ccdbed789ce0e 100644 (file)
@@ -51,6 +51,7 @@ struct _virSecurityDACData {
     int ngroups;
     bool dynamicOwnership;
     char *baselabel;
+    virSecurityManagerDACChownCallback chownCallback;
 };
 
 typedef struct _virSecurityDACCallbackData virSecurityDACCallbackData;
@@ -87,6 +88,14 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
     priv->dynamicOwnership = dynamicOwnership;
 }
 
+void
+virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
+                               virSecurityManagerDACChownCallback chownCallback)
+{
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    priv->chownCallback = chownCallback;
+}
+
 /* returns 1 if label isn't found, 0 on success, -1 on error */
 static int
 ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
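Review bot: The new `chownCallback` member of `_virSecurityDACData` has no comment, and neither the field nor `virSecurityDACSetChownCallback` says the pointer may be NULL, although the only caller in this commit (qemu_driver.c) stores NULL through exactly this path. Every future use of `priv->chownCallback` will need a NULL guard, so state it where the value lives: `virSecurityManagerDACChownCallback chownCallback; /* may be NULL; check before invoking */`. A one-line comment on the setter would also help, for example `/* Install (or, with NULL, clear) the hook used to chown image files */`. The function that starts at the bottom of the second hunk continues outside it.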
index dbcf56fdde5c3a262304d3a33e1909b02d5e9bf0..846cefbb572d1bb8a72d03b71b8274708c6f2830 100644 (file)
@@ -32,4 +32,7 @@ int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
 void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
                                        bool dynamic);
 
+void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
+                                    virSecurityManagerDACChownCallback chownCallback);
+
 #endif /* __VIR_SECURITY_DAC */
index 8a45e0495873ce7d1ef99a0a7e194786c9e0e6bc..8671620bae568fae2702924c8ca154107de9cb3a 100644 (file)
@@ -152,7 +152,8 @@ virSecurityManagerNewDAC(const char *virtDriver,
                          bool allowDiskFormatProbing,
                          bool defaultConfined,
                          bool requireConfined,
-                         bool dynamicOwnership)
+                         bool dynamicOwnership,
+                         virSecurityManagerDACChownCallback chownCallback)
 {
     virSecurityManagerPtr mgr =
         virSecurityManagerNewDriver(&virSecurityDriverDAC,
@@ -170,6 +171,7 @@ virSecurityManagerNewDAC(const char *virtDriver,
     }
 
     virSecurityDACSetDynamicOwnership(mgr, dynamicOwnership);
+    virSecurityDACSetChownCallback(mgr, chownCallback);
 
     return mgr;
 }
index 97b6a2e67fcdd28acd2d5eb54458314b91bb2e2c..156f88291085205cc95c19540a745eca6897ba45 100644 (file)
@@ -25,6 +25,7 @@
 
 # include "domain_conf.h"
 # include "vircommand.h"
+# include "virstoragefile.h"
 
 typedef struct _virSecurityManager virSecurityManager;
 typedef virSecurityManager *virSecurityManagerPtr;
@@ -39,13 +40,29 @@ virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary);
 int virSecurityManagerStackAddNested(virSecurityManagerPtr stack,
                                      virSecurityManagerPtr nested);
 
+/**
+ * virSecurityManagerDACChownCallback:
+ * @src: Storage file to chown
+ * @uid: target uid
+ * @gid: target gid
+ *
+ * A function callback to chown image files described by the disk source struct
+ * @src. The callback shall return 0 on success, -1 on error and errno set (no
+ * libvirt error reported) OR -2 and a libvirt error reported. */
+typedef int
+(*virSecurityManagerDACChownCallback)(virStorageSourcePtr src,
+                                      uid_t uid,
+                                      gid_t gid);
+
+
 virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
                                                uid_t user,
                                                gid_t group,
                                                bool allowDiskFormatProbing,
                                                bool defaultConfined,
                                                bool requireConfined,
-                                               bool dynamicOwnership);
+                                               bool dynamicOwnership,
+                                               virSecurityManagerDACChownCallback chownCallback);
 
 int virSecurityManagerPreFork(virSecurityManagerPtr mgr);
 void virSecurityManagerPostFork(virSecurityManagerPtr mgr);
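Review bot: The documentation block for `virSecurityManagerDACChownCallback` defines two failure conventions (-1 with errno set, -2 with a libvirt error already reported) but does not say how the DAC driver treats each, nor whether a NULL callback is permitted, even though the QEMU driver in this same commit hands NULL to virSecurityManagerNewDAC. Two sentences would close the gap: `A NULL callback is permitted; the DAC driver must not invoke it in that case.` and `On -1 the caller reports the error using errno; on -2 it propagates the failure without reporting again.` (adjust to the intended behaviour). The closing `*/` glued to the last sentence and the two blank lines after the typedef are minor style nits; the gtk-doc layout the comment otherwise follows puts `*/` on its own line.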