{
struct qemuFileOwner *owner = opaque;
+ VIR_DEBUG("Setting ownership on %s to %d:%d", file, owner->uid, owner->gid);
+
if (chown(file, owner->uid, owner->gid) < 0) {
virReportSystemError(conn, errno, _("cannot set ownership on %s"), file);
return -1;
{
struct qemuFileOwner *owner = opaque;
+ VIR_DEBUG("Setting ownership on %s to %d:%d", file, owner->uid, owner->gid);
+
if (chown(file, owner->uid, owner->gid) < 0) {
virReportSystemError(conn, errno, _("cannot set ownership on %s"), file);
return -1;
if (qemuAddToCgroup(h->driver, h->vm->def) < 0)
return -1;
- if (qemudDomainSetSecurityLabel(h->conn, h->driver, h->vm) < 0) {
- qemudReportError(h->conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
- "%s", _("Failed to set security label"));
+ if (qemudDomainSetSecurityLabel(h->conn, h->driver, h->vm) < 0)
return -1;
- }
if (h->driver->privileged) {
- DEBUG("Dropping privileges of VM to %d:%d", h->driver->user, h->driver->group);
-
if (qemuDomainSetAllDeviceOwnership(h->conn, h->driver, h->vm->def, 0) < 0)
return -1;
+ DEBUG("Dropping privileges of VM to %d:%d", h->driver->user, h->driver->group);
+
if (h->driver->group) {
if (setregid(h->driver->group, h->driver->group) < 0) {
virReportSystemError(NULL, errno,
{
char *ptr = NULL;
int fd = 0;
- char ebuf[1024];
virRandomInitialize(time(NULL) ^ getpid());
fd = open(selinux_virtual_domain_context_path(), O_RDONLY);
if (fd < 0) {
- virSecurityReportError(conn, VIR_ERR_ERROR,
- _("%s: cannot open SELinux virtual domain context file %s: %s"),
- __func__,selinux_virtual_domain_context_path(),
- virStrerror(errno, ebuf, sizeof ebuf));
+ virReportSystemError(conn, errno,
+ _("cannot open SELinux virtual domain context file '%s'"),
+ selinux_virtual_domain_context_path());
return -1;
}
if (saferead(fd, default_domain_context, sizeof(default_domain_context)) < 0) {
- virSecurityReportError(conn, VIR_ERR_ERROR,
- _("%s: cannot read SELinux virtual domain context file %s: %s"),
- __func__,selinux_virtual_domain_context_path(),
- virStrerror(errno, ebuf, sizeof ebuf));
+ virReportSystemError(conn, errno,
+ _("cannot read SELinux virtual domain context file %s"),
+ selinux_virtual_domain_context_path());
close(fd);
return -1;
}
*ptr = '\0';
if ((fd = open(selinux_virtual_image_context_path(), O_RDONLY)) < 0) {
- virSecurityReportError(conn, VIR_ERR_ERROR,
- _("%s: cannot open SELinux virtual image context file %s: %s"),
- __func__,selinux_virtual_image_context_path(),
- virStrerror(errno, ebuf, sizeof ebuf));
+ virReportSystemError(conn, errno,
+ _("cannot open SELinux virtual image context file %s"),
+ selinux_virtual_image_context_path());
return -1;
}
if (saferead(fd, default_image_context, sizeof(default_image_context)) < 0) {
- virSecurityReportError(conn, VIR_ERR_ERROR,
- _("%s: cannot read SELinux virtual image context file %s: %s"),
- __func__,selinux_virtual_image_context_path(),
- virStrerror(errno, ebuf, sizeof ebuf));
+ virReportSystemError(conn, errno,
+ _("cannot read SELinux virtual image context file %s"),
+ selinux_virtual_image_context_path());
close(fd);
return -1;
}
const char *mcs;
if (getpidcon(vm->pid, &pctx) == -1) {
- char ebuf[1024];
- virSecurityReportError(conn, VIR_ERR_ERROR, _("%s: error calling "
- "getpidcon(): %s"), __func__,
- virStrerror(errno, ebuf, sizeof ebuf));
+ virReportSystemError(conn, errno,
+ _("unable to get PID %d security context"), vm->pid);
return -1;
}
security_context_t ctx;
if (getpidcon(vm->pid, &ctx) == -1) {
- char ebuf[1024];
- virSecurityReportError(conn, VIR_ERR_ERROR, _("%s: error calling "
- "getpidcon(): %s"), __func__,
- virStrerror(errno, ebuf, sizeof ebuf));
+ virReportSystemError(conn, errno,
+ _("unable to get PID %d security context"),
+ vm->pid);
return -1;
}
if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) {
virSecurityReportError(conn, VIR_ERR_ERROR,
- _("%s: security label exceeds "
- "maximum lenth: %d"), __func__,
+ _("security label exceeds "
+ "maximum lenth: %d"),
VIR_SECURITY_LABEL_BUFLEN - 1);
return -1;
}
sec->enforcing = security_getenforce();
if (sec->enforcing == -1) {
- char ebuf[1024];
- virSecurityReportError(conn, VIR_ERR_ERROR, _("%s: error calling "
- "security_getenforce(): %s"), __func__,
- virStrerror(errno, ebuf, sizeof ebuf));
+ virReportSystemError(conn, errno, "%s",
+ _("error calling security_getenforce()"));
return -1;
}
static int
SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
{
- char ebuf[1024];
security_context_t econ;
VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
* virt_use_{nfs,usb,pci} boolean tunables to allow it...
*/
if (setfilecon_errno != EOPNOTSUPP) {
- virSecurityReportError(conn, VIR_ERR_ERROR,
- _("%s: unable to set security context "
- "'\%s\' on %s: %s."), __func__,
- tcon,
- path,
- virStrerror(errno, ebuf, sizeof ebuf));
+ virReportSystemError(conn, setfilecon_errno,
+ _("unable to set security context '%s' on '%s'"),
+ tcon, path);
if (security_getenforce() == 1)
return -1;
+ } else {
+ VIR_INFO("Setting security context '%s' on '%s' not supported",
+ tcon, path);
}
}
return 0;
int err;
char *newpath = NULL;
+ VIR_INFO("Restoring SELinux context on '%s'", path);
+
if ((err = virFileResolveLink(path, &newpath)) < 0) {
virReportSystemError(conn, err,
_("cannot resolve symlink %s"), path);
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int i;
int rc = 0;
+
+ VIR_DEBUG("Restoring security label on %s", vm->def->name);
+
if (secdef->imagelabel) {
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
if (SELinuxRestoreSecurityHostdevLabel(conn, vm->def->hostdevs[i]) < 0)
/* TODO: verify DOI */
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int i;
- char ebuf[1024];
if (!STREQ(drv->name, secdef->model)) {
virSecurityReportError(conn, VIR_ERR_ERROR,
- _("%s: security label driver mismatch: "
- "\'%s\' model configured for domain, but "
- "hypervisor driver is \'%s\'."),
- __func__, secdef->model, drv->name);
+ _("security label driver mismatch: "
+ "'%s' model configured for domain, but "
+ "hypervisor driver is '%s'."),
+ secdef->model, drv->name);
if (security_getenforce() == 1)
- return -1;
+ return -1;
}
if (setexeccon(secdef->label) == -1) {
- virSecurityReportError(conn, VIR_ERR_ERROR,
- _("%s: unable to set security context "
- "'\%s\': %s."), __func__, secdef->label,
- virStrerror(errno, ebuf, sizeof ebuf));
+ virReportSystemError(conn, errno,
+ _("unable to set security context '%s'"),
+ secdef->label);
if (security_getenforce() == 1)
- return -1;
+ return -1;
}
if (secdef->imagelabel) {
projects / people / liuw / libxenctrl-split / libvirt.git / commitdiff