ctrl->handshakeFd = handshakeFd;
if (!(ctrl->securityManager = virSecurityManagerNew(securityDriver,
- LXC_DRIVER_NAME,
- false, false, false, false)))
+ LXC_DRIVER_NAME, 0)))
goto cleanup;
if (ctrl->def->seclabels) {
static virSecurityManagerPtr
lxcSecurityInit(virLXCDriverConfigPtr cfg)
{
+ unsigned int flags = VIR_SECURITY_MANAGER_PRIVILEGED;
+
VIR_INFO("lxcSecurityInit %s", cfg->securityDriverName);
+
+ if (cfg->securityDefaultConfined)
+ flags |= VIR_SECURITY_MANAGER_DEFAULT_CONFINED;
+ if (cfg->securityRequireConfined)
+ flags |= VIR_SECURITY_MANAGER_REQUIRE_CONFINED;
+
virSecurityManagerPtr mgr = virSecurityManagerNew(cfg->securityDriverName,
- LXC_DRIVER_NAME,
- false,
- cfg->securityDefaultConfined,
- cfg->securityRequireConfined,
- true);
+ LXC_DRIVER_NAME, flags);
if (!mgr)
goto error;
virSecurityManagerPtr mgr = NULL;
virSecurityManagerPtr stack = NULL;
virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+ unsigned int flags = 0;
+
+ if (cfg->allowDiskFormatProbing)
+ flags |= VIR_SECURITY_MANAGER_ALLOW_DISK_PROBE;
+ if (cfg->securityDefaultConfined)
+ flags |= VIR_SECURITY_MANAGER_DEFAULT_CONFINED;
+ if (cfg->securityRequireConfined)
+ flags |= VIR_SECURITY_MANAGER_REQUIRE_CONFINED;
+ if (virQEMUDriverIsPrivileged(driver))
+ flags |= VIR_SECURITY_MANAGER_PRIVILEGED;
if (cfg->securityDriverNames &&
cfg->securityDriverNames[0]) {
while (names && *names) {
if (!(mgr = virSecurityManagerNew(*names,
QEMU_DRIVER_NAME,
- cfg->allowDiskFormatProbing,
- cfg->securityDefaultConfined,
- cfg->securityRequireConfined,
- virQEMUDriverIsPrivileged(driver))))
+ flags)))
goto error;
if (!stack) {
if (!(stack = virSecurityManagerNewStack(mgr)))
} else {
if (!(mgr = virSecurityManagerNew(NULL,
QEMU_DRIVER_NAME,
- cfg->allowDiskFormatProbing,
- cfg->securityDefaultConfined,
- cfg->securityRequireConfined,
- virQEMUDriverIsPrivileged(driver))))
+ flags)))
goto error;
if (!(stack = virSecurityManagerNewStack(mgr)))
goto error;
}
if (virQEMUDriverIsPrivileged(driver)) {
+ if (cfg->dynamicOwnership)
+ flags |= VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP;
if (!(mgr = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
cfg->user,
cfg->group,
- cfg->allowDiskFormatProbing,
- cfg->securityDefaultConfined,
- cfg->securityRequireConfined,
- cfg->dynamicOwnership,
- virQEMUDriverIsPrivileged(driver),
+ flags,
qemuSecurityChownCallback)))
goto error;
if (!stack) {
virObjectLockable parent;
virSecurityDriverPtr drv;
- bool allowDiskFormatProbing;
- bool defaultConfined;
- bool requireConfined;
- bool privileged;
+ unsigned int flags;
const char *virtDriver;
void *privateData;
};
static virSecurityManagerPtr
virSecurityManagerNewDriver(virSecurityDriverPtr drv,
const char *virtDriver,
- bool allowDiskFormatProbing,
- bool defaultConfined,
- bool requireConfined,
- bool privileged)
+ unsigned int flags)
{
virSecurityManagerPtr mgr;
char *privateData;
if (virSecurityManagerInitialize() < 0)
return NULL;
- VIR_DEBUG("drv=%p (%s) virtDriver=%s allowDiskFormatProbing=%d "
- "defaultConfined=%d requireConfined=%d privileged=%d",
- drv, drv->name, virtDriver,
- allowDiskFormatProbing, defaultConfined,
- requireConfined, privileged);
+ VIR_DEBUG("drv=%p (%s) virtDriver=%s flags=%x",
+ drv, drv->name, virtDriver, flags);
+
+ virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK, NULL);
if (VIR_ALLOC_N(privateData, drv->privateDataLen) < 0)
return NULL;
}
mgr->drv = drv;
- mgr->allowDiskFormatProbing = allowDiskFormatProbing;
- mgr->defaultConfined = defaultConfined;
- mgr->requireConfined = requireConfined;
- mgr->privileged = privileged;
+ mgr->flags = flags;
mgr->virtDriver = virtDriver;
mgr->privateData = privateData;
virSecurityManagerPtr mgr =
virSecurityManagerNewDriver(&virSecurityDriverStack,
virSecurityManagerGetDriver(primary),
- virSecurityManagerGetAllowDiskFormatProbing(primary),
- virSecurityManagerGetDefaultConfined(primary),
- virSecurityManagerGetRequireConfined(primary),
- virSecurityManagerGetPrivileged(primary));
+ primary->flags);
if (!mgr)
return NULL;
virSecurityManagerNewDAC(const char *virtDriver,
uid_t user,
gid_t group,
- bool allowDiskFormatProbing,
- bool defaultConfined,
- bool requireConfined,
- bool dynamicOwnership,
- bool privileged,
+ unsigned int flags,
virSecurityManagerDACChownCallback chownCallback)
{
- virSecurityManagerPtr mgr =
- virSecurityManagerNewDriver(&virSecurityDriverDAC,
- virtDriver,
- allowDiskFormatProbing,
- defaultConfined,
- requireConfined,
- privileged);
+ virSecurityManagerPtr mgr;
+
+ virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK |
+ VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP, NULL);
+
+ mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC,
+ virtDriver,
+ flags & VIR_SECURITY_MANAGER_NEW_MASK);
if (!mgr)
return NULL;
return NULL;
}
- virSecurityDACSetDynamicOwnership(mgr, dynamicOwnership);
+ virSecurityDACSetDynamicOwnership(mgr, flags & VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP);
virSecurityDACSetChownCallback(mgr, chownCallback);
return mgr;
virSecurityManagerPtr
virSecurityManagerNew(const char *name,
const char *virtDriver,
- bool allowDiskFormatProbing,
- bool defaultConfined,
- bool requireConfined,
- bool privileged)
+ unsigned int flags)
{
virSecurityDriverPtr drv = virSecurityDriverLookup(name, virtDriver);
if (!drv)
/* driver "none" needs some special handling of *Confined bools */
if (STREQ(drv->name, "none")) {
- if (requireConfined) {
+ if (flags & VIR_SECURITY_MANAGER_REQUIRE_CONFINED) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("Security driver \"none\" cannot create confined guests"));
return NULL;
}
- if (defaultConfined) {
+ if (flags & VIR_SECURITY_MANAGER_DEFAULT_CONFINED) {
if (name != NULL) {
VIR_WARN("Configured security driver \"none\" disables default"
" policy to create confined guests");
VIR_DEBUG("Auto-probed security driver is \"none\";"
" confined guests will not be created");
}
- defaultConfined = false;
+ flags &= ~VIR_SECURITY_MANAGER_DEFAULT_CONFINED;
}
}
return virSecurityManagerNewDriver(drv,
virtDriver,
- allowDiskFormatProbing,
- defaultConfined,
- requireConfined,
- privileged);
+ flags);
}
bool
virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr)
{
- return mgr->allowDiskFormatProbing;
+ return mgr->flags & VIR_SECURITY_MANAGER_ALLOW_DISK_PROBE;
}
bool
virSecurityManagerGetDefaultConfined(virSecurityManagerPtr mgr)
{
- return mgr->defaultConfined;
+ return mgr->flags & VIR_SECURITY_MANAGER_DEFAULT_CONFINED;
}
bool
virSecurityManagerGetRequireConfined(virSecurityManagerPtr mgr)
{
- return mgr->requireConfined;
+ return mgr->flags & VIR_SECURITY_MANAGER_REQUIRE_CONFINED;
}
bool
virSecurityManagerGetPrivileged(virSecurityManagerPtr mgr)
{
- return mgr->privileged;
+ return mgr->flags & VIR_SECURITY_MANAGER_PRIVILEGED;
}
}
if (seclabel->type == VIR_DOMAIN_SECLABEL_DEFAULT) {
- if (sec_managers[i]->defaultConfined) {
+ if (virSecurityManagerGetDefaultConfined(sec_managers[i])) {
seclabel->type = VIR_DOMAIN_SECLABEL_DYNAMIC;
} else {
seclabel->type = VIR_DOMAIN_SECLABEL_NONE;
}
if (seclabel->type == VIR_DOMAIN_SECLABEL_NONE) {
- if (sec_managers[i]->requireConfined) {
+ if (virSecurityManagerGetRequireConfined(sec_managers[i])) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("Unconfined guests are not allowed on this host"));
goto cleanup;
typedef struct _virSecurityManager virSecurityManager;
typedef virSecurityManager *virSecurityManagerPtr;
+typedef enum {
+ VIR_SECURITY_MANAGER_ALLOW_DISK_PROBE = 1 << 0,
+ VIR_SECURITY_MANAGER_DEFAULT_CONFINED = 1 << 1,
+ VIR_SECURITY_MANAGER_REQUIRE_CONFINED = 1 << 2,
+ VIR_SECURITY_MANAGER_PRIVILEGED = 1 << 3,
+ VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP = 1 << 4,
+} virSecurityManagerNewFlags;
+
+# define VIR_SECURITY_MANAGER_NEW_MASK \
+ (VIR_SECURITY_MANAGER_ALLOW_DISK_PROBE | \
+ VIR_SECURITY_MANAGER_DEFAULT_CONFINED | \
+ VIR_SECURITY_MANAGER_REQUIRE_CONFINED | \
+ VIR_SECURITY_MANAGER_PRIVILEGED)
+
virSecurityManagerPtr virSecurityManagerNew(const char *name,
const char *virtDriver,
- bool allowDiskFormatProbing,
- bool defaultConfined,
- bool requireConfined,
- bool privileged);
+ unsigned int flags);
virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary);
int virSecurityManagerStackAddNested(virSecurityManagerPtr stack,
virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
uid_t user,
gid_t group,
- bool allowDiskFormatProbing,
- bool defaultConfined,
- bool requireConfined,
- bool dynamicOwnership,
- bool privileged,
+ unsigned int flags,
virSecurityManagerDACChownCallback chownCallback);
int virSecurityManagerPreFork(virSecurityManagerPtr mgr);
if (!driver.lockManager)
return EXIT_FAILURE;
- if (!(mgr = virSecurityManagerNew("none", "qemu", false, false, false, true)))
+ if (!(mgr = virSecurityManagerNew("none", "qemu",
+ VIR_SECURITY_MANAGER_PRIVILEGED)))
return EXIT_FAILURE;
if (!(driver.securityManager = virSecurityManagerNewStack(mgr)))
return EXIT_FAILURE;
if (virThreadInitialize() < 0)
return EXIT_FAILURE;
- mgr = virSecurityManagerNew(NULL, "QEMU", false, true, false, false);
+ mgr = virSecurityManagerNew(NULL, "QEMU", VIR_SECURITY_MANAGER_DEFAULT_CONFINED);
if (mgr == NULL) {
fprintf(stderr, "Failed to start security driver");
return EXIT_FAILURE;
if (!rc)
return EXIT_AM_SKIP;
- if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false, true))) {
+ if (!(mgr = virSecurityManagerNew("selinux", "QEMU",
+ VIR_SECURITY_MANAGER_DEFAULT_CONFINED |
+ VIR_SECURITY_MANAGER_PRIVILEGED))) {
virErrorPtr err = virGetLastError();
VIR_TEST_VERBOSE("Unable to initialize security driver: %s\n",
err->message);
int ret = 0;
virSecurityManagerPtr mgr;
- if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false, true))) {
+ if (!(mgr = virSecurityManagerNew("selinux", "QEMU",
+ VIR_SECURITY_MANAGER_DEFAULT_CONFINED |
+ VIR_SECURITY_MANAGER_PRIVILEGED))) {
virErrorPtr err = virGetLastError();
fprintf(stderr, "Unable to initialize security driver: %s\n",
err->message);
projects / libvirt.git / commitdiff