}
+static int
+virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
+ virDomainHostdevDefPtr dev,
+ const char *vroot)
+{
+ int ret = -1;
+ virSecurityLabelDefPtr secdef;
+ char *path;
+
+ secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (secdef == NULL)
+ return -1;
+
+ switch (dev->source.caps.type) {
+ case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
+ if (vroot) {
+ if (virAsprintf(&path, "%s/%s", vroot,
+ dev->source.caps.u.storage.block) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+ } else {
+ if (!(path = strdup(dev->source.caps.u.storage.block))) {
+ virReportOOMError();
+ return -1;
+ }
+ }
+ ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
+ VIR_FREE(path);
+ break;
+ }
+
+ case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
+ if (vroot) {
+ if (virAsprintf(&path, "%s/%s", vroot,
+ dev->source.caps.u.misc.chardev) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+ } else {
+ if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
+ virReportOOMError();
+ return -1;
+ }
+ }
+ ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel);
+ VIR_FREE(path);
+ break;
+ }
+
+ default:
+ ret = 0;
+ break;
+ }
+
+ return ret;
+}
+
+
static int
virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def,
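Review bot: In both the STORAGE and MISC cases of virSecuritySELinuxSetSecurityHostdevCapsLabel(), the path passed to virSecuritySELinuxSetFilecon() is the configured device string, joined to vroot with `"%s/%s"` when vroot is set, and nothing in this function normalises it or checks what it resolves to. Since the call applies the domain's `secdef->imagelabel` to that file, a value with `..` components or a symlink in it could put the guest's label on a file other than the intended device; whether the string is validated earlier, or whether SetFilecon follows symlinks, is not visible in this hunk. I would state the assumption above the switch, e.g. `/* block/chardev come from the domain config; they must already be validated as device paths that stay under vroot */`, and preferably reject a path that escapes vroot before labeling. The same path construction is repeated in virSecuritySELinuxRestoreSecurityHostdevCapsLabel() further down. As a style point, the two cases differ only in the source field, so picking the string in the switch and building and labeling the path once after it would halve the code and make the strdup() in the non-vroot branch unnecessary.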
case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot);
+ case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
+ return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot);
+
default:
return 0;
}
}
+static int
+virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virDomainHostdevDefPtr dev,
+ const char *vroot)
+{
+ int ret = -1;
+ char *path;
+
+ switch (dev->source.caps.type) {
+ case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
+ if (vroot) {
+ if (virAsprintf(&path, "%s/%s", vroot,
+ dev->source.caps.u.storage.block) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+ } else {
+ if (!(path = strdup(dev->source.caps.u.storage.block))) {
+ virReportOOMError();
+ return -1;
+ }
+ }
+ ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
+ VIR_FREE(path);
+ break;
+ }
+
+ case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: {
+ if (vroot) {
+ if (virAsprintf(&path, "%s/%s", vroot,
+ dev->source.caps.u.misc.chardev) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+ } else {
+ if (!(path = strdup(dev->source.caps.u.misc.chardev))) {
+ virReportOOMError();
+ return -1;
+ }
+ }
+ ret = virSecuritySELinuxRestoreSecurityFileLabel(path);
+ VIR_FREE(path);
+ break;
+ }
+
+ default:
+ ret = 0;
+ break;
+ }
+
+ return ret;
+}
+
+
static int
virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def,
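Review bot: virSecuritySELinuxRestoreSecurityHostdevCapsLabel() resets the label on the device node unconditionally, with no check that the node is not still in use elsewhere. If the same block or character device can be assigned to more than one domain, tearing down one of them would relabel the node while the other still uses it; whether such sharing is prevented before this call is not visible in the hunk. A short comment stating the assumption would help, for example `/* assumes the caps device is exclusive to this domain; restoring a shared node would relabel it for its other users */`. Also consider `char *path = NULL;` so that a later case which skips the allocation cannot reach VIR_FREE() with an uninitialised pointer.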
case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS:
return virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(dev, vroot);
+ case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES:
+ return virSecuritySELinuxRestoreSecurityHostdevCapsLabel(dev, vroot);
+
default:
return 0;
}