In case the caller specifies that confined guests are required but the
security driver turns out to be 'none', we should return an error since
this driver clearly cannot meet that requirement. As a result of this
error, libvirtd fails to start when the host admin explicitly sets
confined guests are required but there is no security driver available.
Since security driver 'none' cannot create confined guests, we override
default confined setting so that hypervisor drivers do not thing they
should create confined guests.
if (!drv)
return NULL;
+ /* driver "none" needs some special handling of *Confined bools */
+ if (STREQ(drv->name, "none")) {
+ if (requireConfined) {
+ virSecurityReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Security driver \"none\" cannot create confined guests"));
+ return NULL;
+ }
+
+ if (defaultConfined) {
+ if (name != NULL) {
+ VIR_WARN("Configured security driver \"none\" disables default"
+ " policy to create confined guests");
+ } else {
+ VIR_DEBUG("Auto-probed security driver is \"none\";"
+ " confined guests will not be created");
+ }
+ defaultConfined = false;
+ }
+ }
+
return virSecurityManagerNewDriver(drv,
allowDiskFormatProbing,
defaultConfined,
virSecurityManagerPtr mgr;
const char *doi, *model;
- mgr = virSecurityManagerNew(NULL, false, true, true);
+ mgr = virSecurityManagerNew(NULL, false, true, false);
if (mgr == NULL) {
fprintf (stderr, "Failed to start security driver");
exit (-1);
projects / libvirt.git / commitdiff