<element name='doi'>
<text/>
</element>
+ <zeroOrMore>
+ <element name='baselabel'>
+ <attribute name='type'>
+ <text/>
+ </attribute>
+ <text/>
+ </element>
+ </zeroOrMore>
</interleave>
</element>
</define>
caps->host.nnumaCell = 0;
}
+static void
+virCapabilitiesClearSecModel(virCapsHostSecModelPtr secmodel)
+{
+ size_t i;
+ for (i = 0; i < secmodel->nlabels; i++) {
+ VIR_FREE(secmodel->labels[i].type);
+ VIR_FREE(secmodel->labels[i].label);
+ }
+
+ VIR_FREE(secmodel->labels);
+ VIR_FREE(secmodel->model);
+ VIR_FREE(secmodel->doi);
+}
+
static void
virCapabilitiesDispose(void *object)
{
VIR_FREE(caps->host.migrateTrans);
for (i = 0; i < caps->host.nsecModels; i++) {
- VIR_FREE(caps->host.secModels[i].model);
- VIR_FREE(caps->host.secModels[i].doi);
+ virCapabilitiesClearSecModel(&caps->host.secModels[i]);
}
VIR_FREE(caps->host.secModels);
return NULL;
}
+/**
+ * virCapabilitiesHostSecModelAddBaseLabel
+ * @secmodel: Security model to add a base label for
+ * @type: virtualization type
+ * @label: base label
+ *
+ * Returns non-zero on error.
+ */
+extern int
+virCapabilitiesHostSecModelAddBaseLabel(virCapsHostSecModelPtr secmodel,
+ const char *type,
+ const char *label)
+{
+ char *t = NULL, *l = NULL;
+
+ if (type == NULL || label == NULL)
+ return -1;
+
+ if (VIR_STRDUP(t, type) < 0)
+ goto no_memory;
+
+ if (VIR_STRDUP(l, label) < 0)
+ goto no_memory;
+
+ if (VIR_EXPAND_N(secmodel->labels, secmodel->nlabels, 1) < 0)
+ goto no_memory;
+
+ secmodel->labels[secmodel->nlabels - 1].type = t;
+ secmodel->labels[secmodel->nlabels - 1].label = l;
+
+ return 0;
+
+no_memory:
+ VIR_FREE(l);
+ VIR_FREE(t);
+ return -1;
+}
+
/**
* virCapabilitiesSupportsGuestArch:
* @caps: capabilities to query
caps->host.secModels[i].model);
virBufferAsprintf(&xml, " <doi>%s</doi>\n",
caps->host.secModels[i].doi);
+ for (j = 0; j < caps->host.secModels[i].nlabels; j++) {
+ virBufferAsprintf(&xml, " <baselabel type='%s'>%s</baselabel>\n",
+ caps->host.secModels[i].labels[j].type,
+ caps->host.secModels[i].labels[j].label);
+ }
virBufferAddLit(&xml, " </secmodel>\n");
}
virCapsHostNUMACellCPUPtr cpus;
};
+typedef struct _virCapsHostSecModelLabel virCapsHostSecModelLabel;
+typedef virCapsHostSecModelLabel *virCapsHostSecModelLabelPtr;
+struct _virCapsHostSecModelLabel {
+ char *type;
+ char *label;
+};
+
typedef struct _virCapsHostSecModel virCapsHostSecModel;
typedef virCapsHostSecModel *virCapsHostSecModelPtr;
struct _virCapsHostSecModel {
char *model;
char *doi;
+ size_t nlabels;
+ virCapsHostSecModelLabelPtr labels;
};
typedef struct _virCapsHost virCapsHost;
int defaultOn,
int toggle);
+extern int
+virCapabilitiesHostSecModelAddBaseLabel(virCapsHostSecModelPtr secmodel,
+ const char *type,
+ const char *label);
+
extern int
virCapabilitiesSupportsGuestArch(virCapsPtr caps,
virArch arch);
virCapabilitiesFreeMachines;
virCapabilitiesFreeNUMAInfo;
virCapabilitiesGetCpusForNodemask;
+virCapabilitiesHostSecModelAddBaseLabel;
virCapabilitiesNew;
virCapabilitiesSetHostCPU;
if (driver) {
/* Security driver data */
- const char *doi, *model;
+ const char *doi, *model, *label, *type;
doi = virSecurityManagerGetDOI(driver->securityManager);
model = virSecurityManagerGetModel(driver->securityManager);
+ label = virSecurityManagerGetBaseLabel(driver->securityManager,
+ VIR_DOMAIN_VIRT_LXC);
+ type = virDomainVirtTypeToString(VIR_DOMAIN_VIRT_LXC);
/* Allocate the primary security driver for LXC. */
if (VIR_ALLOC(caps->host.secModels) < 0)
goto error;
goto error;
if (VIR_STRDUP(caps->host.secModels[0].doi, doi) < 0)
goto error;
+ if (label &&
+ virCapabilitiesHostSecModelAddBaseLabel(&caps->host.secModels[0],
+ type,
+ label) < 0)
+ goto error;
VIR_DEBUG("Initialized caps for security driver \"%s\" with "
"DOI \"%s\"", model, doi);
virCapsPtr virQEMUDriverCreateCapabilities(virQEMUDriverPtr driver)
{
- size_t i;
+ size_t i, j;
virCapsPtr caps;
virSecurityManagerPtr *sec_managers = NULL;
/* Security driver data */
- const char *doi, *model;
+ const char *doi, *model, *lbl, *type;
virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+ const int virtTypes[] = {VIR_DOMAIN_VIRT_KVM,
+ VIR_DOMAIN_VIRT_QEMU,};
/* Basic host arch / guest machine capabilities */
if (!(caps = virQEMUCapsInit(driver->qemuCapsCache)))
goto error;
for (i = 0; sec_managers[i]; i++) {
+ virCapsHostSecModelPtr sm = &caps->host.secModels[i];
doi = virSecurityManagerGetDOI(sec_managers[i]);
model = virSecurityManagerGetModel(sec_managers[i]);
- if (VIR_STRDUP(caps->host.secModels[i].model, model) < 0 ||
- VIR_STRDUP(caps->host.secModels[i].doi, doi) < 0)
+ if (VIR_STRDUP(sm->model, model) < 0 ||
+ VIR_STRDUP(sm->doi, doi) < 0)
goto error;
+
+ for (j = 0; j < ARRAY_CARDINALITY(virtTypes); j++) {
+ lbl = virSecurityManagerGetBaseLabel(sec_managers[i], virtTypes[j]);
+ type = virDomainVirtTypeToString(virtTypes[j]);
+ if (lbl &&
+ virCapabilitiesHostSecModelAddBaseLabel(sm, type, lbl) < 0)
+ goto error;
+ }
+
VIR_DEBUG("Initialized caps for security driver \"%s\" with "
"DOI \"%s\"", model, doi);
}
<secmodel>
<model>selinux</model>
<doi>0</doi>
+ <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
+ <baselabel type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel>
</secmodel>
</host>
<secmodel>
<model>dac</model>
<doi>0</doi>
+ <baselabel type='kvm'>107:107</baselabel>
+ <baselabel type='qemu'>107:107</baselabel>
</secmodel>
</host>
projects / libvirt.git / commitdiff