qemuSecurityInit(struct qemud_driver *driver)
{
char **names;
- char *primary = NULL;
virSecurityManagerPtr mgr = NULL;
- virSecurityManagerPtr nested = NULL;
virSecurityManagerPtr stack = NULL;
bool hasDAC = false;
- /* set the name of the primary security driver */
- if (driver->securityDriverNames)
- primary = driver->securityDriverNames[0];
-
- /* add primary security driver */
- if ((primary == NULL && driver->privileged) ||
- STREQ_NULLABLE(primary, "dac")) {
- if (!driver->privileged) {
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("DAC security driver usable only when "
- "running privileged (as root)"));
- goto error;
- }
-
- mgr = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
- driver->user,
- driver->group,
- driver->allowDiskFormatProbing,
- driver->securityDefaultConfined,
- driver->securityRequireConfined,
- driver->dynamicOwnership);
- hasDAC = true;
- } else {
- mgr = virSecurityManagerNew(primary,
- QEMU_DRIVER_NAME,
- driver->allowDiskFormatProbing,
- driver->securityDefaultConfined,
- driver->securityRequireConfined);
- }
-
- if (!mgr)
- goto error;
-
- /* We need a stack to group the security drivers if:
- * - additional drivers are provived in configuration
- * - the primary driver isn't DAC and we are running privileged
- */
- if ((driver->privileged && !hasDAC) ||
- (driver->securityDriverNames && driver->securityDriverNames[1])) {
- if (!(stack = virSecurityManagerNewStack(mgr)))
- goto error;
- mgr = stack;
- }
-
- /* Loop through additional driver names and add them as nested */
if (driver->securityDriverNames) {
- names = driver->securityDriverNames + 1;
+ names = driver->securityDriverNames;
while (names && *names) {
- if (STREQ("dac", *names)) {
- /* A DAC driver has specific parameters */
- if (!driver->privileged) {
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("DAC security driver usable only when "
- "running privileged (as root)"));
- goto error;
- }
-
- nested = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
- driver->user,
- driver->group,
- driver->allowDiskFormatProbing,
- driver->securityDefaultConfined,
- driver->securityRequireConfined,
- driver->dynamicOwnership);
+ if (STREQ("dac", *names))
hasDAC = true;
- } else {
- nested = virSecurityManagerNew(*names,
- QEMU_DRIVER_NAME,
- driver->allowDiskFormatProbing,
- driver->securityDefaultConfined,
- driver->securityRequireConfined);
- }
-
- if (!nested)
- goto error;
- if (virSecurityManagerStackAddNested(stack, nested))
+ if (!(mgr = virSecurityManagerNew(*names,
+ QEMU_DRIVER_NAME,
+ driver->allowDiskFormatProbing,
+ driver->securityDefaultConfined,
+ driver->securityRequireConfined)))
goto error;
-
- nested = NULL;
+ if (!stack) {
+ if (!(stack = virSecurityManagerNewStack(mgr)))
+ goto error;
+ } else {
+ if (virSecurityManagerStackAddNested(stack, mgr) < 0)
+ goto error;
+ }
+ mgr = NULL;
names++;
}
- }
-
- if (driver->privileged && !hasDAC) {
- if (!(nested = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
- driver->user,
- driver->group,
- driver->allowDiskFormatProbing,
- driver->securityDefaultConfined,
- driver->securityRequireConfined,
- driver->dynamicOwnership)))
+ } else {
+ if (!(mgr = virSecurityManagerNew(NULL,
+ QEMU_DRIVER_NAME,
+ driver->allowDiskFormatProbing,
+ driver->securityDefaultConfined,
+ driver->securityRequireConfined)))
goto error;
-
- if (virSecurityManagerStackAddNested(stack, nested))
+ if (!(stack = virSecurityManagerNewStack(mgr)))
goto error;
+ mgr = NULL;
+ }
- nested = NULL;
+ if (!hasDAC && driver->privileged) {
+ if (!(mgr = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
+ driver->user,
+ driver->group,
+ driver->allowDiskFormatProbing,
+ driver->securityDefaultConfined,
+ driver->securityRequireConfined,
+ driver->dynamicOwnership)))
+ goto error;
+ if (!stack) {
+ if (!(stack = virSecurityManagerNewStack(mgr)))
+ goto error;
+ } else {
+ if (virSecurityManagerStackAddNested(stack, mgr) < 0)
+ goto error;
+ }
+ mgr = NULL;
}
- driver->securityManager = mgr;
+ driver->securityManager = stack;
return 0;
error:
VIR_ERROR(_("Failed to initialize security drivers"));
+ virSecurityManagerFree(stack);
virSecurityManagerFree(mgr);
- virSecurityManagerFree(nested);
return -1;
}
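Review bot: In the new loop over `driver->securityDriverNames`, an explicitly configured "dac" entry is built with the generic `virSecurityManagerNew(*names, ...)`, so it no longer receives `driver->user`, `driver->group` and `driver->dynamicOwnership`, and the removed "usable only when running privileged" check is gone. Unless `virSecurityManagerNew` special-cases "dac" (not visible here), a host that lists dac gets a DAC driver without the configured ownership settings, while a host that omits it gets the fully parameterised one from the `!hasDAC && driver->privileged` branch. I would keep a "dac" branch inside the loop that calls `virSecurityManagerNewDAC` after the privilege check, as below. Separately, a non-NULL but empty `securityDriverNames` on an unprivileged daemon leaves `stack` NULL, and the function still returns 0 with `driver->securityManager = NULL`. Also testing `driver->securityDriverNames[0]` in the outer `if` would send that case to the default branch.

```c
while (names && *names) {
    if (STREQ("dac", *names)) {
        /* DAC takes the configured user/group and only works as root */
        if (!driver->privileged) {
            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
                           _("DAC security driver usable only when "
                             "running privileged (as root)"));
            goto error;
        }
        if (!(mgr = virSecurityManagerNewDAC(QEMU_DRIVER_NAME,
                                             driver->user,
                                             driver->group,
                                             driver->allowDiskFormatProbing,
                                             driver->securityDefaultConfined,
                                             driver->securityRequireConfined,
                                             driver->dynamicOwnership)))
            goto error;
        hasDAC = true;
    } else {
        if (!(mgr = virSecurityManagerNew(*names,
                                          QEMU_DRIVER_NAME,
                                          driver->allowDiskFormatProbing,
                                          driver->securityDefaultConfined,
                                          driver->securityRequireConfined)))
            goto error;
    }
    /* … unchanged: create the stack from mgr or add it as nested, mgr = NULL, names++ … */
```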
};
struct _virSecurityStackData {
- virSecurityManagerPtr primary;
virSecurityStackItemPtr itemsHead;
};
-int
-virSecurityStackAddPrimary(virSecurityManagerPtr mgr,
- virSecurityManagerPtr primary)
-{
- virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
- if (virSecurityStackAddNested(mgr, primary) < 0)
- return -1;
- priv->primary = primary;
- return 0;
-}
-
int
virSecurityStackAddNested(virSecurityManagerPtr mgr,
virSecurityManagerPtr nested)
{
virSecurityStackItemPtr item = NULL;
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr tmp;
+
+ tmp = priv->itemsHead;
+ while (tmp && tmp->next)
+ tmp = tmp->next;
if (VIR_ALLOC(item) < 0) {
virReportOOMError();
return -1;
}
item->securityManager = nested;
- item->next = priv->itemsHead;
- priv->itemsHead = item;
+ if (tmp)
+ tmp->next = item;
+ else
+ priv->itemsHead = item;
+
return 0;
}
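Review bot: `virSecurityStackAddNested` now decides which driver is primary purely by call order, and nothing in the function says so. With the `primary` field and `virSecurityStackAddPrimary` removed, the first manager appended stays at `itemsHead` and is what `virSecurityStackGetPrimary` returns. I would add a comment above the tail walk, such as `/* Append at the tail: the first manager added remains itemsHead and is treated as the primary driver, so the order of calls is significant. */`. The new code also never assigns `item->next`, so the tail walk depends on `VIR_ALLOC` returning zeroed memory; a short comment on that assumption, or an explicit `item->next = NULL;`, would make the list invariant obvious.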
virSecurityStackGetPrimary(virSecurityManagerPtr mgr)
{
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
- return (priv->primary) ? priv->primary : priv->itemsHead->securityManager;
-}
-
-void virSecurityStackSetPrimary(virSecurityManagerPtr mgr,
- virSecurityManagerPtr primary)
-{
- virSecurityStackAddPrimary(mgr, primary);
-}
-
-void virSecurityStackSetSecondary(virSecurityManagerPtr mgr,
- virSecurityManagerPtr secondary)
-{
- virSecurityStackAddNested(mgr, secondary);
+ return priv->itemsHead->securityManager;
}
static virSecurityDriverStatus
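Review bot: `virSecurityStackGetPrimary` now dereferences `priv->itemsHead` unconditionally in its only return statement, so a stack with no items would crash here instead of reporting that no primary driver exists. Whether an empty stack can occur depends on `virSecurityManagerNewStack`, which this hunk does not show, so this may be an invariant worth documenting rather than a reachable bug. Either state it in a comment (`/* a stack always holds at least its primary manager */`) or guard it with `return priv->itemsHead ? priv->itemsHead->securityManager : NULL;` and confirm callers tolerate NULL. The function's return-type line lies above the hunk.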