security: Introduce functions for input device hot(un)plug
authorJán Tomko <jtomko@redhat.com>
Tue, 21 Nov 2017 12:31:53 +0000 (13:31 +0100)
committerJán Tomko <jtomko@redhat.com>
Fri, 24 Nov 2017 16:38:51 +0000 (17:38 +0100)
Export the existing DAC and SELinux functions for separate use and
introduce functions for stack, nop and the security manager.

src/libvirt_private.syms
src/security/security_dac.c
src/security/security_driver.h
src/security/security_manager.c
src/security/security_manager.h
src/security/security_nop.c
src/security/security_selinux.c
src/security/security_stack.c

index b4d3b9a94130a59100c6cbf4c0410623a8f8fad0..875e474b6dd109ce305ba44e79bdc80b0a450baf 100644 (file)
@@ -1276,6 +1276,7 @@ virSecurityManagerRestoreAllLabel;
 virSecurityManagerRestoreDiskLabel;
 virSecurityManagerRestoreHostdevLabel;
 virSecurityManagerRestoreImageLabel;
+virSecurityManagerRestoreInputLabel;
 virSecurityManagerRestoreMemoryLabel;
 virSecurityManagerRestoreSavedStateLabel;
 virSecurityManagerSetAllLabel;
@@ -1285,6 +1286,7 @@ virSecurityManagerSetDiskLabel;
 virSecurityManagerSetHostdevLabel;
 virSecurityManagerSetImageFDLabel;
 virSecurityManagerSetImageLabel;
+virSecurityManagerSetInputLabel;
 virSecurityManagerSetMemoryLabel;
 virSecurityManagerSetProcessLabel;
 virSecurityManagerSetSavedStateLabel;
index 54120890fdd0e9a28e4fdff23464e346d5dc0a16..52ca07a10f741327963d2741ed8a4892a251e040 100644 (file)
@@ -2123,6 +2123,9 @@ virSecurityDriver virSecurityDriverDAC = {
     .domainSetSecurityMemoryLabel       = virSecurityDACSetMemoryLabel,
     .domainRestoreSecurityMemoryLabel   = virSecurityDACRestoreMemoryLabel,
 
+    .domainSetSecurityInputLabel        = virSecurityDACSetInputLabel,
+    .domainRestoreSecurityInputLabel    = virSecurityDACRestoreInputLabel,
+
     .domainSetSecurityDaemonSocketLabel = virSecurityDACSetDaemonSocketLabel,
     .domainSetSecuritySocketLabel       = virSecurityDACSetSocketLabel,
     .domainClearSecuritySocketLabel     = virSecurityDACClearSocketLabel,
index 0b3b452486ad5387630aec77ed06c43cfae8e276..1b3070d06d37a9d80ecd9b6089e0baa3d41391d5 100644 (file)
@@ -131,6 +131,12 @@ typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManagerPtr mgr,
 typedef int (*virSecurityDomainRestoreMemoryLabel) (virSecurityManagerPtr mgr,
                                                     virDomainDefPtr def,
                                                     virDomainMemoryDefPtr mem);
+typedef int (*virSecurityDomainSetInputLabel) (virSecurityManagerPtr mgr,
+                                               virDomainDefPtr def,
+                                               virDomainInputDefPtr input);
+typedef int (*virSecurityDomainRestoreInputLabel) (virSecurityManagerPtr mgr,
+                                                   virDomainDefPtr def,
+                                                   virDomainInputDefPtr input);
 typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr,
                                               virDomainDefPtr def,
                                               const char *path);
@@ -163,6 +169,9 @@ struct _virSecurityDriver {
     virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel;
     virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel;
 
+    virSecurityDomainSetInputLabel domainSetSecurityInputLabel;
+    virSecurityDomainRestoreInputLabel domainRestoreSecurityInputLabel;
+
     virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
     virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
     virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
index 60cfc92e77323d2fa3e6aa989297abe391fbf6d7..3cf12188a0756cce034a40e4a5f4415c3494234f 100644 (file)
@@ -1116,3 +1116,39 @@ virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
     virReportUnsupportedError();
     return -1;
 }
+
+
+int
+virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
+                                virDomainDefPtr vm,
+                                virDomainInputDefPtr input)
+{
+    if (mgr->drv->domainSetSecurityInputLabel) {
+        int ret;
+        virObjectLock(mgr);
+        ret = mgr->drv->domainSetSecurityInputLabel(mgr, vm, input);
+        virObjectUnlock(mgr);
+        return ret;
+    }
+
+    virReportUnsupportedError();
+    return -1;
+}
+
+
+int
+virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
+                                    virDomainDefPtr vm,
+                                    virDomainInputDefPtr input)
+{
+    if (mgr->drv->domainRestoreSecurityInputLabel) {
+        int ret;
+        virObjectLock(mgr);
+        ret = mgr->drv->domainRestoreSecurityInputLabel(mgr, vm, input);
+        virObjectUnlock(mgr);
+        return ret;
+    }
+
+    virReportUnsupportedError();
+    return -1;
+}
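Review bot: Both new wrappers return -1 with the "unsupported" error when the driver table leaves `domainSetSecurityInputLabel` or `domainRestoreSecurityInputLabel` unset, and this commit fills those slots only for the DAC, nop, SELinux and stack drivers. If the tree has any other security driver, input hot(un)plug will fail whenever it is active, including through the stack driver, which returns -1 as soon as one stacked manager fails. It is worth confirming that every driver either sets the callbacks or is meant to fail closed here. The functions also lack a header comment; I would add one such as `/* Returns 0 on success, -1 with an error reported if the driver fails or does not implement the callback. */` above each.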
index 6712112e76fa3bdb4f2486e90ae2ec7953ce7543..834c7f1593d462b2b7215b389fb296b69a52277c 100644 (file)
@@ -172,6 +172,14 @@ int virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
                                         virDomainDefPtr vm,
                                         virDomainMemoryDefPtr mem);
 
+int virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
+                                    virDomainDefPtr vm,
+                                    virDomainInputDefPtr input);
+int virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
+                                        virDomainDefPtr vm,
+                                        virDomainInputDefPtr input);
+
+
 int virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr,
                                          virDomainDefPtr vm,
                                          const char *path);
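Review bot: The new prototypes are followed by two blank lines, while the neighbouring prototype groups visible in this hunk are separated by one. Dropping the extra blank line keeps the header's spacing consistent.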
index 527be11e5ab890b03b51ec1719ca2502e4409da9..cfb032c68697434c34e679278f34aed830b8e642 100644 (file)
@@ -254,6 +254,14 @@ virSecurityDomainRestoreMemoryLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSE
     return 0;
 }
 
+static int
+virSecurityDomainInputLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                               virDomainDefPtr def ATTRIBUTE_UNUSED,
+                               virDomainInputDefPtr input ATTRIBUTE_UNUSED)
+{
+    return 0;
+}
+
 
 virSecurityDriver virSecurityDriverNop = {
     .privateDataLen                     = 0,
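Review bot: `virSecurityDomainInputLabelNop` breaks the naming pattern of the neighbouring stubs, which come as separate Set/Restore functions such as `virSecurityDomainRestoreMemoryLabelNop`, and the table hunk below assigns it to both the set and the restore slot. Sharing one stub is fine, but a reader searching for a `...SetInputLabelNop` symbol will not find it. I would add a one-line comment above the function, for example `/* Shared no-op for both the set and restore input-label callbacks. */`.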
@@ -276,6 +284,9 @@ virSecurityDriver virSecurityDriverNop = {
     .domainSetSecurityMemoryLabel       = virSecurityDomainSetMemoryLabelNop,
     .domainRestoreSecurityMemoryLabel   = virSecurityDomainRestoreMemoryLabelNop,
 
+    .domainSetSecurityInputLabel        = virSecurityDomainInputLabelNop,
+    .domainRestoreSecurityInputLabel    = virSecurityDomainInputLabelNop,
+
     .domainSetSecurityDaemonSocketLabel = virSecurityDomainSetDaemonSocketLabelNop,
     .domainSetSecuritySocketLabel       = virSecurityDomainSetSocketLabelNop,
     .domainClearSecuritySocketLabel     = virSecurityDomainClearSocketLabelNop,
index ed1828a12f34f3e1921d9700c81802ed3a4d14eb..b677fbcda7052f39041bcf8f93e784bdfbafb002 100644 (file)
@@ -3064,6 +3064,9 @@ virSecurityDriver virSecurityDriverSELinux = {
     .domainSetSecurityMemoryLabel       = virSecuritySELinuxSetMemoryLabel,
     .domainRestoreSecurityMemoryLabel   = virSecuritySELinuxRestoreMemoryLabel,
 
+    .domainSetSecurityInputLabel        = virSecuritySELinuxSetInputLabel,
+    .domainRestoreSecurityInputLabel    = virSecuritySELinuxRestoreInputLabel,
+
     .domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetDaemonSocketLabel,
     .domainSetSecuritySocketLabel       = virSecuritySELinuxSetSocketLabel,
     .domainClearSecuritySocketLabel     = virSecuritySELinuxClearSocketLabel,
index 53eee1692f35a3ad0bc2f3920befbefbb19f7b65..cd916382b202b48ba89ecd32de778beb64dbd021 100644 (file)
@@ -666,6 +666,41 @@ virSecurityStackRestoreMemoryLabel(virSecurityManagerPtr mgr,
     return rc;
 }
 
+static int
+virSecurityStackSetInputLabel(virSecurityManagerPtr mgr,
+                              virDomainDefPtr vm,
+                              virDomainInputDefPtr input)
+{
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityStackItemPtr item = priv->itemsHead;
+    int rc = 0;
+
+    for (; item; item = item->next) {
+        if (virSecurityManagerSetInputLabel(item->securityManager, vm, input) < 0)
+            rc = -1;
+    }
+
+    return rc;
+}
+
+static int
+virSecurityStackRestoreInputLabel(virSecurityManagerPtr mgr,
+                                  virDomainDefPtr vm,
+                                  virDomainInputDefPtr input)
+{
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityStackItemPtr item = priv->itemsHead;
+    int rc = 0;
+
+    for (; item; item = item->next) {
+        if (virSecurityManagerRestoreInputLabel(item->securityManager,
+                                                vm, input) < 0)
+            rc = -1;
+    }
+
+    return rc;
+}
+
 static int
 virSecurityStackDomainSetPathLabel(virSecurityManagerPtr mgr,
                                    virDomainDefPtr vm,
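Review bot: `virSecurityStackSetInputLabel` keeps iterating after a stacked manager fails and returns -1 without undoing the labels that other managers in the stack did apply. On a failed hotplug the input device can therefore stay relabelled for the guest by one driver while another refused it. Whether callers always follow a failed set with `virSecurityManagerRestoreInputLabel()` is not visible on this page, so that should be confirmed. The shape appears to follow the existing memory-label functions, of which only the tail is shown here. At minimum the contract should be stated above the function, for example `/* On failure some stacked drivers may already have relabelled the device; the caller must call virSecurityManagerRestoreInputLabel() to undo it. */`.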
@@ -711,6 +746,9 @@ virSecurityDriver virSecurityDriverStack = {
     .domainSetSecurityMemoryLabel       = virSecurityStackSetMemoryLabel,
     .domainRestoreSecurityMemoryLabel   = virSecurityStackRestoreMemoryLabel,
 
+    .domainSetSecurityInputLabel        = virSecurityStackSetInputLabel,
+    .domainRestoreSecurityInputLabel    = virSecurityStackRestoreInputLabel,
+
     .domainSetSecurityDaemonSocketLabel = virSecurityStackSetDaemonSocketLabel,
     .domainSetSecuritySocketLabel       = virSecurityStackSetSocketLabel,
     .domainClearSecuritySocketLabel     = virSecurityStackClearSocketLabel,