From: Cole Robinson Date: Sun, 27 Aug 2017 15:23:47 +0000 (-0400) Subject: security: add MANAGER_MOUNT_NAMESPACE flag X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=321031e482425dfeae0f125cdac6df870f079efd;p=libvirt.git security: add MANAGER_MOUNT_NAMESPACE flag The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver if mount namespaces are in use for the VM. Will be used for future changes. Wire it up in the qemu driver --- diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 70f6229486..e95683965a 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -419,6 +419,8 @@ qemuSecurityInit(virQEMUDriverPtr driver) if (virQEMUDriverIsPrivileged(driver)) { if (cfg->dynamicOwnership) flags |= VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP; + if (virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT)) + flags |= VIR_SECURITY_MANAGER_MOUNT_NAMESPACE; if (!(mgr = qemuSecurityNewDAC(QEMU_DRIVER_NAME, cfg->user, cfg->group, diff --git a/src/security/security_dac.c b/src/security/security_dac.c index ca7a6af6d4..507be44a26 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -57,6 +57,7 @@ struct _virSecurityDACData { gid_t *groups; int ngroups; bool dynamicOwnership; + bool mountNamespace; char *baselabel; virSecurityManagerDACChownCallback chownCallback; }; @@ -237,6 +238,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr, priv->dynamicOwnership = dynamicOwnership; } +void +virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr, + bool mountNamespace) +{ + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); + priv->mountNamespace = mountNamespace; +} + + void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr, virSecurityManagerDACChownCallback chownCallback) diff --git a/src/security/security_dac.h b/src/security/security_dac.h index 846cefbb57..97681c9610 100644 --- a/src/security/security_dac.h +++ b/src/security/security_dac.h @@ -32,6 +32,9 @@ int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr, void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr, bool dynamic); +void virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr, + bool mountNamespace); + void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr, virSecurityManagerDACChownCallback chownCallback); diff --git a/src/security/security_manager.c b/src/security/security_manager.c index 95b9952308..e43c99d4f1 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -146,7 +146,8 @@ virSecurityManagerNewDAC(const char *virtDriver, virSecurityManagerPtr mgr; virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK | - VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP, NULL); + VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP | + VIR_SECURITY_MANAGER_MOUNT_NAMESPACE, NULL); mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC, virtDriver, @@ -161,6 +162,7 @@ virSecurityManagerNewDAC(const char *virtDriver, } virSecurityDACSetDynamicOwnership(mgr, flags & VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP); + virSecurityDACSetMountNamespace(mgr, flags & VIR_SECURITY_MANAGER_MOUNT_NAMESPACE); virSecurityDACSetChownCallback(mgr, chownCallback); return mgr; diff --git a/src/security/security_manager.h b/src/security/security_manager.h index 01296d339e..08fb89203a 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -36,6 +36,7 @@ typedef enum { VIR_SECURITY_MANAGER_REQUIRE_CONFINED = 1 << 2, VIR_SECURITY_MANAGER_PRIVILEGED = 1 << 3, VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP = 1 << 4, + VIR_SECURITY_MANAGER_MOUNT_NAMESPACE = 1 << 5, } virSecurityManagerNewFlags; # define VIR_SECURITY_MANAGER_NEW_MASK \