From: Daniel P. Berrange Date: Tue, 5 Jul 2011 09:49:51 +0000 (+0100) Subject: Fix default value of security label 'relabel' attribute X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=693eac388f1759d8e72b6847d40bd2e5d0e91a6b;p=libvirt.git Fix default value of security label 'relabel' attribute When no is present in the XML, the virDomainSeclabelDef struct is left as all zeros. Unfortunately, this means it gets setup as type=dynamic, with relabel=no, which is an illegal combination. Change the 'bool relabel' attribute in virDomainSeclabelDef to the inverse 'bool norelabel' so that the default initialization is sensible * src/conf/domain_conf.c, src/conf/domain_conf.h, src/security/security_apparmor.c, src/security/security_selinux.c: Replace 'relabel' with 'norelabel' --- diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 4e14303d52..7bcdcaff97 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -5076,25 +5076,25 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def, VIR_SECURITY_LABEL_BUFLEN-1, ctxt); if (p != NULL) { if (STREQ(p, "yes")) { - def->seclabel.relabel = true; + def->seclabel.norelabel = false; } else if (STREQ(p, "no")) { - def->seclabel.relabel = false; + def->seclabel.norelabel = true; } else { virDomainReportError(VIR_ERR_XML_ERROR, _("invalid security relabel value %s"), p); goto error; } if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC && - !def->seclabel.relabel) { + def->seclabel.norelabel) { virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("dynamic label type must use resource relabeling")); goto error; } } else { if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) - def->seclabel.relabel = false; + def->seclabel.norelabel = true; else - def->seclabel.relabel = true; + def->seclabel.norelabel = false; } /* Only parse label, if using static labels, or @@ -5114,7 +5114,7 @@ virSecurityLabelDefParseXML(const virDomainDefPtr def, } /* Only parse imagelabel, if requested live XML with relabeling */ - if (def->seclabel.relabel && + if (!def->seclabel.norelabel && !(flags & VIR_DOMAIN_XML_INACTIVE)) { p = virXPathStringLimit("string(./seclabel/imagelabel[1])", VIR_SECURITY_LABEL_BUFLEN-1, ctxt); @@ -9893,15 +9893,15 @@ char *virDomainDefFormat(virDomainDefPtr def, (flags & VIR_DOMAIN_XML_INACTIVE)) { virBufferAsprintf(&buf, " \n", sectype, def->seclabel.model, - def->seclabel.relabel ? "yes" : "no"); + def->seclabel.norelabel ? "no" : "yes"); } else { virBufferAsprintf(&buf, " \n", sectype, def->seclabel.model, - def->seclabel.relabel ? "yes" : "no"); + def->seclabel.norelabel ? "no" : "yes"); if (def->seclabel.label) virBufferEscapeString(&buf, " \n", def->seclabel.label); - if (def->seclabel.relabel && def->seclabel.imagelabel) + if (!def->seclabel.norelabel && def->seclabel.imagelabel) virBufferEscapeString(&buf, " %s\n", def->seclabel.imagelabel); if (def->seclabel.baselabel && diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 9d28f51262..ddfe18e3d9 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -960,7 +960,7 @@ struct _virSecurityLabelDef { char *imagelabel; /* security image label string */ char *baselabel; /* base name of label string */ int type; /* virDomainSeclabelType */ - bool relabel; + bool norelabel; }; enum virDomainTimerNameType { diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 98995a8bd4..76c6e3d45d 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -265,7 +265,7 @@ reload_profile(virSecurityManagerPtr mgr, int rc = -1; char *profile_name = NULL; - if (!secdef->relabel) + if (secdef->norelabel) return 0; if ((profile_name = get_profile_name(vm)) == NULL) @@ -610,7 +610,7 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr, int rc = -1; char *profile_name; - if (!secdef->relabel) + if (secdef->norelabel) return 0; if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK) @@ -682,7 +682,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr, struct SDPDOP *ptr; int ret = -1; - if (!secdef->relabel) + if (secdef->norelabel) return 0; if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) @@ -741,7 +741,7 @@ AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr, { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; - if (!secdef->relabel) + if (secdef->norelabel) return 0; return reload_profile(mgr, vm, NULL, false); diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 44e770efe3..50e19786b3 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -537,7 +537,7 @@ SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; - if (!secdef->relabel) + if (secdef->norelabel) return 0; /* Don't restore labels on readoly/shared disks, because @@ -621,7 +621,7 @@ SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr, const virSecurityLabelDefPtr secdef = &vm->def->seclabel; bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr); - if (!secdef->relabel) + if (secdef->norelabel) return 0; return virDomainDiskDefForeachPath(disk, @@ -661,7 +661,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, const virSecurityLabelDefPtr secdef = &vm->def->seclabel; int ret = -1; - if (!secdef->relabel) + if (secdef->norelabel) return 0; if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) @@ -730,7 +730,7 @@ SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, const virSecurityLabelDefPtr secdef = &vm->def->seclabel; int ret = -1; - if (!secdef->relabel) + if (secdef->norelabel) return 0; if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) @@ -784,7 +784,7 @@ SELinuxSetSecurityChardevLabel(virDomainObjPtr vm, char *in = NULL, *out = NULL; int ret = -1; - if (!secdef->relabel) + if (secdef->norelabel) return 0; switch (dev->type) { @@ -830,7 +830,7 @@ SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm, char *in = NULL, *out = NULL; int ret = -1; - if (!secdef->relabel) + if (secdef->norelabel) return 0; switch (dev->type) { @@ -918,7 +918,7 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, VIR_DEBUG("Restoring security label on %s", vm->def->name); - if (!secdef->relabel) + if (secdef->norelabel) return 0; for (i = 0 ; i < vm->def->nhostdevs ; i++) { @@ -989,7 +989,7 @@ SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; - if (!secdef->relabel) + if (secdef->norelabel) return 0; return SELinuxSetFilecon(savefile, secdef->imagelabel); @@ -1003,7 +1003,7 @@ SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; - if (!secdef->relabel) + if (secdef->norelabel) return 0; return SELinuxRestoreSecurityFileLabel(savefile); @@ -1218,7 +1218,7 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr, const virSecurityLabelDefPtr secdef = &vm->def->seclabel; int i; - if (!secdef->relabel) + if (secdef->norelabel) return 0; for (i = 0 ; i < vm->def->ndisks ; i++) {