From: Daniel P. Berrange Date: Wed, 28 Nov 2012 16:07:27 +0000 (+0000) Subject: Add support for SELinux labelling of hostdev storage/misc devices X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=a6cbdd7b81d6724f66f427495d58e0c8e950cd41;p=libvirt.git Add support for SELinux labelling of hostdev storage/misc devices The SELinux security driver needs to learn to label storage/misc hostdev devices for LXC Signed-off-by: Daniel P. Berrange --- diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 961e01e504..1f73fd2390 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1210,6 +1210,65 @@ done: } +static int +virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def, + virDomainHostdevDefPtr dev, + const char *vroot) +{ + int ret = -1; + virSecurityLabelDefPtr secdef; + char *path; + + secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); + if (secdef == NULL) + return -1; + + switch (dev->source.caps.type) { + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: { + if (vroot) { + if (virAsprintf(&path, "%s/%s", vroot, + dev->source.caps.u.storage.block) < 0) { + virReportOOMError(); + return -1; + } + } else { + if (!(path = strdup(dev->source.caps.u.storage.block))) { + virReportOOMError(); + return -1; + } + } + ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel); + VIR_FREE(path); + break; + } + + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: { + if (vroot) { + if (virAsprintf(&path, "%s/%s", vroot, + dev->source.caps.u.misc.chardev) < 0) { + virReportOOMError(); + return -1; + } + } else { + if (!(path = strdup(dev->source.caps.u.misc.chardev))) { + virReportOOMError(); + return -1; + } + } + ret = virSecuritySELinuxSetFilecon(path, secdef->imagelabel); + VIR_FREE(path); + break; + } + + default: + ret = 0; + break; + } + + return ret; +} + + static int virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefPtr def, @@ -1230,6 +1289,9 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS: return virSecuritySELinuxSetSecurityHostdevSubsysLabel(def, dev, vroot); + case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES: + return virSecuritySELinuxSetSecurityHostdevCapsLabel(def, dev, vroot); + default: return 0; } @@ -1304,6 +1366,59 @@ done: } +static int +virSecuritySELinuxRestoreSecurityHostdevCapsLabel(virDomainHostdevDefPtr dev, + const char *vroot) +{ + int ret = -1; + char *path; + + switch (dev->source.caps.type) { + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: { + if (vroot) { + if (virAsprintf(&path, "%s/%s", vroot, + dev->source.caps.u.storage.block) < 0) { + virReportOOMError(); + return -1; + } + } else { + if (!(path = strdup(dev->source.caps.u.storage.block))) { + virReportOOMError(); + return -1; + } + } + ret = virSecuritySELinuxRestoreSecurityFileLabel(path); + VIR_FREE(path); + break; + } + + case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_MISC: { + if (vroot) { + if (virAsprintf(&path, "%s/%s", vroot, + dev->source.caps.u.misc.chardev) < 0) { + virReportOOMError(); + return -1; + } + } else { + if (!(path = strdup(dev->source.caps.u.misc.chardev))) { + virReportOOMError(); + return -1; + } + } + ret = virSecuritySELinuxRestoreSecurityFileLabel(path); + VIR_FREE(path); + break; + } + + default: + ret = 0; + break; + } + + return ret; +} + + static int virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefPtr def, @@ -1324,6 +1439,9 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUT case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS: return virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(dev, vroot); + case VIR_DOMAIN_HOSTDEV_MODE_CAPABILITIES: + return virSecuritySELinuxRestoreSecurityHostdevCapsLabel(dev, vroot); + default: return 0; }