summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel P. Berrange <berrange@redhat.com>2011-06-24 14:50:36 +0100
committerDaniel P. Berrange <berrange@redhat.com>2011-06-28 16:39:30 +0100
commit8e3c6fbbe610ddc6401734cc3230b48785f25df0 (patch)
treec253e70ca1370165e53349cce3c08fced045cf50
parentRename virSecurityManagerSetFDLabel method (diff)
downloadlibvirt-8e3c6fbbe610ddc6401734cc3230b48785f25df0.tar.gz
libvirt-8e3c6fbbe610ddc6401734cc3230b48785f25df0.tar.bz2
libvirt-8e3c6fbbe610ddc6401734cc3230b48785f25df0.zip
Add a virSecurityManagerSetProcessFDLabel
Add a new security driver method for labelling an FD with the process label, rather than the image label * src/libvirt_private.syms, src/security/security_apparmor.c, src/security/security_dac.c, src/security/security_driver.h, src/security/security_manager.c, src/security/security_manager.h, src/security/security_selinux.c, src/security/security_stack.c: Add virSecurityManagerSetProcessFDLabel & impl
-rw-r--r--src/libvirt_private.syms1
-rw-r--r--src/security/security_apparmor.c29
-rw-r--r--src/security/security_dac.c9
-rw-r--r--src/security/security_driver.h4
-rw-r--r--src/security/security_manager.c11
-rw-r--r--src/security/security_manager.h3
-rw-r--r--src/security/security_selinux.c14
-rw-r--r--src/security/security_stack.c18
8 files changed, 89 insertions, 0 deletions
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 81fc7769b..626ac6ccf 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -851,6 +851,7 @@ virSecurityManagerSetAllLabel;
virSecurityManagerSetImageFDLabel;
virSecurityManagerSetImageLabel;
virSecurityManagerSetHostdevLabel;
+virSecurityManagerSetProcessFDLabel;
virSecurityManagerSetProcessLabel;
virSecurityManagerSetSavedStateLabel;
virSecurityManagerSetSocketLabel;
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 02ed864df..6795184c4 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -786,6 +786,34 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
return reload_profile(mgr, vm, fd_path, true);
}
+static int
+AppArmorSetProcessFDLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm,
+ int fd)
+{
+ int rc = -1;
+ char *proc = NULL;
+ char *fd_path = NULL;
+
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+
+ if (secdef->imagelabel == NULL)
+ return 0;
+
+ if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1) {
+ virReportOOMError();
+ return rc;
+ }
+
+ if (virFileResolveLink(proc, &fd_path) < 0) {
+ virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+ "%s", _("could not find path for descriptor"));
+ return rc;
+ }
+
+ return reload_profile(mgr, vm, fd_path, true);
+}
+
virSecurityDriver virAppArmorSecurityDriver = {
0,
SECURITY_APPARMOR_NAME,
@@ -821,4 +849,5 @@ virSecurityDriver virAppArmorSecurityDriver = {
AppArmorRestoreSavedStateLabel,
AppArmorSetImageFDLabel,
+ AppArmorSetProcessFDLabel,
};
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 49bba5cbe..58d57ec21 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -689,6 +689,14 @@ virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return 0;
}
+static int
+virSecurityDACSetProcessFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm ATTRIBUTE_UNUSED,
+ int fd ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
virSecurityDriver virSecurityDriverDAC = {
sizeof(virSecurityDACData),
@@ -726,4 +734,5 @@ virSecurityDriver virSecurityDriverDAC = {
virSecurityDACRestoreSavedStateLabel,
virSecurityDACSetImageFDLabel,
+ virSecurityDACSetProcessFDLabel,
};
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 6c6db3e42..154f197a4 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -82,6 +82,9 @@ typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr,
typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr,
virDomainObjPtr vm,
int fd);
+typedef int (*virSecurityDomainSetProcessFDLabel) (virSecurityManagerPtr mgr,
+ virDomainObjPtr vm,
+ int fd);
struct _virSecurityDriver {
size_t privateDataLen;
@@ -118,6 +121,7 @@ struct _virSecurityDriver {
virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;
virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
+ virSecurityDomainSetProcessFDLabel domainSetSecurityProcessFDLabel;
};
virSecurityDriverPtr virSecurityDriverLookup(const char *name);
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 04159f4b1..6ae58dc81 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -336,3 +336,14 @@ int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
return -1;
}
+
+int virSecurityManagerSetProcessFDLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm,
+ int fd)
+{
+ if (mgr->drv->domainSetSecurityProcessFDLabel)
+ return mgr->drv->domainSetSecurityProcessFDLabel(mgr, vm, fd);
+
+ virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+ return -1;
+}
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 581957c29..8c3b8b2e5 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -94,5 +94,8 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr,
int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
int fd);
+int virSecurityManagerSetProcessFDLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm,
+ int fd);
#endif /* VIR_SECURITY_MANAGER_H__ */
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index dc92ce678..a022daa77 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1221,6 +1221,19 @@ SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return SELinuxFSetFilecon(fd, secdef->imagelabel);
}
+static int
+SELinuxSetProcessFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm,
+ int fd)
+{
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+
+ if (secdef->label == NULL)
+ return 0;
+
+ return SELinuxFSetFilecon(fd, secdef->label);
+}
+
virSecurityDriver virSecurityDriverSELinux = {
0,
SECURITY_SELINUX_NAME,
@@ -1256,4 +1269,5 @@ virSecurityDriver virSecurityDriverSELinux = {
SELinuxRestoreSavedStateLabel,
SELinuxSetImageFDLabel,
+ SELinuxSetProcessFDLabel,
};
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index bec162649..b63e4c8a3 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -386,6 +386,23 @@ virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
}
+static int
+virSecurityStackSetProcessFDLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm,
+ int fd)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ int rc = 0;
+
+ if (virSecurityManagerSetProcessFDLabel(priv->secondary, vm, fd) < 0)
+ rc = -1;
+ if (virSecurityManagerSetProcessFDLabel(priv->primary, vm, fd) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
virSecurityDriver virSecurityDriverStack = {
sizeof(virSecurityStackData),
"stack",
@@ -421,4 +438,5 @@ virSecurityDriver virSecurityDriverStack = {
virSecurityStackRestoreSavedStateLabel,
virSecurityStackSetImageFDLabel,
+ virSecurityStackSetProcessFDLabel,
};