/**
* virRandomInt:
* @max: upper limit
*
* Generate an evenly distributed random integer between [0, @max)
*
* Return: a random number between [0,@max)
*/
uint32_t virRandomInt(uint32_t max)
{
if ((max & (max - 1)) == 0)
return virRandomBits(ffs(max) - 1);
double val = virRandom();
return val * max;
}
static int
virStorageBackendCreateIfaceIQN(const char *initiatoriqn,
char **ifacename)
{
int ret = -1, exitstatus = -1;
char temp_ifacename[32];
const char *const cmdargv1[] = {
ISCSIADM, "--mode", "iface", "--interface",
temp_ifacename, "--op", "new", NULL
};
const char *const cmdargv2[] = {
ISCSIADM, "--mode", "iface", "--interface", temp_ifacename,
"--op", "update", "--name", "iface.initiatorname", "--value",
initiatoriqn, NULL
};
if (virRandomInitialize(time(NULL) ^ getpid()) == -1) {
virStorageReportError(VIR_ERR_INTERNAL_ERROR, "%s",
_("Failed to initialize random generator "
"when creating iscsi interface"));
goto out;
}
snprintf(temp_ifacename, sizeof(temp_ifacename), "libvirt-iface-%08x",
virRandom(1024 * 1024 * 1024));
VIR_DEBUG("Attempting to create interface '%s' with IQN '%s'",
&temp_ifacename[0], initiatoriqn);
/* Note that we ignore the exitstatus. Older versions of iscsiadm
* tools returned an exit status of > 0, even if they succeeded.
* We will just rely on whether the interface got created
* properly. */
if (virRun(cmdargv1, &exitstatus) < 0) {
virStorageReportError(VIR_ERR_INTERNAL_ERROR,
_("Failed to run command '%s' to create new iscsi interface"),
cmdargv1[0]);
goto out;
}
/* Note that we ignore the exitstatus. Older versions of iscsiadm tools
* returned an exit status of > 0, even if they succeeded. We will just
* rely on whether iface file got updated properly. */
if (virRun(cmdargv2, &exitstatus) < 0) {
virStorageReportError(VIR_ERR_INTERNAL_ERROR,
_("Failed to run command '%s' to update iscsi interface with IQN '%s'"),
cmdargv2[0], initiatoriqn);
goto out;
}
/* Check again to make sure the interface was created. */
if (virStorageBackendIQNFound(initiatoriqn, ifacename) != IQN_FOUND) {
VIR_DEBUG("Failed to find interface '%s' with IQN '%s' "
"after attempting to create it",
&temp_ifacename[0], initiatoriqn);
goto out;
} else {
VIR_DEBUG("Interface '%s' with IQN '%s' was created successfully",
*ifacename, initiatoriqn);
}
ret = 0;
out:
if (ret != 0)
VIR_FREE(*ifacename);
return ret;
}
static int
SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm)
{
int rc = -1;
char *mcs = NULL;
char *scontext = NULL;
int c1 = 0;
int c2 = 0;
context_t ctx = NULL;
if ((vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
!vm->def->seclabel.baselabel &&
vm->def->seclabel.model) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security model already defined for VM"));
return rc;
}
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
vm->def->seclabel.label) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security label already defined for VM"));
return rc;
}
if (vm->def->seclabel.imagelabel) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
"%s", _("security image label already defined for VM"));
return rc;
}
if (vm->def->seclabel.model &&
STRNEQ(vm->def->seclabel.model, SECURITY_SELINUX_NAME)) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("security label model %s is not supported with selinux"),
vm->def->seclabel.model);
return rc;
}
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) {
if (!(ctx = context_new(vm->def->seclabel.label)) ) {
virReportSystemError(errno,
_("unable to allocate socket security context '%s'"),
vm->def->seclabel.label);
return rc;
}
const char *range = context_range_get(ctx);
if (!range ||
!(mcs = strdup(range))) {
virReportOOMError();
goto cleanup;
}
} else {
do {
c1 = virRandom(1024);
c2 = virRandom(1024);
if ( c1 == c2 ) {
if (virAsprintf(&mcs, "s0:c%d", c1) < 0) {
virReportOOMError();
goto cleanup;
}
} else {
if (c1 > c2) {
c1 ^= c2;
c2 ^= c1;
c1 ^= c2;
}
if (virAsprintf(&mcs, "s0:c%d,c%d", c1, c2) < 0) {
virReportOOMError();
goto cleanup;
}
}
} while (mcsAdd(mcs) == -1);
vm->def->seclabel.label =
SELinuxGenNewContext(vm->def->seclabel.baselabel ?
vm->def->seclabel.baselabel :
default_domain_context, mcs);
if (! vm->def->seclabel.label) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate selinux context for %s"), mcs);
goto cleanup;
}
}
vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
if (!vm->def->seclabel.imagelabel) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot generate selinux context for %s"), mcs);
goto cleanup;
}
if (!vm->def->seclabel.model &&
!(vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
virReportOOMError();
goto cleanup;
}
rc = 0;
cleanup:
if (rc != 0) {
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
VIR_FREE(vm->def->seclabel.label);
VIR_FREE(vm->def->seclabel.imagelabel);
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
!vm->def->seclabel.baselabel)
VIR_FREE(vm->def->seclabel.model);
}
if (ctx)
context_free(ctx);
VIR_FREE(scontext);
VIR_FREE(mcs);
VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
NULLSTR(vm->def->seclabel.model),
NULLSTR(vm->def->seclabel.label),
NULLSTR(vm->def->seclabel.imagelabel),
NULLSTR(vm->def->seclabel.baselabel));
return rc;
}
