static int
SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
virSecuritySELinuxCallbackData cbdata;
cbdata.secdef = &def->seclabel;
cbdata.manager = mgr;
bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr);
if (cbdata.secdef->norelabel)
return 0;
if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
return 0;
/* XXX On one hand, it would be nice to have the driver's uid:gid
* here so we could retry opens with it. On the other hand, it
* probably doesn't matter because in practice that's only useful
* for files on root-squashed NFS shares, and NFS doesn't properly
* support selinux anyway.
*/
return virDomainDiskDefForeachPath(disk,
allowDiskFormatProbing,
true,
-1, -1, /* current process uid:gid */
SELinuxSetSecurityFileLabel,
&cbdata);
}
virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary)
{
virSecurityManagerPtr mgr =
virSecurityManagerNewDriver(&virSecurityDriverStack,
virSecurityManagerGetDriver(primary),
virSecurityManagerGetAllowDiskFormatProbing(primary),
virSecurityManagerGetDefaultConfined(primary),
virSecurityManagerGetRequireConfined(primary));
if (!mgr)
return NULL;
virSecurityStackAddNested(mgr, primary);
return mgr;
}
static int
SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
virDomainDiskDefPtr disk)
{
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr);
if (secdef->norelabel)
return 0;
return virDomainDiskDefForeachPath(disk,
allowDiskFormatProbing,
true,
SELinuxSetSecurityFileLabel,
secdef);
}
/*
* load (add) a profile. Will create one if necessary
*/
static int
load_profile(virSecurityManagerPtr mgr,
const char *profile,
virDomainDefPtr def,
const char *fn,
bool append)
{
int rc = -1;
bool create = true;
char *xml = NULL;
virCommandPtr cmd = NULL;
const char *probe = virSecurityManagerGetAllowDiskFormatProbing(mgr)
? "1" : "0";
xml = virDomainDefFormat(def, VIR_DOMAIN_XML_SECURE);
if (!xml)
goto cleanup;
if (profile_status_file(profile) >= 0)
create = false;
cmd = virCommandNewArgList(VIRT_AA_HELPER, "-p", probe,
create ? "-c" : "-r",
"-u", profile, NULL);
if (!create && fn) {
if (append) {
virCommandAddArgList(cmd, "-F", fn, NULL);
} else {
virCommandAddArgList(cmd, "-f", fn, NULL);
}
}
virCommandSetInputBuffer(cmd, xml);
rc = virCommandRun(cmd, NULL);
cleanup:
VIR_FREE(xml);
virCommandFree(cmd);
return rc;
}
static int
SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
const virSecurityLabelDefPtr secdef = &def->seclabel;
bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr);
if (secdef->norelabel)
return 0;
if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
return 0;
return virDomainDiskDefForeachPath(disk,
allowDiskFormatProbing,
true,
SELinuxSetSecurityFileLabel,
secdef);
}
