/*
 * Apply the domain's SELinux label to every path that backs @disk.
 *
 * @mgr:  security manager; supplies the disk-format-probing policy and is
 *        handed to the per-path callback through the callback data.
 * @def:  domain definition whose seclabel is applied.
 * @disk: disk whose backing paths are walked.
 *
 * Returns 0 without relabelling anything when the domain's label has
 * norelabel set or the disk type is VIR_DOMAIN_DISK_TYPE_NETWORK; otherwise
 * returns the result of virDomainDiskDefForeachPath().
 */
static int
SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
                             virDomainDefPtr def,
                             virDomainDiskDefPtr disk)
{
    virSecuritySELinuxCallbackData cbdata;
    bool probeFormat;

    cbdata.secdef = &def->seclabel;
    cbdata.manager = mgr;

    /* The probing policy is read from the manager, never from the disk. */
    probeFormat = virSecurityManagerGetAllowDiskFormatProbing(mgr);

    /* Nothing to label: relabelling disabled, or no local path to label. */
    if (cbdata.secdef->norelabel ||
        disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
        return 0;

    /* XXX It would be nice to have the driver's uid:gid here so that failed
     * opens could be retried with it.  In practice that only helps for
     * files on root-squashed NFS shares, and NFS doesn't properly support
     * selinux anyway, so it probably doesn't matter.
     *
     * NOTE(review): the literal `true` is presumably the "ignore open
     * failure" flag of virDomainDiskDefForeachPath -- confirm against its
     * prototype.  When probing is enabled, the backing chain that gets
     * labelled may be derived from image contents a guest can write, so
     * the manager's probing setting is security-relevant here. */
    return virDomainDiskDefForeachPath(disk,
                                       probeFormat,
                                       true,
                                       -1, -1, /* current process uid:gid */
                                       SELinuxSetSecurityFileLabel,
                                       &cbdata);
}
/*
 * Create a stacked security manager built on top of @primary.
 *
 * The new manager uses virSecurityDriverStack and copies four settings from
 * @primary: its driver, its allow-disk-format-probing flag, and its
 * default-confined and require-confined flags.  @primary is then registered
 * as a nested manager of the new stack.
 *
 * Returns the new manager, or NULL if virSecurityManagerNewDriver() fails.
 */
virSecurityManagerPtr
virSecurityManagerNewStack(virSecurityManagerPtr primary)
{
    virSecurityManagerPtr stack;

    /* Confinement and probing policy are inherited verbatim from the
     * primary manager, so the stack is never more permissive than it. */
    stack = virSecurityManagerNewDriver(&virSecurityDriverStack,
                                        virSecurityManagerGetDriver(primary),
                                        virSecurityManagerGetAllowDiskFormatProbing(primary),
                                        virSecurityManagerGetDefaultConfined(primary),
                                        virSecurityManagerGetRequireConfined(primary));
    if (stack == NULL)
        return NULL;

    /* NOTE(review): no result of virSecurityStackAddNested() is checked
     * here -- confirm it cannot fail in this version of the API. */
    virSecurityStackAddNested(stack, primary);

    return stack;
}
/*
 * Apply the SELinux label of domain @vm to every path that backs @disk.
 *
 * @mgr:  security manager; supplies the disk-format-probing policy.
 * @vm:   domain object; the label is taken from vm->def->seclabel.
 * @disk: disk whose backing paths are walked.
 *
 * Returns 0 without relabelling when the label has norelabel set; otherwise
 * returns the result of virDomainDiskDefForeachPath().
 *
 * NOTE(review): this variant has no special case for any disk type, so every
 * disk reaches the path walk -- confirm that is intended for this version.
 */
static int
SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
                             virDomainObjPtr vm,
                             virDomainDiskDefPtr disk)
{
    const virSecurityLabelDefPtr label = &vm->def->seclabel;
    bool probeFormat = virSecurityManagerGetAllowDiskFormatProbing(mgr);

    if (!label->norelabel) {
        /* The label definition itself is the callback's opaque argument.
         * The literal `true` is presumably the "ignore open failure"
         * flag -- confirm against virDomainDiskDefForeachPath's prototype. */
        return virDomainDiskDefForeachPath(disk,
                                           probeFormat,
                                           true,
                                           SELinuxSetSecurityFileLabel,
                                           label);
    }

    return 0;
}
/*
 * Load (add) a profile, creating it first if it does not exist yet.
 *
 * @mgr:     security manager; its allow-disk-format-probing setting is
 *           forwarded to the helper as "-p 1" or "-p 0".
 * @profile: profile name, passed to the helper with "-u".
 * @def:     domain definition, formatted to XML and fed to the helper.
 * @fn:      optional file name; only forwarded when the profile already
 *           exists (replace mode).
 * @append:  selects "-F" (true) or "-f" (false) for @fn.
 *
 * Returns -1 if the domain XML cannot be formatted, otherwise the result of
 * virCommandRun() on the VIRT_AA_HELPER invocation.
 */
static int
load_profile(virSecurityManagerPtr mgr,
             const char *profile,
             virDomainDefPtr def,
             const char *fn,
             bool append)
{
    int ret = -1;
    bool create;
    char *domxml = NULL;
    virCommandPtr helper = NULL;
    const char *probe =
        virSecurityManagerGetAllowDiskFormatProbing(mgr) ? "1" : "0";

    /* NOTE(review): VIR_DOMAIN_XML_SECURE presumably makes the XML include
     * sensitive fields.  It is handed to the helper through the command's
     * input buffer below, not on the argument list. */
    domxml = virDomainDefFormat(def, VIR_DOMAIN_XML_SECURE);
    if (domxml == NULL)
        goto cleanup;

    /* A non-negative status means the profile file already exists, so the
     * helper is asked to replace ("-r") instead of create ("-c"). */
    create = profile_status_file(profile) < 0;

    /* @profile and @fn are passed as separate argument-list entries; no
     * command string is concatenated in this function. */
    helper = virCommandNewArgList(VIRT_AA_HELPER,
                                  "-p", probe,
                                  create ? "-c" : "-r",
                                  "-u", profile,
                                  NULL);

    if (!create && fn)
        virCommandAddArgList(helper, append ? "-F" : "-f", fn, NULL);

    virCommandSetInputBuffer(helper, domxml);
    ret = virCommandRun(helper, NULL);

 cleanup:
    VIR_FREE(domxml);
    virCommandFree(helper);

    return ret;
}
/*
 * Apply the domain's SELinux label to every path that backs @disk.
 *
 * @mgr:  security manager; supplies the disk-format-probing policy.
 * @def:  domain definition whose seclabel is applied.
 * @disk: disk whose backing paths are walked.
 *
 * Returns 0 without relabelling when the label has norelabel set or the disk
 * type is VIR_DOMAIN_DISK_TYPE_NETWORK; otherwise returns the result of
 * virDomainDiskDefForeachPath().
 */
static int
SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
                             virDomainDefPtr def,
                             virDomainDiskDefPtr disk)
{
    const virSecurityLabelDefPtr label = &def->seclabel;
    bool probeFormat = virSecurityManagerGetAllowDiskFormatProbing(mgr);

    /* Skip when relabelling is disabled or the disk is of network type. */
    if (label->norelabel || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
        return 0;

    /* The label definition is handed to the per-path callback as its opaque
     * argument.  The literal `true` is presumably the "ignore open failure"
     * flag -- confirm against virDomainDiskDefForeachPath's prototype. */
    return virDomainDiskDefForeachPath(disk,
                                       probeFormat,
                                       true,
                                       SELinuxSetSecurityFileLabel,
                                       label);
}