144 lines
5.8 KiB
Diff
144 lines
5.8 KiB
Diff
|
diff -rup libvirt-0.6.1.orig/src/qemu_driver.c libvirt-0.6.1.new/src/qemu_driver.c
|
||
|
--- libvirt-0.6.1.orig/src/qemu_driver.c 2009-03-17 11:57:04.000000000 +0000
|
||
|
+++ libvirt-0.6.1.new/src/qemu_driver.c 2009-03-17 11:57:12.000000000 +0000
|
||
|
@@ -3765,7 +3765,7 @@ static int qemudDomainAttachDevice(virDo
|
||
|
goto cleanup;
|
||
|
}
|
||
|
if (driver->securityDriver)
|
||
|
- driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev);
|
||
|
+ driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev->data.disk);
|
||
|
break;
|
||
|
|
||
|
default:
|
||
|
@@ -3901,7 +3901,7 @@ static int qemudDomainDetachDevice(virDo
|
||
|
dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) {
|
||
|
ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev);
|
||
|
if (driver->securityDriver)
|
||
|
- driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev);
|
||
|
+ driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, dev->data.disk);
|
||
|
}
|
||
|
else
|
||
|
qemudReportError(dom->conn, dom, NULL, VIR_ERR_NO_SUPPORT,
|
||
|
diff -rup libvirt-0.6.1.orig/src/security.h libvirt-0.6.1.new/src/security.h
|
||
|
--- libvirt-0.6.1.orig/src/security.h 2009-03-03 16:40:46.000000000 +0000
|
||
|
+++ libvirt-0.6.1.new/src/security.h 2009-03-17 11:57:12.000000000 +0000
|
||
|
@@ -32,11 +32,10 @@ typedef virSecurityDriverStatus (*virSec
|
||
|
typedef int (*virSecurityDriverOpen) (virConnectPtr conn,
|
||
|
virSecurityDriverPtr drv);
|
||
|
typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn,
|
||
|
- virDomainObjPtr vm,
|
||
|
- virDomainDeviceDefPtr dev);
|
||
|
+ virDomainDiskDefPtr disk);
|
||
|
typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
|
||
|
virDomainObjPtr vm,
|
||
|
- virDomainDeviceDefPtr dev);
|
||
|
+ virDomainDiskDefPtr disk);
|
||
|
typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn,
|
||
|
virDomainObjPtr sec);
|
||
|
typedef int (*virSecurityDomainGetLabel) (virConnectPtr conn,
|
||
|
diff -rup libvirt-0.6.1.orig/src/security_selinux.c libvirt-0.6.1.new/src/security_selinux.c
|
||
|
--- libvirt-0.6.1.orig/src/security_selinux.c 2009-03-03 16:40:46.000000000 +0000
|
||
|
+++ libvirt-0.6.1.new/src/security_selinux.c 2009-03-17 11:57:12.000000000 +0000
|
||
|
@@ -269,7 +269,7 @@ SELinuxGetSecurityLabel(virConnectPtr co
|
||
|
}
|
||
|
|
||
|
static int
|
||
|
-SELinuxSetFilecon(virConnectPtr conn, char *path, char *tcon)
|
||
|
+SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
|
||
|
{
|
||
|
char ebuf[1024];
|
||
|
|
||
|
@@ -288,28 +288,51 @@ SELinuxSetFilecon(virConnectPtr conn, ch
|
||
|
|
||
|
static int
|
||
|
SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
|
||
|
- virDomainObjPtr vm,
|
||
|
- virDomainDeviceDefPtr dev)
|
||
|
+ virDomainDiskDefPtr disk)
|
||
|
{
|
||
|
- const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
||
|
+ struct stat buf;
|
||
|
+ security_context_t fcon = NULL;
|
||
|
+ int rc = -1;
|
||
|
+ char *newpath = NULL;
|
||
|
+ const char *path = disk->src;
|
||
|
|
||
|
- if (secdef->imagelabel) {
|
||
|
- return SELinuxSetFilecon(conn, dev->data.disk->src, default_image_context);
|
||
|
+ if (disk->readonly || disk->shared)
|
||
|
+ return 0;
|
||
|
+
|
||
|
+ if (lstat(path, &buf) != 0)
|
||
|
+ return -1;
|
||
|
+
|
||
|
+ if (S_ISLNK(buf.st_mode)) {
|
||
|
+ if (VIR_ALLOC_N(newpath, buf.st_size + 1) < 0)
|
||
|
+ return -1;
|
||
|
+
|
||
|
+ if (readlink(path, newpath, buf.st_size) < 0)
|
||
|
+ goto err;
|
||
|
+ path = newpath;
|
||
|
+ if (stat(path, &buf) != 0)
|
||
|
+ goto err;
|
||
|
}
|
||
|
- return 0;
|
||
|
+
|
||
|
+ if (matchpathcon(path, buf.st_mode, &fcon) == 0) {
|
||
|
+ rc = SELinuxSetFilecon(conn, path, fcon);
|
||
|
+ }
|
||
|
+err:
|
||
|
+ VIR_FREE(fcon);
|
||
|
+ VIR_FREE(newpath);
|
||
|
+ return rc;
|
||
|
}
|
||
|
|
||
|
static int
|
||
|
SELinuxSetSecurityImageLabel(virConnectPtr conn,
|
||
|
virDomainObjPtr vm,
|
||
|
- virDomainDeviceDefPtr dev)
|
||
|
+ virDomainDiskDefPtr disk)
|
||
|
|
||
|
{
|
||
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
||
|
|
||
|
- if (secdef->imagelabel) {
|
||
|
- return SELinuxSetFilecon(conn, dev->data.disk->src, secdef->imagelabel);
|
||
|
- }
|
||
|
+ if (secdef->imagelabel)
|
||
|
+ return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
|
||
|
+
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
@@ -322,7 +345,7 @@ SELinuxRestoreSecurityLabel(virConnectPt
|
||
|
int rc = 0;
|
||
|
if (secdef->imagelabel) {
|
||
|
for (i = 0 ; i < vm->def->ndisks ; i++) {
|
||
|
- if (SELinuxSetFilecon(conn, vm->def->disks[i]->src, default_image_context) < 0)
|
||
|
+ if (SELinuxRestoreSecurityImageLabel(conn, vm->def->disks[i]) < 0)
|
||
|
rc = -1;
|
||
|
}
|
||
|
VIR_FREE(secdef->model);
|
||
|
@@ -368,16 +391,11 @@ SELinuxSetSecurityLabel(virConnectPtr co
|
||
|
|
||
|
if (secdef->imagelabel) {
|
||
|
for (i = 0 ; i < vm->def->ndisks ; i++) {
|
||
|
- if(setfilecon(vm->def->disks[i]->src, secdef->imagelabel) < 0) {
|
||
|
- virSecurityReportError(conn, VIR_ERR_ERROR,
|
||
|
- _("%s: unable to set security context "
|
||
|
- "'\%s\' on %s: %s."), __func__,
|
||
|
- secdef->imagelabel,
|
||
|
- vm->def->disks[i]->src,
|
||
|
- virStrerror(errno, ebuf, sizeof ebuf));
|
||
|
- if (security_getenforce() == 1)
|
||
|
- return -1;
|
||
|
- }
|
||
|
+ if (vm->def->disks[i]->readonly ||
|
||
|
+ vm->def->disks[i]->shared) continue;
|
||
|
+
|
||
|
+ if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
|
||
|
+ return -1;
|
||
|
}
|
||
|
}
|
||
|
|