On 02/08/2017 02:32 PM, Peter Krempa wrote:
> On Wed, Feb 08, 2017 at 11:37:05 +0100, Michal Privoznik wrote:
>> Now that we have some qemuSecurity wrappers over
>> virSecurityManager APIs, let's make sure everybody sticks with
>> them. We have them for a reason and calling virSecurityManager
>> API directly instead of wrapper may lead to accidentally
>> labelling a file on the host instead of namespace.
>>
>> Signed-off-by: Michal Privoznik <[email protected]>
>> ---
>>  cfg.mk | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/cfg.mk b/cfg.mk
>> index 69e3f3a1a..6fb2fc961 100644
>> --- a/cfg.mk
>> +++ b/cfg.mk
>> @@ -585,6 +585,14 @@ sc_prohibit_unsigned_pid:
>>      halt='use signed type for pid values'                           \
>>        $(_sc_search_regexp)
>>  
>> +sc_prohibit_direct_secdriver:
>> +    @for i in $$(grep -i ^WRAP.\( src/qemu/qemu_security.c |                
>>         \
>> +    awk 'BEGIN {FS = "[^[:alnum:]]"} {print "virSecurityManager" $$2 }'); 
>> do        \
>> +      grep -n $$i $$($(VC_LIST_EXCEPT) | grep -E '^src/qemu/') && \
>> +      { echo "$(ME): prefer qemuSecurity$${i#virSecurityManager} over $$i" 
>> 1>&2; exit 1; }  \
>> +    done || :
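Review bot: sc_prohibit_direct_secdriver passes silently when the first grep over src/qemu/qemu_security.c finds no WRAP lines: the for list is then empty, the body never runs, and the recipe succeeds without checking anything. Consider collecting the names into a variable first and failing the rule if it is empty. Separately, `grep -n $$i` is unquoted and matches substrings, so a wrapped name that is a prefix of another virSecurityManager function would also flag callers of the longer one; `grep -nw "$$i"` avoids that. The file list covers everything under src/qemu/, which includes qemu_security.c itself, so any literal virSecurityManager call in that file would trip the rule unless the file is excluded somewhere not visible in this hunk.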
> 
> This won't work without the "WRAP" stuff so you'll need to come up with
> something else.
> 

Without WRAP it's going to be super tricky as I'd have to try to match
functions from qemu_security.h with those from security_manager.h. If
you have some bright idea, please do share it, because frankly I'm out
of them.

Michal

--
libvir-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libvir-list
