Re: [libvirt] [PATCH 1/4] conf: introduce seclabels in shmem device element

2015-08-03 Thread lhuang


On 07/30/2015 06:28 PM, Daniel P. Berrange wrote:

On Thu, Jul 23, 2015 at 06:13:46PM +0800, Luyao Huang wrote:

Introduce a new element in shmem device element, this
could help users to change the shm label to a specified
label.

Signed-off-by: Luyao Huang lhu...@redhat.com
---
  docs/formatdomain.html.in |  7 ++
  docs/schemas/domaincommon.rng |  3 +++
  src/conf/domain_conf.c| 55 ++-
  src/conf/domain_conf.h|  5 
  4 files changed, 59 insertions(+), 11 deletions(-)

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index d0c1741..e02c67c 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6098,6 +6098,13 @@ qemu-kvm -net nic,model=? /dev/null
vectors. The codeioeventd/code attribute enables/disables (values
on/off, respectively) ioeventfd.
  /dd
+dtcodeseclabel/code/dt
+dd
+  The  optional codeseclabel/code to override the way that labelling
+  is done on the shm object path or shm server path.  If this
+  element is not present, the a href=#seclabelsecurity label is 
inherited
+  from the per-domain setting/a.
+/dd
/dl
  
  h4a name=elementsMemoryMemory devices/a/h4

diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 1120003..f58e8de 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -3323,6 +3323,9 @@
  /optional
/element
  /optional
+zeroOrMore
+  ref name='devSeclabel'/
+/zeroOrMore
  optional
ref name=address/
  /optional

So in the disk XML we have an explicit element to indicate whether the
device is intended to be shared across multiple guests. shareable/

I think we need to have the same flag added to the shm device too, so
that we sanity check whether a particular shm was intended to be shared
or whether it is a mistake when multiple guests use it. This will also
allow us to integrate with the virtlockd to acquire exclusive locks
against the shm device to actively prevent admin mistakes starting
2 guests with the same shm. It will also let us automatically choose
the right default SELinux label ie svirt_image_t:s0:c214,c3242 for
exclusive access vs svirt_image_t:s0 for shared access



Good idea! I will introduce this new element in the next version.

Thanks a lot for your advice.


Regards,
Daniel


Luyao



Re: [libvirt] [PATCH 1/4] conf: introduce seclabels in shmem device element

2015-07-30 Thread lhuang

Hi Marc-André

On 07/27/2015 11:42 PM, Marc-André Lureau wrote:

Hi

On Thu, Jul 23, 2015 at 12:13 PM, Luyao Huang lhu...@redhat.com wrote:

Introduce a new element in shmem device element, this
could help users to change the shm label to a specified
label.

Signed-off-by: Luyao Huang lhu...@redhat.com
---
  docs/formatdomain.html.in |  7 ++
  docs/schemas/domaincommon.rng |  3 +++
  src/conf/domain_conf.c| 55 ++-
  src/conf/domain_conf.h|  5 
  4 files changed, 59 insertions(+), 11 deletions(-)


It would be better with a small test, checking parsing and format.


Oh, right, I forgot that. Thanks for pointing it out; I will add them
in the next version.



diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index d0c1741..e02c67c 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6098,6 +6098,13 @@ qemu-kvm -net nic,model=? /dev/null
vectors. The codeioeventd/code attribute enables/disables (values
on/off, respectively) ioeventfd.
  /dd
+dtcodeseclabel/code/dt
+dd
+  The  optional codeseclabel/code to override the way that labelling

The element may contain an optional code...


Okay


+  is done on the shm object path or shm server path.  If this
+  element is not present, the a href=#seclabelsecurity label is 
inherited
+  from the per-domain setting/a.
+/dd
/dl

  h4a name=elementsMemoryMemory devices/a/h4
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 1120003..f58e8de 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -3323,6 +3323,9 @@
  /optional
/element
  /optional
+zeroOrMore
+  ref name='devSeclabel'/
+/zeroOrMore
  optional
ref name=address/
  /optional
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 73ac537..cb3d72a 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -11261,6 +11261,8 @@ virDomainNVRAMDefParseXML(xmlNodePtr node,
  static virDomainShmemDefPtr
  virDomainShmemDefParseXML(xmlNodePtr node,
xmlXPathContextPtr ctxt,
+  virSecurityLabelDefPtr* vmSeclabels,
+  int nvmSeclabels,
unsigned int flags)
  {
  char *tmp = NULL;
@@ -11332,6 +11334,10 @@ virDomainShmemDefParseXML(xmlNodePtr node,
  if (virDomainDeviceInfoParseXML(node, NULL, def-info, flags)  0)
  goto cleanup;

+if (virSecurityDeviceLabelDefParseXML(def-seclabels, def-nseclabels,
+  vmSeclabels, nvmSeclabels,
+  ctxt, flags)  0)
+goto cleanup;

  ret = def;
  def = NULL;
@@ -12457,7 +12463,11 @@ virDomainDeviceDefParse(const char *xmlStr,
  goto error;
  break;
  case VIR_DOMAIN_DEVICE_SHMEM:
-if (!(dev-data.shmem = virDomainShmemDefParseXML(node, ctxt, flags)))
+if (!(dev-data.shmem = virDomainShmemDefParseXML(node,
+  ctxt,
+  def-seclabels,
+  def-nseclabels,
+  flags)))
  goto error;
  break;
  case VIR_DOMAIN_DEVICE_TPM:
@@ -16136,7 +16146,8 @@ virDomainDefParseXML(xmlDocPtr xml,
  for (i = 0; i  n; i++) {
  virDomainShmemDefPtr shmem;
  ctxt-node = nodes[i];
-shmem = virDomainShmemDefParseXML(nodes[i], ctxt, flags);
+shmem = virDomainShmemDefParseXML(nodes[i], ctxt, def-seclabels,
+  def-nseclabels, flags);
  if (!shmem)
  goto error;

@@ -20308,6 +20319,8 @@ virDomainShmemDefFormat(virBufferPtr buf,
  virDomainShmemDefPtr def,
  unsigned int flags)
  {
+size_t n;
+
  virBufferEscapeString(buf, shmem name='%s', def-name);

  if (!def-size 
@@ -20341,6 +20354,9 @@ virDomainShmemDefFormat(virBufferPtr buf,
  virBufferAddLit(buf, /\n);
  }

+for (n = 0; n  def-nseclabels; n++)
+virSecurityDeviceLabelDefFormat(buf, def-seclabels[n], flags);
+
  if (virDomainDeviceInfoFormat(buf, def-info, flags)  0)
  return -1;

@@ -23851,11 +23867,25 @@ virDomainObjListExport(virDomainObjListPtr domlist,
  }


+static virSecurityDeviceLabelDefPtr
+virDomainGetDeviceSecurityLabelDef(virSecurityDeviceLabelDefPtr *seclabels,
+   size_t nseclabels,
+   const char *model)
+{
+size_t i;
+
+for (i = 0; i  nseclabels; i++) {
+if (STREQ_NULLABLE(seclabels[i]-model, model))
+return seclabels[i];
+}
+return NULL;
+}
+
+
  

Re: [libvirt] [PATCH 1/4] conf: introduce seclabels in shmem device element

2015-07-30 Thread lhuang


On 07/30/2015 05:48 PM, Daniel P. Berrange wrote:

On Thu, Jul 23, 2015 at 06:13:46PM +0800, Luyao Huang wrote:

Introduce a new element in shmem device element, this
could help users to change the shm label to a specified
label.

Signed-off-by: Luyao Huang lhu...@redhat.com
---
  docs/formatdomain.html.in |  7 ++
  docs/schemas/domaincommon.rng |  3 +++
  src/conf/domain_conf.c| 55 ++-
  src/conf/domain_conf.h|  5 
  4 files changed, 59 insertions(+), 11 deletions(-)

As already mentioned, this must include additions to the qemu tests
suite for XML to XML conversion.


I must have forgotten this while writing the patch. Thanks for pointing
that out; I will add tests for the new XML element in the next version.


Thanks a lot for your review.


Regards,
Daniel


Luyao



Re: [libvirt] [PATCH 1/4] conf: introduce seclabels in shmem device element

2015-07-30 Thread Daniel P. Berrange
On Thu, Jul 23, 2015 at 06:13:46PM +0800, Luyao Huang wrote:
 Introduce a new element in shmem device element, this
 could help users to change the shm label to a specified
 label.
 
 Signed-off-by: Luyao Huang lhu...@redhat.com
 ---
  docs/formatdomain.html.in |  7 ++
  docs/schemas/domaincommon.rng |  3 +++
  src/conf/domain_conf.c| 55 
 ++-
  src/conf/domain_conf.h|  5 
  4 files changed, 59 insertions(+), 11 deletions(-)

As already mentioned, this must include additions to the qemu tests
suite for XML to XML conversion.

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|



Re: [libvirt] [PATCH 1/4] conf: introduce seclabels in shmem device element

2015-07-30 Thread Daniel P. Berrange
On Thu, Jul 23, 2015 at 06:13:46PM +0800, Luyao Huang wrote:
 Introduce a new element in shmem device element, this
 could help users to change the shm label to a specified
 label.
 
 Signed-off-by: Luyao Huang lhu...@redhat.com
 ---
  docs/formatdomain.html.in |  7 ++
  docs/schemas/domaincommon.rng |  3 +++
  src/conf/domain_conf.c| 55 
 ++-
  src/conf/domain_conf.h|  5 
  4 files changed, 59 insertions(+), 11 deletions(-)
 
 diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
 index d0c1741..e02c67c 100644
 --- a/docs/formatdomain.html.in
 +++ b/docs/formatdomain.html.in
 @@ -6098,6 +6098,13 @@ qemu-kvm -net nic,model=? /dev/null
vectors. The codeioeventd/code attribute enables/disables (values
on/off, respectively) ioeventfd.
  /dd
 +dtcodeseclabel/code/dt
 +dd
 +  The  optional codeseclabel/code to override the way that labelling
 +  is done on the shm object path or shm server path.  If this
 +  element is not present, the a href=#seclabelsecurity label is 
 inherited
 +  from the per-domain setting/a.
 +/dd
/dl
  
  h4a name=elementsMemoryMemory devices/a/h4
 diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
 index 1120003..f58e8de 100644
 --- a/docs/schemas/domaincommon.rng
 +++ b/docs/schemas/domaincommon.rng
 @@ -3323,6 +3323,9 @@
  /optional
/element
  /optional
 +zeroOrMore
 +  ref name='devSeclabel'/
 +/zeroOrMore
  optional
ref name=address/
  /optional

So in the disk XML we have an explicit element to indicate whether the
device is intended to be shared across multiple guests. <shareable/>

I think we need to have the same flag added to the shm device too, so
that we sanity check whether a particular shm was intended to be shared
or whether it is a mistake when multiple guests use it. This will also
allow us to integrate with the virtlockd to acquire exclusive locks
against the shm device to actively prevent admin mistakes starting
2 guests with the same shm. It will also let us automatically choose
the right default SELinux label ie svirt_image_t:s0:c214,c3242 for
exclusive access vs svirt_image_t:s0 for shared access


Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|



Re: [libvirt] [PATCH 1/4] conf: introduce seclabels in shmem device element

2015-07-27 Thread Marc-André Lureau
Hi

On Thu, Jul 23, 2015 at 12:13 PM, Luyao Huang lhu...@redhat.com wrote:
 Introduce a new element in shmem device element, this
 could help users to change the shm label to a specified
 label.

 Signed-off-by: Luyao Huang lhu...@redhat.com
 ---
  docs/formatdomain.html.in |  7 ++
  docs/schemas/domaincommon.rng |  3 +++
  src/conf/domain_conf.c| 55 
 ++-
  src/conf/domain_conf.h|  5 
  4 files changed, 59 insertions(+), 11 deletions(-)


It would be better with a small test, checking parsing and format.

 diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
 index d0c1741..e02c67c 100644
 --- a/docs/formatdomain.html.in
 +++ b/docs/formatdomain.html.in
 @@ -6098,6 +6098,13 @@ qemu-kvm -net nic,model=? /dev/null
vectors. The codeioeventd/code attribute enables/disables (values
on/off, respectively) ioeventfd.
  /dd
 +dtcodeseclabel/code/dt
 +dd
 +  The  optional codeseclabel/code to override the way that labelling

The element may contain an optional code...

 +  is done on the shm object path or shm server path.  If this
 +  element is not present, the a href=#seclabelsecurity label is 
 inherited
 +  from the per-domain setting/a.
 +/dd
/dl

  h4a name=elementsMemoryMemory devices/a/h4
 diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
 index 1120003..f58e8de 100644
 --- a/docs/schemas/domaincommon.rng
 +++ b/docs/schemas/domaincommon.rng
 @@ -3323,6 +3323,9 @@
  /optional
/element
  /optional
 +zeroOrMore
 +  ref name='devSeclabel'/
 +/zeroOrMore
  optional
ref name=address/
  /optional
 diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
 index 73ac537..cb3d72a 100644
 --- a/src/conf/domain_conf.c
 +++ b/src/conf/domain_conf.c
 @@ -11261,6 +11261,8 @@ virDomainNVRAMDefParseXML(xmlNodePtr node,
  static virDomainShmemDefPtr
  virDomainShmemDefParseXML(xmlNodePtr node,
xmlXPathContextPtr ctxt,
 +  virSecurityLabelDefPtr* vmSeclabels,
 +  int nvmSeclabels,
unsigned int flags)
  {
  char *tmp = NULL;
 @@ -11332,6 +11334,10 @@ virDomainShmemDefParseXML(xmlNodePtr node,
  if (virDomainDeviceInfoParseXML(node, NULL, def-info, flags)  0)
  goto cleanup;

 +if (virSecurityDeviceLabelDefParseXML(def-seclabels, def-nseclabels,
 +  vmSeclabels, nvmSeclabels,
 +  ctxt, flags)  0)
 +goto cleanup;

  ret = def;
  def = NULL;
 @@ -12457,7 +12463,11 @@ virDomainDeviceDefParse(const char *xmlStr,
  goto error;
  break;
  case VIR_DOMAIN_DEVICE_SHMEM:
 -if (!(dev-data.shmem = virDomainShmemDefParseXML(node, ctxt, 
 flags)))
 +if (!(dev-data.shmem = virDomainShmemDefParseXML(node,
 +  ctxt,
 +  def-seclabels,
 +  def-nseclabels,
 +  flags)))
  goto error;
  break;
  case VIR_DOMAIN_DEVICE_TPM:
 @@ -16136,7 +16146,8 @@ virDomainDefParseXML(xmlDocPtr xml,
  for (i = 0; i  n; i++) {
  virDomainShmemDefPtr shmem;
  ctxt-node = nodes[i];
 -shmem = virDomainShmemDefParseXML(nodes[i], ctxt, flags);
 +shmem = virDomainShmemDefParseXML(nodes[i], ctxt, def-seclabels,
 +  def-nseclabels, flags);
  if (!shmem)
  goto error;

 @@ -20308,6 +20319,8 @@ virDomainShmemDefFormat(virBufferPtr buf,
  virDomainShmemDefPtr def,
  unsigned int flags)
  {
 +size_t n;
 +
  virBufferEscapeString(buf, shmem name='%s', def-name);

  if (!def-size 
 @@ -20341,6 +20354,9 @@ virDomainShmemDefFormat(virBufferPtr buf,
  virBufferAddLit(buf, /\n);
  }

 +for (n = 0; n  def-nseclabels; n++)
 +virSecurityDeviceLabelDefFormat(buf, def-seclabels[n], flags);
 +
  if (virDomainDeviceInfoFormat(buf, def-info, flags)  0)
  return -1;

 @@ -23851,11 +23867,25 @@ virDomainObjListExport(virDomainObjListPtr domlist,
  }


 +static virSecurityDeviceLabelDefPtr
 +virDomainGetDeviceSecurityLabelDef(virSecurityDeviceLabelDefPtr *seclabels,
 +   size_t nseclabels,
 +   const char *model)
 +{
 +size_t i;
 +
 +for (i = 0; i  nseclabels; i++) {
 +if (STREQ_NULLABLE(seclabels[i]-model, model))
 +return seclabels[i];
 +}
 +return NULL;
 +}
 +
 +
  virSecurityLabelDefPtr
  virDomainDefGetSecurityLabelDef(virDomainDefPtr def, const char 

[libvirt] [PATCH 1/4] conf: introduce seclabels in shmem device element

2015-07-23 Thread Luyao Huang
Introduce a new element in shmem device element, this
could help users to change the shm label to a specified
label.

Signed-off-by: Luyao Huang lhu...@redhat.com
---
 docs/formatdomain.html.in |  7 ++
 docs/schemas/domaincommon.rng |  3 +++
 src/conf/domain_conf.c| 55 ++-
 src/conf/domain_conf.h|  5 
 4 files changed, 59 insertions(+), 11 deletions(-)

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index d0c1741..e02c67c 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -6098,6 +6098,13 @@ qemu-kvm -net nic,model=? /dev/null
   vectors. The codeioeventd/code attribute enables/disables (values
   on/off, respectively) ioeventfd.
 /dd
+dtcodeseclabel/code/dt
+dd
+  The  optional codeseclabel/code to override the way that labelling
+  is done on the shm object path or shm server path.  If this
+  element is not present, the a href=#seclabelsecurity label is 
inherited
+  from the per-domain setting/a.
+/dd
   /dl
 
 h4a name=elementsMemoryMemory devices/a/h4
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 1120003..f58e8de 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -3323,6 +3323,9 @@
 /optional
   /element
 /optional
+zeroOrMore
+  ref name='devSeclabel'/
+/zeroOrMore
 optional
   ref name=address/
 /optional
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 73ac537..cb3d72a 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -11261,6 +11261,8 @@ virDomainNVRAMDefParseXML(xmlNodePtr node,
 static virDomainShmemDefPtr
 virDomainShmemDefParseXML(xmlNodePtr node,
   xmlXPathContextPtr ctxt,
+  virSecurityLabelDefPtr* vmSeclabels,
+  int nvmSeclabels,
   unsigned int flags)
 {
 char *tmp = NULL;
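Review bot: The new `virSecurityLabelDefPtr* vmSeclabels` parameter binds the `*` to the type, while the rest of this patch binds it to the name, as in the helper's `virSecurityDeviceLabelDefPtr *seclabels` further down; `virSecurityLabelDefPtr *vmSeclabels,` would match. The count is taken as `int nvmSeclabels`, yet both callers pass `def->nseclabels`, which the helper's own `size_t nseclabels` parameter suggests is a size_t, so the value is silently narrowed at every call site; if virSecurityDeviceLabelDefParseXML's prototype already takes an int, accepting `size_t nvmSeclabels` here and converting once inside keeps that narrowing in one place. The body of virDomainShmemDefParseXML continues past the end of the hunk. The same hunk is quoted in the replies above.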
@@ -11332,6 +11334,10 @@ virDomainShmemDefParseXML(xmlNodePtr node,
 if (virDomainDeviceInfoParseXML(node, NULL, def-info, flags)  0)
 goto cleanup;
 
+if (virSecurityDeviceLabelDefParseXML(def-seclabels, def-nseclabels,
+  vmSeclabels, nvmSeclabels,
+  ctxt, flags)  0)
+goto cleanup;
 
 ret = def;
 def = NULL;
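Review bot: Nothing in the visible hunks releases the labels that virSecurityDeviceLabelDefParseXML now attaches to `def->seclabels`; unless the companion change to virDomainShmemDefFree is in a part of the diff not shown here or in a later patch of the series, every parsed shmem definition leaks its seclabel array, and the `goto cleanup` path that discards a half-built def leaks it too if cleanup routes through that same free function. The free side needs the usual loop, `for (i = 0; i < def->nseclabels; i++) virSecurityDeviceLabelDefFree(def->seclabels[i]);` followed by `VIR_FREE(def->seclabels);`. A one-line comment above the new call, such as `/* per-device labels are parsed against the domain's own seclabel models */`, would also tell a reader why the domain-level array is threaded into a device parser; I am inferring that purpose from the argument list, so confirm it before writing it. The enclosing function starts before this hunk.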
@@ -12457,7 +12463,11 @@ virDomainDeviceDefParse(const char *xmlStr,
 goto error;
 break;
 case VIR_DOMAIN_DEVICE_SHMEM:
-if (!(dev-data.shmem = virDomainShmemDefParseXML(node, ctxt, flags)))
+if (!(dev-data.shmem = virDomainShmemDefParseXML(node,
+  ctxt,
+  def-seclabels,
+  def-nseclabels,
+  flags)))
 goto error;
 break;
 case VIR_DOMAIN_DEVICE_TPM:
@@ -16136,7 +16146,8 @@ virDomainDefParseXML(xmlDocPtr xml,
 for (i = 0; i  n; i++) {
 virDomainShmemDefPtr shmem;
 ctxt-node = nodes[i];
-shmem = virDomainShmemDefParseXML(nodes[i], ctxt, flags);
+shmem = virDomainShmemDefParseXML(nodes[i], ctxt, def-seclabels,
+  def-nseclabels, flags);
 if (!shmem)
 goto error;
 
@@ -20308,6 +20319,8 @@ virDomainShmemDefFormat(virBufferPtr buf,
 virDomainShmemDefPtr def,
 unsigned int flags)
 {
+size_t n;
+
 virBufferEscapeString(buf, shmem name='%s', def-name);
 
 if (!def-size 
@@ -20341,6 +20354,9 @@ virDomainShmemDefFormat(virBufferPtr buf,
 virBufferAddLit(buf, /\n);
 }
 
+for (n = 0; n  def-nseclabels; n++)
+virSecurityDeviceLabelDefFormat(buf, def-seclabels[n], flags);
+
 if (virDomainDeviceInfoFormat(buf, def-info, flags)  0)
 return -1;
 
@@ -23851,11 +23867,25 @@ virDomainObjListExport(virDomainObjListPtr domlist,
 }
 
 
+static virSecurityDeviceLabelDefPtr
+virDomainGetDeviceSecurityLabelDef(virSecurityDeviceLabelDefPtr *seclabels,
+   size_t nseclabels,
+   const char *model)
+{
+size_t i;
+
+for (i = 0; i  nseclabels; i++) {
+if (STREQ_NULLABLE(seclabels[i]-model, model))
+return seclabels[i];
+}
+return NULL;
+}
+
+
 virSecurityLabelDefPtr
 virDomainDefGetSecurityLabelDef(virDomainDefPtr def, const char *model)
 {
 size_t i;
-virSecurityLabelDefPtr seclabel = NULL;
 
 if (def == NULL || model == NULL)
 return NULL;
@@ -23866,24 +23896,27 @@ virDomainDefGetSecurityLabelDef(virDomainDefPtr def, 
const char *model)
 if (STREQ(def-seclabels[i]-model, model))
 return