mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-03-14 12:58:33 +03:00
virSecurityManager: Track if running as privileged
We may want to make some decisions in drivers based on whether we are running as a privileged user or not. Propagate this info there. Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
parent
276c409163
commit
307fb9044c
@ -2646,7 +2646,7 @@ int main(int argc, char *argv[])
|
|||||||
|
|
||||||
if (!(ctrl->securityManager = virSecurityManagerNew(securityDriver,
|
if (!(ctrl->securityManager = virSecurityManagerNew(securityDriver,
|
||||||
LXC_DRIVER_NAME,
|
LXC_DRIVER_NAME,
|
||||||
false, false, false)))
|
false, false, false, false)))
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (ctrl->def->seclabels) {
|
if (ctrl->def->seclabels) {
|
||||||
|
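Review bot: The controller passes a literal `false` for the new `privileged` argument in `virSecurityManagerNew(securityDriver, LXC_DRIVER_NAME, false, false, false, false)`, while `lxcSecurityInit` in the next file section hard-codes `true`, so the two managers created for the same LXC driver will disagree as soon as a security driver branches on the flag. Whether the controller process runs with the same privileges as the daemon is not visible here; if it does, the call should end in `false, false, false, true)))`, or the value should be derived at runtime rather than written as a literal. A trailing `/* privileged */` comment on the bare literal would also make the four adjacent booleans readable. The body of `main` continues outside the hunk.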
@ -1558,7 +1558,8 @@ lxcSecurityInit(virLXCDriverConfigPtr cfg)
|
|||||||
LXC_DRIVER_NAME,
|
LXC_DRIVER_NAME,
|
||||||
false,
|
false,
|
||||||
cfg->securityDefaultConfined,
|
cfg->securityDefaultConfined,
|
||||||
cfg->securityRequireConfined);
|
cfg->securityRequireConfined,
|
||||||
|
true);
|
||||||
if (!mgr)
|
if (!mgr)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
|
@ -398,7 +398,8 @@ qemuSecurityInit(virQEMUDriverPtr driver)
|
|||||||
QEMU_DRIVER_NAME,
|
QEMU_DRIVER_NAME,
|
||||||
cfg->allowDiskFormatProbing,
|
cfg->allowDiskFormatProbing,
|
||||||
cfg->securityDefaultConfined,
|
cfg->securityDefaultConfined,
|
||||||
cfg->securityRequireConfined)))
|
cfg->securityRequireConfined,
|
||||||
|
virQEMUDriverIsPrivileged(driver))))
|
||||||
goto error;
|
goto error;
|
||||||
if (!stack) {
|
if (!stack) {
|
||||||
if (!(stack = virSecurityManagerNewStack(mgr)))
|
if (!(stack = virSecurityManagerNewStack(mgr)))
|
||||||
@ -415,7 +416,8 @@ qemuSecurityInit(virQEMUDriverPtr driver)
|
|||||||
QEMU_DRIVER_NAME,
|
QEMU_DRIVER_NAME,
|
||||||
cfg->allowDiskFormatProbing,
|
cfg->allowDiskFormatProbing,
|
||||||
cfg->securityDefaultConfined,
|
cfg->securityDefaultConfined,
|
||||||
cfg->securityRequireConfined)))
|
cfg->securityRequireConfined,
|
||||||
|
virQEMUDriverIsPrivileged(driver))))
|
||||||
goto error;
|
goto error;
|
||||||
if (!(stack = virSecurityManagerNewStack(mgr)))
|
if (!(stack = virSecurityManagerNewStack(mgr)))
|
||||||
goto error;
|
goto error;
|
||||||
@ -429,6 +431,7 @@ qemuSecurityInit(virQEMUDriverPtr driver)
|
|||||||
cfg->allowDiskFormatProbing,
|
cfg->allowDiskFormatProbing,
|
||||||
cfg->securityDefaultConfined,
|
cfg->securityDefaultConfined,
|
||||||
cfg->securityRequireConfined,
|
cfg->securityRequireConfined,
|
||||||
|
virQEMUDriverIsPrivileged(driver),
|
||||||
cfg->dynamicOwnership,
|
cfg->dynamicOwnership,
|
||||||
qemuSecurityChownCallback)))
|
qemuSecurityChownCallback)))
|
||||||
goto error;
|
goto error;
|
||||||
|
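Review bot: The third hunk of `qemuSecurityInit` passes the new argument in the wrong position: the call lists `virQEMUDriverIsPrivileged(driver),` before `cfg->dynamicOwnership,`, but the `virSecurityManagerNewDAC` definition and prototype changed in this same commit take `dynamicOwnership` first and `privileged` second. Both parameters are `bool`, so the compiler accepts the call, and the DAC manager would receive the privilege state as its dynamic-ownership setting and `cfg->dynamicOwnership` as its privileged flag. The two lines should be swapped so the call reads `cfg->dynamicOwnership,` then `virQEMUDriverIsPrivileged(driver),` then `qemuSecurityChownCallback)))`. The function starts and ends outside the hunks shown, so the other two call sites were checked only against the `virSecurityManagerNew` signature, which they match.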
@ -40,6 +40,7 @@ struct _virSecurityManager {
|
|||||||
bool allowDiskFormatProbing;
|
bool allowDiskFormatProbing;
|
||||||
bool defaultConfined;
|
bool defaultConfined;
|
||||||
bool requireConfined;
|
bool requireConfined;
|
||||||
|
bool privileged;
|
||||||
const char *virtDriver;
|
const char *virtDriver;
|
||||||
void *privateData;
|
void *privateData;
|
||||||
};
|
};
|
||||||
@ -78,7 +79,8 @@ virSecurityManagerNewDriver(virSecurityDriverPtr drv,
|
|||||||
const char *virtDriver,
|
const char *virtDriver,
|
||||||
bool allowDiskFormatProbing,
|
bool allowDiskFormatProbing,
|
||||||
bool defaultConfined,
|
bool defaultConfined,
|
||||||
bool requireConfined)
|
bool requireConfined,
|
||||||
|
bool privileged)
|
||||||
{
|
{
|
||||||
virSecurityManagerPtr mgr;
|
virSecurityManagerPtr mgr;
|
||||||
char *privateData;
|
char *privateData;
|
||||||
@ -87,10 +89,10 @@ virSecurityManagerNewDriver(virSecurityDriverPtr drv,
|
|||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
VIR_DEBUG("drv=%p (%s) virtDriver=%s allowDiskFormatProbing=%d "
|
VIR_DEBUG("drv=%p (%s) virtDriver=%s allowDiskFormatProbing=%d "
|
||||||
"defaultConfined=%d requireConfined=%d",
|
"defaultConfined=%d requireConfined=%d privileged=%d",
|
||||||
drv, drv->name, virtDriver,
|
drv, drv->name, virtDriver,
|
||||||
allowDiskFormatProbing, defaultConfined,
|
allowDiskFormatProbing, defaultConfined,
|
||||||
requireConfined);
|
requireConfined, privileged);
|
||||||
|
|
||||||
if (VIR_ALLOC_N(privateData, drv->privateDataLen) < 0)
|
if (VIR_ALLOC_N(privateData, drv->privateDataLen) < 0)
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -104,6 +106,7 @@ virSecurityManagerNewDriver(virSecurityDriverPtr drv,
|
|||||||
mgr->allowDiskFormatProbing = allowDiskFormatProbing;
|
mgr->allowDiskFormatProbing = allowDiskFormatProbing;
|
||||||
mgr->defaultConfined = defaultConfined;
|
mgr->defaultConfined = defaultConfined;
|
||||||
mgr->requireConfined = requireConfined;
|
mgr->requireConfined = requireConfined;
|
||||||
|
mgr->privileged = privileged;
|
||||||
mgr->virtDriver = virtDriver;
|
mgr->virtDriver = virtDriver;
|
||||||
mgr->privateData = privateData;
|
mgr->privateData = privateData;
|
||||||
|
|
||||||
@ -124,7 +127,8 @@ virSecurityManagerNewStack(virSecurityManagerPtr primary)
|
|||||||
virSecurityManagerGetDriver(primary),
|
virSecurityManagerGetDriver(primary),
|
||||||
virSecurityManagerGetAllowDiskFormatProbing(primary),
|
virSecurityManagerGetAllowDiskFormatProbing(primary),
|
||||||
virSecurityManagerGetDefaultConfined(primary),
|
virSecurityManagerGetDefaultConfined(primary),
|
||||||
virSecurityManagerGetRequireConfined(primary));
|
virSecurityManagerGetRequireConfined(primary),
|
||||||
|
virSecurityManagerGetPrivileged(primary));
|
||||||
|
|
||||||
if (!mgr)
|
if (!mgr)
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -153,6 +157,7 @@ virSecurityManagerNewDAC(const char *virtDriver,
|
|||||||
bool defaultConfined,
|
bool defaultConfined,
|
||||||
bool requireConfined,
|
bool requireConfined,
|
||||||
bool dynamicOwnership,
|
bool dynamicOwnership,
|
||||||
|
bool privileged,
|
||||||
virSecurityManagerDACChownCallback chownCallback)
|
virSecurityManagerDACChownCallback chownCallback)
|
||||||
{
|
{
|
||||||
virSecurityManagerPtr mgr =
|
virSecurityManagerPtr mgr =
|
||||||
@ -160,7 +165,8 @@ virSecurityManagerNewDAC(const char *virtDriver,
|
|||||||
virtDriver,
|
virtDriver,
|
||||||
allowDiskFormatProbing,
|
allowDiskFormatProbing,
|
||||||
defaultConfined,
|
defaultConfined,
|
||||||
requireConfined);
|
requireConfined,
|
||||||
|
privileged);
|
||||||
|
|
||||||
if (!mgr)
|
if (!mgr)
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -182,7 +188,8 @@ virSecurityManagerNew(const char *name,
|
|||||||
const char *virtDriver,
|
const char *virtDriver,
|
||||||
bool allowDiskFormatProbing,
|
bool allowDiskFormatProbing,
|
||||||
bool defaultConfined,
|
bool defaultConfined,
|
||||||
bool requireConfined)
|
bool requireConfined,
|
||||||
|
bool privileged)
|
||||||
{
|
{
|
||||||
virSecurityDriverPtr drv = virSecurityDriverLookup(name, virtDriver);
|
virSecurityDriverPtr drv = virSecurityDriverLookup(name, virtDriver);
|
||||||
if (!drv)
|
if (!drv)
|
||||||
@ -212,7 +219,8 @@ virSecurityManagerNew(const char *name,
|
|||||||
virtDriver,
|
virtDriver,
|
||||||
allowDiskFormatProbing,
|
allowDiskFormatProbing,
|
||||||
defaultConfined,
|
defaultConfined,
|
||||||
requireConfined);
|
requireConfined,
|
||||||
|
privileged);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -333,6 +341,13 @@ virSecurityManagerGetRequireConfined(virSecurityManagerPtr mgr)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
bool
|
||||||
|
virSecurityManagerGetPrivileged(virSecurityManagerPtr mgr)
|
||||||
|
{
|
||||||
|
return mgr->privileged;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* virSecurityManagerRestoreDiskLabel:
|
* virSecurityManagerRestoreDiskLabel:
|
||||||
* @mgr: security manager object
|
* @mgr: security manager object
|
||||||
|
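Review bot: `virSecurityManagerNewDAC` now takes a run of adjacent `bool` parameters (`defaultConfined`, `requireConfined`, `dynamicOwnership`, `privileged`), and `virSecurityManagerNewDriver` and `virSecurityManagerNew` end in a similar run, so a caller that transposes two of them compiles cleanly and misconfigures the security manager with no diagnostic. Folding these booleans into a single `unsigned int flags` argument with named bits would let call sites state intent and rule out a transposition; short of that, each constructor's doc comment should describe the new parameter. The added `virSecurityManagerGetPrivileged` and the `bool privileged;` field are also undocumented; a comment such as `/* true if the manager was created for a driver running as a privileged user */` would match the commit message. The constructors touched here begin and end outside the hunks shown.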
@ -34,7 +34,8 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
|
|||||||
const char *virtDriver,
|
const char *virtDriver,
|
||||||
bool allowDiskFormatProbing,
|
bool allowDiskFormatProbing,
|
||||||
bool defaultConfined,
|
bool defaultConfined,
|
||||||
bool requireConfined);
|
bool requireConfined,
|
||||||
|
bool privileged);
|
||||||
|
|
||||||
virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary);
|
virSecurityManagerPtr virSecurityManagerNewStack(virSecurityManagerPtr primary);
|
||||||
int virSecurityManagerStackAddNested(virSecurityManagerPtr stack,
|
int virSecurityManagerStackAddNested(virSecurityManagerPtr stack,
|
||||||
@ -62,6 +63,7 @@ virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
|
|||||||
bool defaultConfined,
|
bool defaultConfined,
|
||||||
bool requireConfined,
|
bool requireConfined,
|
||||||
bool dynamicOwnership,
|
bool dynamicOwnership,
|
||||||
|
bool privileged,
|
||||||
virSecurityManagerDACChownCallback chownCallback);
|
virSecurityManagerDACChownCallback chownCallback);
|
||||||
|
|
||||||
int virSecurityManagerPreFork(virSecurityManagerPtr mgr);
|
int virSecurityManagerPreFork(virSecurityManagerPtr mgr);
|
||||||
@ -77,6 +79,7 @@ const char *virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr, int virtTy
|
|||||||
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
|
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
|
||||||
bool virSecurityManagerGetDefaultConfined(virSecurityManagerPtr mgr);
|
bool virSecurityManagerGetDefaultConfined(virSecurityManagerPtr mgr);
|
||||||
bool virSecurityManagerGetRequireConfined(virSecurityManagerPtr mgr);
|
bool virSecurityManagerGetRequireConfined(virSecurityManagerPtr mgr);
|
||||||
|
bool virSecurityManagerGetPrivileged(virSecurityManagerPtr mgr);
|
||||||
|
|
||||||
int virSecurityManagerRestoreDiskLabel(virSecurityManagerPtr mgr,
|
int virSecurityManagerRestoreDiskLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
|
@ -361,7 +361,7 @@ mymain(void)
|
|||||||
if (!driver.lockManager)
|
if (!driver.lockManager)
|
||||||
return EXIT_FAILURE;
|
return EXIT_FAILURE;
|
||||||
|
|
||||||
if (!(mgr = virSecurityManagerNew("none", "qemu", false, false, false)))
|
if (!(mgr = virSecurityManagerNew("none", "qemu", false, false, false, true)))
|
||||||
return EXIT_FAILURE;
|
return EXIT_FAILURE;
|
||||||
if (!(driver.securityManager = virSecurityManagerNewStack(mgr)))
|
if (!(driver.securityManager = virSecurityManagerNewStack(mgr)))
|
||||||
return EXIT_FAILURE;
|
return EXIT_FAILURE;
|
||||||
|
@ -17,7 +17,7 @@ main(int argc ATTRIBUTE_UNUSED, char **argv ATTRIBUTE_UNUSED)
|
|||||||
if (virThreadInitialize() < 0)
|
if (virThreadInitialize() < 0)
|
||||||
return EXIT_FAILURE;
|
return EXIT_FAILURE;
|
||||||
|
|
||||||
mgr = virSecurityManagerNew(NULL, "QEMU", false, true, false);
|
mgr = virSecurityManagerNew(NULL, "QEMU", false, true, false, false);
|
||||||
if (mgr == NULL) {
|
if (mgr == NULL) {
|
||||||
fprintf(stderr, "Failed to start security driver");
|
fprintf(stderr, "Failed to start security driver");
|
||||||
return EXIT_FAILURE;
|
return EXIT_FAILURE;
|
||||||
|
@ -351,7 +351,7 @@ mymain(void)
|
|||||||
if (!rc)
|
if (!rc)
|
||||||
return EXIT_AM_SKIP;
|
return EXIT_AM_SKIP;
|
||||||
|
|
||||||
if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false))) {
|
if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false, true))) {
|
||||||
virErrorPtr err = virGetLastError();
|
virErrorPtr err = virGetLastError();
|
||||||
VIR_TEST_VERBOSE("Unable to initialize security driver: %s\n",
|
VIR_TEST_VERBOSE("Unable to initialize security driver: %s\n",
|
||||||
err->message);
|
err->message);
|
||||||
|
@ -272,7 +272,7 @@ mymain(void)
|
|||||||
int ret = 0;
|
int ret = 0;
|
||||||
virSecurityManagerPtr mgr;
|
virSecurityManagerPtr mgr;
|
||||||
|
|
||||||
if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false))) {
|
if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false, true))) {
|
||||||
virErrorPtr err = virGetLastError();
|
virErrorPtr err = virGetLastError();
|
||||||
fprintf(stderr, "Unable to initialize security driver: %s\n",
|
fprintf(stderr, "Unable to initialize security driver: %s\n",
|
||||||
err->message);
|
err->message);
|
||||||
|