shaba/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-09 20:58:33 +03:00
Code Releases Activity

conf: Fix even implicit labels

Browse Source 
https://bugzilla.redhat.com/show_bug.cgi?id=1027096#c8

There are two ways in which security model can make it way into
<seclabel/>. One is as the @model attribute, the second one is
via security_driver knob in qemu.conf. Then, while parsing
<seclabel/> several checks and fix ups of old, stale combinations
are performed. However, iff @model is specified. They are not
done in the latter case. So it's still possible to feed libvirt
with senseless combinations (if qemu.conf is adjusted correctly).

One example of a seclabel that needs some adjustment (in case
security_driver=none in qemu.conf) is:

    <seclabel type='dynamic' relabel='yes'/>

The fixup code is copied from virSecurityLabelDefParseXML
(covering the former case) into virSecurityLabelDefsParseXML
(which handles the latter case).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Michal Privoznik 2014-09-03 18:07:45 +02:00
parent cefe0ba3db
commit d869a6ea03
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/conf/domain_conf.c
View File

@ -4974,6 +4974,13 @@ virSecurityLabelDefsParseXML(virDomainDefPtr def,
host->secModels[0].model);
if (VIR_STRDUP(def->seclabels[0]->model, host->secModels[0].model) < 0)
goto error;
if (STREQ(def->seclabels[0]->model, "none") &&
flags & VIR_DOMAIN_XML_INACTIVE) {
/* Fix older configurations */
def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE;
def->seclabels[0]->relabel = false;
}
} else {
virReportError(VIR_ERR_XML_ERROR, "%s",
_("missing security model in domain seclabel"));