* [PATCH] security: don't try to label network disks
From: Josh Durgin @ 2011-12-10 3:49 UTC (permalink / raw)
To: libvir-list; +Cc: ceph-devel
Network disks don't have paths to be resolved or files to be checked
for ownership. ee3efc41e6233e625aa03003bf3127319ccd546f checked this
for some image label functions, but was partially reverted in a
refactor. This finishes adding the check to each security driver's
set and restore label methods for images.
Signed-off-by: Josh Durgin <josh.durgin@dreamhost.com>
---
src/security/security_apparmor.c | 3 +++
src/security/security_dac.c | 6 ++++++
src/security/security_selinux.c | 3 +++
3 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index db7e7dc..3a01a21 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -606,6 +606,9 @@ AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm,
virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
{
+ if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+ return 0;
+
return reload_profile(mgr, vm, NULL, false);
}
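Review bot: `disk` is now dereferenced by the new check, so the `ATTRIBUTE_UNUSED` annotation on the `virDomainDiskDefPtr disk` parameter shown in this hunk's context is no longer accurate and should be dropped from the signature. Also, the commit message says the check is added to each driver's set and restore label methods, but the AppArmor driver is only touched in AppArmorRestoreSecurityImageLabel here; confirm the AppArmor set-label path already skips network disks, or add the same early return there.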
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 0e75319..9f8a320 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -180,6 +180,9 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
if (!priv->dynamicOwnership)
return 0;
+ if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+ return 0;
+
return virDomainDiskDefForeachPath(disk,
virSecurityManagerGetAllowDiskFormatProbing(mgr),
false,
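Review bot: the early return in virSecurityDACSetSecurityImageLabel carries no explanation, and neither does the identical check in the other drivers; a one-line comment above it stating the reason from the commit message (network disks have no local path to chown, so there is nothing for virDomainDiskDefForeachPath to visit) would help the next reader, e.g. `/* Network disks have no local path to own; nothing to label */` before `if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)`.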
@@ -199,6 +202,9 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
if (!priv->dynamicOwnership)
return 0;
+ if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+ return 0;
+
/* Don't restore labels on readoly/shared disks, because
* other VMs may still be accessing these
* Alternatively we could iterate over all running
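Review bot: the new early return is correctly placed before the readonly/shared handling, so a network disk never reaches the path-walking code below; since this region of virSecurityDACRestoreSecurityImageLabelInt is being edited anyway, the typo in the context comment immediately after the check could be fixed as a drive-by: `/* Don't restore labels on readonly/shared disks, because`.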
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 78c0d45..6ef61c7 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -636,6 +636,9 @@ SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
if (secdef->norelabel)
return 0;
+ if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+ return 0;
+
return virDomainDiskDefForeachPath(disk,
allowDiskFormatProbing,
true,
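Review bot: only SELinuxSetSecurityImageLabel gains the check in this file (the diffstat shows 3 insertions for security_selinux.c), while the commit message describes adding it to both the set and restore methods of each driver; confirm that SELinuxRestoreSecurityImageLabel already short-circuits on VIR_DOMAIN_DISK_TYPE_NETWORK (for example, retained from ee3efc41 and not undone by the refactor), or add the matching `if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK) return 0;` there so the SELinux driver is not left asymmetric with DAC. Placing the check after the `secdef->norelabel` test mirrors the DAC ordering after `dynamicOwnership`, which is consistent.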
--
1.7.1
* Re: [libvirt] [PATCH] security: don't try to label network disks
From: Daniel P. Berrange @ 2011-12-11 22:38 UTC (permalink / raw)
To: Josh Durgin; +Cc: libvir-list, ceph-devel
On Fri, Dec 09, 2011 at 07:49:40PM -0800, Josh Durgin wrote:
> Network disks don't have paths to be resolved or files to be checked
> for ownership. ee3efc41e6233e625aa03003bf3127319ccd546f checked this
> for some image label functions, but was partially reverted in a
> refactor. This finishes adding the check to each security driver's
> set and restore label methods for images.
>
> Signed-off-by: Josh Durgin <josh.durgin@dreamhost.com>
> ---
> src/security/security_apparmor.c | 3 +++
> src/security/security_dac.c | 6 ++++++
> src/security/security_selinux.c | 3 +++
> 3 files changed, 12 insertions(+), 0 deletions(-)
ACK
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|