diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 072fcc7619..6a6d2eced3 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -812,15 +812,6 @@ virSecurityLabelDefClear(virSecurityLabelDefPtr def) VIR_FREE(def->baselabel); } -static void -virSecurityLabelDefFree(virSecurityLabelDefPtr def) -{ - if (!def) - return; - virSecurityLabelDefClear(def); - VIR_FREE(def); -} - void virDomainGraphicsDefFree(virDomainGraphicsDefPtr def) { int ii; @@ -890,7 +881,6 @@ void virDomainDiskDefFree(virDomainDiskDefPtr def) VIR_FREE(def->serial); VIR_FREE(def->src); - virSecurityLabelDefFree(def->seclabel); VIR_FREE(def->dst); VIR_FREE(def->driverName); VIR_FREE(def->driverType); 
@@ -2565,94 +2555,14 @@ virDomainDiskDefAssignAddress(virCapsPtr caps, virDomainDiskDefPtr def) return 0; } -/* Parse the portion of a SecurityLabel that is common to both the - * top-level and to a per-device override. - * default_seclabel is NULL for top-level, or points to the top-level - * when parsing an override. */ -static int -virSecurityLabelDefParseXMLHelper(virSecurityLabelDefPtr def, - xmlNodePtr node, - xmlXPathContextPtr ctxt, - virSecurityLabelDefPtr default_seclabel, - unsigned int flags) -{ - char *p; - xmlNodePtr save_ctxt = ctxt->node; - int ret = -1; - int type = default_seclabel ? default_seclabel->type : def->type; - - ctxt->node = node; - - /* Can't use overrides if top-level doesn't allow relabeling. */ - if (default_seclabel && default_seclabel->norelabel) { - virDomainReportError(VIR_ERR_XML_ERROR, "%s", - _("label overrides require relabeling to be " - "enabled at the domain level")); - goto cleanup; - } - - p = virXPathStringLimit("string(./@relabel)", - VIR_SECURITY_LABEL_BUFLEN-1, ctxt); - if (p != NULL) { - if (STREQ(p, "yes")) { - def->norelabel = false; - } else if (STREQ(p, "no")) { - def->norelabel = true; - } else { - virDomainReportError(VIR_ERR_XML_ERROR, - _("invalid security relabel value %s"), p); - VIR_FREE(p); - goto cleanup; - } - VIR_FREE(p); - if (!default_seclabel && - type == VIR_DOMAIN_SECLABEL_DYNAMIC && - def->norelabel) { - virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("dynamic label type must use resource " - "relabeling")); - goto cleanup; - } - } else { - if (!default_seclabel && type == VIR_DOMAIN_SECLABEL_STATIC) - def->norelabel = true; - else - def->norelabel = false; - } - - /* Only parse label, if using static labels, or - * if the 'live' VM XML is requested, or if this is a device override - */ - if (type == VIR_DOMAIN_SECLABEL_STATIC || - !(flags & VIR_DOMAIN_XML_INACTIVE) || - (default_seclabel && !def->norelabel)) { - p = virXPathStringLimit("string(./label[1])", - 
VIR_SECURITY_LABEL_BUFLEN-1, ctxt); - if (p == NULL && !(default_seclabel && def->norelabel)) { - virDomainReportError(VIR_ERR_XML_ERROR, - "%s", _("security label is missing")); - goto cleanup; - } - - def->label = p; - } - - ret = 0; -cleanup: - ctxt->node = save_ctxt; - return ret; -} - -/* Parse the top-level , if present. */ static int virSecurityLabelDefParseXML(virSecurityLabelDefPtr def, xmlXPathContextPtr ctxt, unsigned int flags) { char *p; - xmlNodePtr node = virXPathNode("./seclabel", ctxt); - if (node == NULL) + if (virXPathNode("./seclabel", ctxt) == NULL) return 0; p = virXPathStringLimit("string(./seclabel/@type)", 
@@ -2669,9 +2579,48 @@ virSecurityLabelDefParseXML(virSecurityLabelDefPtr def, "%s", _("invalid security type")); goto error; } + p = virXPathStringLimit("string(./seclabel/@relabel)", + VIR_SECURITY_LABEL_BUFLEN-1, ctxt); + if (p != NULL) { + if (STREQ(p, "yes")) { + def->norelabel = false; + } else if (STREQ(p, "no")) { + def->norelabel = true; + } else { + virDomainReportError(VIR_ERR_XML_ERROR, + _("invalid security relabel value %s"), p); + VIR_FREE(p); + goto error; + } + VIR_FREE(p); + if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC && + def->norelabel) { + virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED, + "%s", _("dynamic label type must use resource relabeling")); + goto error; + } + } else { + if (def->type == VIR_DOMAIN_SECLABEL_STATIC) + def->norelabel = true; + else + def->norelabel = false; + } - if (virSecurityLabelDefParseXMLHelper(def, node, ctxt, NULL, flags) < 0) - goto error; + /* Only parse label, if using static labels, or + * if the 'live' VM XML is requested + */ + if (def->type == VIR_DOMAIN_SECLABEL_STATIC || + !(flags & VIR_DOMAIN_XML_INACTIVE)) { + p = virXPathStringLimit("string(./seclabel/label[1])", + VIR_SECURITY_LABEL_BUFLEN-1, ctxt); + if (p == NULL) { + virDomainReportError(VIR_ERR_XML_ERROR, + "%s", _("security label is missing")); + goto error; + } + + def->label = p; + } /* Only parse imagelabel, if requested live XML with relabeling */ if (!def->norelabel && @@ -2798,7 +2747,6 @@ virDomainDiskDefParseXML(virCapsPtr caps, xmlNodePtr node, xmlXPathContextPtr ctxt, virBitmapPtr bootMap, - virSecurityLabelDefPtr default_seclabel, unsigned int flags) { virDomainDiskDefPtr def; 
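Review bot: In the relabel block added to virSecurityLabelDefParseXML, a NULL return from `virXPathStringLimit("string(./seclabel/@relabel)", ...)` is treated as "attribute absent", so `norelabel` is set to a default without any diagnostic. virXPathStringLimit is not shown in this diff; if it also returns NULL for a value longer than VIR_SECURITY_LABEL_BUFLEN-1, an over-long relabel value would take the default instead of reaching the "invalid security relabel value" error, and an over-long label would be reported as "security label is missing". Consider rejecting a present-but-unreadable attribute before defaulting, for example `if (virXPathNode("./seclabel/@relabel", ctxt)) goto error;` at the top of the `else` branch, and document the default with a comment such as `/* relabel omitted: static labels default to no relabeling, other types relabel */`. The function's opening and its error label lie outside this hunk.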
@@ -3109,16 +3057,6 @@ virDomainDiskDefParseXML(virCapsPtr caps, goto error; } - /* If source is present, check for an optional seclabel override. */ - if (source) { - xmlNodePtr seclabel = virXPathNode("./source/seclabel", ctxt); - if (seclabel && - (VIR_ALLOC(def->seclabel) < 0 || - virSecurityLabelDefParseXMLHelper(def->seclabel, seclabel, ctxt, - default_seclabel, flags) < 0)) - goto error; - } - if (target == NULL) { virDomainReportError(VIR_ERR_NO_TARGET, source ? "%s" : NULL, source); @@ -6475,8 +6413,7 @@ virDomainDeviceDefPtr virDomainDeviceDefParse(virCapsPtr caps, if (xmlStrEqual(node->name, BAD_CAST "disk")) { dev->type = VIR_DOMAIN_DEVICE_DISK; if (!(dev->data.disk = virDomainDiskDefParseXML(caps, node, ctxt, - NULL, &def->seclabel, - flags))) + NULL, flags))) goto error; } else if (xmlStrEqual(node->name, BAD_CAST "lease")) { dev->type = VIR_DOMAIN_DEVICE_LEASE; @@ -7586,7 +7523,6 @@ static virDomainDefPtr virDomainDefParseXML(virCapsPtr caps, nodes[i], ctxt, bootMap, - &def->seclabel, flags); if (!disk) goto error; 
@@ -9907,32 +9843,23 @@ virSecurityLabelDefFormat(virBufferPtr buf, virSecurityLabelDefPtr def, if (!sectype) goto cleanup; - if (def->model && - def->type == VIR_DOMAIN_SECLABEL_DYNAMIC && + if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC && !def->baselabel && (flags & VIR_DOMAIN_XML_INACTIVE)) { /* This is the default for inactive xml, so nothing to output. */ } else { - virBufferAddLit(buf, "model) - virBufferAsprintf(buf, " type='%s' model='%s'", - sectype, def->model); - virBufferAsprintf(buf, " relabel='%s'", + virBufferAsprintf(buf, "\n", + sectype, def->model, def->norelabel ? "no" : "yes"); - if (def->label || def->baselabel) { - virBufferAddLit(buf, ">\n"); - virBufferEscapeString(buf, " \n", - def->label); - if (!def->norelabel) - virBufferEscapeString(buf, " %s\n", - def->imagelabel); - if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC) - virBufferEscapeString(buf, " %s\n", - def->baselabel); - virBufferAddLit(buf, "\n"); - } else { - virBufferAddLit(buf, "/>\n"); - } + virBufferEscapeString(buf, " \n", + def->label); + if (!def->norelabel) + virBufferEscapeString(buf, " %s\n", + def->imagelabel); + if (def->type == VIR_DOMAIN_SECLABEL_DYNAMIC) + virBufferEscapeString(buf, " %s\n", + def->baselabel); + virBufferAddLit(buf, "\n"); } ret = 0; cleanup: 
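Review bot: `def->model` is written into the opening tag by the added `virBufferAsprintf` call, while `label`, `imagelabel` and `baselabel` a few lines below go through `virBufferEscapeString`; the commit also drops the `def->model &&` and `if (def->model)` guards that the removed lines had. If model can carry text from the domain XML, an unescaped quote or angle bracket would corrupt the formatted definition, and a NULL model would be handed to `%s`. Emitting the model attribute through `virBufferEscapeString` addresses both, assuming that helper skips a NULL string here as it does elsewhere in libvirt. The format literals on this page were truncated by extraction, so the strings in the sketch are reconstructed from the removed lines and need the file's real indentation; the function begins and ends outside the hunk.

```c
    } else {
        virBufferAsprintf(buf, "<seclabel type='%s'", sectype);
        /* escaped like the label children below */
        virBufferEscapeString(buf, " model='%s'", def->model);
        virBufferAsprintf(buf, " relabel='%s'>\n",
                          def->norelabel ? "no" : "yes");
        /* … unchanged: label, imagelabel, baselabel children and closing tag … */
```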
@@ -10062,36 +9989,17 @@ virDomainDiskDefFormat(virBufferPtr buf, def->startupPolicy) { switch (def->type) { case VIR_DOMAIN_DISK_TYPE_FILE: - virBufferAddLit(buf, " src) virBufferEscapeString(buf, " file='%s'", def->src); if (def->startupPolicy) virBufferEscapeString(buf, " startupPolicy='%s'", startupPolicy); - if (def->seclabel) { - virBufferAddLit(buf, ">\n"); - virBufferAdjustIndent(buf, 8); - if (virSecurityLabelDefFormat(buf, def->seclabel, flags) < 0) - return -1; - virBufferAdjustIndent(buf, -8); - virBufferAddLit(buf, " \n"); - } else { - virBufferAddLit(buf, "/>\n"); - } + virBufferAsprintf(buf, "/>\n"); break; case VIR_DOMAIN_DISK_TYPE_BLOCK: - if (def->src && def->seclabel) { - virBufferEscapeString(buf, " \n", - def->src); - virBufferAdjustIndent(buf, 8); - if (virSecurityLabelDefFormat(buf, def->seclabel, flags) < 0) - return -1; - virBufferAdjustIndent(buf, -8); - virBufferAddLit(buf, " \n"); - } else { - virBufferEscapeString(buf, " \n", - def->src); - } + virBufferEscapeString(buf, " \n", + def->src); break; case VIR_DOMAIN_DISK_TYPE_DIR: virBufferEscapeString(buf, " \n",
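Review bot: The added `virBufferAsprintf(buf, "/>\n");` in the VIR_DOMAIN_DISK_TYPE_FILE case sends a constant with no conversions through the printf-style formatter. The removed lines used `virBufferAddLit(buf, "/>\n");` for the same text, which is the more conventional call for a literal and avoids treating the string as a format. The switch continues past the end of this hunk.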