On 2011年12月22日 15:02, Taku Izumi wrote:
This patch introduces XML schema for capability XML. "process" and "cap" element are added. The list of "cap" elements represents process capabilities host supports. <capabilities> <host> ... <process> <cap name='chown'/> <cap name='dac_override'/> ... </process> </host> ... </capabilities> Signed-off-by: Taku Izumi<izumi.t...@jp.fujitsu.com>
---
 docs/schemas/capability.rng | 50 +++++++++++++++++++++++++++++++
 include/libvirt/libvirt.h.in | 45 ++++++++++++++++++++++++++++
 src/conf/capabilities.c | 69 +++++++++++++++++++++++++++++++++++++++++++
 src/conf/capabilities.h | 5 +++
 4 files changed, 169 insertions(+)
Index: libvirt/src/conf/capabilities.h
===================================================================
--- libvirt.orig/src/conf/capabilities.h
+++ libvirt/src/conf/capabilities.h
@@ -119,6 +119,10 @@ struct _virCapsHost {
 virCapsHostSecModel secModel;
 virCPUDefPtr cpu;
 unsigned char host_uuid[VIR_UUID_BUFLEN];
+
+ unsigned long long processCaps; /* Bitmask of the Process capabilities
+ * see enum vir
s/vir/virCapsProcessCaps/
+ */
 };
 typedef int (*virDomainDefNamespaceParse)(xmlDocPtr, xmlNodePtr,
@@ -263,5 +267,6 @@ virCapabilitiesDefaultGuestEmulator(virC
 extern char * virCapabilitiesFormatXML(virCapsPtr caps);
+VIR_ENUM_DECL(virCapsProcessCaps)
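Review bot: The comment on the new processCaps field stops at naming an enum and never says how the bits are laid out, which is what a reader of this header actually needs; the formatter in capabilities.c tests `1ULL << i` for each enum value i and prints `virCapsProcessCapsTypeToString(i)`, so bit N stands for value N of the public enum virProcessCapabilityType. I would write it as `/* Bitmask of host process capabilities: bit N is set when virProcessCapabilityType value N is available (names via virCapsProcessCapsTypeToString) */`. struct _virCapsHost begins before this hunk.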
#endif /* __VIR_CAPABILITIES_H */
Index: libvirt/src/conf/capabilities.c
===================================================================
--- libvirt.orig/src/conf/capabilities.c
+++ libvirt/src/conf/capabilities.c
@@ -33,6 +33,9 @@
 #include "cpu_conf.h"
 #include "virterror_internal.h"
+#if HAVE_CAPNG
+# include<cap-ng.h>
+#endif
 #define VIR_FROM_THIS VIR_FROM_CAPABILITIES
@@ -40,6 +43,42 @@ VIR_ENUM_DECL(virCapsHostPMTarget)
 VIR_ENUM_IMPL(virCapsHostPMTarget, VIR_NODE_SUSPEND_TARGET_LAST,
 "suspend_mem", "suspend_disk", "suspend_hybrid");
+VIR_ENUM_IMPL(virCapsProcessCaps, VIR_PROCESS_CAPABILITY_LAST,
+ "chown",
+ "dac_override",
+ "dac_read_search",
+ "fowner",
+ "fsetid",
+ "kill",
+ "setgid",
+ "setuid",
+ "setpcap",
+ "linux_immutable",
+ "net_bind_service",
+ "net_broadcast",
+ "net_admin",
+ "net_raw",
+ "ipc_lock",
+ "ipc_owner",
+ "sys_module",
+ "sys_rawio",
+ "sys_chroot",
+ "sys_ptrace",
+ "sys_pacct",
+ "sys_admin",
+ "sys_boot",
+ "sys_nice",
+ "sys_resource",
+ "sys_time",
+ "sys_tty_config",
+ "mknod",
+ "lease",
+ "audit_write",
+ "audit_control",
+ "setfcap",
+ "mac_override",
+ "mac_admin")
+
 /**
 * virCapabilitiesNew:
 * @arch: host machine architecture
@@ -63,6 +102,8 @@ virCapabilitiesNew(const char *arch,
 caps->host.offlineMigrate = offlineMigrate;
 caps->host.liveMigrate = liveMigrate;
+ virCapabilitiesInitProcessCaps(caps);
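Review bot: The header is pulled in under `#if HAVE_CAPNG` while the two definitions of virCapabilitiesInitProcessCaps in the @@ -837 hunk are selected with `#ifdef HAVE_CAPNG`; the two forms agree only when the macro is either undefined or defined to a non-zero value, and I cannot see from the patch how config.h defines it. If it is ever defined as 0, the libcap-ng branch is compiled without cap-ng.h and CAP_LAST_CAP is undeclared. Use the same test at both sites, e.g. `#if HAVE_CAPNG` in the @@ -837 hunk to match this include.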
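Review bot: The order of this string table is load-bearing and nothing says so: virCapabilitiesInitProcessCaps (the @@ -837 hunk) fills the bitmask from the kernel's CAP_LAST_CAP, and the formatter (the @@ -754 hunk) names bit i with virCapsProcessCapsTypeToString(i), so the names are only right if this table and the public enum in the @@ -3540 hunk of libvirt.h.in follow the Linux CAP_* numbering with chown at 0. Add a comment above both lists, e.g. `/* Order must follow the Linux CAP_* numbering (CAP_CHOWN == 0): bit i of virCapsHost.processCaps is entry i */`, and under HAVE_CAPNG a compile-time check such as `verify(VIR_PROCESS_CAPABILITY_MAC_ADMIN == CAP_MAC_ADMIN);` (gnulib's verify(), if this file already has it in scope) would catch the two lists drifting apart. The enum comment in libvirt.h.in currently says only "A process capability Type" and should carry the same statement, since that header is the public contract.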
Mark [1]
+
 return caps;
 no_memory:
@@ -754,6 +795,18 @@ virCapabilitiesFormatXML(virCapsPtr caps
 virBufferAddLit(&xml, "</secmodel>\n");
 }
+ if (caps->host.processCaps) {
+ virBufferAddLit(&xml, "<process>\n");
+ for (i = 0; i< VIR_PROCESS_CAPABILITY_LAST; i++) {
+ if (caps->host.processCaps& (1ULL<< i)) {
+ const char *name = virCapsProcessCapsTypeToString(i);
+ if (name)
+ virBufferAsprintf(&xml, "<cap name='%s'/>\n", name);
+ }
+ }
+ virBufferAddLit(&xml, "</process>\n");
+ }
+
 virBufferAddLit(&xml, "</host>\n\n");
@@ -837,6 +890,22 @@ virCapabilitiesFormatXML(virCapsPtr caps
 return virBufferContentAndReset(&xml);
 }
+#ifdef HAVE_CAPNG
+void
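Review bot: virCapabilitiesInitProcessCaps is called here before any declaration of it: its definitions sit at the end of capabilities.c (the @@ -837 hunk) and the capabilities.h hunks add only the VIR_ENUM_DECL, so as posted the call relies on an implicit declaration, which C99 no longer permits and compilers diagnose. Add a prototype above virCapabilitiesNew with the same linkage the definition ends up with, e.g. `void virCapabilitiesInitProcessCaps(virCapsPtr caps);`, or move the definitions above their first use. virCapabilitiesNew begins before this hunk and its `no_memory:` cleanup continues after it.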
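Review bot: The `<process>` element is written only when `caps->host.processCaps` is non-zero, so a libvirt built without libcap-ng emits no element at all and a consumer cannot tell "capability set unknown" from "host reports no capabilities"; since the description presents the list as what the host supports, that distinction is exactly what a caller deciding what to rely on would want. Either emit an empty `<process/>` when the mask is zero (the schema hunk allows it, cap being zeroOrMore) or state the meaning of absence in the formatter, e.g. `/* No <process> element: capability set unknown (built without libcap-ng), not empty */`. virCapabilitiesFormatXML begins before this hunk and continues after it.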
s/void/static void/
+virCapabilitiesInitProcessCaps(virCapsPtr caps)
+{
+ caps->host.processCaps |= (1ULL<< (CAP_LAST_CAP + 1)) - 1;
+}
+
+#else
+void
+virCapabilitiesInitProcessCaps(virCapsPtr caps)
+{
+ caps->host.processCaps = 0;
+}
This is not needed IMHO; host.processCaps is already initialized to 0 when doing VIR_ALLOC on caps. And what we need might be an "ifdef HAVE_CAPNG" at [1] (see above).
+
+#endif
+
 extern void virCapabilitiesSetMacPrefix(virCapsPtr caps,
 unsigned char *prefix)
Index: libvirt/docs/schemas/capability.rng
===================================================================
--- libvirt.orig/docs/schemas/capability.rng
+++ libvirt/docs/schemas/capability.rng
@@ -46,6 +46,56 @@
 <optional>
 <ref name='secmodel'/>
 </optional>
+<optional>
+<ref name='process'/>
+</optional>
+</element>
+</define>
+
+<define name='process'>
+<element name='process'>
+<zeroOrMore>
+<element name='cap'>
+<attribute name='name'>
+<choice>
+<value>chown</value>
+<value>dac_override</value>
+<value>dac_read_search</value>
+<value>fowner</value>
+<value>fsetid</value>
+<value>kill</value>
+<value>setgid</value>
+<value>setuid</value>
+<value>setpcap</value>
+<value>linux_immutable</value>
+<value>net_bind_service</value>
+<value>net_broadcast</value>
+<value>net_admin</value>
+<value>net_raw</value>
+<value>ipc_lock</value>
+<value>ipc_owner</value>
+<value>sys_module</value>
+<value>sys_rawio</value>
+<value>sys_chroot</value>
+<value>sys_ptrace</value>
+<value>sys_pacct</value>
+<value>sys_admin</value>
+<value>sys_boot</value>
+<value>sys_nice</value>
+<value>sys_resource</value>
+<value>sys_time</value>
+<value>sys_tty_config</value>
+<value>mknod</value>
+<value>lease</value>
+<value>audit_write</value>
+<value>audit_control</value>
+<value>setfcap</value>
+<value>mac_override</value>
+<value>mac_admin</value>
+</choice>
+</attribute>
+</element>
+</zeroOrMore>
 </element>
 </define>
Index: libvirt/include/libvirt/libvirt.h.in
===================================================================
--- libvirt.orig/include/libvirt/libvirt.h.in
+++ libvirt/include/libvirt/libvirt.h.in 
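Review bot: `(1ULL<< (CAP_LAST_CAP + 1)) - 1` sets a bit for every capability the build host's kernel headers define, which can exceed the 34 entries of the enum (it ends at mac_admin, while kernels already define CAP_SYSLOG and CAP_WAKE_ALARM above it), so the extra bits are set but nameless and silently dropped by the formatter's loop, and the shift itself becomes undefined behaviour should CAP_LAST_CAP ever reach 63. Bound the mask by the enum: `int last = CAP_LAST_CAP < VIR_PROCESS_CAPABILITY_LAST ? CAP_LAST_CAP : VIR_PROCESS_CAPABILITY_LAST - 1;` followed by `caps->host.processCaps |= (1ULL << (last + 1)) - 1;`. CAP_LAST_CAP is also a compile-time constant from the headers libvirt was built against, not a property of the running kernel nor of what the libvirtd process actually holds; since the description presents this as what the host supports, a comment such as `/* Capability range known to the build-time kernel headers, not the process's effective set */` would keep readers from assuming a runtime query.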
@@ -3540,6 +3540,51 @@ int virConnectSetKeepAlive(virConnectPtr
 int interval,
 unsigned int count);
+
+/*
+ * virProcessCapabilityType
+ *
+ * A process capability Type
+ */
+typedef enum {
+ VIR_PROCESS_CAPABILITY_CHOWN,
+ VIR_PROCESS_CAPABILITY_DAC_OVERRIDE,
+ VIR_PROCESS_CAPABILITY_DAC_READ_SEARCH,
+ VIR_PROCESS_CAPABILITY_FOWNER,
+ VIR_PROCESS_CAPABILITY_FSETID,
+ VIR_PROCESS_CAPABILITY_KILL,
+ VIR_PROCESS_CAPABILITY_SETGID,
+ VIR_PROCESS_CAPABILITY_SETUID,
+ VIR_PROCESS_CAPABILITY_SETPCAP,
+ VIR_PROCESS_CAPABILITY_LINUX_IMMUTABLE,
+ VIR_PROCESS_CAPABILITY_NET_BIND_SERVICE,
+ VIR_PROCESS_CAPABILITY_NET_BROADCAST,
+ VIR_PROCESS_CAPABILITY_NET_ADMIN,
+ VIR_PROCESS_CAPABILITY_NET_RAW,
+ VIR_PROCESS_CAPABILITY_IPC_LOCK,
+ VIR_PROCESS_CAPABILITY_IPC_OWNER,
+ VIR_PROCESS_CAPABILITY_SYS_MODULE,
+ VIR_PROCESS_CAPABILITY_SYS_RAWIO,
+ VIR_PROCESS_CAPABILITY_SYS_CHROOT,
+ VIR_PROCESS_CAPABILITY_SYS_PTRACE,
+ VIR_PROCESS_CAPABILITY_SYS_PACCT,
+ VIR_PROCESS_CAPABILITY_SYS_ADMIN,
+ VIR_PROCESS_CAPABILITY_SYS_BOOT,
+ VIR_PROCESS_CAPABILITY_SYS_NICE,
+ VIR_PROCESS_CAPABILITY_SYS_RESOURCE,
+ VIR_PROCESS_CAPABILITY_SYS_TIME,
+ VIR_PROCESS_CAPABILITY_SYS_TTY_CONFIG,
+ VIR_PROCESS_CAPABILITY_MKNOD,
+ VIR_PROCESS_CAPABILITY_LEASE,
+ VIR_PROCESS_CAPABILITY_AUDIT_WRITE,
+ VIR_PROCESS_CAPABILITY_AUDIT_CONTROL,
+ VIR_PROCESS_CAPABILITY_SETFCAP,
+ VIR_PROCESS_CAPABILITY_MAC_OVERRIDE,
+ VIR_PROCESS_CAPABILITY_MAC_ADMIN,
+
+ VIR_PROCESS_CAPABILITY_LAST
+} virProcessCapabilityType;
+
Perhaps I could get the answer in following patches, but now I'm wondering why it's a public ENUM.
#ifdef __cplusplus
 }
 #endif
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list