has_gettid = cc.has_function('gettid')
+# libselinux
+selinux = dependency('libselinux',
+ required: get_option('selinux'),
+ method: 'pkg-config', kwargs: static_kwargs)
+
# Malloc tests
malloc = []
config_host_data.set('CONFIG_SPICE', spice.found())
config_host_data.set('CONFIG_X11', x11.found())
config_host_data.set('CONFIG_CFI', get_option('cfi'))
+config_host_data.set('CONFIG_SELINUX', selinux.found())
config_host_data.set('QEMU_VERSION', '"@0@"'.format(meson.project_version()))
config_host_data.set('QEMU_VERSION_MAJOR', meson.project_version().split('.')[0])
config_host_data.set('QEMU_VERSION_MINOR', meson.project_version().split('.')[1])
qemu_io = executable('qemu-io', files('qemu-io.c'),
dependencies: [block, qemuutil], install: true)
qemu_nbd = executable('qemu-nbd', files('qemu-nbd.c'),
- dependencies: [blockdev, qemuutil, gnutls], install: true)
+ dependencies: [blockdev, qemuutil, gnutls, selinux],
+ install: true)
subdir('storage-daemon')
subdir('contrib/rdmacm-mux')
summary_info += {'libudev': libudev}
# Dummy dependency, keep .found()
summary_info += {'FUSE lseek': fuse_lseek.found()}
+summary_info += {'selinux': selinux}
summary(summary_info, bool_yn: true, section: 'Dependencies')
if not supported_cpus.contains(cpu)
#include "trace/control.h"
#include "qemu-version.h"
+#ifdef CONFIG_SELINUX
+#include <selinux/selinux.h>
+#endif
+
#ifdef __linux__
#define HAVE_NBD_DEVICE 1
#else
#define QEMU_NBD_OPT_FORK 263
#define QEMU_NBD_OPT_TLSAUTHZ 264
#define QEMU_NBD_OPT_PID_FILE 265
+#define QEMU_NBD_OPT_SELINUX_LABEL 266
#define MBR_SIZE 512
" --fork fork off the server process and exit the parent\n"
" once the server is running\n"
" --pid-file=PATH store the server's process ID in the given file\n"
+#ifdef CONFIG_SELINUX
+" --selinux-label=LABEL set SELinux process label on listening socket\n"
+#endif
#if HAVE_NBD_DEVICE
"\n"
"Kernel NBD client support:\n"
const char *sockpath,
const char *address,
const char *port,
+ const char *selinux,
bool list)
{
if (device != NULL) {
return "TCP port number can't be set when using socket activation";
}
+ if (selinux != NULL) {
+ return "SELinux label can't be set when using socket activation";
+ }
+
if (list) {
return "List mode is incompatible with socket activation";
}
{ "trace", required_argument, NULL, 'T' },
{ "fork", no_argument, NULL, QEMU_NBD_OPT_FORK },
{ "pid-file", required_argument, NULL, QEMU_NBD_OPT_PID_FILE },
+ { "selinux-label", required_argument, NULL,
+ QEMU_NBD_OPT_SELINUX_LABEL },
{ NULL, 0, NULL, 0 }
};
int ch;
int old_stderr = -1;
unsigned socket_activation;
const char *pid_file_name = NULL;
+ const char *selinux_label = NULL;
BlockExportOptions *export_opts;
#ifdef CONFIG_POSIX
case QEMU_NBD_OPT_PID_FILE:
pid_file_name = optarg;
break;
+ case QEMU_NBD_OPT_SELINUX_LABEL:
+ selinux_label = optarg;
+ break;
}
}
/* Using socket activation - check user didn't use -p etc. */
const char *err_msg = socket_activation_validate_opts(device, sockpath,
bindto, port,
+ selinux_label,
list);
if (err_msg != NULL) {
error_report("%s", err_msg);
}
}
+ if (selinux_label) {
+#ifdef CONFIG_SELINUX
+ if (sockpath == NULL && device == NULL) {
+ error_report("--selinux-label is not permitted without --socket");
+ exit(EXIT_FAILURE);
+ }
+#else
+ error_report("SELinux support not enabled in this binary");
+ exit(EXIT_FAILURE);
+#endif
+ }
+
if (list) {
saddr = nbd_build_socket_address(sockpath, bindto, port);
return qemu_nbd_client_list(saddr, tlscreds, bindto);
} else {
backlog = MIN(shared, SOMAXCONN);
}
+#ifdef CONFIG_SELINUX
+ if (selinux_label && setsockcreatecon_raw(selinux_label) == -1) {
+ error_report("Cannot set SELinux socket create context to %s: %s",
+ selinux_label, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+#endif
saddr = nbd_build_socket_address(sockpath, bindto, port);
if (qio_net_listener_open_sync(server, saddr, backlog,
&local_err) < 0) {
error_report_err(local_err);
exit(EXIT_FAILURE);
}
+#ifdef CONFIG_SELINUX
+ if (selinux_label && setsockcreatecon_raw(NULL) == -1) {
+ error_report("Cannot clear SELinux socket create context: %s",
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+#endif
} else {
size_t i;
/* See comment in check_socket_activation above. */
printf "%s\n" ' sdl SDL user interface'
printf "%s\n" ' sdl-image SDL Image support for icons'
printf "%s\n" ' seccomp seccomp support'
+ printf "%s\n" ' selinux SELinux support in qemu-nbd'
printf "%s\n" ' smartcard CA smartcard emulation support'
printf "%s\n" ' snappy snappy compression support'
printf "%s\n" ' sparse sparse checker'
--disable-sdl-image) printf "%s" -Dsdl_image=disabled ;;
--enable-seccomp) printf "%s" -Dseccomp=enabled ;;
--disable-seccomp) printf "%s" -Dseccomp=disabled ;;
+ --enable-selinux) printf "%s" -Dselinux=enabled ;;
+ --disable-selinux) printf "%s" -Dselinux=disabled ;;
--enable-slirp) printf "%s" -Dslirp=enabled ;;
--disable-slirp) printf "%s" -Dslirp=disabled ;;
--enable-slirp=*) quote_sh "-Dslirp=$2" ;;
projects / qemu-nvme.git / commitdiff