authorJiri Denemark <jdenemar@redhat.com>2012-02-07 19:54:59 +0100
committerJiri Denemark <jdenemar@redhat.com>2012-02-08 11:55:56 +0100
commitafb96301f37d50a5734e7f9678f67dafe5c19a58 (patch)
tree09893f7f8f12d312e89a945ad5934dc3e8b73495 /src/security
parentseclabel: Do not output relabel attribute for type 'none' (diff)
security: Driver 'none' cannot create confined guests
In case the caller specifies that confined guests are required but the security driver turns out to be 'none', we should return an error since this driver clearly cannot meet that requirement. As a result of this error, libvirtd fails to start when the host admin explicitly sets that confined guests are required but there is no security driver available. Since security driver 'none' cannot create confined guests, we override the default confined setting so that hypervisor drivers do not think they should create confined guests.
Diffstat (limited to 'src/security')
-rw-r--r--src/security/security_manager.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index d0bafae06..0a43458d7 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -115,6 +115,26 @@ virSecurityManagerPtr virSecurityManagerNew(const char *name,
if (!drv)
return NULL;
+ /* driver "none" needs some special handling of *Confined bools */
+ if (STREQ(drv->name, "none")) {
+ if (requireConfined) {
+ virSecurityReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Security driver \"none\" cannot create confined guests"));
+ return NULL;
+ }
+
+ if (defaultConfined) {
+ if (name != NULL) {
+ VIR_WARN("Configured security driver \"none\" disables default"
+ " policy to create confined guests");
+ } else {
+ VIR_DEBUG("Auto-probed security driver is \"none\";"
+ " confined guests will not be created");
+ }
+ defaultConfined = false;
+ }
+ }
+
return virSecurityManagerNewDriver(drv,
allowDiskFormatProbing,
defaultConfined,
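Review bot: In the auto-probed branch (`name == NULL`), the override of `defaultConfined` to false is reported only through `VIR_DEBUG`, so at default log levels nothing records that guests will run unconfined despite the default policy asking for confinement. The explicitly configured case already gets a `VIR_WARN`; raising the probed case to at least `VIR_INFO("Auto-probed security driver is \"none\"; confined guests will not be created");` would leave an audit trail for hosts where an expected security driver was not detected. It would also help to expand the leading comment to say why the flag is cleared, e.g. `/* "none" cannot confine guests: fail if confinement is required, otherwise drop the default so hypervisor drivers do not assume it */`. virSecurityManagerNew starts and ends outside this hunk, so how `requireConfined` and `defaultConfined` are consumed later is not visible here.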