[libvirt] [PATCH] qemu: ensure FDs passed to QEMU for chardevs have correct SELinux labels

Daniel P. Berrangé posted 1 patch 5 years, 9 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/20180622095659.20251-1-berrange@redhat.com
Test syntax-check passed
src/qemu/qemu_command.c | 86 ++++++++++++++++++++++++++++-------------
src/qemu/qemu_command.h |  1 +
src/qemu/qemu_process.c |  2 +
3 files changed, 63 insertions(+), 26 deletions(-)
[libvirt] [PATCH] qemu: ensure FDs passed to QEMU for chardevs have correct SELinux labels
Posted by Daniel P. Berrangé 5 years, 9 months ago
The UNIX socket FDs were we passing to QEMU inherited a label based on
libvirtd's context. QEMU is thus denied ability to access the UNIX
socket. We need to use the security manager to change our current
context temporarily when creating the UNIX socket FD.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/qemu/qemu_command.c | 86 ++++++++++++++++++++++++++++-------------
 src/qemu/qemu_command.h |  1 +
 src/qemu/qemu_process.c |  2 +
 3 files changed, 63 insertions(+), 26 deletions(-)

diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 1ffcb5b1ae..146f671663 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -4931,6 +4931,7 @@ qemuOpenChrChardevUNIXSocket(const virDomainChrSourceDef *dev)
  * host side of the character device */
 static char *
 qemuBuildChrChardevStr(virLogManagerPtr logManager,
+                       virSecurityManagerPtr secManager,
                        virCommandPtr cmd,
                        virQEMUDriverConfigPtr cfg,
                        const virDomainDef *def,
@@ -5065,7 +5066,13 @@ qemuBuildChrChardevStr(virLogManagerPtr logManager,
 
     case VIR_DOMAIN_CHR_TYPE_UNIX:
         if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_CHARDEV_FD_PASS)) {
+            if (qemuSecuritySetSocketLabel(secManager, (virDomainDefPtr)def) < 0)
+                goto cleanup;
             int fd = qemuOpenChrChardevUNIXSocket(dev);
+            if (qemuSecurityClearSocketLabel(secManager, (virDomainDefPtr)def) < 0) {
+                VIR_FORCE_CLOSE(fd);
+                goto cleanup;
+            }
             if (fd < 0)
                 goto cleanup;
 
@@ -5404,6 +5411,7 @@ qemuBuildHostdevCommandLine(virCommandPtr cmd,
 
 static int
 qemuBuildMonitorCommandLine(virLogManagerPtr logManager,
+                            virSecurityManagerPtr secManager,
                             virCommandPtr cmd,
                             virQEMUDriverConfigPtr cfg,
                             virDomainDefPtr def,
@@ -5414,7 +5422,8 @@ qemuBuildMonitorCommandLine(virLogManagerPtr logManager,
     if (!priv->monConfig)
         return 0;
 
-    if (!(chrdev = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
+    if (!(chrdev = qemuBuildChrChardevStr(logManager, secManager,
+                                          cmd, cfg, def,
                                           priv->monConfig, "monitor",
                                           priv->qemuCaps, true,
                                           priv->chardevStdioLogd)))
@@ -5533,6 +5542,7 @@ qemuBuildSclpDevStr(virDomainChrDefPtr dev)
 
 static int
 qemuBuildRNGBackendChrdevStr(virLogManagerPtr logManager,
+                             virSecurityManagerPtr secManager,
                              virCommandPtr cmd,
                              virQEMUDriverConfigPtr cfg,
                              const virDomainDef *def,
@@ -5550,7 +5560,8 @@ qemuBuildRNGBackendChrdevStr(virLogManagerPtr logManager,
         return 0;
 
     case VIR_DOMAIN_RNG_BACKEND_EGD:
-        if (!(*chr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
+        if (!(*chr = qemuBuildChrChardevStr(logManager, secManager,
+                                            cmd, cfg, def,
                                             rng->source.chardev,
                                             rng->info.alias, qemuCaps, true,
                                             chardevStdioLogd)))
@@ -5680,6 +5691,7 @@ qemuBuildRNGDevStr(const virDomainDef *def,
 
 static int
 qemuBuildRNGCommandLine(virLogManagerPtr logManager,
+                        virSecurityManagerPtr secManager,
                         virCommandPtr cmd,
                         virQEMUDriverConfigPtr cfg,
                         const virDomainDef *def,
@@ -5702,7 +5714,7 @@ qemuBuildRNGCommandLine(virLogManagerPtr logManager,
         }
 
         /* possibly add character device for backend */
-        if (qemuBuildRNGBackendChrdevStr(logManager, cmd, cfg, def,
+        if (qemuBuildRNGBackendChrdevStr(logManager, secManager, cmd, cfg, def,
                                          rng, qemuCaps, &tmp,
                                          chardevStdioLogd) < 0)
             return -1;
@@ -8135,6 +8147,7 @@ qemuBuildGraphicsCommandLine(virQEMUDriverConfigPtr cfg,
 static int
 qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver,
                               virLogManagerPtr logManager,
+                              virSecurityManagerPtr secManager,
                               virCommandPtr cmd,
                               virDomainDefPtr def,
                               virDomainNetDefPtr net,
@@ -8157,7 +8170,8 @@ qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver,
 
     switch ((virDomainChrType)net->data.vhostuser->type) {
     case VIR_DOMAIN_CHR_TYPE_UNIX:
-        if (!(chardev = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
+        if (!(chardev = qemuBuildChrChardevStr(logManager, secManager,
+                                               cmd, cfg, def,
                                                net->data.vhostuser,
                                                net->info.alias, qemuCaps, false,
                                                chardevStdioLogd)))
@@ -8225,6 +8239,7 @@ qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver,
 static int
 qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
                               virLogManagerPtr logManager,
+                              virSecurityManagerPtr secManager,
                               virCommandPtr cmd,
                               virDomainDefPtr def,
                               virDomainNetDefPtr net,
@@ -8356,7 +8371,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
         break;
 
     case VIR_DOMAIN_NET_TYPE_VHOSTUSER:
-        ret = qemuBuildVhostuserCommandLine(driver, logManager, cmd, def,
+        ret = qemuBuildVhostuserCommandLine(driver, logManager, secManager, cmd, def,
                                             net, qemuCaps, bootindex,
                                             chardevStdioLogd);
         goto cleanup;
@@ -8534,6 +8549,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
 static int
 qemuBuildNetCommandLine(virQEMUDriverPtr driver,
                         virLogManagerPtr logManager,
+                        virSecurityManagerPtr secManager,
                         virCommandPtr cmd,
                         virDomainDefPtr def,
                         virQEMUCapsPtr qemuCaps,
@@ -8566,7 +8582,7 @@ qemuBuildNetCommandLine(virQEMUDriverPtr driver,
         for (i = 0; i < def->nnets; i++) {
             virDomainNetDefPtr net = def->nets[i];
 
-            if (qemuBuildInterfaceCommandLine(driver, logManager, cmd, def, net,
+            if (qemuBuildInterfaceCommandLine(driver, logManager, secManager, cmd, def, net,
                                               qemuCaps, bootNet, vmop,
                                               standalone, nnicindexes,
                                               nicindexes,
@@ -8629,6 +8645,7 @@ qemuBuildSmartcardFindCCIDController(const virDomainDef *def,
 
 static int
 qemuBuildSmartcardCommandLine(virLogManagerPtr logManager,
+                              virSecurityManagerPtr secManager,
                               virCommandPtr cmd,
                               virQEMUDriverConfigPtr cfg,
                               const virDomainDef *def,
@@ -8702,7 +8719,8 @@ qemuBuildSmartcardCommandLine(virLogManagerPtr logManager,
             return -1;
         }
 
-        if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
+        if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
+                                              cmd, cfg, def,
                                               smartcard->data.passthru,
                                               smartcard->info.alias,
                                               qemuCaps, true,
@@ -8862,6 +8880,7 @@ qemuBuildShmemBackendMemProps(virDomainShmemDefPtr shmem)
 
 static int
 qemuBuildShmemCommandLine(virLogManagerPtr logManager,
+                          virSecurityManagerPtr secManager,
                           virCommandPtr cmd,
                           virQEMUDriverConfigPtr cfg,
                           virDomainDefPtr def,
@@ -8933,7 +8952,8 @@ qemuBuildShmemCommandLine(virLogManagerPtr logManager,
     VIR_FREE(devstr);
 
     if (shmem->server.enabled) {
-        devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
+        devstr = qemuBuildChrChardevStr(logManager, secManager,
+                                        cmd, cfg, def,
                                         &shmem->server.chr,
                                         shmem->info.alias, qemuCaps, true,
                                         chardevStdioLogd);
@@ -9020,6 +9040,7 @@ qemuChrIsPlatformDevice(const virDomainDef *def,
 
 static int
 qemuBuildSerialCommandLine(virLogManagerPtr logManager,
+                           virSecurityManagerPtr secManager,
                            virCommandPtr cmd,
                            virQEMUDriverConfigPtr cfg,
                            const virDomainDef *def,
@@ -9043,7 +9064,8 @@ qemuBuildSerialCommandLine(virLogManagerPtr logManager,
         if (serial->source->type == VIR_DOMAIN_CHR_TYPE_SPICEPORT && !havespice)
             continue;
 
-        if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
+        if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
+                                              cmd, cfg, def,
                                               serial->source,
                                               serial->info.alias,
                                               qemuCaps, true,
@@ -9080,6 +9102,7 @@ qemuBuildSerialCommandLine(virLogManagerPtr logManager,
 
 static int
 qemuBuildParallelsCommandLine(virLogManagerPtr logManager,
+                              virSecurityManagerPtr secManager,
                               virCommandPtr cmd,
                               virQEMUDriverConfigPtr cfg,
                               const virDomainDef *def,
@@ -9092,7 +9115,8 @@ qemuBuildParallelsCommandLine(virLogManagerPtr logManager,
         virDomainChrDefPtr parallel = def->parallels[i];
         char *devstr;
 
-        if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
+        if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
+                                              cmd, cfg, def,
                                               parallel->source,
                                               parallel->info.alias,
                                               qemuCaps, true,
@@ -9113,6 +9137,7 @@ qemuBuildParallelsCommandLine(virLogManagerPtr logManager,
 
 static int
 qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
+                             virSecurityManagerPtr secManager,
                              virCommandPtr cmd,
                              virQEMUDriverConfigPtr cfg,
                              const virDomainDef *def,
@@ -9127,7 +9152,8 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
 
         switch (channel->targetType) {
         case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_GUESTFWD:
-            if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
+            if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
+                                                  cmd, cfg, def,
                                                   channel->source,
                                                   channel->info.alias,
                                                   qemuCaps, true,
@@ -9144,7 +9170,8 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
             break;
 
         case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO:
-            if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
+            if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
+                                                  cmd, cfg, def,
                                                   channel->source,
                                                   channel->info.alias,
                                                   qemuCaps, true,
@@ -9166,6 +9193,7 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
 
 static int
 qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
+                            virSecurityManagerPtr secManager,
                             virCommandPtr cmd,
                             virQEMUDriverConfigPtr cfg,
                             const virDomainDef *def,
@@ -9187,7 +9215,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
                 return -1;
             }
 
-            if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
+            if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
+                                                  cmd, cfg, def,
                                                   console->source,
                                                   console->info.alias,
                                                   qemuCaps, true,
@@ -9208,7 +9237,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
                 return -1;
             }
 
-            if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
+            if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
+                                                  cmd, cfg, def,
                                                   console->source,
                                                   console->info.alias,
                                                   qemuCaps, true,
@@ -9223,7 +9253,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
             break;
 
         case VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_VIRTIO:
-            if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
+            if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
+                                                  cmd, cfg, def,
                                                   console->source,
                                                   console->info.alias,
                                                   qemuCaps, true,
@@ -9342,6 +9373,7 @@ qemuBuildRedirdevDevStr(const virDomainDef *def,
 
 static int
 qemuBuildRedirdevCommandLine(virLogManagerPtr logManager,
+                             virSecurityManagerPtr secManager,
                              virCommandPtr cmd,
                              virQEMUDriverConfigPtr cfg,
                              const virDomainDef *def,
@@ -9354,7 +9386,8 @@ qemuBuildRedirdevCommandLine(virLogManagerPtr logManager,
         virDomainRedirdevDefPtr redirdev = def->redirdevs[i];
         char *devstr;
 
-        if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
+        if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
+                                              cmd, cfg, def,
                                               redirdev->source,
                                               redirdev->info.alias,
                                               qemuCaps, true,
@@ -10065,6 +10098,7 @@ qemuBuildVsockCommandLine(virCommandPtr cmd,
 virCommandPtr
 qemuBuildCommandLine(virQEMUDriverPtr driver,
                      virLogManagerPtr logManager,
+                     virSecurityManagerPtr secManager,
                      virDomainObjPtr vm,
                      const char *migrateURI,
                      virDomainSnapshotObjPtr snapshot,
@@ -10181,7 +10215,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
     if (qemuBuildSgaCommandLine(cmd, def, qemuCaps) < 0)
         goto error;
 
-    if (qemuBuildMonitorCommandLine(logManager, cmd, cfg, def, priv) < 0)
+    if (qemuBuildMonitorCommandLine(logManager, secManager, cmd, cfg, def, priv) < 0)
         goto error;
 
     if (qemuBuildClockCommandLine(cmd, def, qemuCaps) < 0)
@@ -10211,29 +10245,29 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
     if (qemuBuildFSDevCommandLine(cmd, def, qemuCaps) < 0)
         goto error;
 
-    if (qemuBuildNetCommandLine(driver, logManager, cmd, def,
+    if (qemuBuildNetCommandLine(driver, logManager, secManager, cmd, def,
                                 qemuCaps, vmop, standalone,
                                 nnicindexes, nicindexes, &bootHostdevNet,
                                 chardevStdioLogd) < 0)
         goto error;
 
-    if (qemuBuildSmartcardCommandLine(logManager, cmd, cfg, def, qemuCaps,
+    if (qemuBuildSmartcardCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
                                       chardevStdioLogd) < 0)
         goto error;
 
-    if (qemuBuildSerialCommandLine(logManager, cmd, cfg, def, qemuCaps,
+    if (qemuBuildSerialCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
                                    chardevStdioLogd) < 0)
         goto error;
 
-    if (qemuBuildParallelsCommandLine(logManager, cmd, cfg, def, qemuCaps,
+    if (qemuBuildParallelsCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
                                       chardevStdioLogd) < 0)
         goto error;
 
-    if (qemuBuildChannelsCommandLine(logManager, cmd, cfg, def, qemuCaps,
+    if (qemuBuildChannelsCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
                                      chardevStdioLogd) < 0)
         goto error;
 
-    if (qemuBuildConsoleCommandLine(logManager, cmd, cfg, def, qemuCaps,
+    if (qemuBuildConsoleCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
                                     chardevStdioLogd) < 0)
         goto error;
 
@@ -10258,7 +10292,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
     if (qemuBuildWatchdogCommandLine(cmd, def, qemuCaps) < 0)
         goto error;
 
-    if (qemuBuildRedirdevCommandLine(logManager, cmd, cfg, def, qemuCaps,
+    if (qemuBuildRedirdevCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
                                      chardevStdioLogd) < 0)
         goto error;
 
@@ -10271,7 +10305,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
     if (qemuBuildMemballoonCommandLine(cmd, def, qemuCaps) < 0)
         goto error;
 
-    if (qemuBuildRNGCommandLine(logManager, cmd, cfg, def, qemuCaps,
+    if (qemuBuildRNGCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
                                 chardevStdioLogd) < 0)
         goto error;
 
@@ -10306,7 +10340,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
         goto error;
 
     for (i = 0; i < def->nshmems; i++) {
-        if (qemuBuildShmemCommandLine(logManager, cmd, cfg,
+        if (qemuBuildShmemCommandLine(logManager, secManager, cmd, cfg,
                                       def, def->shmems[i], qemuCaps,
                                       chardevStdioLogd))
             goto error;
diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
index c78282eb09..4f1b360130 100644
--- a/src/qemu/qemu_command.h
+++ b/src/qemu/qemu_command.h
@@ -46,6 +46,7 @@ VIR_ENUM_DECL(qemuVideo)
 
 virCommandPtr qemuBuildCommandLine(virQEMUDriverPtr driver,
                                    virLogManagerPtr logManager,
+                                   virSecurityManagerPtr secManager,
                                    virDomainObjPtr vm,
                                    const char *migrateURI,
                                    virDomainSnapshotObjPtr snapshot,
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 2967568f62..7e9ad01e61 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -6174,6 +6174,7 @@ qemuProcessLaunch(virConnectPtr conn,
     VIR_DEBUG("Building emulator command line");
     if (!(cmd = qemuBuildCommandLine(driver,
                                      qemuDomainLogContextGetManager(logCtxt),
+                                     driver->securityManager,
                                      vm,
                                      incoming ? incoming->launchURI : NULL,
                                      snapshot, vmop,
@@ -6642,6 +6643,7 @@ qemuProcessCreatePretendCmd(virQEMUDriverPtr driver,
     VIR_DEBUG("Building emulator command line");
     cmd = qemuBuildCommandLine(driver,
                                NULL,
+                               driver->securityManager,
                                vm,
                                migrateURI,
                                NULL,
-- 
2.17.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] qemu: ensure FDs passed to QEMU for chardevs have correct SELinux labels
Posted by Laine Stump 5 years, 9 months ago
On 06/22/2018 05:56 AM, Daniel P. Berrangé wrote:
> The UNIX socket FDs were we passing to QEMU inherited a label based on
> libvirtd's context. QEMU is thus denied ability to access the UNIX
> socket. We need to use the security manager to change our current
> context temporarily when creating the UNIX socket FD.

It seems like this could be more efficient if we only set the label
once, then cleared it once (for the entire domain), rather than going
through all that trouble for each socket. But I suppose that would
probably cause problems if there were any other sockets created in the
interim that were *not* destined for use with qemu (and likely other
problems in the opposite direction in other places).

This does fix the failure to start domains with selinux enabled that I
was experiencing, which trumps any whiny perception of inefficiency.

>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Reviewed-by: Laine Stump <laine@laine.org>

> ---
>  src/qemu/qemu_command.c | 86 ++++++++++++++++++++++++++++-------------
>  src/qemu/qemu_command.h |  1 +
>  src/qemu/qemu_process.c |  2 +
>  3 files changed, 63 insertions(+), 26 deletions(-)
>
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index 1ffcb5b1ae..146f671663 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -4931,6 +4931,7 @@ qemuOpenChrChardevUNIXSocket(const virDomainChrSourceDef *dev)
>   * host side of the character device */
>  static char *
>  qemuBuildChrChardevStr(virLogManagerPtr logManager,
> +                       virSecurityManagerPtr secManager,
>                         virCommandPtr cmd,
>                         virQEMUDriverConfigPtr cfg,
>                         const virDomainDef *def,
> @@ -5065,7 +5066,13 @@ qemuBuildChrChardevStr(virLogManagerPtr logManager,
>  
>      case VIR_DOMAIN_CHR_TYPE_UNIX:
>          if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_CHARDEV_FD_PASS)) {
> +            if (qemuSecuritySetSocketLabel(secManager, (virDomainDefPtr)def) < 0)
> +                goto cleanup;
>              int fd = qemuOpenChrChardevUNIXSocket(dev);
> +            if (qemuSecurityClearSocketLabel(secManager, (virDomainDefPtr)def) < 0) {
> +                VIR_FORCE_CLOSE(fd);
> +                goto cleanup;
> +            }
>              if (fd < 0)
>                  goto cleanup;
>  
> @@ -5404,6 +5411,7 @@ qemuBuildHostdevCommandLine(virCommandPtr cmd,
>  
>  static int
>  qemuBuildMonitorCommandLine(virLogManagerPtr logManager,
> +                            virSecurityManagerPtr secManager,
>                              virCommandPtr cmd,
>                              virQEMUDriverConfigPtr cfg,
>                              virDomainDefPtr def,
> @@ -5414,7 +5422,8 @@ qemuBuildMonitorCommandLine(virLogManagerPtr logManager,
>      if (!priv->monConfig)
>          return 0;
>  
> -    if (!(chrdev = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
> +    if (!(chrdev = qemuBuildChrChardevStr(logManager, secManager,
> +                                          cmd, cfg, def,
>                                            priv->monConfig, "monitor",
>                                            priv->qemuCaps, true,
>                                            priv->chardevStdioLogd)))
> @@ -5533,6 +5542,7 @@ qemuBuildSclpDevStr(virDomainChrDefPtr dev)
>  
>  static int
>  qemuBuildRNGBackendChrdevStr(virLogManagerPtr logManager,
> +                             virSecurityManagerPtr secManager,
>                               virCommandPtr cmd,
>                               virQEMUDriverConfigPtr cfg,
>                               const virDomainDef *def,
> @@ -5550,7 +5560,8 @@ qemuBuildRNGBackendChrdevStr(virLogManagerPtr logManager,
>          return 0;
>  
>      case VIR_DOMAIN_RNG_BACKEND_EGD:
> -        if (!(*chr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
> +        if (!(*chr = qemuBuildChrChardevStr(logManager, secManager,
> +                                            cmd, cfg, def,
>                                              rng->source.chardev,
>                                              rng->info.alias, qemuCaps, true,
>                                              chardevStdioLogd)))
> @@ -5680,6 +5691,7 @@ qemuBuildRNGDevStr(const virDomainDef *def,
>  
>  static int
>  qemuBuildRNGCommandLine(virLogManagerPtr logManager,
> +                        virSecurityManagerPtr secManager,
>                          virCommandPtr cmd,
>                          virQEMUDriverConfigPtr cfg,
>                          const virDomainDef *def,
> @@ -5702,7 +5714,7 @@ qemuBuildRNGCommandLine(virLogManagerPtr logManager,
>          }
>  
>          /* possibly add character device for backend */
> -        if (qemuBuildRNGBackendChrdevStr(logManager, cmd, cfg, def,
> +        if (qemuBuildRNGBackendChrdevStr(logManager, secManager, cmd, cfg, def,
>                                           rng, qemuCaps, &tmp,
>                                           chardevStdioLogd) < 0)
>              return -1;
> @@ -8135,6 +8147,7 @@ qemuBuildGraphicsCommandLine(virQEMUDriverConfigPtr cfg,
>  static int
>  qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver,
>                                virLogManagerPtr logManager,
> +                              virSecurityManagerPtr secManager,
>                                virCommandPtr cmd,
>                                virDomainDefPtr def,
>                                virDomainNetDefPtr net,
> @@ -8157,7 +8170,8 @@ qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver,
>  
>      switch ((virDomainChrType)net->data.vhostuser->type) {
>      case VIR_DOMAIN_CHR_TYPE_UNIX:
> -        if (!(chardev = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
> +        if (!(chardev = qemuBuildChrChardevStr(logManager, secManager,
> +                                               cmd, cfg, def,
>                                                 net->data.vhostuser,
>                                                 net->info.alias, qemuCaps, false,
>                                                 chardevStdioLogd)))
> @@ -8225,6 +8239,7 @@ qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver,
>  static int
>  qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
>                                virLogManagerPtr logManager,
> +                              virSecurityManagerPtr secManager,
>                                virCommandPtr cmd,
>                                virDomainDefPtr def,
>                                virDomainNetDefPtr net,
> @@ -8356,7 +8371,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
>          break;
>  
>      case VIR_DOMAIN_NET_TYPE_VHOSTUSER:
> -        ret = qemuBuildVhostuserCommandLine(driver, logManager, cmd, def,
> +        ret = qemuBuildVhostuserCommandLine(driver, logManager, secManager, cmd, def,
>                                              net, qemuCaps, bootindex,
>                                              chardevStdioLogd);
>          goto cleanup;
> @@ -8534,6 +8549,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
>  static int
>  qemuBuildNetCommandLine(virQEMUDriverPtr driver,
>                          virLogManagerPtr logManager,
> +                        virSecurityManagerPtr secManager,
>                          virCommandPtr cmd,
>                          virDomainDefPtr def,
>                          virQEMUCapsPtr qemuCaps,
> @@ -8566,7 +8582,7 @@ qemuBuildNetCommandLine(virQEMUDriverPtr driver,
>          for (i = 0; i < def->nnets; i++) {
>              virDomainNetDefPtr net = def->nets[i];
>  
> -            if (qemuBuildInterfaceCommandLine(driver, logManager, cmd, def, net,
> +            if (qemuBuildInterfaceCommandLine(driver, logManager, secManager, cmd, def, net,
>                                                qemuCaps, bootNet, vmop,
>                                                standalone, nnicindexes,
>                                                nicindexes,
> @@ -8629,6 +8645,7 @@ qemuBuildSmartcardFindCCIDController(const virDomainDef *def,
>  
>  static int
>  qemuBuildSmartcardCommandLine(virLogManagerPtr logManager,
> +                              virSecurityManagerPtr secManager,
>                                virCommandPtr cmd,
>                                virQEMUDriverConfigPtr cfg,
>                                const virDomainDef *def,
> @@ -8702,7 +8719,8 @@ qemuBuildSmartcardCommandLine(virLogManagerPtr logManager,
>              return -1;
>          }
>  
> -        if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
> +        if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
> +                                              cmd, cfg, def,
>                                                smartcard->data.passthru,
>                                                smartcard->info.alias,
>                                                qemuCaps, true,
> @@ -8862,6 +8880,7 @@ qemuBuildShmemBackendMemProps(virDomainShmemDefPtr shmem)
>  
>  static int
>  qemuBuildShmemCommandLine(virLogManagerPtr logManager,
> +                          virSecurityManagerPtr secManager,
>                            virCommandPtr cmd,
>                            virQEMUDriverConfigPtr cfg,
>                            virDomainDefPtr def,
> @@ -8933,7 +8952,8 @@ qemuBuildShmemCommandLine(virLogManagerPtr logManager,
>      VIR_FREE(devstr);
>  
>      if (shmem->server.enabled) {
> -        devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
> +        devstr = qemuBuildChrChardevStr(logManager, secManager,
> +                                        cmd, cfg, def,
>                                          &shmem->server.chr,
>                                          shmem->info.alias, qemuCaps, true,
>                                          chardevStdioLogd);
> @@ -9020,6 +9040,7 @@ qemuChrIsPlatformDevice(const virDomainDef *def,
>  
>  static int
>  qemuBuildSerialCommandLine(virLogManagerPtr logManager,
> +                           virSecurityManagerPtr secManager,
>                             virCommandPtr cmd,
>                             virQEMUDriverConfigPtr cfg,
>                             const virDomainDef *def,
> @@ -9043,7 +9064,8 @@ qemuBuildSerialCommandLine(virLogManagerPtr logManager,
>          if (serial->source->type == VIR_DOMAIN_CHR_TYPE_SPICEPORT && !havespice)
>              continue;
>  
> -        if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
> +        if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
> +                                              cmd, cfg, def,
>                                                serial->source,
>                                                serial->info.alias,
>                                                qemuCaps, true,
> @@ -9080,6 +9102,7 @@ qemuBuildSerialCommandLine(virLogManagerPtr logManager,
>  
>  static int
>  qemuBuildParallelsCommandLine(virLogManagerPtr logManager,
> +                              virSecurityManagerPtr secManager,
>                                virCommandPtr cmd,
>                                virQEMUDriverConfigPtr cfg,
>                                const virDomainDef *def,
> @@ -9092,7 +9115,8 @@ qemuBuildParallelsCommandLine(virLogManagerPtr logManager,
>          virDomainChrDefPtr parallel = def->parallels[i];
>          char *devstr;
>  
> -        if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
> +        if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
> +                                              cmd, cfg, def,
>                                                parallel->source,
>                                                parallel->info.alias,
>                                                qemuCaps, true,
> @@ -9113,6 +9137,7 @@ qemuBuildParallelsCommandLine(virLogManagerPtr logManager,
>  
>  static int
>  qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
> +                             virSecurityManagerPtr secManager,
>                               virCommandPtr cmd,
>                               virQEMUDriverConfigPtr cfg,
>                               const virDomainDef *def,
> @@ -9127,7 +9152,8 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
>  
>          switch (channel->targetType) {
>          case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_GUESTFWD:
> -            if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
> +            if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
> +                                                  cmd, cfg, def,
>                                                    channel->source,
>                                                    channel->info.alias,
>                                                    qemuCaps, true,
> @@ -9144,7 +9170,8 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
>              break;
>  
>          case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO:
> -            if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
> +            if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
> +                                                  cmd, cfg, def,
>                                                    channel->source,
>                                                    channel->info.alias,
>                                                    qemuCaps, true,
> @@ -9166,6 +9193,7 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
>  
>  static int
>  qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
> +                            virSecurityManagerPtr secManager,
>                              virCommandPtr cmd,
>                              virQEMUDriverConfigPtr cfg,
>                              const virDomainDef *def,
> @@ -9187,7 +9215,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
>                  return -1;
>              }
>  
> -            if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
> +            if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
> +                                                  cmd, cfg, def,
>                                                    console->source,
>                                                    console->info.alias,
>                                                    qemuCaps, true,
> @@ -9208,7 +9237,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
>                  return -1;
>              }
>  
> -            if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
> +            if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
> +                                                  cmd, cfg, def,
>                                                    console->source,
>                                                    console->info.alias,
>                                                    qemuCaps, true,
> @@ -9223,7 +9253,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
>              break;
>  
>          case VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_VIRTIO:
> -            if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
> +            if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
> +                                                  cmd, cfg, def,
>                                                    console->source,
>                                                    console->info.alias,
>                                                    qemuCaps, true,
> @@ -9342,6 +9373,7 @@ qemuBuildRedirdevDevStr(const virDomainDef *def,
>  
>  static int
>  qemuBuildRedirdevCommandLine(virLogManagerPtr logManager,
> +                             virSecurityManagerPtr secManager,
>                               virCommandPtr cmd,
>                               virQEMUDriverConfigPtr cfg,
>                               const virDomainDef *def,
> @@ -9354,7 +9386,8 @@ qemuBuildRedirdevCommandLine(virLogManagerPtr logManager,
>          virDomainRedirdevDefPtr redirdev = def->redirdevs[i];
>          char *devstr;
>  
> -        if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
> +        if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
> +                                              cmd, cfg, def,
>                                                redirdev->source,
>                                                redirdev->info.alias,
>                                                qemuCaps, true,
> @@ -10065,6 +10098,7 @@ qemuBuildVsockCommandLine(virCommandPtr cmd,
>  virCommandPtr
>  qemuBuildCommandLine(virQEMUDriverPtr driver,
>                       virLogManagerPtr logManager,
> +                     virSecurityManagerPtr secManager,
>                       virDomainObjPtr vm,
>                       const char *migrateURI,
>                       virDomainSnapshotObjPtr snapshot,
> @@ -10181,7 +10215,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
>      if (qemuBuildSgaCommandLine(cmd, def, qemuCaps) < 0)
>          goto error;
>  
> -    if (qemuBuildMonitorCommandLine(logManager, cmd, cfg, def, priv) < 0)
> +    if (qemuBuildMonitorCommandLine(logManager, secManager, cmd, cfg, def, priv) < 0)
>          goto error;
>  
>      if (qemuBuildClockCommandLine(cmd, def, qemuCaps) < 0)
> @@ -10211,29 +10245,29 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
>      if (qemuBuildFSDevCommandLine(cmd, def, qemuCaps) < 0)
>          goto error;
>  
> -    if (qemuBuildNetCommandLine(driver, logManager, cmd, def,
> +    if (qemuBuildNetCommandLine(driver, logManager, secManager, cmd, def,
>                                  qemuCaps, vmop, standalone,
>                                  nnicindexes, nicindexes, &bootHostdevNet,
>                                  chardevStdioLogd) < 0)
>          goto error;
>  
> -    if (qemuBuildSmartcardCommandLine(logManager, cmd, cfg, def, qemuCaps,
> +    if (qemuBuildSmartcardCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
>                                        chardevStdioLogd) < 0)
>          goto error;
>  
> -    if (qemuBuildSerialCommandLine(logManager, cmd, cfg, def, qemuCaps,
> +    if (qemuBuildSerialCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
>                                     chardevStdioLogd) < 0)
>          goto error;
>  
> -    if (qemuBuildParallelsCommandLine(logManager, cmd, cfg, def, qemuCaps,
> +    if (qemuBuildParallelsCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
>                                        chardevStdioLogd) < 0)
>          goto error;
>  
> -    if (qemuBuildChannelsCommandLine(logManager, cmd, cfg, def, qemuCaps,
> +    if (qemuBuildChannelsCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
>                                       chardevStdioLogd) < 0)
>          goto error;
>  
> -    if (qemuBuildConsoleCommandLine(logManager, cmd, cfg, def, qemuCaps,
> +    if (qemuBuildConsoleCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
>                                      chardevStdioLogd) < 0)
>          goto error;
>  
> @@ -10258,7 +10292,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
>      if (qemuBuildWatchdogCommandLine(cmd, def, qemuCaps) < 0)
>          goto error;
>  
> -    if (qemuBuildRedirdevCommandLine(logManager, cmd, cfg, def, qemuCaps,
> +    if (qemuBuildRedirdevCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
>                                       chardevStdioLogd) < 0)
>          goto error;
>  
> @@ -10271,7 +10305,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
>      if (qemuBuildMemballoonCommandLine(cmd, def, qemuCaps) < 0)
>          goto error;
>  
> -    if (qemuBuildRNGCommandLine(logManager, cmd, cfg, def, qemuCaps,
> +    if (qemuBuildRNGCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
>                                  chardevStdioLogd) < 0)
>          goto error;
>  
> @@ -10306,7 +10340,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
>          goto error;
>  
>      for (i = 0; i < def->nshmems; i++) {
> -        if (qemuBuildShmemCommandLine(logManager, cmd, cfg,
> +        if (qemuBuildShmemCommandLine(logManager, secManager, cmd, cfg,
>                                        def, def->shmems[i], qemuCaps,
>                                        chardevStdioLogd))
>              goto error;
> diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h
> index c78282eb09..4f1b360130 100644
> --- a/src/qemu/qemu_command.h
> +++ b/src/qemu/qemu_command.h
> @@ -46,6 +46,7 @@ VIR_ENUM_DECL(qemuVideo)
>  
>  virCommandPtr qemuBuildCommandLine(virQEMUDriverPtr driver,
>                                     virLogManagerPtr logManager,
> +                                   virSecurityManagerPtr secManager,
>                                     virDomainObjPtr vm,
>                                     const char *migrateURI,
>                                     virDomainSnapshotObjPtr snapshot,
> diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
> index 2967568f62..7e9ad01e61 100644
> --- a/src/qemu/qemu_process.c
> +++ b/src/qemu/qemu_process.c
> @@ -6174,6 +6174,7 @@ qemuProcessLaunch(virConnectPtr conn,
>      VIR_DEBUG("Building emulator command line");
>      if (!(cmd = qemuBuildCommandLine(driver,
>                                       qemuDomainLogContextGetManager(logCtxt),
> +                                     driver->securityManager,
>                                       vm,
>                                       incoming ? incoming->launchURI : NULL,
>                                       snapshot, vmop,
> @@ -6642,6 +6643,7 @@ qemuProcessCreatePretendCmd(virQEMUDriverPtr driver,
>      VIR_DEBUG("Building emulator command line");
>      cmd = qemuBuildCommandLine(driver,
>                                 NULL,
> +                               driver->securityManager,
>                                 vm,
>                                 migrateURI,
>                                 NULL,


--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list