From nobody Sat Feb  7 05:53:43 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 207.211.31.120 as permitted sender) client-ip=207.211.31.120;
 envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-1.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 207.211.31.120 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1593620157; cv=none;
	d=zohomail.com; s=zohoarc;
	b=jl/ihKZ3Ma4uBjXOU0bnTkzyXOXqBdSZBxfxLohVJPACPyYCeFhEinZtZkDYrt3o3hLTkN2OScxeamEnWFAgbDePWZneYzUln1CO+jK/mOB5zVyaUh4yb5jc1z7Nk9MtPtA9HD0rTmXIz9DViIYVF27+OnbIvohN3bSKi00BTnU=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1593620157;
 h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=LpQdZRn0Lm7sBCN8CGUSkASezcKneyq7Vf99VgHfdvc=;
	b=Y5cdn/73jNeqJxFLHl3vyMn1Moh4xGCoPUeGVAdtLEP/x5Fm4cxAq1LQ2up03LkGAeofWgc2FxYV9kXukbT6t75CPEnTKKqQ5zuEu7z1ofO8aIEUIvjS7TUqxrP/4R/piWDS+NCWLmb9jgUZ6+iryN93Eq265YfFGAzs2PeMUeU=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 207.211.31.120 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<mprivozn@redhat.com> (p=none dis=none)
 header.from=<mprivozn@redhat.com>
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
 [207.211.31.120]) by mx.zohomail.com
	with SMTPS id 1593620157394566.8795409942536;
 Wed, 1 Jul 2020 09:15:57 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-351-om-hQMxYNEqejQcQhtSDPg-1; Wed, 01 Jul 2020 12:15:49 -0400
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com
 [10.5.11.15])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 644FA75E44;
	Wed,  1 Jul 2020 16:15:43 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id EFCDA73FC2;
	Wed,  1 Jul 2020 16:15:42 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id BB9081809561;
	Wed,  1 Jul 2020 16:15:42 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com
	[10.5.11.16])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 061GFMPJ005218 for <libvir-list@listman.util.phx.redhat.com>;
	Wed, 1 Jul 2020 12:15:22 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id AF8225C3F8; Wed,  1 Jul 2020 16:15:22 +0000 (UTC)
Received: from localhost.localdomain (unknown [10.40.194.29])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 2E9CA5C1C5
	for <libvir-list@redhat.com>; Wed,  1 Jul 2020 16:15:22 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1593620156;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=LpQdZRn0Lm7sBCN8CGUSkASezcKneyq7Vf99VgHfdvc=;
	b=fBrwKwkt3PLVSXmlESM9IorssfENontXnvg9sGRy/DDuppOxeWee+/uxf25quUYxgN/VS2
	Rwl5tS+v8e/fljgUQGUzO40ftW0zOJGfw7f4baRb2nNbw7Rmpoa63eigM1pu3z4f2TP2kH
	FOa055CqOhvgKy2Cb9E7QUcuIasmj44=
X-MC-Unique: om-hQMxYNEqejQcQhtSDPg-1
From: Michal Privoznik <mprivozn@redhat.com>
To: libvir-list@redhat.com
Subject: [PATCH 4/7] qemu: Use qemuSecuritySetSavedStateLabel() to label
	restore path
Date: Wed,  1 Jul 2020 18:15:04 +0200
Message-Id: 
 <1856638ac8cc3373c638854084e11677aadd887b.1593620041.git.mprivozn@redhat.com>
In-Reply-To: <cover.1593620041.git.mprivozn@redhat.com>
References: <cover.1593620041.git.mprivozn@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-loop: libvir-list@redhat.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
Content-Type: text/plain; charset="utf-8"

Currently, when restoring from a domain the path that the domain
restores from is labelled under qemuSecuritySetAllLabel() (and after
v6.3.0-rc1~108 even outside transactions). While this grants QEMU
the access, it has a flaw, because once the domain is restored, up
and running then qemuSecurityDomainRestorePathLabel() is called,
which is not real counterpart. In case of DAC driver the
SetAllLabel() does nothing with the restore path but
RestorePathLabel() does - it chown()-s the file back and since there
is no original label remembered, the file is chown()-ed to
root:root. While the apparent solution is to have DAC driver set the
label (and thus remember the original one) in SetAllLabel(), we can
do better.

Turns out, we are opening the file ourselves (because it may live on
a root squashed NFS) and then are just passing the FD to QEMU. But
this means, that we don't have to chown() the file at all, we need
to set SELinux labels and/or add the path to AppArmor profile.

And since we want to restore labels right after QEMU is done loading
the migration stream (we don't want to wait until
qemuSecurityRestoreAllLabel()), the best way to approach this is to
have separate APIs for labelling and restoring label on the restore
file.

I will investigate whether AppArmor can use the SavedStateLabel()
API instead of passing the restore path to SetAllLabel().

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=3D1851016

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/qemu/qemu_driver.c   |  2 --
 src/qemu/qemu_process.c  | 12 ++++++++++++
 src/qemu/qemu_security.c |  7 -------
 3 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index a5b38b3d24..9da05038d9 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6958,8 +6958,6 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
         qemuProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_FAILED,
                         asyncJob, VIR_QEMU_PROCESS_STOP_MIGRATED);
     }
-    if (qemuSecurityDomainRestorePathLabel(driver, vm, path, true) < 0)
-        VIR_WARN("failed to restore save state label on %s", path);
     return ret;
 }
=20
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index d36088ba98..70fc24b993 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -7073,6 +7073,7 @@ qemuProcessStart(virConnectPtr conn,
     qemuProcessIncomingDefPtr incoming =3D NULL;
     unsigned int stopFlags;
     bool relabel =3D false;
+    bool relabelSavedState =3D false;
     int ret =3D -1;
     int rv;
=20
@@ -7109,6 +7110,13 @@ qemuProcessStart(virConnectPtr conn,
     if (qemuProcessPrepareHost(driver, vm, flags) < 0)
         goto stop;
=20
+    if (migratePath) {
+        if (qemuSecuritySetSavedStateLabel(driver->securityManager,
+                                           vm->def, migratePath) < 0)
+            goto cleanup;
+        relabelSavedState =3D true;
+    }
+
     if ((rv =3D qemuProcessLaunch(conn, driver, vm, asyncJob, incoming,
                                 snapshot, vmop, flags)) < 0) {
         if (rv =3D=3D -2)
@@ -7145,6 +7153,10 @@ qemuProcessStart(virConnectPtr conn,
     ret =3D 0;
=20
  cleanup:
+    if (relabelSavedState &&
+        qemuSecurityRestoreSavedStateLabel(driver->securityManager,
+                                           vm->def, migratePath) < 0)
+        VIR_WARN("failed to restore save state label on %s", migratePath);
     qemuProcessIncomingDefFree(incoming);
     return ret;
=20
diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
index 3b6d6e91f4..e35394b2f6 100644
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@@ -39,13 +39,6 @@ qemuSecuritySetAllLabel(virQEMUDriverPtr driver,
     qemuDomainObjPrivatePtr priv =3D vm->privateData;
     pid_t pid =3D -1;
=20
-    /* Explicitly run this outside of transaction. We really want to relab=
el
-     * the file in the host and not in the domain's namespace. */
-    if (virSecurityManagerDomainSetPathLabelRO(driver->securityManager,
-                                               vm->def,
-                                               stdin_path) < 0)
-        goto cleanup;
-
     if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
         pid =3D vm->pid;
=20
--=20
2.26.2