From: Daniel Henrique Barboza
To: libvir-list@redhat.com
Cc: mprivozn@redhat.com, Daniel Henrique Barboza
Subject: [PATCH v1 1/2] security: Allow 'remember' to be set for HostdevLabelHelper
Date: Mon, 27 Jan 2020 15:23:20 -0300
Message-Id: <20200127182321.713525-2-danielhb413@gmail.com>
In-Reply-To: <20200127182321.713525-1-danielhb413@gmail.com>
References: <20200127182321.713525-1-danielhb413@gmail.com>

There is a case in which we do not want 'remember' to be
set to true in SetOwnership() calls inside the
HostdevLabelHelper() functions of both DAC and SELinux drivers.
Next patch will explain and handle that scenario.

For now, let's make virSecurityDACSetOwnership() and
virSecuritySELinuxSetHostdevLabelHelper() accept a 'remember'
flag, which will be used to set the 'remember' parameter
of their respective SetOwnership() calls. No functional
change is made.

Signed-off-by: Daniel Henrique Barboza
Reviewed-by: Michal Privoznik
---
 src/security/security_dac.c     | 13 +++++++------
 src/security/security_selinux.c | 14 ++++++++------
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 2561ee440e..b456c59a02 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1144,6 +1144,7 @@ virSecurityDACMoveImageMetadata(virSecurityManagerPtr= mgr, =20 static int virSecurityDACSetHostdevLabelHelper(const char *file, + bool remember, void *opaque) { virSecurityDACCallbackDataPtr cbdata =3D opaque; @@ -1156,7 +1157,7 @@ virSecurityDACSetHostdevLabelHelper(const char *file, if (virSecurityDACGetIds(secdef, priv, &user, &group, NULL, NULL) < 0) return -1; =20 - return virSecurityDACSetOwnership(mgr, NULL, file, user, group, true); + return virSecurityDACSetOwnership(mgr, NULL, file, user, group, rememb= er); } =20 =20 @@ -1165,7 +1166,7 @@ virSecurityDACSetPCILabel(virPCIDevicePtr dev G_GNUC_= UNUSED, const char *file, void *opaque) { - return virSecurityDACSetHostdevLabelHelper(file, opaque); + return virSecurityDACSetHostdevLabelHelper(file, true, opaque); } =20 =20 @@ -1174,7 +1175,7 @@ virSecurityDACSetUSBLabel(virUSBDevicePtr dev G_GNUC_= UNUSED, const char *file, void *opaque) { - return virSecurityDACSetHostdevLabelHelper(file, opaque); + return virSecurityDACSetHostdevLabelHelper(file, true, opaque); } =20 =20 @@ -1183,7 +1184,7 @@ virSecurityDACSetSCSILabel(virSCSIDevicePtr dev G_GNU= C_UNUSED, const char *file, void *opaque) { - return virSecurityDACSetHostdevLabelHelper(file, opaque); + return virSecurityDACSetHostdevLabelHelper(file, true, opaque); } =20 =20 @@ -1192,7 +1193,7 @@ virSecurityDACSetHostLabel(virSCSIVHostDevicePtr dev = G_GNUC_UNUSED, const char *file, void *opaque) { - return virSecurityDACSetHostdevLabelHelper(file, opaque); + return virSecurityDACSetHostdevLabelHelper(file, true, opaque); } =20 =20 
@@ -1312,7 +1313,7 @@ virSecurityDACSetHostdevLabel(virSecurityManagerPtr m= gr, if (!(vfiodev =3D virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuids= tr))) return -1; =20 - ret =3D virSecurityDACSetHostdevLabelHelper(vfiodev, &cbdata); + ret =3D virSecurityDACSetHostdevLabelHelper(vfiodev, true, &cbdata= ); =20 VIR_FREE(vfiodev); break; diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 21279e7622..86acc0a33f 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -2001,7 +2001,9 @@ virSecuritySELinuxMoveImageMetadata(virSecurityManage= rPtr mgr, =20 =20 static int -virSecuritySELinuxSetHostdevLabelHelper(const char *file, void *opaque) +virSecuritySELinuxSetHostdevLabelHelper(const char *file, + bool remember, + void *opaque) { virSecurityLabelDefPtr secdef; virSecuritySELinuxCallbackDataPtr data =3D opaque; @@ -2011,21 +2013,21 @@ virSecuritySELinuxSetHostdevLabelHelper(const char = *file, void *opaque) secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); if (secdef =3D=3D NULL) return 0; - return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel, tru= e); + return virSecuritySELinuxSetFilecon(mgr, file, secdef->imagelabel, rem= ember); } =20 static int virSecuritySELinuxSetPCILabel(virPCIDevicePtr dev G_GNUC_UNUSED, const char *file, void *opaque) { - return virSecuritySELinuxSetHostdevLabelHelper(file, opaque); + return virSecuritySELinuxSetHostdevLabelHelper(file, true, opaque); } =20 static int virSecuritySELinuxSetUSBLabel(virUSBDevicePtr dev G_GNUC_UNUSED, const char *file, void *opaque) { - return virSecuritySELinuxSetHostdevLabelHelper(file, opaque); + return virSecuritySELinuxSetHostdevLabelHelper(file, true, opaque); } =20 static int 
@@ -2056,7 +2058,7 @@ static int virSecuritySELinuxSetHostLabel(virSCSIVHostDevicePtr dev G_GNUC_UNUSED, const char *file, void *opaque) { - return virSecuritySELinuxSetHostdevLabelHelper(file, opaque); + return virSecuritySELinuxSetHostdevLabelHelper(file, true, opaque); } =20 =20 
@@ -2164,7 +2166,7 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityMa= nagerPtr mgr, if (!(vfiodev =3D virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuids= tr))) return ret; =20 - ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfiodev, &data); + ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfiodev, true, &da= ta); =20 VIR_FREE(vfiodev); break; --=20 2.24.1
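
Review bot: The commit message does not match the first security_dac.c hunk (@@ -1144): it says virSecurityDACSetOwnership() is made to accept a 'remember' flag, but the function that gains `bool remember` there is virSecurityDACSetHostdevLabelHelper(). virSecurityDACSetOwnership() already took a final argument, the hard-coded `true` that this hunk replaces with `remember`. Please reword the message to name virSecurityDACSetHostdevLabelHelper(), so it lines up with the SELinux half, which is described correctly.
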
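
Review bot: The new `bool remember` parameter of virSecurityDACSetHostdevLabelHelper() (@@ -1144) and virSecuritySELinuxSetHostdevLabelHelper() (@@ -2001) is undocumented, and every call site in both files now passes a bare `true` with nothing to say what it means. Since these helpers decide whether the original owner or SELinux label of a host device node is recorded, a short comment above each helper stating what 'remember' does and under which condition a caller may pass false would make the follow-up patch much easier to audit. The commit message defers the whole rationale to "Next patch", which leaves this commit unexplained when read on its own in git log.
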
From: Daniel Henrique Barboza
To: libvir-list@redhat.com
Cc: mprivozn@redhat.com, Daniel Henrique Barboza
Subject: [PATCH v1 2/2] security: do not remember/recall labels for VFIO
Date: Mon, 27 Jan 2020 15:23:21 -0300
Message-Id: <20200127182321.713525-3-danielhb413@gmail.com>
In-Reply-To: <20200127182321.713525-1-danielhb413@gmail.com>
References: <20200127182321.713525-1-danielhb413@gmail.com>

Files inside /dev/vfio/ can't be opened more than once, meaning
that any subsequent open calls will fail. This behavior was
introduced in kernel v3.11, commit 6d6768c61b39.

When using the VFIO driver, we open a FD to /dev/vfio/N and
pass it to QEMU. If any other call attempt for the same
/dev/vfio/N happens while QEMU is still using the file, we are
unable to open it and QEMU will report -EBUSY. This can happen
if we hotplug a PCI hostdev that belongs to the same IOMMU group
of an existing domain hostdev.

The problem and solution is similar to what we already dealt
with for TPM in commit 4e95cdcbb3.

This patch changes both DAC and SELinux drivers to disable 'remember' for VFIO hostdevs in virSecurityDACSetHostdevLabelHelper() and virSecurityDACSetHostdevLabel(), and 'recall' in virSecurityDACRestoreHostdevLabel() and virSecuritySELinuxRestoreHostdevSubsysLabel(). Signed-off-by: Daniel Henrique Barboza Reviewed-by: Michal Privoznik --- src/security/security_dac.c | 7 +++++-- src/security/security_selinux.c | 6 ++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index b456c59a02..216fe93a56 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1263,7 +1263,9 @@ virSecurityDACSetHostdevLabel(virSecurityManagerPtr m= gr, virPCIDeviceFree(pci); return -1; } - ret =3D virSecurityDACSetPCILabel(pci, vfioGroupDev, &cbdata); + ret =3D virSecurityDACSetHostdevLabelHelper(vfioGroupDev, + false, + &cbdata); VIR_FREE(vfioGroupDev); } else { ret =3D virPCIDeviceFileIterate(pci, @@ -1430,7 +1432,8 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerP= tr mgr, virPCIDeviceFree(pci); return -1; } - ret =3D virSecurityDACRestorePCILabel(pci, vfioGroupDev, mgr); + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + vfioGroupDev, fal= se); VIR_FREE(vfioGroupDev); } else { ret =3D virPCIDeviceFileIterate(pci, virSecurityDACRestorePCIL= abel, mgr); diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 86acc0a33f..ce46df09da 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -2118,7 +2118,9 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityMa= nagerPtr mgr, virPCIDeviceFree(pci); return -1; } - ret =3D virSecuritySELinuxSetPCILabel(pci, vfioGroupDev, &data= ); + ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfioGroupDev, + false, + &data); VIR_FREE(vfioGroupDev); } else { ret =3D virPCIDeviceFileIterate(pci, virSecuritySELinuxSetPCIL= abel, &data); 
@@ -2356,7 +2358,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecuri= tyManagerPtr mgr, virPCIDeviceFree(pci); return -1; } - ret =3D virSecuritySELinuxRestorePCILabel(pci, vfioGroupDev, m= gr); + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfioGroupDev, = false); VIR_FREE(vfioGroupDev); } else { ret =3D virPCIDeviceFileIterate(pci, virSecuritySELinuxRestore= PCILabel, mgr); --=20 2.24.1
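
Review bot: Only the PCI `vfioGroupDev` branch is switched to `false` in the set-side hunks (security_dac.c @@ -1263, security_selinux.c @@ -2118); the mediated-device branch touched by patch 1/2 still calls the helper with `true` on the path returned by virMediatedDeviceGetIOMMUGroupDev(). If that path is also a group file under /dev/vfio/, the open-once restriction described in the commit message applies to it as well. Either pass `false` there too or state in the commit message why mdev hostdevs are not affected.
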
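
Review bot: The restore hunks (security_dac.c @@ -1430, security_selinux.c @@ -2356) leave one question open: in the scenario the commit message gives, two hostdevs in the same IOMMU group share one /dev/vfio/N, so with recall disabled what keeps the restore on unplug of the first device from resetting the owner or label while the second is still using the file? Please state the expected behaviour in the commit message. The calls now bypass virSecurityDACRestorePCILabel() and virSecuritySELinuxRestorePCILabel() with a bare `false`, so a one-line comment at each call site pointing at the /dev/vfio open-once restriction would also keep a later cleanup from folding them back into the PCI callbacks.
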
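
Review bot: The function list in the commit message does not match the hunks. It names virSecurityDACSetHostdevLabelHelper() as changed, but this patch only changes callers in virSecurityDACSetHostdevLabel() and virSecurityDACRestoreHostdevLabel(); on the SELinux side it names only the restore function and omits virSecuritySELinuxSetHostdevSubsysLabel(), which is modified at @@ -2118. Please list the four functions actually touched.
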