From: Peng Liang
Subject: [PATCH v2 01/10] security: add virSecurityUpdateTimestampIfexists
Date: Mon, 11 Oct 2021 20:00:39 +0800
Message-ID: <20211011120048.243696-2-liangpeng10@huawei.com>
In-Reply-To: <20211011120048.243696-1-liangpeng10@huawei.com>
References: <20211011120048.243696-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com
List-Id: Development discussions about the libvirt library & tools
Signed-off-by: Peng Liang --- src/security/security_util.c | 32 ++++++++++++++++++++++++++++++++ src/security/security_util.h | 4 ++++ 2 files changed, 36 insertions(+) diff --git a/src/security/security_util.c b/src/security/security_util.c index 26a7861e2935..07960b577e1a 100644 --- a/src/security/security_util.c +++ b/src/security/security_util.c @@ -227,6 +227,38 @@ virSecurityAddTimestamp(const char *name, } =20 =20 +/** + * virSecurityUpdateTimestampIfexists: + * @name: security driver name + * @path: file name + * + * Update timestamp of @path for given security driver (@name) if the time= stamp + * of @path exists. + * + * Returns: 0 on success, + * 1 if timestamp of @path doesn't exist, + * -1 otherwise. + */ +int +virSecurityUpdateTimestampIfexists(const char *name, + const char *path) +{ + g_autofree char *timestamp_name =3D NULL; + g_autofree char *timestamp_value =3D NULL; + g_autofree char *old_value =3D NULL; + + if (!(timestamp_value =3D virSecurityGetTimestamp()) || + !(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + return -1; + + if (virFileGetXAttrQuiet(path, timestamp_name, &old_value) < 0) + return 1; + + + return virFileSetXAttr(path, timestamp_name, timestamp_value); +} + + static int virSecurityRemoveTimestamp(const char *name, const char *path) diff --git a/src/security/security_util.h b/src/security/security_util.h index 7af6f009e2ca..b66541fd92c5 100644 --- a/src/security/security_util.h +++ b/src/security/security_util.h 
@@ -33,5 +33,9 @@ virSecurityMoveRememberedLabel(const char *name, const char *src, const char *dst); =20 +int +virSecurityUpdateTimestampIfexists(const char *name, + const char *path); + bool virSecurityXATTRNamespaceDefined(void); --=20 2.31.1
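Review bot: In the security_util.c hunk, `if (virFileGetXAttrQuiet(path, timestamp_name, &old_value) < 0) return 1;` turns every failure of the xattr read into the documented "timestamp of @path doesn't exist" result, so a permission error or an unsupported xattr namespace is reported as 1 instead of -1 and the caller cannot tell "no timestamp" from "could not read the timestamp"; check errno for ENODATA and return -1 for anything else. Two smaller points in the same hunk: there are two consecutive blank added lines before `return virFileSetXAttr(path, timestamp_name, timestamp_value);`, and the name would read `virSecurityUpdateTimestampIfExists` to match the word capitalisation of the neighbouring virSecurityAddTimestamp / virSecurityRemoveTimestamp (the security_util.h declaration would need the same rename).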
From: Peng Liang
Subject: [PATCH v2 02/10] security: add virSecurityManagerUpdateImageLabel
Date: Mon, 11 Oct 2021 20:00:40 +0800
Message-ID: <20211011120048.243696-3-liangpeng10@huawei.com>
In-Reply-To: <20211011120048.243696-1-liangpeng10@huawei.com>
References: <20211011120048.243696-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com
List-Id: Development discussions about the libvirt library & tools

After migration, some labels of images need to be updated. So add virSecurityManagerUpdateImageLabel to do it.
Signed-off-by: Peng Liang --- src/libvirt_private.syms | 1 + src/security/security_driver.h | 5 +++++ src/security/security_manager.c | 29 +++++++++++++++++++++++++++++ src/security/security_manager.h | 5 +++++ 4 files changed, 40 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index fd0eea0777e2..ed750de262a1 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -1720,6 +1720,7 @@ virSecurityManagerStackAddNested; virSecurityManagerTransactionAbort; virSecurityManagerTransactionCommit; virSecurityManagerTransactionStart; +virSecurityManagerUpdateImageLabel; virSecurityManagerVerify; =20 =20 diff --git a/src/security/security_driver.h b/src/security/security_driver.h index a1fc23be383f..7c1e9a5a8596 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -123,6 +123,10 @@ typedef int (*virSecurityDomainMoveImageMetadata) (vir= SecurityManager *mgr, pid_t pid, virStorageSource *src, virStorageSource *dst); +typedef int (*virSecurityDomainUpdateImageLabel) (virSecurityManager *mgr, + virDomainDef *def, + virStorageSource *src, + virSecurityDomainImageLa= belFlags flags); typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManager *mgr, virDomainDef *def, virDomainMemoryDef *mem); @@ -186,6 +190,7 @@ struct _virSecurityDriver { virSecurityDomainSetImageLabel domainSetSecurityImageLabel; virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel; virSecurityDomainMoveImageMetadata domainMoveImageMetadata; + virSecurityDomainUpdateImageLabel domainUpdateSecurityImageLabel; =20 virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel; virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel; diff --git a/src/security/security_manager.c b/src/security/security_manage= r.c index d8a03a19cb8b..bbdecbf41606 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c 
@@ -476,6 +476,35 @@ virSecurityManagerMoveImageMetadata(virSecurityManager= *mgr, } =20 =20 +/** + * virSecurityManagerUpdateImageLabel: + * @mgr: security manager object + * @vm: domain definition object + * @src: disk source definition to operate on + * @flags: bitwise or of 'virSecurityDomainImageLabelFlags' + * + * Update security label from @src according to @flags. + * + * Returns: 0 on success, -1 on error. + */ +int +virSecurityManagerUpdateImageLabel(virSecurityManager *mgr, + virDomainDef *vm, + virStorageSource *src, + virSecurityDomainImageLabelFlags flags) +{ + if (mgr->drv->domainUpdateSecurityImageLabel) { + int ret; + virObjectLock(mgr); + ret =3D mgr->drv->domainUpdateSecurityImageLabel(mgr, vm, src, fla= gs); + virObjectUnlock(mgr); + return ret; + } + + return 0; +} + + int virSecurityManagerSetDaemonSocketLabel(virSecurityManager *mgr, virDomainDef *vm) diff --git a/src/security/security_manager.h b/src/security/security_manage= r.h index 59020b147527..365f18e2dcfd 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h 
@@ -175,6 +175,11 @@ int virSecurityManagerMoveImageMetadata(virSecurityMan= ager *mgr, pid_t pid, virStorageSource *src, virStorageSource *dst); +int +virSecurityManagerUpdateImageLabel(virSecurityManager *mgr, + virDomainDef *vm, + virStorageSource *src, + virSecurityDomainImageLabelFlags flags); =20 int virSecurityManagerSetMemoryLabel(virSecurityManager *mgr, virDomainDef *vm, --=20 2.31.1
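Review bot: In the security_driver.h typedef hunk the domain parameter is named `def` (`virDomainDef *def,`) while the public wrapper added in security_manager.c and security_manager.h names the same parameter `vm`; pick one name for the callback and the wrapper so the two signatures read the same.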
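Review bot: In the security_manager.c hunk the doc comment says "Update security label from @src according to @flags"; it should read "of @src", and it should also state that a driver without a domainUpdateSecurityImageLabel callback silently succeeds (the `return 0;` after the `if` block), since a caller relying on labels actually being refreshed after migration needs to know that 0 can also mean "nothing was done".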
From: Peng Liang
Subject: [PATCH v2 03/10] security: implement domainUpdateSecurityImageLabel for stack
Date: Mon, 11 Oct 2021 20:00:41 +0800
Message-ID: <20211011120048.243696-4-liangpeng10@huawei.com>
In-Reply-To: <20211011120048.243696-1-liangpeng10@huawei.com>
References: <20211011120048.243696-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com
List-Id: Development discussions about the libvirt library & tools

Signed-off-by: Peng Liang
---
 src/security/security_stack.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 3c2239910aa5..7712cac3b542 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -706,6 +706,25 @@ virSecurityStackMoveImageMetadata(virSecurityManager *= mgr, return rc; } =20 +static int +virSecurityStackUpdateImageLabel(virSecurityManager *mgr, + virDomainDef *vm, + virStorageSource *src, + virSecurityDomainImageLabelFlags flags) +{ + virSecurityStackData *priv =3D virSecurityManagerGetPrivateData(mgr); + virSecurityStackItem *item =3D priv->itemsHead; + int rc =3D 0; + + for (; item; item =3D item->next) { + if (virSecurityManagerUpdateImageLabel(item->securityManager, + vm, src, flags) < 0) + rc =3D -1; + } + + return rc; +} + static int virSecurityStackSetMemoryLabel(virSecurityManager *mgr, virDomainDef *vm, 
@@ -1033,6 +1052,7 @@ virSecurityDriver virSecurityDriverStack =3D { .domainSetSecurityImageLabel =3D virSecurityStackSetImageLabel, .domainRestoreSecurityImageLabel =3D virSecurityStackRestoreImageLa= bel, .domainMoveImageMetadata =3D virSecurityStackMoveImageMetad= ata, + .domainUpdateSecurityImageLabel =3D virSecurityStackUpdateImageLab= el, =20 .domainSetSecurityMemoryLabel =3D virSecurityStackSetMemoryLabel, .domainRestoreSecurityMemoryLabel =3D virSecurityStackRestoreMemoryL= abel, --=20 2.31.1
From: Peng Liang
Subject: [PATCH v2 04/10] security: implement domainUpdateSecurityImageLabel for DAC
Date: Mon, 11 Oct 2021 20:00:42 +0800
Message-ID: <20211011120048.243696-5-liangpeng10@huawei.com>
In-Reply-To: <20211011120048.243696-1-liangpeng10@huawei.com>
References: <20211011120048.243696-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com
List-Id: Development discussions about the libvirt library & tools

Signed-off-by: Peng Liang
---
 src/security/security_dac.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 1733d63410b3..d1e1552bb683 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1132,6 +1132,23 @@ virSecurityDACMoveImageMetadata(virSecurityManager *= mgr, } =20 =20 +static int +virSecurityDACUpdateImageLabel(virSecurityManager *mgr G_GNUC_UNUSED, + virDomainDef *def G_GNUC_UNUSED, + virStorageSource *src, + virSecurityDomainImageLabelFlags flags G_GN= UC_UNUSED) +{ + virStorageSource *n; + + for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { + if (virSecurityUpdateTimestampIfexists(SECURITY_DAC_NAME, src->pat= h) < 0) + return -1; + } + + return 0; +} + + static int virSecurityDACSetHostdevLabelHelper(const char *file, bool remember, 
@@ -2539,6 +2556,7 @@ virSecurityDriver virSecurityDriverDAC =3D { .domainSetSecurityImageLabel =3D virSecurityDACSetImageLabel, .domainRestoreSecurityImageLabel =3D virSecurityDACRestoreImageLabe= l, .domainMoveImageMetadata =3D virSecurityDACMoveImageMetadat= a, + .domainUpdateSecurityImageLabel =3D virSecurityDACUpdateImageLabel, =20 .domainSetSecurityMemoryLabel =3D virSecurityDACSetMemoryLabel, .domainRestoreSecurityMemoryLabel =3D virSecurityDACRestoreMemoryLab= el, --=20 2.31.1
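Review bot: In the security_dac.c hunk the loop walks the backing chain with `n` (`for (n = src; virStorageSourceIsBacking(n); n = n->backingStore)`) but the call inside passes `src->path`, so the top-level image has its timestamp refreshed once per chain element and the backing files are never touched; this should be `n->path`. While fixing that, consider skipping chain elements that have no local path before calling virSecurityUpdateTimestampIfexists, so a NULL path is never handed to the xattr helpers.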
From: Peng Liang
Subject: [PATCH v2 05/10] security: implement domainUpdateSecurityImageLabel for SELinux
Date: Mon, 11 Oct 2021 20:00:43 +0800
Message-ID: <20211011120048.243696-6-liangpeng10@huawei.com>
In-Reply-To: <20211011120048.243696-1-liangpeng10@huawei.com>
References: <20211011120048.243696-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com

Signed-off-by: Peng Liang --- src/security/security_selinux.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index cc7245332980..5c491fc131ea 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1996,6 +1996,23 @@ virSecuritySELinuxMoveImageMetadata(virSecurityManag= er *mgr, } =20 =20 +static int +virSecuritySELinuxUpdateImageLabel(virSecurityManager *mgr G_GNUC_UNUSED, + virDomainDef *def G_GNUC_UNUSED, + virStorageSource *src, + virSecurityDomainImageLabelFlags flags = G_GNUC_UNUSED) +{ + virStorageSource *n; + + for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { + if (virSecurityUpdateTimestampIfexists(SECURITY_SELINUX_NAME, src-= >path) < 0) + return -1; + } + + return 0; +} + + static int virSecuritySELinuxSetHostdevLabelHelper(const char *file, bool remember, 
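Review bot: the loop in virSecuritySELinuxUpdateImageLabel (hunk `@@ -1996,6 +1996,23 @@`) walks `n` over the backing chain but calls `virSecurityUpdateTimestampIfexists(SECURITY_SELINUX_NAME, src->path)`, so every iteration touches the top image's timestamp and no backing file is ever updated; the argument should be `n->path`. Separately, `flags` is marked G_GNUC_UNUSED, so a caller cannot restrict the update to the top layer the way the Set/Restore paths honour VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN; either check the flag here or document that this entry point always walks the whole chain.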
@@ -3587,6 +3604,7 @@ virSecurityDriver virSecurityDriverSELinux =3D { .domainSetSecurityImageLabel =3D virSecuritySELinuxSetImageLabe= l, .domainRestoreSecurityImageLabel =3D virSecuritySELinuxRestoreImage= Label, .domainMoveImageMetadata =3D virSecuritySELinuxMoveImageMet= adata, + .domainUpdateSecurityImageLabel =3D virSecuritySELinuxUpdateImageL= abel, =20 .domainSetSecurityMemoryLabel =3D virSecuritySELinuxSetMemoryLab= el, .domainRestoreSecurityMemoryLabel =3D virSecuritySELinuxRestoreMemor= yLabel, --=20 2.31.1
From: Peng Liang
Subject: [PATCH v2 06/10] qemu: add qemuSecurityUpdateImageLabel
Date: Mon, 11 Oct 2021 20:00:44 +0800
Message-ID: <20211011120048.243696-7-liangpeng10@huawei.com>
In-Reply-To: <20211011120048.243696-1-liangpeng10@huawei.com>
References: <20211011120048.243696-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com

Signed-off-by: Peng Liang --- src/qemu/qemu_security.c | 10 ++++++++++ src/qemu/qemu_security.h | 5 +++++ 2 files changed, 15 insertions(+)
diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c index 19d957dd4b96..d8f2049e0d46 100644 --- a/src/qemu/qemu_security.c +++ b/src/qemu/qemu_security.c @@ -188,6 +188,16 @@ qemuSecurityMoveImageMetadata(virQEMUDriver *driver, } =20 =20 +int +qemuSecurityUpdateImageLabel(virQEMUDriver *driver, + virDomainObj *vm, + virStorageSource *src) +{ + return virSecurityManagerUpdateImageLabel(driver->securityManager, vm-= >def, + src, 0); +} + + int qemuSecuritySetHostdevLabel(virQEMUDriver *driver, virDomainObj *vm, diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h index 8b26ea3f9922..ea6e1404936e 100644 --- a/src/qemu/qemu_security.h +++ b/src/qemu/qemu_security.h 
@@ -49,6 +49,11 @@ int qemuSecurityMoveImageMetadata(virQEMUDriver *driver, virStorageSource *src, virStorageSource *dst); =20 +int +qemuSecurityUpdateImageLabel(virQEMUDriver *driver, + virDomainObj *vm, + virStorageSource *src); + int qemuSecuritySetHostdevLabel(virQEMUDriver *driver, virDomainObj *vm, virDomainHostdevDef *hostdev); --=20 2.31.1
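Review bot: qemuSecurityUpdateImageLabel (hunk `@@ -188,6 +188,16 @@` in qemu_security.c) hard-codes the flags argument to `0`, which in every other image-label entry point means "top layer only", yet the SELinux callback it reaches ignores flags and walks the full backing chain; a reader of this wrapper will draw the wrong conclusion. Either pass VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN explicitly so the intent is visible at the call site, or add a one-line comment above the function (and on the new declaration in qemu_security.h) stating that the whole chain is updated regardless of flags.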
From: Peng Liang
Subject: [PATCH v2 07/10] security: rename 2 functions in DAC and SELinux
Date: Mon, 11 Oct 2021 20:00:45 +0800
Message-ID: <20211011120048.243696-8-liangpeng10@huawei.com>
In-Reply-To: <20211011120048.243696-1-liangpeng10@huawei.com>
References: <20211011120048.243696-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com

virSecurity{DAC,SELinux}SetImageLabelInt will be added in the next patch, so rename virSecurity{DAC,SELinux}SetImageLabelInternal to
virSecurity{DAC,SELinux}SetImageLabelSingle to avoid confusion and keep consistent with virSecurity{DAC,SELinux}RestoreImageLabelInt and virSecurity{DAC,SELinux}RestoreImageLabelSingle. Signed-off-by: Peng Liang --- src/security/security_dac.c | 12 ++++++------ src/security/security_selinux.c | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index d1e1552bb683..2c0e12a6f810 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -863,11 +863,11 @@ virSecurityDACRestoreFileLabel(virSecurityManager *mg= r, =20 =20 static int -virSecurityDACSetImageLabelInternal(virSecurityManager *mgr, - virDomainDef *def, - virStorageSource *src, - virStorageSource *parent, - bool isChainTop) +virSecurityDACSetImageLabelSingle(virSecurityManager *mgr, + virDomainDef *def, + virStorageSource *src, + virStorageSource *parent, + bool isChainTop) { virSecurityLabelDef *secdef; virSecurityDeviceLabelDef *disk_seclabel; @@ -949,7 +949,7 @@ virSecurityDACSetImageLabelRelative(virSecurityManager = *mgr, for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { const bool isChainTop =3D flags & VIR_SECURITY_DOMAIN_IMAGE_PARENT= _CHAIN_TOP; =20 - if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent, isCha= inTop) < 0) + if (virSecurityDACSetImageLabelSingle(mgr, def, n, parent, isChain= Top) < 0) return -1; =20 if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 5c491fc131ea..f6fa412de89a 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -1805,11 +1805,11 @@ virSecuritySELinuxRestoreImageLabel(virSecurityMana= ger *mgr, =20 =20 static int -virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr, - virDomainDef *def, - virStorageSource *src, - virStorageSource *parent, - bool isChainTop) +virSecuritySELinuxSetImageLabelSingle(virSecurityManager *mgr, + virDomainDef *def, + virStorageSource *src, + virStorageSource *parent, + bool isChainTop) { virSecuritySELinuxData *data =3D virSecurityManagerGetPrivateData(mgr); virSecurityLabelDef *secdef; 
@@ -1912,7 +1912,7 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityMa= nager *mgr, for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { const bool isChainTop =3D flags & VIR_SECURITY_DOMAIN_IMAGE_PARENT= _CHAIN_TOP; =20 - if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent, i= sChainTop) < 0) + if (virSecuritySELinuxSetImageLabelSingle(mgr, def, n, parent, isC= hainTop) < 0) return -1; =20 if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) --=20 2.31.1
From: Peng Liang
Subject: [PATCH v2 08/10] security: don't remember image labels when migrating with shared fs
Date: Mon, 11 Oct 2021 20:00:46 +0800
Message-ID: <20211011120048.243696-9-liangpeng10@huawei.com>
In-Reply-To: <20211011120048.243696-1-liangpeng10@huawei.com>
References: <20211011120048.243696-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com

When migrating with a shared fs, the image labels have already been remembered on the src host.
If the dst host tries to remember the image labels again, the original labels remembered on the src host will be lost.

Signed-off-by: Peng Liang --- src/security/security_dac.c | 32 +++++++++++++++++++++++--------- src/security/security_selinux.c | 33 ++++++++++++++++++++++++--------- 2 files changed, 47 insertions(+), 18 deletions(-) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 2c0e12a6f810..65cdf348e4c1 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -867,7 +867,8 @@ virSecurityDACSetImageLabelSingle(virSecurityManager *m= gr, virDomainDef *def, virStorageSource *src, virStorageSource *parent, - bool isChainTop) + bool isChainTop, + bool migrated) { virSecurityLabelDef *secdef; virSecurityDeviceLabelDef *disk_seclabel; @@ -931,7 +932,8 @@ virSecurityDACSetImageLabelSingle(virSecurityManager *m= gr, * but the top layer, or read only image, or disk explicitly * marked as shared. */ - remember =3D isChainTop && !src->readonly && !src->shared; + remember =3D isChainTop && !src->readonly && !src->shared && + !(migrated && virFileIsSharedFS(src->path) > 0); =20 return virSecurityDACSetOwnership(mgr, src, NULL, user, group, remembe= r); } @@ -942,14 +944,15 @@ virSecurityDACSetImageLabelRelative(virSecurityManage= r *mgr, virDomainDef *def, virStorageSource *src, virStorageSource *parent, - virSecurityDomainImageLabelFlags flags) + virSecurityDomainImageLabelFlags flags, + bool migrated) { virStorageSource *n; =20 for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { const bool isChainTop =3D flags & VIR_SECURITY_DOMAIN_IMAGE_PARENT= _CHAIN_TOP; =20 - if (virSecurityDACSetImageLabelSingle(mgr, def, n, parent, isChain= Top) < 0) + if (virSecurityDACSetImageLabelSingle(mgr, def, n, parent, isChain= Top, migrated) < 0) return -1; =20 if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
@@ -961,13 +964,23 @@ virSecurityDACSetImageLabelRelative(virSecurityManage= r *mgr, return 0; } =20 +static int +virSecurityDACSetImageLabelInt(virSecurityManager *mgr, + virDomainDef *def, + virStorageSource *src, + virSecurityDomainImageLabelFlags flags, + bool migrated) +{ + return virSecurityDACSetImageLabelRelative(mgr, def, src, src, flags, = migrated); +} + static int virSecurityDACSetImageLabel(virSecurityManager *mgr, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags) { - return virSecurityDACSetImageLabelRelative(mgr, def, src, src, flags); + return virSecurityDACSetImageLabelInt(mgr, def, src, flags, false); } =20 static int @@ -2118,7 +2131,7 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr, virDomainDef *def, const char *incomingPath G_GNUC_UNUSED, bool chardevStdioLogd, - bool migrated G_GNUC_UNUSED) + bool migrated) { virSecurityDACData *priv =3D virSecurityManagerGetPrivateData(mgr); virSecurityLabelDef *secdef; @@ -2140,9 +2153,10 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr, /* XXX fixme - we need to recursively label the entire tree :-( */ if (virDomainDiskGetType(def->disks[i]) =3D=3D VIR_STORAGE_TYPE_DI= R) continue; - if (virSecurityDACSetImageLabel(mgr, def, def->disks[i]->src, - VIR_SECURITY_DOMAIN_IMAGE_LABEL_BA= CKING_CHAIN | - VIR_SECURITY_DOMAIN_IMAGE_PARENT_C= HAIN_TOP) < 0) + if (virSecurityDACSetImageLabelInt(mgr, def, def->disks[i]->src, + VIR_SECURITY_DOMAIN_IMAGE_LABEL= _BACKING_CHAIN | + VIR_SECURITY_DOMAIN_IMAGE_PAREN= T_CHAIN_TOP, + migrated) < 0) return -1; } =20 diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index f6fa412de89a..78d0e610f68c 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -1809,7 +1809,8 @@ virSecuritySELinuxSetImageLabelSingle(virSecurityMana= ger *mgr, virDomainDef *def, virStorageSource *src, virStorageSource *parent, - bool isChainTop) + bool isChainTop, + bool migrated) { virSecuritySELinuxData *data =3D virSecurityManagerGetPrivateData(mgr); virSecurityLabelDef *secdef; @@ -1840,7 +1841,8 @@ virSecuritySELinuxSetImageLabelSingle(virSecurityMana= ger *mgr, * but the top layer, or read only image, or disk explicitly * marked as shared. */ - remember =3D isChainTop && !src->readonly && !src->shared; + remember =3D isChainTop && !src->readonly && !src->shared && + !(migrated && virFileIsSharedFS(src->path) > 0); =20 disk_seclabel =3D virStorageSourceGetSecurityLabelDef(src, SECURITY_SELINUX_N= AME); @@ -1905,14 +1907,15 @@ virSecuritySELinuxSetImageLabelRelative(virSecurity= Manager *mgr, virDomainDef *def, virStorageSource *src, virStorageSource *parent, - virSecurityDomainImageLabelFlags f= lags) + virSecurityDomainImageLabelFlags f= lags, + bool migrated) { virStorageSource *n; =20 for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { const bool isChainTop =3D flags & VIR_SECURITY_DOMAIN_IMAGE_PARENT= _CHAIN_TOP; =20 - if (virSecuritySELinuxSetImageLabelSingle(mgr, def, n, parent, isC= hainTop) < 0) + if (virSecuritySELinuxSetImageLabelSingle(mgr, def, n, parent, isC= hainTop, migrated) < 0) return -1; =20 if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) 
@@ -1925,13 +1928,24 @@ virSecuritySELinuxSetImageLabelRelative(virSecurity= Manager *mgr, } =20 =20 +static int +virSecuritySELinuxSetImageLabelInt(virSecurityManager *mgr, + virDomainDef *def, + virStorageSource *src, + virSecurityDomainImageLabelFlags flags, + bool migrated) +{ + return virSecuritySELinuxSetImageLabelRelative(mgr, def, src, src, fla= gs, migrated); +} + + static int virSecuritySELinuxSetImageLabel(virSecurityManager *mgr, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags) { - return virSecuritySELinuxSetImageLabelRelative(mgr, def, src, src, fla= gs); + return virSecuritySELinuxSetImageLabelInt(mgr, def, src, flags, false); } =20 struct virSecuritySELinuxMoveImageMetadataData { @@ -3156,7 +3170,7 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr, virDomainDef *def, const char *incomingPath G_GNUC_UNUSED, bool chardevStdioLogd, - bool migrated G_GNUC_UNUSED) + bool migrated) { size_t i; virSecuritySELinuxData *data =3D virSecurityManagerGetPrivateData(mgr); 
@@ -3180,9 +3194,10 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mg= r, def->disks[i]->dst); continue; } - if (virSecuritySELinuxSetImageLabel(mgr, def, def->disks[i]->src, - VIR_SECURITY_DOMAIN_IMAGE_LABE= L_BACKING_CHAIN | - VIR_SECURITY_DOMAIN_IMAGE_PARE= NT_CHAIN_TOP) < 0) + if (virSecuritySELinuxSetImageLabelInt(mgr, def, def->disks[i]->sr= c, + VIR_SECURITY_DOMAIN_IMAGE_L= ABEL_BACKING_CHAIN | + VIR_SECURITY_DOMAIN_IMAGE_P= ARENT_CHAIN_TOP, + migrated) < 0) return -1; } /* XXX fixme process def->fss if relabel =3D=3D true */ --=20 2.31.1
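Review bot: in the `@@ -931,7 +932,8 @@` hunk of security_dac.c the new condition `!(migrated && virFileIsSharedFS(src->path) > 0)` folds an error return from virFileIsSharedFS (a negative value) into the "not shared" case, so if the filesystem check fails on the destination during an incoming migration the label is still remembered and the source host's record is overwritten, which is exactly the loss this patch sets out to prevent. Test for `< 0` separately and return -1 (or at minimum log it and skip remembering) instead of relying on the `> 0` comparison. The SELinux hunk at `@@ -1840,7 +1841,8 @@` has the same shape.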
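Review bot: the comment directly above `remember =` in the `@@ -1840,7 +1841,8 @@` hunk of security_selinux.c still says only "but the top layer, or read only image, or disk explicitly marked as shared" are not remembered; the new exclusion for images on a shared fs during migration belongs in that list (and in the identical DAC comment), since that comment is what the next reader consults to understand why a label was not recorded.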
From: Peng Liang
Subject: [PATCH v2 09/10] migration: don't remove image labels after migration
Date: Mon, 11 Oct 2021 20:00:47 +0800
Message-ID: <20211011120048.243696-10-liangpeng10@huawei.com>
In-Reply-To: <20211011120048.243696-1-liangpeng10@huawei.com>
References: <20211011120048.243696-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com

After migration, the image labels will be removed on the src host (on success) or the dst host (on failure).
However, if we migrate using a shared fs and remove the image labels after migration on one host, the image labels will also be lost on the other host, which means the ownership of the image will be restored to root:root instead of the original ownership when shutting down the VM. Hence, don't remove image labels after migration with a shared fs.

Signed-off-by: Peng Liang
---
 src/qemu/qemu_process.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 1d0165af6daa..a6e64fcba8ba 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -8173,7 +8173,10 @@ void qemuProcessStop(virQEMUDriver *driver, qemuHostdevReAttachOneNVMeDisk(driver, vm->def->name, = disk->mirror); } =20 - qemuBlockRemoveImageMetadata(driver, vm, disk->dst, disk->src); + if ((reason !=3D VIR_DOMAIN_SHUTOFF_MIGRATED && + !(flags & VIR_QEMU_PROCESS_STOP_MIGRATED)) || + virFileIsSharedFS(disk->src->path) <=3D 0) + qemuBlockRemoveImageMetadata(driver, vm, disk->dst, disk->= src); =20 /* for now transient disks are forbidden with migration so they * can be handled here */ --=20 2.31.1 From nobody Thu Mar 28 17:20:03 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=fail(p=none dis=none) header.from=huawei.com Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1633954099878910.4006991201069; Mon, 11 Oct 2021 05:08:19 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-20-XJ3sx1sOOS6CYN2F1X1-YA-1; Mon, 11 Oct 2021 08:08:16 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 4D05910A8E04; Mon, 11 Oct 2021 12:08:11 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 29ED05D9F0; Mon, 11 Oct 2021 12:08:11 +0000 (UTC) Received: from 
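Review bot: the `virFileIsSharedFS(disk->src->path)` test in the new condition runs for every disk, including network-backed sources where `disk->src->path` may be NULL or is not a filesystem path at all; patch 10/10 guards the same call with `virStorageSourceIsLocalStorage(src) && src->path`, and this hunk should apply the same guard before passing the path down. Two smaller points on the same condition: `<= 0` folds a lookup error (negative return) into the "not shared" branch, so a transient failure to stat the shared mount silently falls back to removing the labels, which is exactly the case the commit message wants to avoid, so at least a VIR_WARN on the negative return would help; and only the top image's path is tested even though labels are applied along the backing chain (the earlier SELinux hunk passes VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN), so a chain whose backing files sit on a different filesystem from the top file is decided by the top file alone.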
From: Peng Liang
Subject: [PATCH v2 10/10] migration: update image labels in dst after migration
Date: Mon, 11 Oct 2021 20:00:48 +0800
Message-ID: <20211011120048.243696-11-liangpeng10@huawei.com>
In-Reply-To: <20211011120048.243696-1-liangpeng10@huawei.com>
References: <20211011120048.243696-1-liangpeng10@huawei.com>
Cc: yubihong@huawei.com, liangpeng10@huawei.com, xiexiangyou@huawei.com

Because the timestamp XATTR (the uptime of the host) is used to validate the remembered labels, it needs to be updated after migration.
Signed-off-by: Peng Liang --- src/qemu/qemu_migration.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index dd226ea4bcb5..b82762aa0ffd 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -5619,6 +5619,7 @@ qemuMigrationDstFinish(virQEMUDriver *driver, qemuDomainJobInfo *jobInfo =3D NULL; bool inPostCopy =3D false; bool doKill =3D true; + size_t i; =20 VIR_DEBUG("driver=3D%p, dconn=3D%p, vm=3D%p, cookiein=3D%s, cookieinle= n=3D%d, " "cookieout=3D%p, cookieoutlen=3D%p, flags=3D0x%lx, retcode= =3D%d", @@ -5826,6 +5827,17 @@ qemuMigrationDstFinish(virQEMUDriver *driver, /* Guest is successfully running, so cancel previous auto destroy */ qemuProcessAutoDestroyRemove(driver, vm); =20 + for (i =3D 0; i < vm->def->ndisks; i++) { + virStorageSource *src =3D vm->def->disks[i]->src; + + if (!virStorageSourceIsLocalStorage(src) || !src->path || + virFileIsSharedFS(src->path) <=3D 0) + continue; + + if (qemuSecurityUpdateImageLabel(driver, vm, src) < 0) + VIR_WARN("Failed to update security label for %s", src->path); + } + endjob: if (!dom && !(flags & VIR_MIGRATE_OFFLINE) && --=20 2.31.1
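Review bot: the new loop in qemuMigrationDstFinish carries no comment saying why a domain that has just started running needs its image labels rewritten; the reason (the host-specific timestamp XATTR that validates remembered labels) lives only in the commit message, so a short comment above the `for` would spare the next reader a git blame. Also, a failing qemuSecurityUpdateImageLabel is only VIR_WARNed while the migration still reports success, which is defensible since the guest is already running on dst, but the message should state what the operator should expect (the remembered ownership for that image may not be restored on shutdown, per patch 09/10) so the log line is actionable. Finally, the shared-FS condition here is the same decision as in patch 09/10 but with the `virStorageSourceIsLocalStorage(src) && src->path` guard; the two sites should agree, ideally via one shared helper.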