From nobody Mon Feb 9 00:37:47 2026 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1714671707291419.3786616444121; Thu, 2 May 2024 10:41:47 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 48F27244B; Thu, 2 May 2024 13:41:46 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 46C611C52; Thu, 2 May 2024 13:39:54 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 6CA371C4C; Thu, 2 May 2024 13:39:48 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id DBBBD1C50 for ; Thu, 2 May 2024 13:39:47 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-133-piJvLlNaPxqVxD6-2GOObw-1; Thu, 02 May 2024 13:39:45 -0400 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com [10.11.54.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 84B0229AA3BE for ; Thu, 2 May 2024 17:39:45 +0000 (UTC) Received: from harajuku.usersys.redhat.com (unknown [10.45.224.51]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0C898C15771 for ; Thu, 2 May 2024 17:39:44 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: piJvLlNaPxqVxD6-2GOObw-1 From: Andrea Bolognani To: devel@lists.libvirt.org Subject: [PATCH v3 1/5] security: Fix alignment Date: Thu, 2 May 2024 19:39:38 +0200 Message-ID: <20240502173942.431392-2-abologna@redhat.com> In-Reply-To: <20240502173942.431392-1-abologna@redhat.com> References: <20240502173942.431392-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.8 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: CZVZGFNEX7FROB4I6KICIQACFSLMIM4K X-Message-ID-Hash: CZVZGFNEX7FROB4I6KICIQACFSLMIM4K X-MailFrom: abologna@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1714671707810100001 Signed-off-by: Andrea Bolognani Reviewed-by: Stefan Berger Reviewed-by: Peter Krempa --- src/security/security_selinux.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index aaec34ff8b..a4915dbc89 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1983,9 +1983,9 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityMa= nager *mgr, =20 static int virSecuritySELinuxSetImageLabel(virSecurityManager *mgr, - virDomainDef *def, - virStorageSource *src, - virSecurityDomainImageLabelFlags flags) + virDomainDef *def, + virStorageSource *src, + virSecurityDomainImageLabelFlags flags) { virStorageSource *parent =3D src; virStorageSource *n; --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Mon Feb 9 00:37:47 2026 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1714671768326885.4331575106612; Thu, 2 May 2024 10:42:48 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 436851A69; Thu, 2 May 2024 13:42:47 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 922262414; Thu, 2 May 2024 13:40:00 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 1E60A1C4C; Thu, 2 May 2024 13:39:49 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 344941C51 for ; Thu, 2 May 2024 13:39:48 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-208-Iy_8g3XtOUug149xjuTj3w-1; Thu, 02 May 2024 13:39:46 -0400 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com [10.11.54.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 55D483C025C5 for ; Thu, 2 May 2024 17:39:46 +0000 (UTC) Received: from harajuku.usersys.redhat.com (unknown [10.45.224.51]) by smtp.corp.redhat.com (Postfix) with ESMTPS id D04DDC13FA1 for ; Thu, 2 May 2024 17:39:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: Iy_8g3XtOUug149xjuTj3w-1 From: Andrea Bolognani To: devel@lists.libvirt.org Subject: [PATCH v3 2/5] qemu: Introduce shared_filesystems configuration option Date: Thu, 2 May 2024 19:39:39 +0200 Message-ID: <20240502173942.431392-3-abologna@redhat.com> In-Reply-To: <20240502173942.431392-1-abologna@redhat.com> References: <20240502173942.431392-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.8 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: CQ2EWEFWHXEQKRSWAZQAQRRSIADPGJTB X-Message-ID-Hash: CQ2EWEFWHXEQKRSWAZQAQRRSIADPGJTB X-MailFrom: abologna@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1714671770057100001 As explained in the comment, this can help in scenarios where a shared filesystem can't be detected as such by libvirt, by giving the admin the opportunity to provide this information manually. Signed-off-by: Andrea Bolognani --- src/qemu/libvirtd_qemu.aug | 3 +++ src/qemu/qemu.conf.in | 23 ++++++++++++++++++++++ src/qemu/qemu_conf.c | 31 ++++++++++++++++++++++++++++++ src/qemu/qemu_conf.h | 2 ++ src/qemu/test_libvirtd_qemu.aug.in | 5 +++++ 5 files changed, 64 insertions(+) diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index 2b6526538f..1377fd89cc 100644 --- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -143,6 +143,8 @@ module Libvirtd_qemu =3D =20 let storage_entry =3D bool_entry "storage_use_nbdkit" =20 + let filesystem_entry =3D str_array_entry "shared_filesystems" + (* Entries that used to exist in the config which are now * deleted. We keep on parsing them so we don't break * ability to parse old configs after upgrade @@ -173,6 +175,7 @@ module Libvirtd_qemu =3D | swtpm_entry | capability_filters_entry | storage_entry + | filesystem_entry | obsolete_entry =20 let comment =3D [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \= t\n][^\n]*)?/ . del /\n/ "\n" ] diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in index f406df8749..c543a0a55b 100644 --- a/src/qemu/qemu.conf.in +++ b/src/qemu/qemu.conf.in @@ -986,3 +986,26 @@ # note that the default might change in future releases. # #storage_use_nbdkit =3D @USE_NBDKIT_DEFAULT@ + +# libvirt will normally prevent migration if the storage backing the VM is= not +# on a shared filesystems. Sometimes, however, the storage *is* shared des= pite +# not being detected as such: for example, this is the case when one of the +# hosts involved in the migration is exporting its local storage to the ot= her +# one via NFS. +# +# Any directory listed here will be assumed to live on a shared filesystem, +# making migration possible in scenarios such as the one described above. +# +# Due to how label remembering is implemented, it will generally be necess= ary +# to set remember_owner=3D0 *on both sides of the migration* as well. +# +# NOTE: this option is intended to help in very specific scenarios that are +# rarely encountered. If you find yourself reaching for this option, consi= der +# reworking your environment so that it follows a more common architecture +# rather than using it. +# +#shared_filesystems =3D [ +# "/path/to/images", +# "/path/to/nvram", +# "/path/to/swtpm" +#] diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 4050a82341..1daa97a359 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -374,6 +374,8 @@ static void virQEMUDriverConfigDispose(void *obj) =20 g_strfreev(cfg->capabilityfilters); =20 + g_strfreev(cfg->sharedFilesystems); + g_free(cfg->deprecationBehavior); } =20 @@ -1084,6 +1086,32 @@ virQEMUDriverConfigLoadStorageEntry(virQEMUDriverCon= fig *cfg, } =20 =20 +static int +virQEMUDriverConfigLoadFilesystemEntry(virQEMUDriverConfig *cfg, + virConf *conf) +{ + char **iter; + + if (virConfGetValueStringList(conf, "shared_filesystems", false, + &cfg->sharedFilesystems) < 0) + return -1; + + if (!cfg->sharedFilesystems) + return 0; + + /* The paths provided by the user might contain trailing slashes + * and other fun diversions, which would break the naive string + * comparisons that we're later going to use them for */ + for (iter =3D cfg->sharedFilesystems; *iter; iter++) { + char *canon =3D virFileCanonicalizePath(*iter); + g_free(*iter); + *iter =3D canon; + } + + return 0; +} + + int virQEMUDriverConfigLoadFile(virQEMUDriverConfig *cfg, const char *filename, bool privileged) @@ -1158,6 +1186,9 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfig *= cfg, if (virQEMUDriverConfigLoadStorageEntry(cfg, conf) < 0) return -1; =20 + if (virQEMUDriverConfigLoadFilesystemEntry(cfg, conf) < 0) + return -1; + return 0; } =20 diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index 36049b4bfa..b53d56be02 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -233,6 +233,8 @@ struct _virQEMUDriverConfig { bool storageUseNbdkit; =20 virQEMUSchedCore schedCore; + + char **sharedFilesystems; }; =20 G_DEFINE_AUTOPTR_CLEANUP_FUNC(virQEMUDriverConfig, virObjectUnref); diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index b97e6de11e..69fdae215a 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -119,3 +119,8 @@ module Test_libvirtd_qemu =3D { "deprecation_behavior" =3D "none" } { "sched_core" =3D "none" } { "storage_use_nbdkit" =3D "@USE_NBDKIT_DEFAULT@" } +{ "shared_filesystems" + { "1" =3D "/path/to/images" } + { "2" =3D "/path/to/nvram" } + { "3" =3D "/path/to/swtpm" } +} --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Mon Feb 9 00:37:47 2026 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1714672032280830.6864721965082; Thu, 2 May 2024 10:47:12 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id F2479246D; Thu, 2 May 2024 13:47:10 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id CEE8C2448; Thu, 2 May 2024 13:40:16 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 5FCE92404; Thu, 2 May 2024 13:39:58 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id C22761C4F for ; Thu, 2 May 2024 13:39:49 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-179-OOnRkiejNHqncQXAlGxd5Q-1; Thu, 02 May 2024 13:39:47 -0400 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com [10.11.54.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 9A0258001B2 for ; Thu, 2 May 2024 17:39:47 +0000 (UTC) Received: from harajuku.usersys.redhat.com (unknown [10.45.224.51]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A2133C13FA1 for ; Thu, 2 May 2024 17:39:46 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: OOnRkiejNHqncQXAlGxd5Q-1 From: Andrea Bolognani To: devel@lists.libvirt.org Subject: [PATCH v3 3/5] qemu: Propagate shared_filesystems Date: Thu, 2 May 2024 19:39:40 +0200 Message-ID: <20240502173942.431392-4-abologna@redhat.com> In-Reply-To: <20240502173942.431392-1-abologna@redhat.com> References: <20240502173942.431392-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.8 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: RYFXMQOSLRTDSTIAC7ZBGJSYINOHC3RG X-Message-ID-Hash: RYFXMQOSLRTDSTIAC7ZBGJSYINOHC3RG X-MailFrom: abologna@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1714672033020100001 virFileIsSharedFS() is the function that ultimately decides whether a filesystem should be considered shared, but the list of manually configured shared filesystems is part of the QEMU driver's configuration, so we need to pass the information through several layers in order to make use of it. Note that with this change the list is propagated all the way through, but its contents are still ignored, so the behavior remains the same for now. Signed-off-by: Andrea Bolognani Reviewed-by: Stefan Berger Reviewed-by: Peter Krempa --- src/lxc/lxc_controller.c | 3 +- src/lxc/lxc_driver.c | 2 +- src/lxc/lxc_process.c | 4 +- src/qemu/qemu_domain.c | 7 ++- src/qemu/qemu_extdevice.c | 2 +- src/qemu/qemu_migration.c | 23 ++++----- src/qemu/qemu_security.c | 85 ++++++++++++++++++++++++-------- src/qemu/qemu_tpm.c | 29 +++++++---- src/qemu/qemu_tpm.h | 10 ++-- src/security/security_apparmor.c | 8 ++- src/security/security_dac.c | 47 ++++++++++++++---- src/security/security_driver.h | 8 ++- src/security/security_manager.c | 33 ++++++++++--- src/security/security_manager.h | 9 +++- src/security/security_nop.c | 5 ++ src/security/security_selinux.c | 50 ++++++++++++++----- src/security/security_stack.c | 32 +++++++++--- src/util/virfile.c | 13 +++-- src/util/virfile.h | 3 +- tests/securityselinuxlabeltest.c | 2 +- tests/virfiletest.c | 2 +- 21 files changed, 281 insertions(+), 96 deletions(-) diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index 505b71d05e..7b432a1160 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -1919,7 +1919,8 @@ static int virLXCControllerSetupDisk(virLXCController= *ctrl, /* Labelling normally operates on src, but we need * to actually label the dst here, so hack the config */ def->src->path =3D dst; - if (virSecurityManagerSetImageLabel(securityDriver, ctrl->def, def->sr= c, + if (virSecurityManagerSetImageLabel(securityDriver, + NULL, ctrl->def, def->src, VIR_SECURITY_DOMAIN_IMAGE_LABEL_BA= CKING_CHAIN) < 0) goto cleanup; =20 diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c index 1842ae8f0e..1fda848b0c 100644 --- a/src/lxc/lxc_driver.c +++ b/src/lxc/lxc_driver.c @@ -3261,7 +3261,7 @@ lxcDomainAttachDeviceMknodHelper(pid_t pid G_GNUC_UNU= SED, char *tmpsrc =3D def->src->path; def->src->path =3D data->file; if (virSecurityManagerSetImageLabel(data->driver->securityManager, - data->vm->def, def->src, + NULL, data->vm->def, def->src, VIR_SECURITY_DOMAIN_IMAGE_LABE= L_BACKING_CHAIN) < 0) { def->src->path =3D tmpsrc; goto cleanup; diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c index 30ff4eb3d0..a7e8e2c28e 100644 --- a/src/lxc/lxc_process.c +++ b/src/lxc/lxc_process.c @@ -170,7 +170,7 @@ static void virLXCProcessCleanup(virLXCDriver *driver, } =20 if (flags & VIR_LXC_PROCESS_CLEANUP_RESTORE_SECLABEL) { - virSecurityManagerRestoreAllLabel(driver->securityManager, + virSecurityManagerRestoreAllLabel(driver->securityManager, NULL, vm->def, false, false); } =20 @@ -1320,7 +1320,7 @@ int virLXCProcessStart(virLXCDriver * driver, stopFlags |=3D VIR_LXC_PROCESS_CLEANUP_RELEASE_SECLABEL; =20 VIR_DEBUG("Setting domain security labels"); - if (virSecurityManagerSetAllLabel(driver->securityManager, + if (virSecurityManagerSetAllLabel(driver->securityManager, NULL, vm->def, NULL, false, false) < 0) goto cleanup; stopFlags |=3D VIR_LXC_PROCESS_CLEANUP_RESTORE_SECLABEL; diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 3469f0d40c..736486f9ac 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -11912,7 +11912,12 @@ virQEMUFileOpenAs(uid_t fallback_uid, bool need_unlink =3D false; unsigned int vfoflags =3D 0; int fd =3D -1; - int path_shared =3D virFileIsSharedFS(path); + /* Note that it would be pointless to pass + * virQEMUDriverConfig.sharedFilesystems here, since those + * listed there are by definition paths that can be accessed + * as local from the current host. Thus, a second attempt at + * opening the file would not make a difference */ + int path_shared =3D virFileIsSharedFS(path, NULL); uid_t uid =3D geteuid(); gid_t gid =3D getegid(); =20 diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c index ed5976d1f7..dc1bb56237 100644 --- a/src/qemu/qemu_extdevice.c +++ b/src/qemu/qemu_extdevice.c @@ -165,7 +165,7 @@ qemuExtDevicesCleanupHost(virQEMUDriver *driver, virDomainTPMDef *tpm =3D def->tpms[i]; =20 if (tpm->type =3D=3D VIR_DOMAIN_TPM_TYPE_EMULATOR) - qemuExtTPMCleanupHost(tpm, flags, outgoingMigration); + qemuExtTPMCleanupHost(driver, tpm, flags, outgoingMigration); } } =20 diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 1faab5dd23..0d496e19fe 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -1429,6 +1429,7 @@ qemuMigrationSrcIsAllowed(virDomainObj *vm, unsigned int flags) { qemuDomainObjPrivate *priv =3D vm->privateData; + virQEMUDriver *driver =3D priv->driver; int nsnapshots; int pauseReason; size_t i; @@ -1599,7 +1600,7 @@ qemuMigrationSrcIsAllowed(virDomainObj *vm, } } =20 - if (qemuTPMHasSharedStorage(vm->def)&& + if (qemuTPMHasSharedStorage(driver, vm->def) && !qemuTPMCanMigrateSharedStorage(vm->def)) { virReportError(VIR_ERR_NO_SUPPORT, "%s", _("the running swtpm does not support migration= with shared storage")); @@ -1611,20 +1612,23 @@ qemuMigrationSrcIsAllowed(virDomainObj *vm, } =20 static bool -qemuMigrationSrcIsSafe(virDomainDef *def, - virQEMUCaps *qemuCaps, +qemuMigrationSrcIsSafe(virDomainObj *vm, size_t nmigrate_disks, const char **migrate_disks, unsigned int flags) =20 { + qemuDomainObjPrivate *priv =3D vm->privateData; + virQEMUCaps *qemuCaps =3D priv->qemuCaps; + virQEMUDriver *driver =3D priv->driver; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); bool storagemigration =3D flags & (VIR_MIGRATE_NON_SHARED_DISK | VIR_MIGRATE_NON_SHARED_INC); size_t i; int rc; =20 - for (i =3D 0; i < def->ndisks; i++) { - virDomainDiskDef *disk =3D def->disks[i]; + for (i =3D 0; i < vm->def->ndisks; i++) { + virDomainDiskDef *disk =3D vm->def->disks[i]; const char *src =3D virDomainDiskGetSource(disk); virStorageType actualType =3D virStorageSourceGetActualType(disk->= src); bool unsafe =3D false; @@ -1643,7 +1647,7 @@ qemuMigrationSrcIsSafe(virDomainDef *def, /* However, disks on local FS (e.g. ext4) are not safe. */ switch (actualType) { case VIR_STORAGE_TYPE_FILE: - if ((rc =3D virFileIsSharedFS(src)) < 0) { + if ((rc =3D virFileIsSharedFS(src, cfg->sharedFilesystems)) < = 0) { return false; } else if (rc =3D=3D 0) { unsafe =3D true; @@ -2604,8 +2608,7 @@ qemuMigrationSrcBeginPhase(virQEMUDriver *driver, return NULL; =20 if (!(flags & (VIR_MIGRATE_UNSAFE | VIR_MIGRATE_OFFLINE)) && - !qemuMigrationSrcIsSafe(vm->def, priv->qemuCaps, - nmigrate_disks, migrate_disks, flags)) + !qemuMigrationSrcIsSafe(vm, nmigrate_disks, migrate_disks, flags)) return NULL; =20 if (flags & VIR_MIGRATE_POSTCOPY && @@ -6066,7 +6069,6 @@ qemuMigrationSrcPerformJob(virQEMUDriver *driver, int ret =3D -1; virErrorPtr orig_err =3D NULL; g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); - qemuDomainObjPrivate *priv =3D vm->privateData; qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; =20 if (flags & VIR_MIGRATE_POSTCOPY_RESUME) { @@ -6091,8 +6093,7 @@ qemuMigrationSrcPerformJob(virQEMUDriver *driver, goto endjob; =20 if (!(flags & (VIR_MIGRATE_UNSAFE | VIR_MIGRATE_OFFLINE)) && - !qemuMigrationSrcIsSafe(vm->def, priv->qemuCaps, - nmigrate_disks, migrate_disks, flags)) + !qemuMigrationSrcIsSafe(vm, nmigrate_disks, migrate_disks, fla= gs)) goto endjob; =20 qemuMigrationSrcStoreDomainState(vm); diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c index 4aaa863ae9..996c95acc0 100644 --- a/src/qemu/qemu_security.c +++ b/src/qemu/qemu_security.c @@ -38,15 +38,18 @@ qemuSecuritySetAllLabel(virQEMUDriver *driver, { int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetAllLabel(driver->securityManager, + cfg->sharedFilesystems, vm->def, incomingPath, priv->chardevStdioLogd, @@ -70,6 +73,7 @@ qemuSecurityRestoreAllLabel(virQEMUDriver *driver, bool migrated) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); bool transactionStarted =3D false; =20 /* In contrast to qemuSecuritySetAllLabel, do not use vm->pid @@ -78,10 +82,12 @@ qemuSecurityRestoreAllLabel(virQEMUDriver *driver, * domain's namespace is gone as qemu was the only process * running there. We would not succeed in entering the * namespace then. */ - if (virSecurityManagerTransactionStart(driver->securityManager) >=3D 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) >=3D 0) transactionStarted =3D true; =20 virSecurityManagerRestoreAllLabel(driver->securityManager, + cfg->sharedFilesystems, vm->def, migrated, priv->chardevStdioLogd); @@ -103,6 +109,7 @@ qemuSecuritySetImageLabel(virQEMUDriver *driver, bool chainTop) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; virSecurityDomainImageLabelFlags labelFlags =3D 0; @@ -116,10 +123,12 @@ qemuSecuritySetImageLabel(virQEMUDriver *driver, if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetImageLabel(driver->securityManager, + cfg->sharedFilesystems, vm->def, src, labelFlags) < 0) goto cleanup; =20 @@ -141,6 +150,7 @@ qemuSecurityRestoreImageLabel(virQEMUDriver *driver, bool backingChain) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; virSecurityDomainImageLabelFlags labelFlags =3D 0; @@ -151,10 +161,12 @@ qemuSecurityRestoreImageLabel(virQEMUDriver *driver, if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreImageLabel(driver->securityManager, + cfg->sharedFilesystems, vm->def, src, labelFlags) < 0) goto cleanup; =20 @@ -176,6 +188,7 @@ qemuSecurityMoveImageMetadata(virQEMUDriver *driver, virStorageSource *dst) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; =20 if (!priv->rememberOwner) @@ -184,7 +197,9 @@ qemuSecurityMoveImageMetadata(virQEMUDriver *driver, if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - return virSecurityManagerMoveImageMetadata(driver->securityManager, pi= d, src, dst); + return virSecurityManagerMoveImageMetadata(driver->securityManager, + cfg->sharedFilesystems, + pid, src, dst); } =20 =20 @@ -194,13 +209,15 @@ qemuSecuritySetHostdevLabel(virQEMUDriver *driver, virDomainHostdevDef *hostdev) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetHostdevLabel(driver->securityManager, @@ -226,13 +243,15 @@ qemuSecurityRestoreHostdevLabel(virQEMUDriver *driver, virDomainHostdevDef *hostdev) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreHostdevLabel(driver->securityManager, @@ -258,13 +277,15 @@ qemuSecuritySetMemoryLabel(virQEMUDriver *driver, virDomainMemoryDef *mem) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetMemoryLabel(driver->securityManager, @@ -289,13 +310,15 @@ qemuSecurityRestoreMemoryLabel(virQEMUDriver *driver, virDomainMemoryDef *mem) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreMemoryLabel(driver->securityManager, @@ -320,13 +343,15 @@ qemuSecuritySetInputLabel(virDomainObj *vm, { qemuDomainObjPrivate *priv =3D vm->privateData; virQEMUDriver *driver =3D priv->driver; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetInputLabel(driver->securityManager, @@ -351,13 +376,15 @@ qemuSecurityRestoreInputLabel(virDomainObj *vm, { qemuDomainObjPrivate *priv =3D vm->privateData; virQEMUDriver *driver =3D priv->driver; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreInputLabel(driver->securityManager, @@ -383,12 +410,14 @@ qemuSecuritySetChardevLabel(virQEMUDriver *driver, { int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetChardevLabel(driver->securityManager, @@ -415,12 +444,14 @@ qemuSecurityRestoreChardevLabel(virQEMUDriver *driver, { int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreChardevLabel(driver->securityManager, @@ -446,12 +477,14 @@ qemuSecuritySetNetdevLabel(virQEMUDriver *driver, { int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetNetdevLabel(driver->securityManager, @@ -476,12 +509,14 @@ qemuSecurityRestoreNetdevLabel(virQEMUDriver *driver, { int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreNetdevLabel(driver->securityManager, @@ -505,9 +540,11 @@ qemuSecuritySetTPMLabels(virQEMUDriver *driver, bool setTPMStateLabel) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); int ret =3D -1; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetTPMLabels(driver->securityManager, @@ -531,9 +568,11 @@ qemuSecurityRestoreTPMLabels(virQEMUDriver *driver, bool restoreTPMStateLabel) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); int ret =3D -1; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreTPMLabels(driver->securityManager, @@ -558,13 +597,15 @@ qemuSecurityDomainSetPathLabel(virQEMUDriver *driver, bool allowSubtree) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerDomainSetPathLabel(driver->securityManager, @@ -590,13 +631,15 @@ qemuSecurityDomainRestorePathLabel(virQEMUDriver *dri= ver, const char *path) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerDomainRestorePathLabel(driver->securityManager, @@ -634,6 +677,7 @@ qemuSecurityDomainSetMountNSPathLabel(virQEMUDriver *dr= iver, const char *path) { int ret =3D -1; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); =20 if (!qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) { VIR_DEBUG("Not labeling '%s': mount namespace disabled for domain = '%s'", @@ -641,7 +685,8 @@ qemuSecurityDomainSetMountNSPathLabel(virQEMUDriver *dr= iver, return 1; } =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerDomainSetPathLabel(driver->securityManager, diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index bf0c6bcb0d..cdf4bfbad2 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -538,6 +538,7 @@ qemuTPMEmulatorReconfigure(const char *storagepath, * @privileged: whether we are running in privileged mode * @swtpm_user: The uid for the swtpm to run as (drop privileges to from r= oot) * @swtpm_group: The gid for the swtpm to run as + * @sharedFilesystems: list of filesystem to consider shared * @incomingMigration: whether we have an incoming migration * * Create the virCommand use for starting the emulator @@ -551,6 +552,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm, bool privileged, uid_t swtpm_user, gid_t swtpm_group, + char *const *sharedFilesystems, bool incomingMigration) { g_autoptr(virCommand) cmd =3D NULL; @@ -568,7 +570,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm, /* Do not create storage and run swtpm_setup on incoming migration over * shared storage */ - on_shared_storage =3D virFileIsSharedFS(tpm->data.emulator.storagepath= ) =3D=3D 1; + on_shared_storage =3D virFileIsSharedFS(tpm->data.emulator.storagepath= , sharedFilesystems) =3D=3D 1; if (incomingMigration && on_shared_storage) create_storage =3D false; =20 @@ -734,6 +736,7 @@ qemuTPMEmulatorInitPaths(virDomainTPMDef *tpm, =20 /** * qemuTPMEmulatorCleanupHost: + * @driver: QEMU driver * @tpm: TPM definition * @flags: flags indicating whether to keep or remove TPM persistent state * @outgoingMigration: whether cleanup is due to an outgoing migration @@ -741,15 +744,18 @@ qemuTPMEmulatorInitPaths(virDomainTPMDef *tpm, * Clean up persistent storage for the swtpm. */ static void -qemuTPMEmulatorCleanupHost(virDomainTPMDef *tpm, +qemuTPMEmulatorCleanupHost(virQEMUDriver *driver, + virDomainTPMDef *tpm, virDomainUndefineFlagsValues flags, bool outgoingMigration) { + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); + /* Never remove the state in case of outgoing migration with shared * storage. */ if (outgoingMigration && - virFileIsSharedFS(tpm->data.emulator.storagepath) =3D=3D 1) + virFileIsSharedFS(tpm->data.emulator.storagepath, cfg->sharedFiles= ystems) =3D=3D 1) return; =20 /* @@ -935,6 +941,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, driver->privileged, cfg->swtpm_user, cfg->swtpm_group, + cfg->sharedFilesystems, incomingMigration))) return -1; =20 @@ -950,7 +957,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, virCommandSetErrorFD(cmd, &errfd); =20 if (incomingMigration && - virFileIsSharedFS(tpm->data.emulator.storagepath) =3D=3D 1) { + virFileIsSharedFS(tpm->data.emulator.storagepath, cfg->sharedFiles= ystems) =3D=3D 1) { /* security labels must have been set up on source already */ setTPMStateLabel =3D false; } @@ -1010,8 +1017,10 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, =20 =20 bool -qemuTPMHasSharedStorage(virDomainDef *def) +qemuTPMHasSharedStorage(virQEMUDriver *driver, + virDomainDef *def) { + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); size_t i; =20 for (i =3D 0; i < def->ntpms; i++) { @@ -1019,7 +1028,8 @@ qemuTPMHasSharedStorage(virDomainDef *def) =20 switch (tpm->type) { case VIR_DOMAIN_TPM_TYPE_EMULATOR: - return virFileIsSharedFS(tpm->data.emulator.storagepath) =3D= =3D 1; + return virFileIsSharedFS(tpm->data.emulator.storagepath, + cfg->sharedFilesystems) =3D=3D 1; case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: case VIR_DOMAIN_TPM_TYPE_EXTERNAL: case VIR_DOMAIN_TPM_TYPE_LAST: @@ -1097,11 +1107,12 @@ qemuExtTPMPrepareHost(virQEMUDriver *driver, =20 =20 void -qemuExtTPMCleanupHost(virDomainTPMDef *tpm, +qemuExtTPMCleanupHost(virQEMUDriver *driver, + virDomainTPMDef *tpm, virDomainUndefineFlagsValues flags, bool outgoingMigration) { - qemuTPMEmulatorCleanupHost(tpm, flags, outgoingMigration); + qemuTPMEmulatorCleanupHost(driver, tpm, flags, outgoingMigration); } =20 =20 @@ -1133,7 +1144,7 @@ qemuExtTPMStop(virQEMUDriver *driver, return; =20 qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName); - if (outgoingMigration && qemuTPMHasSharedStorage(vm->def)) + if (outgoingMigration && qemuTPMHasSharedStorage(driver, vm->def)) restoreTPMStateLabel =3D false; =20 if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel) < 0) diff --git a/src/qemu/qemu_tpm.h b/src/qemu/qemu_tpm.h index 33ba5d2268..3071dc3f71 100644 --- a/src/qemu/qemu_tpm.h +++ b/src/qemu/qemu_tpm.h @@ -35,10 +35,11 @@ int qemuExtTPMPrepareHost(virQEMUDriver *driver, ATTRIBUTE_NONNULL(3) G_GNUC_WARN_UNUSED_RESULT; =20 -void qemuExtTPMCleanupHost(virDomainTPMDef *tpm, +void qemuExtTPMCleanupHost(virQEMUDriver *driver, + virDomainTPMDef *tpm, virDomainUndefineFlagsValues flags, bool outgoingMigration) - ATTRIBUTE_NONNULL(1); + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); =20 int qemuExtTPMStart(virQEMUDriver *driver, virDomainObj *vm, @@ -59,8 +60,9 @@ int qemuExtTPMSetupCgroup(virQEMUDriver *driver, ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) G_GNUC_WARN_UNUSED_RESULT; =20 -bool qemuTPMHasSharedStorage(virDomainDef *def) - ATTRIBUTE_NONNULL(1) +bool qemuTPMHasSharedStorage(virQEMUDriver *driver, + virDomainDef *def) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT; =20 bool qemuTPMCanMigrateSharedStorage(virDomainDef *def) diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index c1dc859751..269dcb85e8 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -433,6 +433,7 @@ AppArmorGenSecurityLabel(virSecurityManager *mgr G_GNUC= _UNUSED, =20 static int AppArmorSetSecurityAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems G_GNUC_UNUSED, virDomainDef *def, const char *incomingPath, bool chardevStdioLogd G_GNUC_UNUSED, @@ -507,6 +508,7 @@ AppArmorReleaseSecurityLabel(virSecurityManager *mgr G_= GNUC_UNUSED, =20 static int AppArmorRestoreSecurityAllLabel(virSecurityManager *mgr G_GNUC_UNUSED, + char *const *sharedFilesystems G_GNUC_UNUS= ED, virDomainDef *def, bool migrated G_GNUC_UNUSED, bool chardevStdioLogd G_GNUC_UNUSED) @@ -625,6 +627,7 @@ AppArmorClearSecuritySocketLabel(virSecurityManager *mg= r G_GNUC_UNUSED, /* Called when hotplugging */ static int AppArmorRestoreSecurityImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems G_GNUC_UN= USED, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags G= _GNUC_UNUSED) @@ -729,6 +732,7 @@ AppArmorRestoreInputLabel(virSecurityManager *mgr, /* Called when hotplugging */ static int AppArmorSetSecurityImageLabelInternal(virSecurityManager *mgr, + char *const *sharedFilesystems G_GNU= C_UNUSED, virDomainDef *def, virStorageSource *src) { @@ -762,6 +766,7 @@ AppArmorSetSecurityImageLabelInternal(virSecurityManage= r *mgr, =20 static int AppArmorSetSecurityImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags G_GNU= C_UNUSED) @@ -777,7 +782,8 @@ AppArmorSetSecurityImageLabel(virSecurityManager *mgr, return 0; =20 for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { - if (AppArmorSetSecurityImageLabelInternal(mgr, def, n) < 0) + if (AppArmorSetSecurityImageLabelInternal(mgr, sharedFilesystems, + def, n) < 0) return -1; } =20 diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 4e850e219e..9957e2663e 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -79,6 +79,7 @@ struct _virSecurityDACChownItem { typedef struct _virSecurityDACChownList virSecurityDACChownList; struct _virSecurityDACChownList { virSecurityManager *manager; + char **sharedFilesystems; virSecurityDACChownItem **items; size_t nItems; bool lock; @@ -137,6 +138,7 @@ virSecurityDACChownListFree(void *opaque) virSecurityDACChownItemFree(list->items[i]); g_free(list->items); virObjectUnref(list->manager); + g_strfreev(list->sharedFilesystems); g_free(list); } =20 @@ -228,7 +230,9 @@ virSecurityDACTransactionRun(pid_t pid G_GNUC_UNUSED, VIR_APPEND_ELEMENT_COPY_INPLACE(paths, npaths, p); } =20 - if (!(state =3D virSecurityManagerMetadataLock(list->manager, path= s, npaths))) + if (!(state =3D virSecurityManagerMetadataLock(list->manager, + list->sharedFilesyste= ms, + paths, npaths))) return -1; =20 for (i =3D 0; i < list->nItems; i++) { @@ -538,6 +542,7 @@ virSecurityDACPreFork(virSecurityManager *mgr) /** * virSecurityDACTransactionStart: * @mgr: security manager + * @sharedFilesystems: list of filesystem to consider shared * * Starts a new transaction. In transaction nothing is chown()-ed until * TransactionCommit() is called. This is implemented as a list that is @@ -549,7 +554,8 @@ virSecurityDACPreFork(virSecurityManager *mgr) * -1 otherwise. */ static int -virSecurityDACTransactionStart(virSecurityManager *mgr) +virSecurityDACTransactionStart(virSecurityManager *mgr, + char *const *sharedFilesystems) { g_autoptr(virSecurityDACChownList) list =3D NULL; =20 @@ -562,6 +568,7 @@ virSecurityDACTransactionStart(virSecurityManager *mgr) list =3D g_new0(virSecurityDACChownList, 1); =20 list->manager =3D virObjectRef(mgr); + list->sharedFilesystems =3D g_strdupv((char **) sharedFilesystems); =20 if (virThreadLocalSet(&chownList, list) < 0) { virReportSystemError(errno, "%s", @@ -864,6 +871,7 @@ virSecurityDACRestoreFileLabel(virSecurityManager *mgr, =20 static int virSecurityDACSetImageLabelInternal(virSecurityManager *mgr, + char *const *sharedFilesystems G_GNUC_= UNUSED, virDomainDef *def, virStorageSource *src, virStorageSource *parent, @@ -943,6 +951,7 @@ virSecurityDACSetImageLabelInternal(virSecurityManager = *mgr, =20 static int virSecurityDACSetImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags) @@ -953,7 +962,8 @@ virSecurityDACSetImageLabel(virSecurityManager *mgr, for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { const bool isChainTop =3D flags & VIR_SECURITY_DOMAIN_IMAGE_PARENT= _CHAIN_TOP; =20 - if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent, isCha= inTop) < 0) + if (virSecurityDACSetImageLabelInternal(mgr, sharedFilesystems, + def, n, parent, isChainTop= ) < 0) return -1; =20 if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) @@ -967,6 +977,7 @@ virSecurityDACSetImageLabel(virSecurityManager *mgr, =20 static int virSecurityDACRestoreImageLabelInt(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, bool migrated) @@ -1009,7 +1020,7 @@ virSecurityDACRestoreImageLabelInt(virSecurityManager= *mgr, if (!src->path) return 0; =20 - if ((rc =3D virFileIsSharedFS(src->path)) < 0) + if ((rc =3D virFileIsSharedFS(src->path, sharedFilesystems)) <= 0) return -1; } =20 @@ -1043,16 +1054,19 @@ virSecurityDACRestoreImageLabelInt(virSecurityManag= er *mgr, =20 static int virSecurityDACRestoreImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags G_G= NUC_UNUSED) { - return virSecurityDACRestoreImageLabelInt(mgr, def, src, false); + return virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems, + def, src, false); } =20 =20 struct virSecurityDACMoveImageMetadataData { virSecurityManager *mgr; + char **sharedFilesystems; const char *src; const char *dst; }; @@ -1067,7 +1081,9 @@ virSecurityDACMoveImageMetadataHelper(pid_t pid G_GNU= C_UNUSED, virSecurityManagerMetadataLockState *state; int ret; =20 - if (!(state =3D virSecurityManagerMetadataLock(data->mgr, paths, G_N_E= LEMENTS(paths)))) + if (!(state =3D virSecurityManagerMetadataLock(data->mgr, + data->sharedFilesystems, + paths, G_N_ELEMENTS(paths= )))) return -1; =20 ret =3D virSecurityMoveRememberedLabel(SECURITY_DAC_NAME, data->src, d= ata->dst); @@ -1084,12 +1100,17 @@ virSecurityDACMoveImageMetadataHelper(pid_t pid G_G= NUC_UNUSED, =20 static int virSecurityDACMoveImageMetadata(virSecurityManager *mgr, + char *const *sharedFilesystems, pid_t pid, virStorageSource *src, virStorageSource *dst) { virSecurityDACData *priv =3D virSecurityManagerGetPrivateData(mgr); - struct virSecurityDACMoveImageMetadataData data =3D { .mgr =3D mgr, 0 = }; + struct virSecurityDACMoveImageMetadataData data =3D { + .mgr =3D mgr, + .sharedFilesystems =3D (char **) sharedFilesystems, + 0 + }; int rc; =20 /* If dynamicOwnership is turned off, or owner remembering is @@ -1888,6 +1909,7 @@ virSecurityDACRestoreSysinfoLabel(virSecurityManager = *mgr, =20 static int virSecurityDACRestoreAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, bool migrated, bool chardevStdioLogd) @@ -1912,6 +1934,7 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr, =20 for (i =3D 0; i < def->ndisks; i++) { if (virSecurityDACRestoreImageLabelInt(mgr, + sharedFilesystems, def, def->disks[i]->src, migrated) < 0) @@ -1969,7 +1992,8 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr, } =20 if (def->os.loader && def->os.loader->nvram) { - if (virSecurityDACRestoreImageLabelInt(mgr, def, def->os.loader->n= vram, + if (virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems, + def, def->os.loader->nvram, migrated) < 0) rc =3D -1; } @@ -2111,6 +2135,7 @@ virSecurityDACSetSysinfoLabel(virSecurityManager *mgr, =20 static int virSecurityDACSetAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, const char *incomingPath G_GNUC_UNUSED, bool chardevStdioLogd, @@ -2136,7 +2161,8 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr, /* XXX fixme - we need to recursively label the entire tree :-( */ if (virDomainDiskGetType(def->disks[i]) =3D=3D VIR_STORAGE_TYPE_DI= R) continue; - if (virSecurityDACSetImageLabel(mgr, def, def->disks[i]->src, + if (virSecurityDACSetImageLabel(mgr, sharedFilesystems, + def, def->disks[i]->src, VIR_SECURITY_DOMAIN_IMAGE_LABEL_BA= CKING_CHAIN | VIR_SECURITY_DOMAIN_IMAGE_PARENT_C= HAIN_TOP) < 0) return -1; @@ -2195,7 +2221,8 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr, } =20 if (def->os.loader && def->os.loader->nvram) { - if (virSecurityDACSetImageLabel(mgr, def, def->os.loader->nvram, + if (virSecurityDACSetImageLabel(mgr, sharedFilesystems, + def, def->os.loader->nvram, VIR_SECURITY_DOMAIN_IMAGE_LABEL_BA= CKING_CHAIN | VIR_SECURITY_DOMAIN_IMAGE_PARENT_C= HAIN_TOP) < 0) return -1; diff --git a/src/security/security_driver.h b/src/security/security_driver.h index aa1fb2125d..2956e002ff 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -46,7 +46,8 @@ typedef const char *(*virSecurityDriverGetBaseLabel) (vir= SecurityManager *mgr, =20 typedef int (*virSecurityDriverPreFork) (virSecurityManager *mgr); =20 -typedef int (*virSecurityDriverTransactionStart) (virSecurityManager *mgr); +typedef int (*virSecurityDriverTransactionStart) (virSecurityManager *mgr, + char *const *sharedFiles= ystems); typedef int (*virSecurityDriverTransactionCommit) (virSecurityManager *mgr, pid_t pid, bool lock); @@ -80,11 +81,13 @@ typedef int (*virSecurityDomainReserveLabel) (virSecuri= tyManager *mgr, typedef int (*virSecurityDomainReleaseLabel) (virSecurityManager *mgr, virDomainDef *sec); typedef int (*virSecurityDomainSetAllLabel) (virSecurityManager *mgr, + char *const *sharedFilesystem= s, virDomainDef *sec, const char *incomingPath, bool chardevStdioLogd, bool migrated); typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManager *mgr, + char *const *sharedFilesy= stems, virDomainDef *def, bool migrated, bool chardevStdioLogd); @@ -113,14 +116,17 @@ typedef int (*virSecurityDomainSetHugepages) (virSecu= rityManager *mgr, const char *path); =20 typedef int (*virSecurityDomainSetImageLabel) (virSecurityManager *mgr, + char *const *sharedFilesyst= ems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabel= Flags flags); typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManager *mgr, + char *const *sharedFile= systems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageL= abelFlags flags); typedef int (*virSecurityDomainMoveImageMetadata) (virSecurityManager *mgr, + char *const *sharedFile= systems, pid_t pid, virStorageSource *src, virStorageSource *dst); diff --git a/src/security/security_manager.c b/src/security/security_manage= r.c index 24f2f3d3dc..3e341be007 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -244,6 +244,7 @@ virSecurityManagerPostFork(virSecurityManager *mgr) /** * virSecurityManagerTransactionStart: * @mgr: security manager + * @sharedFilesystems: list of filesystem to consider shared * * Starts a new transaction. In transaction nothing is changed security * label until virSecurityManagerTransactionCommit() is called. @@ -252,14 +253,15 @@ virSecurityManagerPostFork(virSecurityManager *mgr) * -1 otherwise. */ int -virSecurityManagerTransactionStart(virSecurityManager *mgr) +virSecurityManagerTransactionStart(virSecurityManager *mgr, + char *const *sharedFilesystems) { VIR_LOCK_GUARD lock =3D virObjectLockGuard(mgr); =20 if (!mgr->drv->transactionStart) return 0; =20 - return mgr->drv->transactionStart(mgr); + return mgr->drv->transactionStart(mgr, sharedFilesystems); } =20 =20 @@ -402,6 +404,7 @@ virSecurityManagerGetPrivileged(virSecurityManager *mgr) /** * virSecurityManagerRestoreImageLabel: * @mgr: security manager object + * @sharedFilesystems: list of filesystem to consider shared * @vm: domain definition object * @src: disk source definition to operate on * @flags: bitwise or of 'virSecurityDomainImageLabelFlags' @@ -412,6 +415,7 @@ virSecurityManagerGetPrivileged(virSecurityManager *mgr) */ int virSecurityManagerRestoreImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, virStorageSource *src, virSecurityDomainImageLabelFlags flags) @@ -423,13 +427,15 @@ virSecurityManagerRestoreImageLabel(virSecurityManage= r *mgr, return -1; } =20 - return mgr->drv->domainRestoreSecurityImageLabel(mgr, vm, src, flags); + return mgr->drv->domainRestoreSecurityImageLabel(mgr, sharedFilesystem= s, + vm, src, flags); } =20 =20 /** * virSecurityManagerMoveImageMetadata: * @mgr: security manager + * @sharedFilesystems: list of filesystem to consider shared * @pid: domain's PID * @src: source of metadata * @dst: destination to move metadata to @@ -449,6 +455,7 @@ virSecurityManagerRestoreImageLabel(virSecurityManager = *mgr, */ int virSecurityManagerMoveImageMetadata(virSecurityManager *mgr, + char *const *sharedFilesystems, pid_t pid, virStorageSource *src, virStorageSource *dst) @@ -458,7 +465,8 @@ virSecurityManagerMoveImageMetadata(virSecurityManager = *mgr, if (!mgr->drv->domainMoveImageMetadata) return 0; =20 - return mgr->drv->domainMoveImageMetadata(mgr, pid, src, dst); + return mgr->drv->domainMoveImageMetadata(mgr, sharedFilesystems, + pid, src, dst); } =20 =20 @@ -510,6 +518,7 @@ virSecurityManagerClearSocketLabel(virSecurityManager *= mgr, /** * virSecurityManagerSetImageLabel: * @mgr: security manager object + * @sharedFilesystems: list of filesystem to consider shared * @vm: domain definition object * @src: disk source definition to operate on * @flags: bitwise or of 'virSecurityDomainImageLabelFlags' @@ -520,6 +529,7 @@ virSecurityManagerClearSocketLabel(virSecurityManager *= mgr, */ int virSecurityManagerSetImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, virStorageSource *src, virSecurityDomainImageLabelFlags flags) @@ -531,7 +541,8 @@ virSecurityManagerSetImageLabel(virSecurityManager *mgr, return -1; } =20 - return mgr->drv->domainSetSecurityImageLabel(mgr, vm, src, flags); + return mgr->drv->domainSetSecurityImageLabel(mgr, sharedFilesystems, + vm, src, flags); } =20 =20 @@ -816,6 +827,7 @@ int virSecurityManagerCheckAllLabel(virSecurityManager = *mgr, =20 int virSecurityManagerSetAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, const char *incomingPath, bool chardevStdioLogd, @@ -828,13 +840,15 @@ virSecurityManagerSetAllLabel(virSecurityManager *mgr, return -1; } =20 - return mgr->drv->domainSetSecurityAllLabel(mgr, vm, incomingPath, + return mgr->drv->domainSetSecurityAllLabel(mgr, sharedFilesystems, + vm, incomingPath, chardevStdioLogd, migrated); } =20 =20 int virSecurityManagerRestoreAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, bool migrated, bool chardevStdioLogd) @@ -846,7 +860,8 @@ virSecurityManagerRestoreAllLabel(virSecurityManager *m= gr, return -1; } =20 - return mgr->drv->domainRestoreSecurityAllLabel(mgr, vm, migrated, + return mgr->drv->domainRestoreSecurityAllLabel(mgr, sharedFilesystems, + vm, migrated, chardevStdioLogd); } =20 @@ -1270,6 +1285,7 @@ cmpstringp(const void *p1, /** * virSecurityManagerMetadataLock: * @mgr: security manager object + * @sharedFilesystems: list of filesystem to consider shared * @paths: paths to lock * @npaths: number of items in @paths array * @@ -1285,6 +1301,7 @@ cmpstringp(const void *p1, */ virSecurityManagerMetadataLockState * virSecurityManagerMetadataLock(virSecurityManager *mgr G_GNUC_UNUSED, + char *const *sharedFilesystems, const char **paths, size_t npaths) { @@ -1355,7 +1372,7 @@ virSecurityManagerMetadataLock(virSecurityManager *mg= r G_GNUC_UNUSED, } #endif /* !WIN32 */ =20 - if (virFileIsSharedFS(p)) { + if (virFileIsSharedFS(p, sharedFilesystems)) { /* Probably a root squashed NFS. */ continue; } diff --git a/src/security/security_manager.h b/src/security/security_manage= r.h index a416af3215..c622fe5882 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -81,7 +81,8 @@ virSecurityManager *virSecurityManagerNewDAC(const char *= virtDriver, int virSecurityManagerPreFork(virSecurityManager *mgr); void virSecurityManagerPostFork(virSecurityManager *mgr); =20 -int virSecurityManagerTransactionStart(virSecurityManager *mgr); +int virSecurityManagerTransactionStart(virSecurityManager *mgr, + char *const *sharedFilesystems); int virSecurityManagerTransactionCommit(virSecurityManager *mgr, pid_t pid, bool lock); @@ -129,11 +130,13 @@ int virSecurityManagerReleaseLabel(virSecurityManager= *mgr, int virSecurityManagerCheckAllLabel(virSecurityManager *mgr, virDomainDef *sec); int virSecurityManagerSetAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *sec, const char *incomingPath, bool chardevStdioLogd, bool migrated); int virSecurityManagerRestoreAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, bool migrated, bool chardevStdioLogd); @@ -168,14 +171,17 @@ typedef enum { } virSecurityDomainImageLabelFlags; =20 int virSecurityManagerSetImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, virStorageSource *src, virSecurityDomainImageLabelFlags flags= ); int virSecurityManagerRestoreImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, virStorageSource *src, virSecurityDomainImageLabelFlags f= lags); int virSecurityManagerMoveImageMetadata(virSecurityManager *mgr, + char *const *sharedFilesystems, pid_t pid, virStorageSource *src, virStorageSource *dst); @@ -244,6 +250,7 @@ struct _virSecurityManagerMetadataLockState { =20 virSecurityManagerMetadataLockState * virSecurityManagerMetadataLock(virSecurityManager *mgr, + char *const *sharedFilesystems, const char **paths, size_t npaths); =20 diff --git a/src/security/security_nop.c b/src/security/security_nop.c index 1413f43d57..e6e337a49d 100644 --- a/src/security/security_nop.c +++ b/src/security/security_nop.c @@ -116,6 +116,7 @@ virSecurityDomainReleaseLabelNop(virSecurityManager *mg= r G_GNUC_UNUSED, =20 static int virSecurityDomainSetAllLabelNop(virSecurityManager *mgr G_GNUC_UNUSED, + char *const *sharedFilesystems G_GNUC_UNUS= ED, virDomainDef *sec G_GNUC_UNUSED, const char *incomingPath G_GNUC_UNUSED, bool chardevStdioLogd G_GNUC_UNUSED, @@ -126,6 +127,7 @@ virSecurityDomainSetAllLabelNop(virSecurityManager *mgr= G_GNUC_UNUSED, =20 static int virSecurityDomainRestoreAllLabelNop(virSecurityManager *mgr G_GNUC_UNUSED, + char *const *sharedFilesystems G_GNUC_= UNUSED, virDomainDef *vm G_GNUC_UNUSED, bool migrated G_GNUC_UNUSED, bool chardevStdioLogd G_GNUC_UNUSED) @@ -189,6 +191,7 @@ virSecurityGetBaseLabel(virSecurityManager *mgr G_GNUC_= UNUSED, =20 static int virSecurityDomainRestoreImageLabelNop(virSecurityManager *mgr G_GNUC_UNUSE= D, + char *const *sharedFilesystems G_GNU= C_UNUSED, virDomainDef *def G_GNUC_UNUSED, virStorageSource *src G_GNUC_UNUSED, virSecurityDomainImageLabelFlags fla= gs G_GNUC_UNUSED) @@ -198,6 +201,7 @@ virSecurityDomainRestoreImageLabelNop(virSecurityManage= r *mgr G_GNUC_UNUSED, =20 static int virSecurityDomainSetImageLabelNop(virSecurityManager *mgr G_GNUC_UNUSED, + char *const *sharedFilesystems G_GNUC_UN= USED, virDomainDef *def G_GNUC_UNUSED, virStorageSource *src G_GNUC_UNUSED, virSecurityDomainImageLabelFlags flags G= _GNUC_UNUSED) @@ -207,6 +211,7 @@ virSecurityDomainSetImageLabelNop(virSecurityManager *m= gr G_GNUC_UNUSED, =20 static int virSecurityDomainMoveImageMetadataNop(virSecurityManager *mgr G_GNUC_UNUSE= D, + char *const *sharedFilesystems G_GNU= C_UNUSED, pid_t pid G_GNUC_UNUSED, virStorageSource *src G_GNUC_UNUSED, virStorageSource *dst G_GNUC_UNUSED) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index a4915dbc89..4f1874644f 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -77,6 +77,7 @@ struct _virSecuritySELinuxContextItem { typedef struct _virSecuritySELinuxContextList virSecuritySELinuxContextLis= t; struct _virSecuritySELinuxContextList { virSecurityManager *manager; + char **sharedFilesystems; virSecuritySELinuxContextItem **items; size_t nItems; bool lock; @@ -141,6 +142,7 @@ virSecuritySELinuxContextListFree(void *opaque) =20 g_free(list->items); virObjectUnref(list->manager); + g_strfreev(list->sharedFilesystems); g_free(list); } =20 @@ -254,7 +256,9 @@ virSecuritySELinuxTransactionRun(pid_t pid G_GNUC_UNUSE= D, VIR_APPEND_ELEMENT_COPY_INPLACE(paths, npaths, p); } =20 - if (!(state =3D virSecurityManagerMetadataLock(list->manager, path= s, npaths))) + if (!(state =3D virSecurityManagerMetadataLock(list->manager, + list->sharedFilesyste= ms, + paths, npaths))) goto cleanup; =20 for (i =3D 0; i < list->nItems; i++) { @@ -1102,6 +1106,7 @@ virSecuritySELinuxGetDOI(virSecurityManager *mgr G_GN= UC_UNUSED) /** * virSecuritySELinuxTransactionStart: * @mgr: security manager + * @sharedFilesystems: list of filesystem to consider shared * * Starts a new transaction. In transaction nothing is changed context * until TransactionCommit() is called. This is implemented as a list @@ -1114,7 +1119,8 @@ virSecuritySELinuxGetDOI(virSecurityManager *mgr G_GN= UC_UNUSED) * -1 otherwise. */ static int -virSecuritySELinuxTransactionStart(virSecurityManager *mgr) +virSecuritySELinuxTransactionStart(virSecurityManager *mgr, + char *const *sharedFilesystems) { virSecuritySELinuxContextList *list; =20 @@ -1128,6 +1134,7 @@ virSecuritySELinuxTransactionStart(virSecurityManager= *mgr) list =3D g_new0(virSecuritySELinuxContextList, 1); =20 list->manager =3D virObjectRef(mgr); + list->sharedFilesystems =3D g_strdupv((char **) sharedFilesystems); =20 if (virThreadLocalSet(&contextList, list) < 0) { virReportSystemError(errno, "%s", @@ -1777,6 +1784,7 @@ virSecuritySELinuxRestoreTPMFileLabelInt(virSecurityM= anager *mgr, =20 static int virSecuritySELinuxRestoreImageLabelInt(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, bool migrated) @@ -1835,7 +1843,7 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityMan= ager *mgr, if (!src->path) return 0; =20 - if ((rc =3D virFileIsSharedFS(src->path)) < 0) + if ((rc =3D virFileIsSharedFS(src->path, sharedFilesystems)) <= 0) return -1; } =20 @@ -1867,16 +1875,19 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityM= anager *mgr, =20 static int virSecuritySELinuxRestoreImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags= G_GNUC_UNUSED) { - return virSecuritySELinuxRestoreImageLabelInt(mgr, def, src, false); + return virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems, + def, src, false); } =20 =20 static int virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr, + char *const *sharedFilesystems G_G= NUC_UNUSED, virDomainDef *def, virStorageSource *src, virStorageSource *parent, @@ -1983,6 +1994,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityMa= nager *mgr, =20 static int virSecuritySELinuxSetImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags) @@ -1993,7 +2005,9 @@ virSecuritySELinuxSetImageLabel(virSecurityManager *m= gr, for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { const bool isChainTop =3D flags & VIR_SECURITY_DOMAIN_IMAGE_PARENT= _CHAIN_TOP; =20 - if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent, i= sChainTop) < 0) + if (virSecuritySELinuxSetImageLabelInternal(mgr, sharedFilesystems, + def, n, parent, + isChainTop) < 0) return -1; =20 if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) @@ -2008,6 +2022,7 @@ virSecuritySELinuxSetImageLabel(virSecurityManager *m= gr, =20 struct virSecuritySELinuxMoveImageMetadataData { virSecurityManager *mgr; + char **sharedFilesystems; const char *src; const char *dst; }; @@ -2022,7 +2037,9 @@ virSecuritySELinuxMoveImageMetadataHelper(pid_t pid G= _GNUC_UNUSED, virSecurityManagerMetadataLockState *state; int ret; =20 - if (!(state =3D virSecurityManagerMetadataLock(data->mgr, paths, G_N_E= LEMENTS(paths)))) + if (!(state =3D virSecurityManagerMetadataLock(data->mgr, + data->sharedFilesystems, + paths, G_N_ELEMENTS(paths= )))) return -1; =20 ret =3D virSecurityMoveRememberedLabel(SECURITY_SELINUX_NAME, data->sr= c, data->dst); @@ -2039,11 +2056,16 @@ virSecuritySELinuxMoveImageMetadataHelper(pid_t pid= G_GNUC_UNUSED, =20 static int virSecuritySELinuxMoveImageMetadata(virSecurityManager *mgr, + char *const *sharedFilesystems, pid_t pid, virStorageSource *src, virStorageSource *dst) { - struct virSecuritySELinuxMoveImageMetadataData data =3D { .mgr =3D mgr= , 0 }; + struct virSecuritySELinuxMoveImageMetadataData data =3D { + .mgr =3D mgr, + .sharedFilesystems =3D (char **) sharedFilesystems, + 0 + }; int rc; =20 if (src && virStorageSourceIsLocalStorage(src)) @@ -2820,6 +2842,7 @@ virSecuritySELinuxRestoreSysinfoLabel(virSecurityMana= ger *mgr, =20 static int virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, bool migrated, bool chardevStdioLogd) @@ -2844,7 +2867,8 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager = *mgr, for (i =3D 0; i < def->ndisks; i++) { virDomainDiskDef *disk =3D def->disks[i]; =20 - if (virSecuritySELinuxRestoreImageLabelInt(mgr, def, disk->src, + if (virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems, + def, disk->src, migrated) < 0) rc =3D -1; } @@ -2890,7 +2914,8 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager = *mgr, } =20 if (def->os.loader && def->os.loader->nvram) { - if (virSecuritySELinuxRestoreImageLabelInt(mgr, def, def->os.loade= r->nvram, + if (virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems, + def, def->os.loader->nv= ram, migrated) < 0) rc =3D -1; } @@ -3232,6 +3257,7 @@ virSecuritySELinuxSetSysinfoLabel(virSecurityManager = *mgr, =20 static int virSecuritySELinuxSetAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, const char *incomingPath G_GNUC_UNUSED, bool chardevStdioLogd, @@ -3259,7 +3285,8 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr, def->disks[i]->dst); continue; } - if (virSecuritySELinuxSetImageLabel(mgr, def, def->disks[i]->src, + if (virSecuritySELinuxSetImageLabel(mgr, sharedFilesystems, + def, def->disks[i]->src, VIR_SECURITY_DOMAIN_IMAGE_LABE= L_BACKING_CHAIN | VIR_SECURITY_DOMAIN_IMAGE_PARE= NT_CHAIN_TOP) < 0) return -1; @@ -3309,7 +3336,8 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr, } =20 if (def->os.loader && def->os.loader->nvram) { - if (virSecuritySELinuxSetImageLabel(mgr, def, def->os.loader->nvra= m, + if (virSecuritySELinuxSetImageLabel(mgr, sharedFilesystems, + def, def->os.loader->nvram, VIR_SECURITY_DOMAIN_IMAGE_LABE= L_BACKING_CHAIN | VIR_SECURITY_DOMAIN_IMAGE_PARE= NT_CHAIN_TOP) < 0) return -1; diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 369b5dd3a6..11800535b9 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -140,13 +140,15 @@ virSecurityStackPreFork(virSecurityManager *mgr) =20 =20 static int -virSecurityStackTransactionStart(virSecurityManager *mgr) +virSecurityStackTransactionStart(virSecurityManager *mgr, + char *const *sharedFilesystems) { virSecurityStackData *priv =3D virSecurityManagerGetPrivateData(mgr); virSecurityStackItem *item =3D priv->itemsHead; =20 for (; item; item =3D item->next) { - if (virSecurityManagerTransactionStart(item->securityManager) < 0) + if (virSecurityManagerTransactionStart(item->securityManager, + sharedFilesystems) < 0) goto rollback; } =20 @@ -337,6 +339,7 @@ virSecurityStackRestoreHostdevLabel(virSecurityManager = *mgr, =20 static int virSecurityStackSetAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, const char *incomingPath, bool chardevStdioLogd, @@ -346,8 +349,9 @@ virSecurityStackSetAllLabel(virSecurityManager *mgr, virSecurityStackItem *item =3D priv->itemsHead; =20 for (; item; item =3D item->next) { - if (virSecurityManagerSetAllLabel(item->securityManager, vm, - incomingPath, chardevStdioLogd, + if (virSecurityManagerSetAllLabel(item->securityManager, + sharedFilesystems, + vm, incomingPath, chardevStdioLo= gd, migrated) < 0) goto rollback; } @@ -357,6 +361,7 @@ virSecurityStackSetAllLabel(virSecurityManager *mgr, rollback: for (item =3D item->prev; item; item =3D item->prev) { if (virSecurityManagerRestoreAllLabel(item->securityManager, + sharedFilesystems, vm, migrated, chardevStdioLogd) < 0) { @@ -373,6 +378,7 @@ virSecurityStackSetAllLabel(virSecurityManager *mgr, =20 static int virSecurityStackRestoreAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, bool migrated, bool chardevStdioLogd) @@ -382,8 +388,11 @@ virSecurityStackRestoreAllLabel(virSecurityManager *mg= r, int rc =3D 0; =20 for (; item; item =3D item->next) { - if (virSecurityManagerRestoreAllLabel(item->securityManager, vm, - migrated, chardevStdioLogd) = < 0) + if (virSecurityManagerRestoreAllLabel(item->securityManager, + sharedFilesystems, + vm, + migrated, + chardevStdioLogd) < 0) rc =3D -1; } =20 @@ -638,6 +647,7 @@ virSecurityStackGetBaseLabel(virSecurityManager *mgr, i= nt virtType) =20 static int virSecurityStackSetImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, virStorageSource *src, virSecurityDomainImageLabelFlags flags) @@ -646,8 +656,9 @@ virSecurityStackSetImageLabel(virSecurityManager *mgr, virSecurityStackItem *item =3D priv->itemsHead; =20 for (; item; item =3D item->next) { - if (virSecurityManagerSetImageLabel(item->securityManager, vm, src, - flags) < 0) + if (virSecurityManagerSetImageLabel(item->securityManager, + sharedFilesystems, + vm, src, flags) < 0) goto rollback; } =20 @@ -656,6 +667,7 @@ virSecurityStackSetImageLabel(virSecurityManager *mgr, rollback: for (item =3D item->prev; item; item =3D item->prev) { if (virSecurityManagerRestoreImageLabel(item->securityManager, + sharedFilesystems, vm, src, flags) < 0) { @@ -672,6 +684,7 @@ virSecurityStackSetImageLabel(virSecurityManager *mgr, =20 static int virSecurityStackRestoreImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, virStorageSource *src, virSecurityDomainImageLabelFlags flags) @@ -682,6 +695,7 @@ virSecurityStackRestoreImageLabel(virSecurityManager *m= gr, =20 for (; item; item =3D item->next) { if (virSecurityManagerRestoreImageLabel(item->securityManager, + sharedFilesystems, vm, src, flags) < 0) rc =3D -1; } @@ -691,6 +705,7 @@ virSecurityStackRestoreImageLabel(virSecurityManager *m= gr, =20 static int virSecurityStackMoveImageMetadata(virSecurityManager *mgr, + char *const *sharedFilesystems, pid_t pid, virStorageSource *src, virStorageSource *dst) @@ -701,6 +716,7 @@ virSecurityStackMoveImageMetadata(virSecurityManager *m= gr, =20 for (; item; item =3D item->next) { if (virSecurityManagerMoveImageMetadata(item->securityManager, + sharedFilesystems, pid, src, dst) < 0) rc =3D -1; } diff --git a/src/util/virfile.c b/src/util/virfile.c index deaf4555fd..3268866f8b 100644 --- a/src/util/virfile.c +++ b/src/util/virfile.c @@ -2597,8 +2597,14 @@ virFileOpenAs(const char *path, int openflags, mode_= t mode, goto error; =20 /* On Linux we can also verify the FS-type of the - * directory. (this is a NOP on other platforms). */ - if (virFileIsSharedFS(path) <=3D 0) + * directory. (this is a NOP on other platforms). + * + * Note that it would be pointless to pass + * virQEMUDriverConfig.sharedFilesystems here, since those + * listed there are by definition paths that can be accessed + * as local from the current host. Thus, a second attempt at + * opening the file would not make a difference */ + if (virFileIsSharedFS(path, NULL) <=3D 0) goto error; } =20 @@ -3795,7 +3801,8 @@ virFileGetDefaultHugepage(virHugeTLBFS *fs, return NULL; } =20 -int virFileIsSharedFS(const char *path) +int virFileIsSharedFS(const char *path, + char *const *overrides G_GNUC_UNUSED) { return virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS | diff --git a/src/util/virfile.h b/src/util/virfile.h index 56fe309bce..3fdd7f526c 100644 --- a/src/util/virfile.h +++ b/src/util/virfile.h @@ -235,7 +235,8 @@ enum { }; =20 int virFileIsSharedFSType(const char *path, unsigned int fstypes) ATTRIBUT= E_NONNULL(1); -int virFileIsSharedFS(const char *path) ATTRIBUTE_NONNULL(1); +int virFileIsSharedFS(const char *path, + char *const *overrides) ATTRIBUTE_NONNULL(1); int virFileIsClusterFS(const char *path) ATTRIBUTE_NONNULL(1); int virFileIsMountPoint(const char *file) ATTRIBUTE_NONNULL(1); int virFileIsCDROM(const char *path) diff --git a/tests/securityselinuxlabeltest.c b/tests/securityselinuxlabelt= est.c index 7b7cf53569..43db128b3a 100644 --- a/tests/securityselinuxlabeltest.c +++ b/tests/securityselinuxlabeltest.c @@ -270,7 +270,7 @@ testSELinuxLabeling(const void *opaque) if (!(def =3D testSELinuxLoadDef(testname))) goto cleanup; =20 - if (virSecurityManagerSetAllLabel(mgr, def, NULL, false, false) < 0) + if (virSecurityManagerSetAllLabel(mgr, NULL, def, NULL, false, false) = < 0) goto cleanup; =20 if (testSELinuxCheckLabels(files, nfiles) < 0) diff --git a/tests/virfiletest.c b/tests/virfiletest.c index 9fbfc37e56..e05925a321 100644 --- a/tests/virfiletest.c +++ b/tests/virfiletest.c @@ -313,7 +313,7 @@ testFileIsSharedFSType(const void *opaque G_GNUC_UNUSED) goto cleanup; } =20 - actual =3D virFileIsSharedFS(data->filename); + actual =3D virFileIsSharedFS(data->filename, NULL); =20 if (actual !=3D data->expected) { fprintf(stderr, "Unexpected FS type. Expected %d got %d\n", --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Mon Feb 9 00:37:47 2026 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1714671813851369.95564208728274; Thu, 2 May 2024 10:43:33 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id C975C248C; Thu, 2 May 2024 13:43:32 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id E800D2419; Thu, 2 May 2024 13:40:06 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 3266C1968; Thu, 2 May 2024 13:39:52 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 9171A1C51 for ; Thu, 2 May 2024 13:39:50 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-413-f2Xtn2fRMzCSpVWWxm17ww-1; Thu, 02 May 2024 13:39:48 -0400 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com [10.11.54.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 69640299E746 for ; Thu, 2 May 2024 17:39:48 +0000 (UTC) Received: from harajuku.usersys.redhat.com (unknown [10.45.224.51]) by smtp.corp.redhat.com (Postfix) with ESMTPS id E50E0C01595 for ; Thu, 2 May 2024 17:39:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: f2Xtn2fRMzCSpVWWxm17ww-1 From: Andrea Bolognani To: devel@lists.libvirt.org Subject: [PATCH v3 4/5] utils: Use overrides in virFileIsSharedFS() Date: Thu, 2 May 2024 19:39:41 +0200 Message-ID: <20240502173942.431392-5-abologna@redhat.com> In-Reply-To: <20240502173942.431392-1-abologna@redhat.com> References: <20240502173942.431392-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.8 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: YZUDDXZIOOD27XS4PRI2IHPIOOYHZWCF X-Message-ID-Hash: YZUDDXZIOOD27XS4PRI2IHPIOOYHZWCF X-MailFrom: abologna@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1714671814152100001 If the local admin has explicitly declared that a certain filesystem is to be considered shared, we should treat it as such. Signed-off-by: Andrea Bolognani Reviewed-by: Stefan Berger --- src/util/virfile.c | 42 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/src/util/virfile.c b/src/util/virfile.c index 3268866f8b..45815919d6 100644 --- a/src/util/virfile.c +++ b/src/util/virfile.c @@ -3801,9 +3801,49 @@ virFileGetDefaultHugepage(virHugeTLBFS *fs, return NULL; } =20 +static bool +virFileIsSharedFSOverride(const char *path, + char *const *overrides) +{ + g_autofree char *dirpath =3D NULL; + char *p =3D NULL; + + if (!path || path[0] !=3D '/' || !overrides) + return false; + + if (g_strv_contains((const char *const *) overrides, path)) + return true; + + dirpath =3D g_strdup(path); + + /* Continue until we've scanned the entire path */ + while (p !=3D dirpath) { + + /* Find the last slash */ + if ((p =3D strrchr(dirpath, '/')) =3D=3D NULL) + break; + + /* Truncate the path by overwriting the slash that we've just + * found with a null byte. If it is the very first slash in + * the path, we need to handle things slightly differently */ + if (p =3D=3D dirpath) + *(p+1) =3D '\0'; + else + *p =3D '\0'; + + if (g_strv_contains((const char *const *) overrides, dirpath)) + return true; + } + + return false; +} + int virFileIsSharedFS(const char *path, - char *const *overrides G_GNUC_UNUSED) + char *const *overrides) { + if (virFileIsSharedFSOverride(path, overrides)) + return 1; + return virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS | VIR_FILE_SHFS_GFS2 | --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org From nobody Mon Feb 9 00:37:47 2026 Delivered-To: importer@patchew.org Received-SPF: none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; spf=none (zohomail.com: 8.43.85.245 is neither permitted nor denied by domain of lists.libvirt.org) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1714671866497563.8973081226936; Thu, 2 May 2024 10:44:26 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 6B2D31A84; Thu, 2 May 2024 13:44:25 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id AA8B21A6D; Thu, 2 May 2024 13:40:12 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id DD75C17D8; Thu, 2 May 2024 13:39:54 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 003DD1C53 for ; Thu, 2 May 2024 13:39:50 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-410-9x6NgTfoM9WOurz2TyAZUw-1; Thu, 02 May 2024 13:39:49 -0400 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.rdu2.redhat.com [10.11.54.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 382753C00094 for ; Thu, 2 May 2024 17:39:49 +0000 (UTC) Received: from harajuku.usersys.redhat.com (unknown [10.45.224.51]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B4B41C13FA1 for ; Thu, 2 May 2024 17:39:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.7 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 X-MC-Unique: 9x6NgTfoM9WOurz2TyAZUw-1 From: Andrea Bolognani To: devel@lists.libvirt.org Subject: [PATCH v3 5/5] qemu: Always set labels for TPM state Date: Thu, 2 May 2024 19:39:42 +0200 Message-ID: <20240502173942.431392-6-abologna@redhat.com> In-Reply-To: <20240502173942.431392-1-abologna@redhat.com> References: <20240502173942.431392-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.8 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Message-ID-Hash: Q3ZHNUE2XRD22K36VN6CDWQO5AS6FT6A X-Message-ID-Hash: Q3ZHNUE2XRD22K36VN6CDWQO5AS6FT6A X-MailFrom: abologna@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: Content-Type: text/plain; charset="utf-8"; x-default="true" Content-Transfer-Encoding: quoted-printable X-ZM-MESSAGEID: 1714671868341100001 Up until this point, we have avoided setting labels for incoming migration when the TPM state is stored on a shared filesystem. This seems to make sense, because since the underlying storage is shared surely the labels will be as well. There's one problem, though: when a guest is migrated, the SELinux context for the destination process is different from the one of the source process. We haven't hit any issues with the current approach so far because NFS doesn't support SELinux, so effectively it doesn't matter whether relabeling happens or not: even if the SELinux contexts of the source and target processes are different, both will be able to access the storage. Now that it's possible for the local admin to manually mark exported directories as shared filesystems, however, things can get problematic. Consider the case in which one host (mig-one) exports its local filesystem /srv/nfs/libvirt/swtpm via NFS, and at the same time bind-mounts it to /var/lib/libvirt/swtpm; another host (mig-two) mounts the same filesystem to the same location, this time via NFS. Additionally, in order to allow migration in both directions, on mig-one the /var/lib/libvirt/swtpm directory is listed in the shared_filesystems qemu.conf option. When migrating from mig-one to mig-two, things work just fine; going in the opposite direction, however, results in an error: # virsh migrate cirros qemu+ssh://mig-one/system error: internal error: QEMU unexpectedly closed the monitor (vm=3D'cirros= '): qemu-system-x86_64: tpm-emulator: Setting the stateblob (type 1) failed w= ith a TPM error 0x1f qemu-system-x86_64: error while loading state for instance 0x0 of device = 'tpm-emulator' qemu-system-x86_64: load of migration failed: Input/output error This is because the directory on mig-one is considered a shared filesystem and thus labeling is skipped, resulting in a SELinux denial. The solution is quite simple: remove the check and always relabel. We know that it's okay to do so not just because it makes the error seen above go away, but also because no such check currently exists for disks and other types of persistent storage such as NVRAM files, which always get relabeled. Signed-off-by: Andrea Bolognani Reviewed-by: Stefan Berger Reviewed-by: Peter Krempa --- src/qemu/qemu_tpm.c | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index cdf4bfbad2..e5a9fb8b16 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -929,7 +929,6 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, g_autofree char *pidfile =3D NULL; virTimeBackOffVar timebackoff; const unsigned long long timeout =3D 1000; /* ms */ - bool setTPMStateLabel =3D true; pid_t pid =3D -1; =20 cfg =3D virQEMUDriverGetConfig(driver); @@ -956,13 +955,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, virCommandSetPidFile(cmd, pidfile); virCommandSetErrorFD(cmd, &errfd); =20 - if (incomingMigration && - virFileIsSharedFS(tpm->data.emulator.storagepath, cfg->sharedFiles= ystems) =3D=3D 1) { - /* security labels must have been set up on source already */ - setTPMStateLabel =3D false; - } - - if (qemuSecuritySetTPMLabels(driver, vm, setTPMStateLabel) < 0) + if (qemuSecuritySetTPMLabels(driver, vm, true) < 0) return -1; =20 if (qemuSecurityCommandRun(driver, vm, cmd, cfg->swtpm_user, @@ -1011,7 +1004,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, virProcessKillPainfully(pid, true); if (pidfile) unlink(pidfile); - qemuSecurityRestoreTPMLabels(driver, vm, setTPMStateLabel); + qemuSecurityRestoreTPMLabels(driver, vm, true); return -1; } =20 --=20 2.44.0 _______________________________________________ Devel mailing list -- devel@lists.libvirt.org To unsubscribe send an email to devel-leave@lists.libvirt.org