From: Andrea Bolognani
To: devel@lists.libvirt.org
Subject: [PATCH v6 01/13] security: Fix alignment
Date: Fri, 30 Aug 2024 17:13:33 +0200
Message-ID: <20240830151345.717568-2-abologna@redhat.com>
In-Reply-To: <20240830151345.717568-1-abologna@redhat.com>
References: <20240830151345.717568-1-abologna@redhat.com>

Signed-off-by: Andrea Bolognani
Reviewed-by: Stefan Berger
--- src/security/security_selinux.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 31df4d22db..713b5f2b0e 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -1983,9 +1983,9 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityMa= nager *mgr, =20 static int virSecuritySELinuxSetImageLabel(virSecurityManager *mgr, - virDomainDef *def, - virStorageSource *src, - virSecurityDomainImageLabelFlags flags) + virDomainDef *def, + virStorageSource *src, + virSecurityDomainImageLabelFlags flags) { virStorageSource *parent =3D src; virStorageSource *n; --=20 2.46.0 From nobody Thu Sep 19 01:40:21 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 17250309171581023.0389372099198; Fri, 30 Aug 2024 08:15:17 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 1690214E4; Fri, 30 Aug 2024 11:15:16 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 70EAC13A2; Fri, 30 Aug 2024 11:14:01 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 62167146A; Fri, 30 Aug 2024 11:13:56 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id B45151280 for ; Fri, 30 Aug 2024 11:13:54 -0400 (EDT) Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, 
From: Andrea Bolognani
To: devel@lists.libvirt.org
Subject: [PATCH v6 02/13] qemu: Introduce shared_filesystems configuration option
Date: Fri, 30 Aug 2024 17:13:34 +0200
Message-ID: <20240830151345.717568-3-abologna@redhat.com>
In-Reply-To: <20240830151345.717568-1-abologna@redhat.com>
References: <20240830151345.717568-1-abologna@redhat.com>

As explained in the comment, this can help in scenarios where a shared filesystem can't be detected as such by libvirt, by giving the admin the opportunity to provide this information manually.

https://issues.redhat.com/browse/RHEL-35752

Signed-off-by: Andrea Bolognani
Signed-off-by: Peter Krempa
--- src/qemu/libvirtd_qemu.aug | 3 +++ src/qemu/qemu.conf.in | 26 +++++++++++++++++++++++++ src/qemu/qemu_conf.c | 31 ++++++++++++++++++++++++++++++ src/qemu/qemu_conf.h | 2 ++ src/qemu/test_libvirtd_qemu.aug.in | 5 +++++ 5 files changed, 67 insertions(+) diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug index 2b6526538f..1377fd89cc 100644 
--- a/src/qemu/libvirtd_qemu.aug +++ b/src/qemu/libvirtd_qemu.aug @@ -143,6 +143,8 @@ module Libvirtd_qemu =3D =20 let storage_entry =3D bool_entry "storage_use_nbdkit" =20 + let filesystem_entry =3D str_array_entry "shared_filesystems" + (* Entries that used to exist in the config which are now * deleted. We keep on parsing them so we don't break * ability to parse old configs after upgrade @@ -173,6 +175,7 @@ module Libvirtd_qemu =3D | swtpm_entry | capability_filters_entry | storage_entry + | filesystem_entry | obsolete_entry =20 let comment =3D [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \= t\n][^\n]*)?/ . del /\n/ "\n" ] diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in index 6bc2140dcb..b93024a489 100644 --- a/src/qemu/qemu.conf.in +++ b/src/qemu/qemu.conf.in 
@@ -985,3 +985,29 @@ # note that the default might change in future releases. # #storage_use_nbdkit =3D @USE_NBDKIT_DEFAULT@ + +# libvirt will normally prevent migration if the storage backing the VM is= not +# on a shared filesystems. Sometimes, however, the storage *is* shared des= pite +# not being detected as such: for example, this is the case when one of the +# hosts involved in the migration is exporting its local storage to the ot= her +# one via NFS. +# +# Any directory listed here will be assumed to live on a shared filesystem, +# making migration possible in scenarios such as the one described above. = It's +# the system's administrator responsibility to ensure that other hosts can +# access this directory. +# +# This option is not symmetrical and should only be used on hosts where the +# storage is being exported from. It must not be used on hosts accessing t= he +# storage via a remote protocol. +# +# NOTE: this option is intended to help in very specific scenarios that are +# rarely encountered. If you find yourself reaching for this option, consi= der +# reworking your environment so that it follows a more common architecture +# rather than using it. +# +#shared_filesystems =3D [ +# "/path/to/images", +# "/path/to/nvram", +# "/path/to/swtpm" +#] diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index b36bede6c3..9c51da6cca 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -374,6 +374,8 @@ static void virQEMUDriverConfigDispose(void *obj) =20 g_strfreev(cfg->capabilityfilters); =20 + g_strfreev(cfg->sharedFilesystems); + g_free(cfg->deprecationBehavior); } =20 
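Review bot: the qemu.conf.in text should spell out what goes wrong when an entry is incorrect, since every directory listed here is exempted from the shared-storage check that normally blocks a migration: a path that is not actually reachable from the destination host will let the migration go ahead against storage the destination cannot see. One sentence after "It's the system's administrator responsibility to ensure that other hosts can access this directory." (which should read "the system administrator's responsibility") would make the risk explicit, and the asymmetry rule would be easier to follow if it said why the option is only needed on the exporting host: a host that mounts the export over NFS already has it detected as shared, so adding the path there gains nothing. Two wording fixes in the same block: "not on a shared filesystems" should be "not on a shared filesystem", and "rather than using it" at the end of the NOTE repeats what "consider reworking your environment" already says.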
@@ -1084,6 +1086,32 @@ virQEMUDriverConfigLoadStorageEntry(virQEMUDriverCon= fig *cfg, } =20 =20 +static int +virQEMUDriverConfigLoadFilesystemEntry(virQEMUDriverConfig *cfg, + virConf *conf) +{ + char **iter; + + if (virConfGetValueStringList(conf, "shared_filesystems", false, + &cfg->sharedFilesystems) < 0) + return -1; + + if (!cfg->sharedFilesystems) + return 0; + + /* The paths provided by the user might contain trailing slashes + * and other fun diversions, which would break the naive string + * comparisons that we're later going to use them for */ + for (iter =3D cfg->sharedFilesystems; *iter; iter++) { + char *canon =3D virFileCanonicalizePath(*iter); + g_free(*iter); + *iter =3D canon; + } + + return 0; +} + + int virQEMUDriverConfigLoadFile(virQEMUDriverConfig *cfg, const char *filename, bool privileged) @@ -1158,6 +1186,9 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfig *= cfg, if (virQEMUDriverConfigLoadStorageEntry(cfg, conf) < 0) return -1; =20 + if (virQEMUDriverConfigLoadFilesystemEntry(cfg, conf) < 0) + return -1; + return 0; } =20 diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index aa1e1a626c..b9cdc75c6b 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -233,6 +233,8 @@ struct _virQEMUDriverConfig { bool storageUseNbdkit; =20 virQEMUSchedCore schedCore; + + char **sharedFilesystems; }; =20 G_DEFINE_AUTOPTR_CLEANUP_FUNC(virQEMUDriverConfig, virObjectUnref); diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index b97e6de11e..69fdae215a 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in 
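Review bot: virQEMUDriverConfigLoadFilesystemEntry() does not handle virFileCanonicalizePath() returning NULL, which it does whenever the path cannot be resolved (a typo in the config, or a directory that does not exist yet when the daemon starts). The loop stores that NULL into the array, which terminates the string list early: every entry after it silently disappears from cfg->sharedFilesystems, and those strings are leaked because g_strfreev() in virQEMUDriverConfigDispose() stops at the first NULL. The failure direction is at least conservative (fewer paths treated as shared), but an administrator gets no indication that part of the list was discarded. Suggest checking the result before the g_free(*iter) and failing the config load with an error that names the path, e.g. `if (!canon) { virReportSystemError(errno, _("cannot canonicalize path '%s'"), *iter); return -1; }`; returning -1 there matches the other Load*Entry helpers, whose failure already aborts virQEMUDriverConfigLoadFile().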
@@ -119,3 +119,8 @@ module Test_libvirtd_qemu =3D { "deprecation_behavior" =3D "none" } { "sched_core" =3D "none" } { "storage_use_nbdkit" =3D "@USE_NBDKIT_DEFAULT@" } +{ "shared_filesystems" + { "1" =3D "/path/to/images" } + { "2" =3D "/path/to/nvram" } + { "3" =3D "/path/to/swtpm" } +} --=20 2.46.0 From nobody Thu Sep 19 01:40:21 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1725031029015209.97091437937206; Fri, 30 Aug 2024 08:17:09 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id D6009129A; Fri, 30 Aug 2024 11:17:07 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 1082B1503; Fri, 30 Aug 2024 11:14:18 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 439691338; Fri, 30 Aug 2024 11:14:11 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id B943D1498 for ; Fri, 30 Aug 2024 11:13:56 -0400 (EDT) Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-396-hAUfXahtOcOrLJxWw4CG2w-1; Fri, 30 Aug 2024 11:13:54 -0400 Received: from 
From: Andrea Bolognani
To: devel@lists.libvirt.org
Subject: [PATCH v6 03/13] qemu: Propagate shared_filesystems
Date: Fri, 30 Aug 2024 17:13:35 +0200
Message-ID: <20240830151345.717568-4-abologna@redhat.com>
In-Reply-To: <20240830151345.717568-1-abologna@redhat.com>
References: <20240830151345.717568-1-abologna@redhat.com>

virFileIsSharedFS() is the function that ultimately decides whether a filesystem should be considered shared, but the list of manually configured shared filesystems is part of the QEMU driver's configuration, so we need to pass the information through several layers in order to make use of it.

Note that with this change the list is propagated all the way through, but its contents are still ignored, so the behavior remains the same for now.
Signed-off-by: Andrea Bolognani Reviewed-by: Stefan Berger --- src/lxc/lxc_controller.c | 3 +- src/lxc/lxc_driver.c | 2 +- src/lxc/lxc_process.c | 4 +- src/qemu/qemu_domain.c | 7 ++- src/qemu/qemu_extdevice.c | 2 +- src/qemu/qemu_migration.c | 23 ++++----- src/qemu/qemu_security.c | 85 ++++++++++++++++++++++++-------- src/qemu/qemu_tpm.c | 29 +++++++---- src/qemu/qemu_tpm.h | 10 ++-- src/security/security_apparmor.c | 8 ++- src/security/security_dac.c | 47 ++++++++++++++---- src/security/security_driver.h | 8 ++- src/security/security_manager.c | 33 ++++++++++--- src/security/security_manager.h | 9 +++- src/security/security_nop.c | 5 ++ src/security/security_selinux.c | 50 ++++++++++++++----- src/security/security_stack.c | 32 +++++++++--- src/util/virfile.c | 13 +++-- src/util/virfile.h | 3 +- tests/securityselinuxlabeltest.c | 2 +- tests/virfiletest.c | 2 +- 21 files changed, 281 insertions(+), 96 deletions(-) diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index 505b71d05e..7b432a1160 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -1919,7 +1919,8 @@ static int virLXCControllerSetupDisk(virLXCController= *ctrl, /* Labelling normally operates on src, but we need * to actually label the dst here, so hack the config */ def->src->path =3D dst; - if (virSecurityManagerSetImageLabel(securityDriver, ctrl->def, def->sr= c, + if (virSecurityManagerSetImageLabel(securityDriver, + NULL, ctrl->def, def->src, VIR_SECURITY_DOMAIN_IMAGE_LABEL_BA= CKING_CHAIN) < 0) goto cleanup; =20 diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c index 534e257f30..0e31e5e4b9 100644 --- a/src/lxc/lxc_driver.c +++ b/src/lxc/lxc_driver.c 
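Review bot: the LXC call site in this hunk passes NULL for the new sharedFilesystems argument, which is the right value given that the shared_filesystems setting lives in qemu.conf and has no LXC counterpart, but the meaning of NULL (rely on filesystem detection alone, no administrator-supplied paths) is not documented in any hunk visible here; the doc comments on virFileIsSharedFS() and the virSecurityManager* entry points (virfile.h and security_manager.h are in the diffstat but not shown) are where that belongs. A short inline comment such as `NULL, /* sharedFilesystems: no extra shared paths */` at this first NULL-passing site would also help readers of lxc_controller.c.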
@@ -3265,7 +3265,7 @@ lxcDomainAttachDeviceMknodHelper(pid_t pid G_GNUC_UNU= SED, char *tmpsrc =3D def->src->path; def->src->path =3D data->file; if (virSecurityManagerSetImageLabel(data->driver->securityManager, - data->vm->def, def->src, + NULL, data->vm->def, def->src, VIR_SECURITY_DOMAIN_IMAGE_LABE= L_BACKING_CHAIN) < 0) { def->src->path =3D tmpsrc; goto cleanup; diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c index f5eb5383ec..205ab96ebb 100644 --- a/src/lxc/lxc_process.c +++ b/src/lxc/lxc_process.c @@ -170,7 +170,7 @@ static void virLXCProcessCleanup(virLXCDriver *driver, } =20 if (flags & VIR_LXC_PROCESS_CLEANUP_RESTORE_SECLABEL) { - virSecurityManagerRestoreAllLabel(driver->securityManager, + virSecurityManagerRestoreAllLabel(driver->securityManager, NULL, vm->def, false, false); } =20 @@ -1320,7 +1320,7 @@ int virLXCProcessStart(virLXCDriver * driver, stopFlags |=3D VIR_LXC_PROCESS_CLEANUP_RELEASE_SECLABEL; =20 VIR_DEBUG("Setting domain security labels"); - if (virSecurityManagerSetAllLabel(driver->securityManager, + if (virSecurityManagerSetAllLabel(driver->securityManager, NULL, vm->def, NULL, false, false) < 0) goto cleanup; stopFlags |=3D VIR_LXC_PROCESS_CLEANUP_RESTORE_SECLABEL; diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 93dbbcbc0b..948474b121 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -12050,7 +12050,12 @@ virQEMUFileOpenAs(uid_t fallback_uid, bool need_unlink =3D false; unsigned int vfoflags =3D 0; int fd =3D -1; - int path_shared =3D virFileIsSharedFS(path); + /* Note that it would be pointless to pass + * virQEMUDriverConfig.sharedFilesystems here, since those + * listed there are by definition paths that can be accessed + * as local from the current host. Thus, a second attempt at + * opening the file would not make a difference */ + int path_shared =3D virFileIsSharedFS(path, NULL); uid_t uid =3D geteuid(); gid_t gid =3D getegid(); =20 
diff --git a/src/qemu/qemu_extdevice.c b/src/qemu/qemu_extdevice.c index ed5976d1f7..dc1bb56237 100644 --- a/src/qemu/qemu_extdevice.c +++ b/src/qemu/qemu_extdevice.c @@ -165,7 +165,7 @@ qemuExtDevicesCleanupHost(virQEMUDriver *driver, virDomainTPMDef *tpm =3D def->tpms[i]; =20 if (tpm->type =3D=3D VIR_DOMAIN_TPM_TYPE_EMULATOR) - qemuExtTPMCleanupHost(tpm, flags, outgoingMigration); + qemuExtTPMCleanupHost(driver, tpm, flags, outgoingMigration); } } =20 diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index 7f905f8584..e5c1784f0e 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c @@ -1430,6 +1430,7 @@ qemuMigrationSrcIsAllowed(virDomainObj *vm, unsigned int flags) { qemuDomainObjPrivate *priv =3D vm->privateData; + virQEMUDriver *driver =3D priv->driver; int nsnapshots; int pauseReason; size_t i; @@ -1604,7 +1605,7 @@ qemuMigrationSrcIsAllowed(virDomainObj *vm, } } =20 - if (qemuTPMHasSharedStorage(vm->def)&& + if (qemuTPMHasSharedStorage(driver, vm->def) && !qemuTPMCanMigrateSharedStorage(vm->def)) { virReportError(VIR_ERR_NO_SUPPORT, "%s", _("the running swtpm does not support migration= with shared storage")); 
@@ -1616,20 +1617,23 @@ qemuMigrationSrcIsAllowed(virDomainObj *vm, } =20 static bool -qemuMigrationSrcIsSafe(virDomainDef *def, - virQEMUCaps *qemuCaps, +qemuMigrationSrcIsSafe(virDomainObj *vm, size_t nmigrate_disks, const char **migrate_disks, unsigned int flags) =20 { + qemuDomainObjPrivate *priv =3D vm->privateData; + virQEMUCaps *qemuCaps =3D priv->qemuCaps; + virQEMUDriver *driver =3D priv->driver; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); bool storagemigration =3D flags & (VIR_MIGRATE_NON_SHARED_DISK | VIR_MIGRATE_NON_SHARED_INC); size_t i; int rc; =20 - for (i =3D 0; i < def->ndisks; i++) { - virDomainDiskDef *disk =3D def->disks[i]; + for (i =3D 0; i < vm->def->ndisks; i++) { + virDomainDiskDef *disk =3D vm->def->disks[i]; const char *src =3D virDomainDiskGetSource(disk); virStorageType actualType =3D virStorageSourceGetActualType(disk->= src); bool unsafe =3D false; @@ -1648,7 +1652,7 @@ qemuMigrationSrcIsSafe(virDomainDef *def, /* However, disks on local FS (e.g. ext4) are not safe. */ switch (actualType) { case VIR_STORAGE_TYPE_FILE: - if ((rc =3D virFileIsSharedFS(src)) < 0) { + if ((rc =3D virFileIsSharedFS(src, cfg->sharedFilesystems)) < = 0) { return false; } else if (rc =3D=3D 0) { unsafe =3D true; @@ -2625,8 +2629,7 @@ qemuMigrationSrcBeginPhase(virQEMUDriver *driver, return NULL; =20 if (!(flags & (VIR_MIGRATE_UNSAFE | VIR_MIGRATE_OFFLINE)) && - !qemuMigrationSrcIsSafe(vm->def, priv->qemuCaps, - nmigrate_disks, migrate_disks, flags)) + !qemuMigrationSrcIsSafe(vm, nmigrate_disks, migrate_disks, flags)) return NULL; =20 if (flags & VIR_MIGRATE_POSTCOPY && @@ -6105,7 +6108,6 @@ qemuMigrationSrcPerformJob(virQEMUDriver *driver, int ret =3D -1; virErrorPtr orig_err =3D NULL; g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); - qemuDomainObjPrivate *priv =3D vm->privateData; qemuDomainJobPrivate *jobPriv =3D vm->job->privateData; =20 if (flags & VIR_MIGRATE_POSTCOPY_RESUME) { 
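Review bot: check that `priv` has no remaining uses in qemuMigrationSrcPerformJob() after the @@ -6105 hunk removes its declaration; only the declaration line is visible here, and any other reference left in the function would fail to compile. In the @@ -1616 hunk, collapsing the (virDomainDef *, virQEMUCaps *) parameters of qemuMigrationSrcIsSafe() into a single virDomainObj * is a welcome simplification, but it also makes the safety check take its own config reference via virQEMUDriverGetConfig(), so the set of paths treated as shared is whatever the config snapshot holds at the moment the migration is checked; a sentence about that in the commit message would help, since the result of this check is what stands between an operator and an unsafe migration when VIR_MIGRATE_UNSAFE is not set. The @@ -1648 hunk correctly consults cfg->sharedFilesystems only in the VIR_STORAGE_TYPE_FILE branch, since directory entries cannot apply to block or network storage.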
@@ -6130,8 +6132,7 @@ qemuMigrationSrcPerformJob(virQEMUDriver *driver, goto endjob; =20 if (!(flags & (VIR_MIGRATE_UNSAFE | VIR_MIGRATE_OFFLINE)) && - !qemuMigrationSrcIsSafe(vm->def, priv->qemuCaps, - nmigrate_disks, migrate_disks, flags)) + !qemuMigrationSrcIsSafe(vm, nmigrate_disks, migrate_disks, fla= gs)) goto endjob; =20 qemuMigrationSrcStoreDomainState(vm); diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c index 4aaa863ae9..996c95acc0 100644 --- a/src/qemu/qemu_security.c +++ b/src/qemu/qemu_security.c @@ -38,15 +38,18 @@ qemuSecuritySetAllLabel(virQEMUDriver *driver, { int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetAllLabel(driver->securityManager, + cfg->sharedFilesystems, vm->def, incomingPath, priv->chardevStdioLogd, @@ -70,6 +73,7 @@ qemuSecurityRestoreAllLabel(virQEMUDriver *driver, bool migrated) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); bool transactionStarted =3D false; =20 /* In contrast to qemuSecuritySetAllLabel, do not use vm->pid 
@@ -78,10 +82,12 @@ qemuSecurityRestoreAllLabel(virQEMUDriver *driver, * domain's namespace is gone as qemu was the only process * running there. We would not succeed in entering the * namespace then. */ - if (virSecurityManagerTransactionStart(driver->securityManager) >=3D 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) >=3D 0) transactionStarted =3D true; =20 virSecurityManagerRestoreAllLabel(driver->securityManager, + cfg->sharedFilesystems, vm->def, migrated, priv->chardevStdioLogd); @@ -103,6 +109,7 @@ qemuSecuritySetImageLabel(virQEMUDriver *driver, bool chainTop) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; virSecurityDomainImageLabelFlags labelFlags =3D 0; @@ -116,10 +123,12 @@ qemuSecuritySetImageLabel(virQEMUDriver *driver, if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetImageLabel(driver->securityManager, + cfg->sharedFilesystems, vm->def, src, labelFlags) < 0) goto cleanup; =20 @@ -141,6 +150,7 @@ qemuSecurityRestoreImageLabel(virQEMUDriver *driver, bool backingChain) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; virSecurityDomainImageLabelFlags labelFlags =3D 0; 
@@ -151,10 +161,12 @@ qemuSecurityRestoreImageLabel(virQEMUDriver *driver, if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreImageLabel(driver->securityManager, + cfg->sharedFilesystems, vm->def, src, labelFlags) < 0) goto cleanup; =20 @@ -176,6 +188,7 @@ qemuSecurityMoveImageMetadata(virQEMUDriver *driver, virStorageSource *dst) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; =20 if (!priv->rememberOwner) @@ -184,7 +197,9 @@ qemuSecurityMoveImageMetadata(virQEMUDriver *driver, if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - return virSecurityManagerMoveImageMetadata(driver->securityManager, pi= d, src, dst); + return virSecurityManagerMoveImageMetadata(driver->securityManager, + cfg->sharedFilesystems, + pid, src, dst); } =20 =20 @@ -194,13 +209,15 @@ qemuSecuritySetHostdevLabel(virQEMUDriver *driver, virDomainHostdevDef *hostdev) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetHostdevLabel(driver->securityManager, 
@@ -226,13 +243,15 @@ qemuSecurityRestoreHostdevLabel(virQEMUDriver *driver, virDomainHostdevDef *hostdev) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreHostdevLabel(driver->securityManager, @@ -258,13 +277,15 @@ qemuSecuritySetMemoryLabel(virQEMUDriver *driver, virDomainMemoryDef *mem) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetMemoryLabel(driver->securityManager, @@ -289,13 +310,15 @@ qemuSecurityRestoreMemoryLabel(virQEMUDriver *driver, virDomainMemoryDef *mem) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreMemoryLabel(driver->securityManager, 
@@ -320,13 +343,15 @@ qemuSecuritySetInputLabel(virDomainObj *vm, { qemuDomainObjPrivate *priv =3D vm->privateData; virQEMUDriver *driver =3D priv->driver; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetInputLabel(driver->securityManager, @@ -351,13 +376,15 @@ qemuSecurityRestoreInputLabel(virDomainObj *vm, { qemuDomainObjPrivate *priv =3D vm->privateData; virQEMUDriver *driver =3D priv->driver; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreInputLabel(driver->securityManager, @@ -383,12 +410,14 @@ qemuSecuritySetChardevLabel(virQEMUDriver *driver, { int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetChardevLabel(driver->securityManager, 
@@ -415,12 +444,14 @@ qemuSecurityRestoreChardevLabel(virQEMUDriver *driver, { int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreChardevLabel(driver->securityManager, @@ -446,12 +477,14 @@ qemuSecuritySetNetdevLabel(virQEMUDriver *driver, { int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetNetdevLabel(driver->securityManager, @@ -476,12 +509,14 @@ qemuSecurityRestoreNetdevLabel(virQEMUDriver *driver, { int ret =3D -1; qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreNetdevLabel(driver->securityManager, 
@@ -505,9 +540,11 @@ qemuSecuritySetTPMLabels(virQEMUDriver *driver, bool setTPMStateLabel) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); int ret =3D -1; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerSetTPMLabels(driver->securityManager, @@ -531,9 +568,11 @@ qemuSecurityRestoreTPMLabels(virQEMUDriver *driver, bool restoreTPMStateLabel) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); int ret =3D -1; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerRestoreTPMLabels(driver->securityManager, @@ -558,13 +597,15 @@ qemuSecurityDomainSetPathLabel(virQEMUDriver *driver, bool allowSubtree) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerDomainSetPathLabel(driver->securityManager, 
@@ -590,13 +631,15 @@ qemuSecurityDomainRestorePathLabel(virQEMUDriver *dri= ver, const char *path) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); pid_t pid =3D -1; int ret =3D -1; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerDomainRestorePathLabel(driver->securityManager, @@ -634,6 +677,7 @@ qemuSecurityDomainSetMountNSPathLabel(virQEMUDriver *dr= iver, const char *path) { int ret =3D -1; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); =20 if (!qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) { VIR_DEBUG("Not labeling '%s': mount namespace disabled for domain = '%s'", @@ -641,7 +685,8 @@ qemuSecurityDomainSetMountNSPathLabel(virQEMUDriver *dr= iver, return 1; } =20 - if (virSecurityManagerTransactionStart(driver->securityManager) < 0) + if (virSecurityManagerTransactionStart(driver->securityManager, + cfg->sharedFilesystems) < 0) goto cleanup; =20 if (virSecurityManagerDomainSetPathLabel(driver->securityManager, diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 2f17918cbb..08af5aad2e 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -538,6 +538,7 @@ qemuTPMEmulatorReconfigure(const char *storagepath, * @privileged: whether we are running in privileged mode * @swtpm_user: The uid for the swtpm to run as (drop privileges to from r= oot) * @swtpm_group: The gid for the swtpm to run as + * @sharedFilesystems: list of filesystem to consider shared * @incomingMigration: whether we have an incoming migration * * Create the virCommand use for starting the emulator 
@@ -551,6 +552,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm, bool privileged, uid_t swtpm_user, gid_t swtpm_group, + char *const *sharedFilesystems, bool incomingMigration) { g_autoptr(virCommand) cmd =3D NULL; @@ -568,7 +570,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm, /* Do not create storage and run swtpm_setup on incoming migration over * shared storage */ - on_shared_storage =3D virFileIsSharedFS(tpm->data.emulator.storagepath= ) =3D=3D 1; + on_shared_storage =3D virFileIsSharedFS(tpm->data.emulator.storagepath= , sharedFilesystems) =3D=3D 1; if (incomingMigration && on_shared_storage) create_storage =3D false; =20 @@ -738,6 +740,7 @@ qemuTPMEmulatorInitPaths(virDomainTPMDef *tpm, =20 /** * qemuTPMEmulatorCleanupHost: + * @driver: QEMU driver * @tpm: TPM definition * @flags: flags indicating whether to keep or remove TPM persistent state * @outgoingMigration: whether cleanup is due to an outgoing migration @@ -745,15 +748,18 @@ qemuTPMEmulatorInitPaths(virDomainTPMDef *tpm, * Clean up persistent storage for the swtpm. */ static void -qemuTPMEmulatorCleanupHost(virDomainTPMDef *tpm, +qemuTPMEmulatorCleanupHost(virQEMUDriver *driver, + virDomainTPMDef *tpm, virDomainUndefineFlagsValues flags, bool outgoingMigration) { + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); + /* Never remove the state in case of outgoing migration with shared * storage. */ if (outgoingMigration && - virFileIsSharedFS(tpm->data.emulator.storagepath) =3D=3D 1) + virFileIsSharedFS(tpm->data.emulator.storagepath, cfg->sharedFiles= ystems) =3D=3D 1) return; =20 /* @@ -939,6 +945,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, driver->privileged, cfg->swtpm_user, cfg->swtpm_group, + cfg->sharedFilesystems, incomingMigration))) return -1; =20 
@@ -954,7 +961,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, virCommandSetErrorFD(cmd, &errfd); =20 if (incomingMigration && - virFileIsSharedFS(tpm->data.emulator.storagepath) =3D=3D 1) { + virFileIsSharedFS(tpm->data.emulator.storagepath, cfg->sharedFiles= ystems) =3D=3D 1) { /* security labels must have been set up on source already */ setTPMStateLabel =3D false; } @@ -1014,8 +1021,10 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, =20 =20 bool -qemuTPMHasSharedStorage(virDomainDef *def) +qemuTPMHasSharedStorage(virQEMUDriver *driver, + virDomainDef *def) { + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); size_t i; =20 for (i =3D 0; i < def->ntpms; i++) { @@ -1023,7 +1032,8 @@ qemuTPMHasSharedStorage(virDomainDef *def) =20 switch (tpm->type) { case VIR_DOMAIN_TPM_TYPE_EMULATOR: - return virFileIsSharedFS(tpm->data.emulator.storagepath) =3D= =3D 1; + return virFileIsSharedFS(tpm->data.emulator.storagepath, + cfg->sharedFilesystems) =3D=3D 1; case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: case VIR_DOMAIN_TPM_TYPE_EXTERNAL: case VIR_DOMAIN_TPM_TYPE_LAST: @@ -1101,11 +1111,12 @@ qemuExtTPMPrepareHost(virQEMUDriver *driver, =20 =20 void -qemuExtTPMCleanupHost(virDomainTPMDef *tpm, +qemuExtTPMCleanupHost(virQEMUDriver *driver, + virDomainTPMDef *tpm, virDomainUndefineFlagsValues flags, bool outgoingMigration) { - qemuTPMEmulatorCleanupHost(tpm, flags, outgoingMigration); + qemuTPMEmulatorCleanupHost(driver, tpm, flags, outgoingMigration); } =20 =20 @@ -1137,7 +1148,7 @@ qemuExtTPMStop(virQEMUDriver *driver, return; =20 qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName); - if (outgoingMigration && qemuTPMHasSharedStorage(vm->def)) + if (outgoingMigration && qemuTPMHasSharedStorage(driver, vm->def)) restoreTPMStateLabel =3D false; =20 if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel) < 0) diff --git a/src/qemu/qemu_tpm.h b/src/qemu/qemu_tpm.h index 33ba5d2268..3071dc3f71 100644 --- a/src/qemu/qemu_tpm.h +++ b/src/qemu/qemu_tpm.h 
@@ -35,10 +35,11 @@ int qemuExtTPMPrepareHost(virQEMUDriver *driver, ATTRIBUTE_NONNULL(3) G_GNUC_WARN_UNUSED_RESULT; =20 -void qemuExtTPMCleanupHost(virDomainTPMDef *tpm, +void qemuExtTPMCleanupHost(virQEMUDriver *driver, + virDomainTPMDef *tpm, virDomainUndefineFlagsValues flags, bool outgoingMigration) - ATTRIBUTE_NONNULL(1); + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2); =20 int qemuExtTPMStart(virQEMUDriver *driver, virDomainObj *vm, @@ -59,8 +60,9 @@ int qemuExtTPMSetupCgroup(virQEMUDriver *driver, ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) G_GNUC_WARN_UNUSED_RESULT; =20 -bool qemuTPMHasSharedStorage(virDomainDef *def) - ATTRIBUTE_NONNULL(1) +bool qemuTPMHasSharedStorage(virQEMUDriver *driver, + virDomainDef *def) + ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) G_GNUC_WARN_UNUSED_RESULT; =20 bool qemuTPMCanMigrateSharedStorage(virDomainDef *def) diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index 27184aef7f..38d4817fae 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -433,6 +433,7 @@ AppArmorGenSecurityLabel(virSecurityManager *mgr G_GNUC= _UNUSED, =20 static int AppArmorSetSecurityAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems G_GNUC_UNUSED, virDomainDef *def, const char *incomingPath, bool chardevStdioLogd G_GNUC_UNUSED, @@ -507,6 +508,7 @@ AppArmorReleaseSecurityLabel(virSecurityManager *mgr G_= GNUC_UNUSED, =20 static int AppArmorRestoreSecurityAllLabel(virSecurityManager *mgr G_GNUC_UNUSED, + char *const *sharedFilesystems G_GNUC_UNUS= ED, virDomainDef *def, bool migrated G_GNUC_UNUSED, bool chardevStdioLogd G_GNUC_UNUSED) 
@@ -625,6 +627,7 @@ AppArmorClearSecuritySocketLabel(virSecurityManager *mg= r G_GNUC_UNUSED, /* Called when hotplugging */ static int AppArmorRestoreSecurityImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems G_GNUC_UN= USED, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags G= _GNUC_UNUSED) @@ -729,6 +732,7 @@ AppArmorRestoreInputLabel(virSecurityManager *mgr, /* Called when hotplugging */ static int AppArmorSetSecurityImageLabelInternal(virSecurityManager *mgr, + char *const *sharedFilesystems G_GNU= C_UNUSED, virDomainDef *def, virStorageSource *src) { @@ -762,6 +766,7 @@ AppArmorSetSecurityImageLabelInternal(virSecurityManage= r *mgr, =20 static int AppArmorSetSecurityImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags G_GNU= C_UNUSED) @@ -777,7 +782,8 @@ AppArmorSetSecurityImageLabel(virSecurityManager *mgr, return 0; =20 for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { - if (AppArmorSetSecurityImageLabelInternal(mgr, def, n) < 0) + if (AppArmorSetSecurityImageLabelInternal(mgr, sharedFilesystems, + def, n) < 0) return -1; } =20 diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 59fc5b840f..95dbe4636f 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -79,6 +79,7 @@ struct _virSecurityDACChownItem { typedef struct _virSecurityDACChownList virSecurityDACChownList; struct _virSecurityDACChownList { virSecurityManager *manager; + char **sharedFilesystems; virSecurityDACChownItem **items; size_t nItems; bool lock; @@ -137,6 +138,7 @@ virSecurityDACChownListFree(void *opaque) virSecurityDACChownItemFree(list->items[i]); g_free(list->items); virObjectUnref(list->manager); + g_strfreev(list->sharedFilesystems); g_free(list); } =20 
@@ -228,7 +230,9 @@ virSecurityDACTransactionRun(pid_t pid G_GNUC_UNUSED, VIR_APPEND_ELEMENT_COPY_INPLACE(paths, npaths, p); } =20 - if (!(state =3D virSecurityManagerMetadataLock(list->manager, path= s, npaths))) + if (!(state =3D virSecurityManagerMetadataLock(list->manager, + list->sharedFilesyste= ms, + paths, npaths))) return -1; =20 for (i =3D 0; i < list->nItems; i++) { @@ -533,6 +537,7 @@ virSecurityDACPreFork(virSecurityManager *mgr) /** * virSecurityDACTransactionStart: * @mgr: security manager + * @sharedFilesystems: list of filesystem to consider shared * * Starts a new transaction. In transaction nothing is chown()-ed until * TransactionCommit() is called. This is implemented as a list that is @@ -544,7 +549,8 @@ virSecurityDACPreFork(virSecurityManager *mgr) * -1 otherwise. */ static int -virSecurityDACTransactionStart(virSecurityManager *mgr) +virSecurityDACTransactionStart(virSecurityManager *mgr, + char *const *sharedFilesystems) { g_autoptr(virSecurityDACChownList) list =3D NULL; =20 @@ -557,6 +563,7 @@ virSecurityDACTransactionStart(virSecurityManager *mgr) list =3D g_new0(virSecurityDACChownList, 1); =20 list->manager =3D virObjectRef(mgr); + list->sharedFilesystems =3D g_strdupv((char **) sharedFilesystems); =20 if (virThreadLocalSet(&chownList, list) < 0) { virReportSystemError(errno, "%s", @@ -859,6 +866,7 @@ virSecurityDACRestoreFileLabel(virSecurityManager *mgr, =20 static int virSecurityDACSetImageLabelInternal(virSecurityManager *mgr, + char *const *sharedFilesystems G_GNUC_= UNUSED, virDomainDef *def, virStorageSource *src, virStorageSource *parent, @@ -938,6 +946,7 @@ virSecurityDACSetImageLabelInternal(virSecurityManager = *mgr, =20 static int virSecurityDACSetImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags) 
@@ -948,7 +957,8 @@ virSecurityDACSetImageLabel(virSecurityManager *mgr, for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { const bool isChainTop =3D flags & VIR_SECURITY_DOMAIN_IMAGE_PARENT= _CHAIN_TOP; =20 - if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent, isCha= inTop) < 0) + if (virSecurityDACSetImageLabelInternal(mgr, sharedFilesystems, + def, n, parent, isChainTop= ) < 0) return -1; =20 if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) @@ -962,6 +972,7 @@ virSecurityDACSetImageLabel(virSecurityManager *mgr, =20 static int virSecurityDACRestoreImageLabelInt(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, bool migrated) @@ -1004,7 +1015,7 @@ virSecurityDACRestoreImageLabelInt(virSecurityManager= *mgr, if (!src->path) return 0; =20 - if ((rc =3D virFileIsSharedFS(src->path)) < 0) + if ((rc =3D virFileIsSharedFS(src->path, sharedFilesystems)) <= 0) return -1; } =20 @@ -1038,16 +1049,19 @@ virSecurityDACRestoreImageLabelInt(virSecurityManag= er *mgr, =20 static int virSecurityDACRestoreImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags G_G= NUC_UNUSED) { - return virSecurityDACRestoreImageLabelInt(mgr, def, src, false); + return virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems, + def, src, false); } =20 =20 struct virSecurityDACMoveImageMetadataData { virSecurityManager *mgr; + char **sharedFilesystems; const char *src; const char *dst; }; 
@@ -1062,7 +1076,9 @@ virSecurityDACMoveImageMetadataHelper(pid_t pid G_GNU= C_UNUSED, virSecurityManagerMetadataLockState *state; int ret; =20 - if (!(state =3D virSecurityManagerMetadataLock(data->mgr, paths, G_N_E= LEMENTS(paths)))) + if (!(state =3D virSecurityManagerMetadataLock(data->mgr, + data->sharedFilesystems, + paths, G_N_ELEMENTS(paths= )))) return -1; =20 ret =3D virSecurityMoveRememberedLabel(SECURITY_DAC_NAME, data->src, d= ata->dst); @@ -1079,12 +1095,17 @@ virSecurityDACMoveImageMetadataHelper(pid_t pid G_G= NUC_UNUSED, =20 static int virSecurityDACMoveImageMetadata(virSecurityManager *mgr, + char *const *sharedFilesystems, pid_t pid, virStorageSource *src, virStorageSource *dst) { virSecurityDACData *priv =3D virSecurityManagerGetPrivateData(mgr); - struct virSecurityDACMoveImageMetadataData data =3D { .mgr =3D mgr, 0 = }; + struct virSecurityDACMoveImageMetadataData data =3D { + .mgr =3D mgr, + .sharedFilesystems =3D (char **) sharedFilesystems, + 0 + }; int rc; =20 /* If dynamicOwnership is turned off, or owner remembering is @@ -1883,6 +1904,7 @@ virSecurityDACRestoreSysinfoLabel(virSecurityManager = *mgr, =20 static int virSecurityDACRestoreAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, bool migrated, bool chardevStdioLogd) @@ -1907,6 +1929,7 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr, =20 for (i =3D 0; i < def->ndisks; i++) { if (virSecurityDACRestoreImageLabelInt(mgr, + sharedFilesystems, def, def->disks[i]->src, migrated) < 0) @@ -1974,7 +1997,8 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr, } =20 if (def->os.loader && def->os.loader->nvram) { - if (virSecurityDACRestoreImageLabelInt(mgr, def, def->os.loader->n= vram, + if (virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems, + def, def->os.loader->nvram, migrated) < 0) rc =3D -1; } 
@@ -2120,6 +2144,7 @@ virSecurityDACSetSysinfoLabel(virSecurityManager *mgr, =20 static int virSecurityDACSetAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, const char *incomingPath G_GNUC_UNUSED, bool chardevStdioLogd, @@ -2145,7 +2170,8 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr, /* XXX fixme - we need to recursively label the entire tree :-( */ if (virDomainDiskGetType(def->disks[i]) =3D=3D VIR_STORAGE_TYPE_DI= R) continue; - if (virSecurityDACSetImageLabel(mgr, def, def->disks[i]->src, + if (virSecurityDACSetImageLabel(mgr, sharedFilesystems, + def, def->disks[i]->src, VIR_SECURITY_DOMAIN_IMAGE_LABEL_BA= CKING_CHAIN | VIR_SECURITY_DOMAIN_IMAGE_PARENT_C= HAIN_TOP) < 0) return -1; @@ -2214,7 +2240,8 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr, } =20 if (def->os.loader && def->os.loader->nvram) { - if (virSecurityDACSetImageLabel(mgr, def, def->os.loader->nvram, + if (virSecurityDACSetImageLabel(mgr, sharedFilesystems, + def, def->os.loader->nvram, VIR_SECURITY_DOMAIN_IMAGE_LABEL_BA= CKING_CHAIN | VIR_SECURITY_DOMAIN_IMAGE_PARENT_C= HAIN_TOP) < 0) return -1; diff --git a/src/security/security_driver.h b/src/security/security_driver.h index aa1fb2125d..2956e002ff 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -46,7 +46,8 @@ typedef const char *(*virSecurityDriverGetBaseLabel) (vir= SecurityManager *mgr, =20 typedef int (*virSecurityDriverPreFork) (virSecurityManager *mgr); =20 -typedef int (*virSecurityDriverTransactionStart) (virSecurityManager *mgr); +typedef int (*virSecurityDriverTransactionStart) (virSecurityManager *mgr, + char *const *sharedFiles= ystems); typedef int (*virSecurityDriverTransactionCommit) (virSecurityManager *mgr, pid_t pid, bool lock); 
@@ -80,11 +81,13 @@ typedef int (*virSecurityDomainReserveLabel) (virSecuri= tyManager *mgr, typedef int (*virSecurityDomainReleaseLabel) (virSecurityManager *mgr, virDomainDef *sec); typedef int (*virSecurityDomainSetAllLabel) (virSecurityManager *mgr, + char *const *sharedFilesystem= s, virDomainDef *sec, const char *incomingPath, bool chardevStdioLogd, bool migrated); typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManager *mgr, + char *const *sharedFilesy= stems, virDomainDef *def, bool migrated, bool chardevStdioLogd); @@ -113,14 +116,17 @@ typedef int (*virSecurityDomainSetHugepages) (virSecu= rityManager *mgr, const char *path); =20 typedef int (*virSecurityDomainSetImageLabel) (virSecurityManager *mgr, + char *const *sharedFilesyst= ems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabel= Flags flags); typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManager *mgr, + char *const *sharedFile= systems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageL= abelFlags flags); typedef int (*virSecurityDomainMoveImageMetadata) (virSecurityManager *mgr, + char *const *sharedFile= systems, pid_t pid, virStorageSource *src, virStorageSource *dst); diff --git a/src/security/security_manager.c b/src/security/security_manage= r.c index c49c4f708f..65b173e670 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -244,6 +244,7 @@ virSecurityManagerPostFork(virSecurityManager *mgr) /** * virSecurityManagerTransactionStart: * @mgr: security manager + * @sharedFilesystems: list of filesystem to consider shared * * Starts a new transaction. In transaction nothing is changed security * label until virSecurityManagerTransactionCommit() is called. 
@@ -252,14 +253,15 @@ virSecurityManagerPostFork(virSecurityManager *mgr) * -1 otherwise. */ int -virSecurityManagerTransactionStart(virSecurityManager *mgr) +virSecurityManagerTransactionStart(virSecurityManager *mgr, + char *const *sharedFilesystems) { VIR_LOCK_GUARD lock =3D virObjectLockGuard(mgr); =20 if (!mgr->drv->transactionStart) return 0; =20 - return mgr->drv->transactionStart(mgr); + return mgr->drv->transactionStart(mgr, sharedFilesystems); } =20 =20 @@ -402,6 +404,7 @@ virSecurityManagerGetPrivileged(virSecurityManager *mgr) /** * virSecurityManagerRestoreImageLabel: * @mgr: security manager object + * @sharedFilesystems: list of filesystem to consider shared * @vm: domain definition object * @src: disk source definition to operate on * @flags: bitwise or of 'virSecurityDomainImageLabelFlags' @@ -412,6 +415,7 @@ virSecurityManagerGetPrivileged(virSecurityManager *mgr) */ int virSecurityManagerRestoreImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, virStorageSource *src, virSecurityDomainImageLabelFlags flags) @@ -423,13 +427,15 @@ virSecurityManagerRestoreImageLabel(virSecurityManage= r *mgr, return -1; } =20 - return mgr->drv->domainRestoreSecurityImageLabel(mgr, vm, src, flags); + return mgr->drv->domainRestoreSecurityImageLabel(mgr, sharedFilesystem= s, + vm, src, flags); } =20 =20 /** * virSecurityManagerMoveImageMetadata: * @mgr: security manager + * @sharedFilesystems: list of filesystem to consider shared * @pid: domain's PID * @src: source of metadata * @dst: destination to move metadata to @@ -449,6 +455,7 @@ virSecurityManagerRestoreImageLabel(virSecurityManager = *mgr, */ int virSecurityManagerMoveImageMetadata(virSecurityManager *mgr, + char *const *sharedFilesystems, pid_t pid, virStorageSource *src, virStorageSource *dst) 
@@ -458,7 +465,8 @@ virSecurityManagerMoveImageMetadata(virSecurityManager = *mgr, if (!mgr->drv->domainMoveImageMetadata) return 0; =20 - return mgr->drv->domainMoveImageMetadata(mgr, pid, src, dst); + return mgr->drv->domainMoveImageMetadata(mgr, sharedFilesystems, + pid, src, dst); } =20 =20 @@ -510,6 +518,7 @@ virSecurityManagerClearSocketLabel(virSecurityManager *= mgr, /** * virSecurityManagerSetImageLabel: * @mgr: security manager object + * @sharedFilesystems: list of filesystem to consider shared * @vm: domain definition object * @src: disk source definition to operate on * @flags: bitwise or of 'virSecurityDomainImageLabelFlags' @@ -520,6 +529,7 @@ virSecurityManagerClearSocketLabel(virSecurityManager *= mgr, */ int virSecurityManagerSetImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, virStorageSource *src, virSecurityDomainImageLabelFlags flags) @@ -531,7 +541,8 @@ virSecurityManagerSetImageLabel(virSecurityManager *mgr, return -1; } =20 - return mgr->drv->domainSetSecurityImageLabel(mgr, vm, src, flags); + return mgr->drv->domainSetSecurityImageLabel(mgr, sharedFilesystems, + vm, src, flags); } =20 =20 @@ -816,6 +827,7 @@ int virSecurityManagerCheckAllLabel(virSecurityManager = *mgr, =20 int virSecurityManagerSetAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, const char *incomingPath, bool chardevStdioLogd, @@ -828,13 +840,15 @@ virSecurityManagerSetAllLabel(virSecurityManager *mgr, return -1; } =20 - return mgr->drv->domainSetSecurityAllLabel(mgr, vm, incomingPath, + return mgr->drv->domainSetSecurityAllLabel(mgr, sharedFilesystems, + vm, incomingPath, chardevStdioLogd, migrated); } =20 =20 int virSecurityManagerRestoreAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, bool migrated, bool chardevStdioLogd) 
@@ -846,7 +860,8 @@ virSecurityManagerRestoreAllLabel(virSecurityManager *m= gr, return -1; } =20 - return mgr->drv->domainRestoreSecurityAllLabel(mgr, vm, migrated, + return mgr->drv->domainRestoreSecurityAllLabel(mgr, sharedFilesystems, + vm, migrated, chardevStdioLogd); } =20 @@ -1292,6 +1307,7 @@ cmpstringp(const void *p1, /** * virSecurityManagerMetadataLock: * @mgr: security manager object + * @sharedFilesystems: list of filesystem to consider shared * @paths: paths to lock * @npaths: number of items in @paths array * @@ -1307,6 +1323,7 @@ cmpstringp(const void *p1, */ virSecurityManagerMetadataLockState * virSecurityManagerMetadataLock(virSecurityManager *mgr G_GNUC_UNUSED, + char *const *sharedFilesystems, const char **paths, size_t npaths) { @@ -1377,7 +1394,7 @@ virSecurityManagerMetadataLock(virSecurityManager *mg= r G_GNUC_UNUSED, } #endif /* !WIN32 */ =20 - if (virFileIsSharedFS(p)) { + if (virFileIsSharedFS(p, sharedFilesystems)) { /* Probably a root squashed NFS. */ continue; } diff --git a/src/security/security_manager.h b/src/security/security_manage= r.h index bb6d22bc31..bf0059b2e0 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -81,7 +81,8 @@ virSecurityManager *virSecurityManagerNewDAC(const char *= virtDriver, int virSecurityManagerPreFork(virSecurityManager *mgr); void virSecurityManagerPostFork(virSecurityManager *mgr); =20 -int virSecurityManagerTransactionStart(virSecurityManager *mgr); +int virSecurityManagerTransactionStart(virSecurityManager *mgr, + char *const *sharedFilesystems); int virSecurityManagerTransactionCommit(virSecurityManager *mgr, pid_t pid, bool lock); 
@@ -129,11 +130,13 @@ int virSecurityManagerReleaseLabel(virSecurityManager= *mgr, int virSecurityManagerCheckAllLabel(virSecurityManager *mgr, virDomainDef *sec); int virSecurityManagerSetAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *sec, const char *incomingPath, bool chardevStdioLogd, bool migrated); int virSecurityManagerRestoreAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, bool migrated, bool chardevStdioLogd); @@ -170,14 +173,17 @@ typedef enum { } virSecurityDomainImageLabelFlags; =20 int virSecurityManagerSetImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, virStorageSource *src, virSecurityDomainImageLabelFlags flags= ); int virSecurityManagerRestoreImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, virStorageSource *src, virSecurityDomainImageLabelFlags f= lags); int virSecurityManagerMoveImageMetadata(virSecurityManager *mgr, + char *const *sharedFilesystems, pid_t pid, virStorageSource *src, virStorageSource *dst); @@ -246,6 +252,7 @@ struct _virSecurityManagerMetadataLockState { =20 virSecurityManagerMetadataLockState * virSecurityManagerMetadataLock(virSecurityManager *mgr, + char *const *sharedFilesystems, const char **paths, size_t npaths); =20 diff --git a/src/security/security_nop.c b/src/security/security_nop.c index 1413f43d57..e6e337a49d 100644 --- a/src/security/security_nop.c +++ b/src/security/security_nop.c @@ -116,6 +116,7 @@ virSecurityDomainReleaseLabelNop(virSecurityManager *mg= r G_GNUC_UNUSED, =20 static int virSecurityDomainSetAllLabelNop(virSecurityManager *mgr G_GNUC_UNUSED, + char *const *sharedFilesystems G_GNUC_UNUS= ED, virDomainDef *sec G_GNUC_UNUSED, const char *incomingPath G_GNUC_UNUSED, bool chardevStdioLogd G_GNUC_UNUSED, 
@@ -126,6 +127,7 @@ virSecurityDomainSetAllLabelNop(virSecurityManager *mgr= G_GNUC_UNUSED, =20 static int virSecurityDomainRestoreAllLabelNop(virSecurityManager *mgr G_GNUC_UNUSED, + char *const *sharedFilesystems G_GNUC_= UNUSED, virDomainDef *vm G_GNUC_UNUSED, bool migrated G_GNUC_UNUSED, bool chardevStdioLogd G_GNUC_UNUSED) @@ -189,6 +191,7 @@ virSecurityGetBaseLabel(virSecurityManager *mgr G_GNUC_= UNUSED, =20 static int virSecurityDomainRestoreImageLabelNop(virSecurityManager *mgr G_GNUC_UNUSE= D, + char *const *sharedFilesystems G_GNU= C_UNUSED, virDomainDef *def G_GNUC_UNUSED, virStorageSource *src G_GNUC_UNUSED, virSecurityDomainImageLabelFlags fla= gs G_GNUC_UNUSED) @@ -198,6 +201,7 @@ virSecurityDomainRestoreImageLabelNop(virSecurityManage= r *mgr G_GNUC_UNUSED, =20 static int virSecurityDomainSetImageLabelNop(virSecurityManager *mgr G_GNUC_UNUSED, + char *const *sharedFilesystems G_GNUC_UN= USED, virDomainDef *def G_GNUC_UNUSED, virStorageSource *src G_GNUC_UNUSED, virSecurityDomainImageLabelFlags flags G= _GNUC_UNUSED) @@ -207,6 +211,7 @@ virSecurityDomainSetImageLabelNop(virSecurityManager *m= gr G_GNUC_UNUSED, =20 static int virSecurityDomainMoveImageMetadataNop(virSecurityManager *mgr G_GNUC_UNUSE= D, + char *const *sharedFilesystems G_GNU= C_UNUSED, pid_t pid G_GNUC_UNUSED, virStorageSource *src G_GNUC_UNUSED, virStorageSource *dst G_GNUC_UNUSED) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 713b5f2b0e..bfa48a5f72 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -77,6 +77,7 @@ struct _virSecuritySELinuxContextItem { typedef struct _virSecuritySELinuxContextList virSecuritySELinuxContextLis= t; struct _virSecuritySELinuxContextList { virSecurityManager *manager; + char **sharedFilesystems; virSecuritySELinuxContextItem **items; size_t nItems; bool lock; 
@@ -141,6 +142,7 @@ virSecuritySELinuxContextListFree(void *opaque) =20 g_free(list->items); virObjectUnref(list->manager); + g_strfreev(list->sharedFilesystems); g_free(list); } =20 @@ -254,7 +256,9 @@ virSecuritySELinuxTransactionRun(pid_t pid G_GNUC_UNUSE= D, VIR_APPEND_ELEMENT_COPY_INPLACE(paths, npaths, p); } =20 - if (!(state =3D virSecurityManagerMetadataLock(list->manager, path= s, npaths))) + if (!(state =3D virSecurityManagerMetadataLock(list->manager, + list->sharedFilesyste= ms, + paths, npaths))) goto cleanup; =20 for (i =3D 0; i < list->nItems; i++) { @@ -1102,6 +1106,7 @@ virSecuritySELinuxGetDOI(virSecurityManager *mgr G_GN= UC_UNUSED) /** * virSecuritySELinuxTransactionStart: * @mgr: security manager + * @sharedFilesystems: list of filesystem to consider shared * * Starts a new transaction. In transaction nothing is changed context * until TransactionCommit() is called. This is implemented as a list @@ -1114,7 +1119,8 @@ virSecuritySELinuxGetDOI(virSecurityManager *mgr G_GN= UC_UNUSED) * -1 otherwise. */ static int -virSecuritySELinuxTransactionStart(virSecurityManager *mgr) +virSecuritySELinuxTransactionStart(virSecurityManager *mgr, + char *const *sharedFilesystems) { virSecuritySELinuxContextList *list; =20 @@ -1128,6 +1134,7 @@ virSecuritySELinuxTransactionStart(virSecurityManager= *mgr) list =3D g_new0(virSecuritySELinuxContextList, 1); =20 list->manager =3D virObjectRef(mgr); + list->sharedFilesystems =3D g_strdupv((char **) sharedFilesystems); =20 if (virThreadLocalSet(&contextList, list) < 0) { virReportSystemError(errno, "%s", @@ -1777,6 +1784,7 @@ virSecuritySELinuxRestoreTPMFileLabelInt(virSecurityM= anager *mgr, =20 static int virSecuritySELinuxRestoreImageLabelInt(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, bool migrated) 
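Review bot: the new doc line in the virSecuritySELinuxTransactionStart() comment, "@sharedFilesystems: list of filesystem to consider shared", should read "list of filesystems (directory paths) to consider shared" and should also say that the list is copied with g_strdupv() because the transaction list is stored thread-locally and outlives the caller's configuration object; that copy is what makes the g_strfreev() added to virSecuritySELinuxContextListFree() necessary. The (char **) cast on the g_strdupv() argument is forced by the glib prototype and is fine, but the ownership note belongs in the comment so the copy is not later removed as redundant.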
@@ -1835,7 +1843,7 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityMan= ager *mgr, if (!src->path) return 0; =20 - if ((rc =3D virFileIsSharedFS(src->path)) < 0) + if ((rc =3D virFileIsSharedFS(src->path, sharedFilesystems)) <= 0) return -1; } =20 @@ -1867,16 +1875,19 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityM= anager *mgr, =20 static int virSecuritySELinuxRestoreImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags= G_GNUC_UNUSED) { - return virSecuritySELinuxRestoreImageLabelInt(mgr, def, src, false); + return virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems, + def, src, false); } =20 =20 static int virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr, + char *const *sharedFilesystems G_G= NUC_UNUSED, virDomainDef *def, virStorageSource *src, virStorageSource *parent, @@ -1983,6 +1994,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityMa= nager *mgr, =20 static int virSecuritySELinuxSetImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, virStorageSource *src, virSecurityDomainImageLabelFlags flags) @@ -1993,7 +2005,9 @@ virSecuritySELinuxSetImageLabel(virSecurityManager *m= gr, for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { const bool isChainTop =3D flags & VIR_SECURITY_DOMAIN_IMAGE_PARENT= _CHAIN_TOP; =20 - if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent, i= sChainTop) < 0) + if (virSecuritySELinuxSetImageLabelInternal(mgr, sharedFilesystems, + def, n, parent, + isChainTop) < 0) return -1; =20 if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) @@ -2008,6 +2022,7 @@ virSecuritySELinuxSetImageLabel(virSecurityManager *m= gr, =20 struct virSecuritySELinuxMoveImageMetadataData { virSecurityManager *mgr; + char **sharedFilesystems; const char *src; const char *dst; }; 
@@ -2022,7 +2037,9 @@ virSecuritySELinuxMoveImageMetadataHelper(pid_t pid G= _GNUC_UNUSED, virSecurityManagerMetadataLockState *state; int ret; =20 - if (!(state =3D virSecurityManagerMetadataLock(data->mgr, paths, G_N_E= LEMENTS(paths)))) + if (!(state =3D virSecurityManagerMetadataLock(data->mgr, + data->sharedFilesystems, + paths, G_N_ELEMENTS(paths= )))) return -1; =20 ret =3D virSecurityMoveRememberedLabel(SECURITY_SELINUX_NAME, data->sr= c, data->dst); @@ -2039,11 +2056,16 @@ virSecuritySELinuxMoveImageMetadataHelper(pid_t pid= G_GNUC_UNUSED, =20 static int virSecuritySELinuxMoveImageMetadata(virSecurityManager *mgr, + char *const *sharedFilesystems, pid_t pid, virStorageSource *src, virStorageSource *dst) { - struct virSecuritySELinuxMoveImageMetadataData data =3D { .mgr =3D mgr= , 0 }; + struct virSecuritySELinuxMoveImageMetadataData data =3D { + .mgr =3D mgr, + .sharedFilesystems =3D (char **) sharedFilesystems, + 0 + }; int rc; =20 if (src && virStorageSourceIsLocalStorage(src)) @@ -2820,6 +2842,7 @@ virSecuritySELinuxRestoreSysinfoLabel(virSecurityMana= ger *mgr, =20 static int virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, bool migrated, bool chardevStdioLogd) @@ -2844,7 +2867,8 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager = *mgr, for (i =3D 0; i < def->ndisks; i++) { virDomainDiskDef *disk =3D def->disks[i]; =20 - if (virSecuritySELinuxRestoreImageLabelInt(mgr, def, disk->src, + if (virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems, + def, disk->src, migrated) < 0) rc =3D -1; } @@ -2890,7 +2914,8 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager = *mgr, } =20 if (def->os.loader && def->os.loader->nvram) { - if (virSecuritySELinuxRestoreImageLabelInt(mgr, def, def->os.loade= r->nvram, + if (virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems, + def, def->os.loader->nv= ram, migrated) < 0) rc =3D -1; } 
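Review bot: in virSecuritySELinuxMoveImageMetadata(), `.sharedFilesystems = (char **) sharedFilesystems` casts away const only because the field in `struct virSecuritySELinuxMoveImageMetadataData` is declared `char **`; the helper only forwards the list to virSecurityManagerMetadataLock(), so declare the field as `char *const *` and drop the cast. Unlike the transaction list this struct does not own a copy, which is fine because it only lives for the duration of the helper call, but that asymmetry with the g_strdupv() copy in virSecuritySELinuxTransactionStart() deserves a one-line comment next to the field.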
@@ -3236,6 +3261,7 @@ virSecuritySELinuxSetSysinfoLabel(virSecurityManager = *mgr, =20 static int virSecuritySELinuxSetAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *def, const char *incomingPath G_GNUC_UNUSED, bool chardevStdioLogd, @@ -3263,7 +3289,8 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr, def->disks[i]->dst); continue; } - if (virSecuritySELinuxSetImageLabel(mgr, def, def->disks[i]->src, + if (virSecuritySELinuxSetImageLabel(mgr, sharedFilesystems, + def, def->disks[i]->src, VIR_SECURITY_DOMAIN_IMAGE_LABE= L_BACKING_CHAIN | VIR_SECURITY_DOMAIN_IMAGE_PARE= NT_CHAIN_TOP) < 0) return -1; @@ -3313,7 +3340,8 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr, } =20 if (def->os.loader && def->os.loader->nvram) { - if (virSecuritySELinuxSetImageLabel(mgr, def, def->os.loader->nvra= m, + if (virSecuritySELinuxSetImageLabel(mgr, sharedFilesystems, + def, def->os.loader->nvram, VIR_SECURITY_DOMAIN_IMAGE_LABE= L_BACKING_CHAIN | VIR_SECURITY_DOMAIN_IMAGE_PARE= NT_CHAIN_TOP) < 0) return -1; diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 369b5dd3a6..11800535b9 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -140,13 +140,15 @@ virSecurityStackPreFork(virSecurityManager *mgr) =20 =20 static int -virSecurityStackTransactionStart(virSecurityManager *mgr) +virSecurityStackTransactionStart(virSecurityManager *mgr, + char *const *sharedFilesystems) { virSecurityStackData *priv =3D virSecurityManagerGetPrivateData(mgr); virSecurityStackItem *item =3D priv->itemsHead; =20 for (; item; item =3D item->next) { - if (virSecurityManagerTransactionStart(item->securityManager) < 0) + if (virSecurityManagerTransactionStart(item->securityManager, + sharedFilesystems) < 0) goto rollback; } =20 
@@ -337,6 +339,7 @@ virSecurityStackRestoreHostdevLabel(virSecurityManager = *mgr, =20 static int virSecurityStackSetAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, const char *incomingPath, bool chardevStdioLogd, @@ -346,8 +349,9 @@ virSecurityStackSetAllLabel(virSecurityManager *mgr, virSecurityStackItem *item =3D priv->itemsHead; =20 for (; item; item =3D item->next) { - if (virSecurityManagerSetAllLabel(item->securityManager, vm, - incomingPath, chardevStdioLogd, + if (virSecurityManagerSetAllLabel(item->securityManager, + sharedFilesystems, + vm, incomingPath, chardevStdioLo= gd, migrated) < 0) goto rollback; } @@ -357,6 +361,7 @@ virSecurityStackSetAllLabel(virSecurityManager *mgr, rollback: for (item =3D item->prev; item; item =3D item->prev) { if (virSecurityManagerRestoreAllLabel(item->securityManager, + sharedFilesystems, vm, migrated, chardevStdioLogd) < 0) { @@ -373,6 +378,7 @@ virSecurityStackSetAllLabel(virSecurityManager *mgr, =20 static int virSecurityStackRestoreAllLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, bool migrated, bool chardevStdioLogd) @@ -382,8 +388,11 @@ virSecurityStackRestoreAllLabel(virSecurityManager *mg= r, int rc =3D 0; =20 for (; item; item =3D item->next) { - if (virSecurityManagerRestoreAllLabel(item->securityManager, vm, - migrated, chardevStdioLogd) = < 0) + if (virSecurityManagerRestoreAllLabel(item->securityManager, + sharedFilesystems, + vm, + migrated, + chardevStdioLogd) < 0) rc =3D -1; } =20 @@ -638,6 +647,7 @@ virSecurityStackGetBaseLabel(virSecurityManager *mgr, i= nt virtType) =20 static int virSecurityStackSetImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, virStorageSource *src, virSecurityDomainImageLabelFlags flags) 
@@ -646,8 +656,9 @@ virSecurityStackSetImageLabel(virSecurityManager *mgr, virSecurityStackItem *item =3D priv->itemsHead; =20 for (; item; item =3D item->next) { - if (virSecurityManagerSetImageLabel(item->securityManager, vm, src, - flags) < 0) + if (virSecurityManagerSetImageLabel(item->securityManager, + sharedFilesystems, + vm, src, flags) < 0) goto rollback; } =20 @@ -656,6 +667,7 @@ virSecurityStackSetImageLabel(virSecurityManager *mgr, rollback: for (item =3D item->prev; item; item =3D item->prev) { if (virSecurityManagerRestoreImageLabel(item->securityManager, + sharedFilesystems, vm, src, flags) < 0) { @@ -672,6 +684,7 @@ virSecurityStackSetImageLabel(virSecurityManager *mgr, =20 static int virSecurityStackRestoreImageLabel(virSecurityManager *mgr, + char *const *sharedFilesystems, virDomainDef *vm, virStorageSource *src, virSecurityDomainImageLabelFlags flags) @@ -682,6 +695,7 @@ virSecurityStackRestoreImageLabel(virSecurityManager *m= gr, =20 for (; item; item =3D item->next) { if (virSecurityManagerRestoreImageLabel(item->securityManager, + sharedFilesystems, vm, src, flags) < 0) rc =3D -1; } @@ -691,6 +705,7 @@ virSecurityStackRestoreImageLabel(virSecurityManager *m= gr, =20 static int virSecurityStackMoveImageMetadata(virSecurityManager *mgr, + char *const *sharedFilesystems, pid_t pid, virStorageSource *src, virStorageSource *dst) @@ -701,6 +716,7 @@ virSecurityStackMoveImageMetadata(virSecurityManager *m= gr, =20 for (; item; item =3D item->next) { if (virSecurityManagerMoveImageMetadata(item->securityManager, + sharedFilesystems, pid, src, dst) < 0) rc =3D -1; } diff --git a/src/util/virfile.c b/src/util/virfile.c index d820172405..e02ad0ef65 100644 --- a/src/util/virfile.c +++ b/src/util/virfile.c 
@@ -2604,8 +2604,14 @@ virFileOpenAs(const char *path, goto error; =20 /* On Linux we can also verify the FS-type of the - * directory. (this is a NOP on other platforms). */ - if (virFileIsSharedFS(path) <=3D 0) + * directory. (this is a NOP on other platforms). + * + * Note that it would be pointless to pass + * virQEMUDriverConfig.sharedFilesystems here, since those + * listed there are by definition paths that can be accessed + * as local from the current host. Thus, a second attempt at + * opening the file would not make a difference */ + if (virFileIsSharedFS(path, NULL) <=3D 0) goto error; } =20 @@ -3798,7 +3804,8 @@ virFileGetDefaultHugepage(virHugeTLBFS *fs, return NULL; } =20 -int virFileIsSharedFS(const char *path) +int virFileIsSharedFS(const char *path, + char *const *overrides G_GNUC_UNUSED) { return virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS | diff --git a/src/util/virfile.h b/src/util/virfile.h index 7df3fcb840..4f9d2bd5da 100644 --- a/src/util/virfile.h +++ b/src/util/virfile.h @@ -235,7 +235,8 @@ enum { }; =20 int virFileIsSharedFSType(const char *path, unsigned int fstypes) ATTRIBUT= E_NONNULL(1); -int virFileIsSharedFS(const char *path) ATTRIBUTE_NONNULL(1); +int virFileIsSharedFS(const char *path, + char *const *overrides) ATTRIBUTE_NONNULL(1); int virFileIsClusterFS(const char *path) ATTRIBUTE_NONNULL(1); int virFileIsMountPoint(const char *file) ATTRIBUTE_NONNULL(1); int virFileIsCDROM(const char *path) diff --git a/tests/securityselinuxlabeltest.c b/tests/securityselinuxlabelt= est.c index 7b7cf53569..43db128b3a 100644 --- a/tests/securityselinuxlabeltest.c +++ b/tests/securityselinuxlabeltest.c @@ -270,7 +270,7 @@ testSELinuxLabeling(const void *opaque) if (!(def =3D testSELinuxLoadDef(testname))) goto cleanup; =20 - if (virSecurityManagerSetAllLabel(mgr, def, NULL, false, false) < 0) + if (virSecurityManagerSetAllLabel(mgr, NULL, def, NULL, false, false) = < 0) goto cleanup; =20 if (testSELinuxCheckLabels(files, nfiles) < 0) 
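Review bot: the comment added in virFileOpenAs() names `virQEMUDriverConfig.sharedFilesystems`, a QEMU driver structure, from src/util, which should not know about individual drivers; say "the caller's shared-filesystem overrides" instead and keep the reasoning (an override lists paths that are by definition reachable as local storage, so a second open attempt cannot help). Also, `overrides` is still `G_GNUC_UNUSED` in virFileIsSharedFS() in this patch, so every call site converted here keeps the pure fstype check until the parameter is wired up; a sentence in the commit message saying this is plumbing only would help anyone bisecting. Keeping only ATTRIBUTE_NONNULL(1) on the virfile.h prototype is right, since the tests pass NULL for the new argument.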
diff --git a/tests/virfiletest.c b/tests/virfiletest.c index 9fbfc37e56..e05925a321 100644 --- a/tests/virfiletest.c +++ b/tests/virfiletest.c 
@@ -313,7 +313,7 @@ testFileIsSharedFSType(const void *opaque G_GNUC_UNUSED) goto cleanup; } =20 - actual =3D virFileIsSharedFS(data->filename); + actual =3D virFileIsSharedFS(data->filename, NULL); =20 if (actual !=3D data->expected) { fprintf(stderr, "Unexpected FS type. Expected %d got %d\n", --=20 2.46.0 From nobody Thu Sep 19 01:40:21 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1725030936930968.1000751190309; Fri, 30 Aug 2024 08:15:36 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id DD5C313AB; Fri, 30 Aug 2024 11:15:35 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 628D41338; Fri, 30 Aug 2024 11:14:15 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 12D8C1325; Fri, 30 Aug 2024 11:14:11 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id A5D9D1325 for ; Fri, 30 Aug 2024 11:13:57 -0400 (EDT) Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-83-UnOLWutSPfiahZ5WDTEjSQ-1; Fri, 30 Aug 2024 11:13:55 -0400 
From: Andrea Bolognani
To: devel@lists.libvirt.org
Subject: [PATCH v6 04/13] utils: Use overrides in virFileIsSharedFS()
Date: Fri, 30 Aug 2024 17:13:36 +0200
Message-ID: <20240830151345.717568-5-abologna@redhat.com>
In-Reply-To: <20240830151345.717568-1-abologna@redhat.com>
References: <20240830151345.717568-1-abologna@redhat.com>

If the local admin has explicitly declared that a certain filesystem
is to be considered shared, we should treat it as such.

Signed-off-by: Andrea Bolognani
Reviewed-by: Stefan Berger
---
 src/util/virfile.c | 42 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/src/util/virfile.c b/src/util/virfile.c
index e02ad0ef65..a8abd7d913 100644
--- a/src/util/virfile.c
+++ b/src/util/virfile.c
@@ -3804,9 +3804,49 @@ virFileGetDefaultHugepage(virHugeTLBFS *fs, return NULL; } =20 +static bool +virFileIsSharedFSOverride(const char *path, + char *const *overrides) +{ + g_autofree char *dirpath =3D NULL; + char *p =3D NULL; + + if (!path || path[0] !=3D '/' || !overrides) + return false; + + if (g_strv_contains((const char *const *) overrides, path)) + return true; + + dirpath =3D g_strdup(path); + + /* Continue until we've scanned the entire path */ + while (p !=3D dirpath) { + + /* Find the last slash */ + if ((p =3D strrchr(dirpath, '/')) =3D=3D NULL) + break; + + /* Truncate the path by overwriting the slash that we've just + * found with a null byte. If it is the very first slash in + * the path, we need to handle things slightly differently */ + if (p =3D=3D dirpath) + *(p+1) =3D '\0'; + else + *p =3D '\0'; + + if (g_strv_contains((const char *const *) overrides, dirpath)) + return true; + } + + return false; +} + int virFileIsSharedFS(const char *path, - char *const *overrides G_GNUC_UNUSED) + char *const *overrides) { + if (virFileIsSharedFSOverride(path, overrides)) + return 1; + return virFileIsSharedFSType(path, VIR_FILE_SHFS_NFS | VIR_FILE_SHFS_GFS2 | --=20 2.46.0 From nobody Thu Sep 19 01:40:21 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1725031069911442.7503869624487; Fri, 30 Aug 2024 08:17:49 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id D87E1138D; Fri, 30 Aug 2024 11:17:48 
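Review bot: virFileIsSharedFSOverride() compares whole path components, so an override written with a trailing slash never matches anything below it: for an override "/srv/nfs/images/" and a path "/srv/nfs/images/disk.qcow2" the exact g_strv_contains() check fails and every truncated candidate ("/srv/nfs/images", "/srv/nfs", "/srv", "/") lacks the trailing slash. Either strip trailing slashes (except for a bare "/") when the override list is parsed, or normalise here before the comparison; otherwise a plausible qemu.conf entry silently does nothing. Two smaller points: the loop only terminates because the `p == dirpath` branch leaves p pointing at the start of the buffer so the `while (p != dirpath)` test fails on the next check, which deserves a comment, and the `break` on a NULL strrchr() is unreachable once `path[0] != '/'` has been rejected, so it is purely defensive. Since the override check runs before virFileIsSharedFSType(), a path under an override is reported as shared even when it sits on local storage; that is the intent of the series, but the returned 1 now feeds the virFileIsSharedFS(src->path, sharedFilesystems) decision in the SELinux restore path, so the comment should state that the list is trusted admin input and is matched on the string as given, without resolving symlinks.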
From: Andrea Bolognani
To: devel@lists.libvirt.org
Subject: [PATCH v6 05/13] qemu: Always set labels for TPM state
Date: Fri, 30 Aug 2024 17:13:37 +0200
Message-ID: <20240830151345.717568-6-abologna@redhat.com>
In-Reply-To: <20240830151345.717568-1-abologna@redhat.com>
References: <20240830151345.717568-1-abologna@redhat.com>

Up until this point, we have avoided setting labels for incoming
migration when the TPM state is stored on a shared filesystem.
This seems to make sense, because, since the underlying storage is
shared, surely the labels will be as well.

There's one problem, though: when a guest is migrated, the SELinux
context for the destination process is different from the one of
the source process.

We haven't hit any issues with the current approach so far because
NFS doesn't support SELinux, so effectively it doesn't matter
whether relabeling happens or not: even if the SELinux contexts of
the source and target processes are different, both will be able
to access the storage.

Now that it's possible for the local admin to manually mark
exported directories as shared filesystems, however, things can
get problematic.

Consider the case in which one host (mig-one) exports its local
filesystem /srv/nfs/libvirt/swtpm via NFS, and at the same time
bind-mounts it to /var/lib/libvirt/swtpm; another host (mig-two)
mounts the same filesystem to the same location, this time via
NFS. Additionally, in order to allow migration in both directions,
on mig-one the /var/lib/libvirt/swtpm directory is listed in the
shared_filesystems qemu.conf option.

When migrating from mig-one to mig-two, things work just fine;
going in the opposite direction, however, results in an error:

  # virsh migrate cirros qemu+ssh://mig-one/system
  error: internal error: QEMU unexpectedly closed the monitor (vm='cirros'):
  qemu-system-x86_64: tpm-emulator: Setting the stateblob (type 1) failed with a TPM error 0x1f
  qemu-system-x86_64: error while loading state for instance 0x0 of device 'tpm-emulator'
  qemu-system-x86_64: load of migration failed: Input/output error

This is because the directory on mig-one is considered a shared
filesystem and thus labeling is skipped, resulting in a SELinux
denial.

The solution is quite simple: remove the check and always relabel.
We know that it's okay to do so not just because it makes the
error seen above go away, but also because no such check currently
exists for disks and other types of persistent storage such as
NVRAM files, which always get relabeled.

Signed-off-by: Andrea Bolognani
Reviewed-by: Stefan Berger
---
 src/qemu/qemu_tpm.c | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 08af5aad2e..55927b4582 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -933,7 +933,6 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, g_autofree char *pidfile =3D NULL; virTimeBackOffVar timebackoff; const unsigned long long timeout =3D 1000; /* ms */ - bool setTPMStateLabel =3D true; pid_t pid =3D -1; =20 cfg =3D virQEMUDriverGetConfig(driver); @@ -960,13 +959,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, virCommandSetPidFile(cmd, pidfile); virCommandSetErrorFD(cmd, &errfd); =20 - if (incomingMigration && - virFileIsSharedFS(tpm->data.emulator.storagepath, cfg->sharedFiles= ystems) =3D=3D 1) { - /* security labels must have been set up on source already */ - setTPMStateLabel =3D false; - } - - if (qemuSecuritySetTPMLabels(driver, vm, setTPMStateLabel) < 0) + if (qemuSecuritySetTPMLabels(driver, vm, true) < 0) return -1; =20 if (qemuSecurityCommandRun(driver, vm, cmd, cfg->swtpm_user, 
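Review bot: with the shared-filesystem check gone, qemuSecuritySetTPMLabels(driver, vm, true) here and qemuSecurityRestoreTPMLabels(driver, vm, true) in the error path both pass a literal, so the setTPMStateLabel argument of those two wrappers no longer has a caller in this function that passes false; either drop the parameter in this patch or say in the commit message that a follow-up does. `cfg` remains in use for cfg->swtpm_user, so nothing else needs cleaning up, but please confirm that `incomingMigration` is still consumed elsewhere in qemuTPMEmulatorStart(), since this hunk removes its only visible use and an unused parameter would otherwise warn.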
@@ -1015,7 +1008,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, virProcessKillPainfully(pid, true); if (pidfile) unlink(pidfile); - qemuSecurityRestoreTPMLabels(driver, vm, setTPMStateLabel); + qemuSecurityRestoreTPMLabels(driver, vm, true); return -1; } =20 --=20 2.46.0 From nobody Thu Sep 19 01:40:21 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1725031090198323.6293621116315; Fri, 30 Aug 2024 08:18:10 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 24B7C14CD; Fri, 30 Aug 2024 11:18:09 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id A5CEF1528; Fri, 30 Aug 2024 11:14:24 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id B3E6B1519; Fri, 30 Aug 2024 11:14:17 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 7D0E5138D for ; Fri, 30 Aug 2024 11:14:00 -0400 (EDT) Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-189-VaSzauIyOoKXgiD7fXrkWQ-1; Fri, 30 Aug 2024 11:13:58 -0400 Received: from 
From: Andrea Bolognani
To: devel@lists.libvirt.org
Subject: [PATCH v6 06/13] virFileIsSharedFSOverride: Export
Date: Fri, 30 Aug 2024 17:13:38 +0200
Message-ID: <20240830151345.717568-7-abologna@redhat.com>
In-Reply-To: <20240830151345.717568-1-abologna@redhat.com>
References: <20240830151345.717568-1-abologna@redhat.com>

From: Peter Krempa

Document the function and export it for use outside of the
'virfile' utils module.

Signed-off-by: Peter Krempa
Reviewed-by: Andrea Bolognani
Signed-off-by: Andrea Bolognani
---
 src/libvirt_private.syms |  1 +
 src/util/virfile.c       | 12 +++++++++++-
 src/util/virfile.h       |  2 ++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index af40e5dca3..9d893c7ba6 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2359,6 +2359,7 @@ virFileIsLink; virFileIsMountPoint; virFileIsRegular; virFileIsSharedFS; +virFileIsSharedFSOverride; virFileIsSharedFSType; virFileLength; virFileLinkPointsTo; diff --git a/src/util/virfile.c b/src/util/virfile.c index a8abd7d913..6ac0f4efb3 100644 --- a/src/util/virfile.c +++ b/src/util/virfile.c @@ -3804,7 +3804,16 @@ virFileGetDefaultHugepage(virHugeTLBFS *fs, return NULL; } =20 -static bool + +/** + * virFileIsSharedFSOverride: + * @path: Path to check + * @overrides: string list of path overrides + * + * Checks whether @path is inside any of the shared filesystem override + * directories passed as @overrides. + */ +bool virFileIsSharedFSOverride(const char *path, char *const *overrides) { @@ -3841,6 +3850,7 @@ virFileIsSharedFSOverride(const char *path, return false; } =20 + int virFileIsSharedFS(const char *path, char *const *overrides) { diff --git a/src/util/virfile.h b/src/util/virfile.h index 4f9d2bd5da..e760724037 100644 --- a/src/util/virfile.h +++ b/src/util/virfile.h 
@@ -234,6 +234,8 @@ enum { VIR_FILE_SHFS_BEEGFS =3D (1 << 11), /* BeeGFS/fhGFS */ }; =20 +bool virFileIsSharedFSOverride(const char *path, + char *const *overrides); int virFileIsSharedFSType(const char *path, unsigned int fstypes) ATTRIBUT= E_NONNULL(1); int virFileIsSharedFS(const char *path, char *const *overrides) ATTRIBUTE_NONNULL(1); --=20 2.46.0 From nobody Thu Sep 19 01:40:21 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1725031110466938.6271128612392; Fri, 30 Aug 2024 08:18:30 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 3C1E6134F; Fri, 30 Aug 2024 11:18:29 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id A703D1370; Fri, 30 Aug 2024 11:14:26 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 238911420; Fri, 30 Aug 2024 11:14:18 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 28D3114F1 for ; Fri, 30 Aug 2024 11:14:02 -0400 (EDT) Received: from mx-prod-mc-04.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id 
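Review bot: the new doc comment on virFileIsSharedFSOverride in the virfile.c hunk has no "Returns:" line, and this hunk is precisely the one that turns a static helper into an exported symbol, so callers outside virfile will read only this comment. State the contract explicitly, e.g. `* Returns: true if @path is inside one of the @overrides directories, false otherwise.`, and say whether a NULL @overrides is accepted, since the body is now out of sight for those callers.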
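Review bot: the prototype added to virfile.h omits ATTRIBUTE_NONNULL(1) while both neighbours in the same hunk, virFileIsSharedFSType and virFileIsSharedFS, carry it. If @path must be non-NULL (the new doc comment describes no NULL case), add the attribute so external callers get the same compile-time check: `bool virFileIsSharedFSOverride(const char *path, char *const *overrides) ATTRIBUTE_NONNULL(1);`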
From: Andrea Bolognani To: devel@lists.libvirt.org Subject: [PATCH v6 07/13] virParseOwnershipIds: Refactor Date: Fri, 30 Aug 2024 17:13:39 +0200 Message-ID: <20240830151345.717568-8-abologna@redhat.com> In-Reply-To: <20240830151345.717568-1-abologna@redhat.com> References: <20240830151345.717568-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: HLYTD64SPP4FTHX5HP3NFRCDOKN6HPPU X-Message-ID-Hash: HLYTD64SPP4FTHX5HP3NFRCDOKN6HPPU X-MailFrom: abologna@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1725031111595116600 Content-Type: text/plain; charset="utf-8"; x-default="true" From: Peter Krempa Use automatic clearing for temporary variable, remove 'cleanup' label and declare parameters according to new coding style rules. Signed-off-by: Peter Krempa Reviewed-by: Andrea Bolognani Signed-off-by: Andrea Bolognani --- src/util/virutil.c | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/src/util/virutil.c b/src/util/virutil.c index dc5009f11d..56682d7be9 100644 --- a/src/util/virutil.c +++ b/src/util/virutil.c 
@@ -1367,25 +1367,24 @@ virValidateWWN(const char *wwn) * Returns -1 on error, 0 otherwise. */ int -virParseOwnershipIds(const char *label, uid_t *uidPtr, gid_t *gidPtr) +virParseOwnershipIds(const char *label, + uid_t *uidPtr, + gid_t *gidPtr) { - int rc =3D -1; uid_t theuid; gid_t thegid; - char *tmp_label =3D NULL; + g_autofree char *tmp_label =3D g_strdup(label); char *sep =3D NULL; char *owner =3D NULL; char *group =3D NULL; =20 - tmp_label =3D g_strdup(label); - /* Split label */ sep =3D strchr(tmp_label, ':'); if (sep =3D=3D NULL) { virReportError(VIR_ERR_INVALID_ARG, _("Failed to parse uid and gid from '%1$s'"), label); - goto cleanup; + return -1; } *sep =3D '\0'; owner =3D tmp_label; 
@@ -1396,19 +1395,14 @@ virParseOwnershipIds(const char *label, uid_t *uidP= tr, gid_t *gidPtr) */ if (virGetUserID(owner, &theuid) < 0 || virGetGroupID(group, &thegid) < 0) - goto cleanup; + return -1; =20 if (uidPtr) *uidPtr =3D theuid; if (gidPtr) *gidPtr =3D thegid; =20 - rc =3D 0; - - cleanup: - VIR_FREE(tmp_label); - - return rc; + return 0; } =20 static time_t selfLastChanged; --=20 2.46.0 From nobody Thu Sep 19 01:40:21 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1725031152084553.1539842308091; Fri, 30 Aug 2024 08:19:12 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 116CB136F; Fri, 30 Aug 2024 11:19:11 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 3D15C13A6; Fri, 30 Aug 2024 11:14:31 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 3D79E1325; Fri, 30 Aug 2024 11:14:24 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id D203513A8 for ; Fri, 30 Aug 2024 11:14:02 -0400 (EDT) Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, 
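Review bot: in the first hunk, `g_autofree char *tmp_label = g_strdup(label);` followed by `sep = strchr(tmp_label, ':');` still dereferences NULL when @label is NULL, because g_strdup(NULL) returns NULL. That is pre-existing behaviour, not introduced here, but since the declaration is being reworked for the new coding style anyway this is the moment to either mark @label ATTRIBUTE_NONNULL(1) on the prototype in virutil.h (not part of this diff) or reject a NULL label with the same VIR_ERR_INVALID_ARG report. A smaller point in the same hunk: `sep`, `owner` and `group` keep their `= NULL` initialisers although each is unconditionally assigned before use; with the cleanup label gone those initialisers no longer serve any purpose.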
From: Andrea Bolognani To: devel@lists.libvirt.org Subject: [PATCH v6 08/13] virSecuritySELinuxRestoreImageLabelInt: Move FD image relabeling after 'migrated' check Date: Fri, 30 Aug 2024 17:13:40 +0200 Message-ID: <20240830151345.717568-9-abologna@redhat.com> In-Reply-To: <20240830151345.717568-1-abologna@redhat.com> References: <20240830151345.717568-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: B362E5JPJRN7MRRDFYVPHPG7EHBXD44G X-Message-ID-Hash: B362E5JPJRN7MRRDFYVPHPG7EHBXD44G X-MailFrom: abologna@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1725031153927116600 Content-Type: text/plain; charset="utf-8"; x-default="true" From: Peter Krempa Reorganize the code so that the 'migrated' flag isn't checked multiple times and thus that it's more obvious what is happening when the 'migrated' flag is asserted. Signed-off-by: Peter Krempa Reviewed-by: Andrea Bolognani Signed-off-by: Andrea Bolognani --- src/security/security_selinux.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index bfa48a5f72..453ac67d25 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -1819,26 +1819,15 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityM= anager *mgr, if (src->readonly || src->shared) return 0; =20 - if (virStorageSourceIsFD(src)) { - if (migrated) - return 0; - - if (!src->fdtuple || - !src->fdtuple->selinuxLabel || - src->fdtuple->nfds =3D=3D 0) - return 0; - - ignore_value(virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0], - src->fdtuple->selinuxLa= bel)); - return 0; - } - /* If we have a shared FS and are doing migration, we must not change * ownership, because that kills access on the destination host which = is * sub-optimal for the guest VM's I/O attempts :-) */ if (migrated) { int rc =3D 1; =20 + if (virStorageSourceIsFD(src)) + return 0; + if (virStorageSourceIsLocalStorage(src)) { if (!src->path) return 0; 
@@ -1854,6 +1843,17 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityMa= nager *mgr, } } =20 + if (virStorageSourceIsFD(src)) { + if (!src->fdtuple || + !src->fdtuple->selinuxLabel || + src->fdtuple->nfds =3D=3D 0) + return 0; + + ignore_value(virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0], + src->fdtuple->selinuxLa= bel)); + return 0; + } + /* This is not very clean. But so far we don't have NVMe * storage pool backend so that its chownCallback would be * called. And this place looks least offensive. */ --=20 2.46.0 From nobody Thu Sep 19 01:40:21 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1725031131722791.8473203813785; Fri, 30 Aug 2024 08:18:51 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 9C9B6153F; Fri, 30 Aug 2024 11:18:50 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 7EB411258; Fri, 30 Aug 2024 11:14:28 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 35ED2129A; Fri, 30 Aug 2024 11:14:24 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 3E0F714FE for ; Fri, 30 Aug 2024 11:14:04 -0400 (EDT) Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com 
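Review bot: in the first hunk the new `if (virStorageSourceIsFD(src)) return 0;` sits inside `if (migrated)` directly under a comment that only explains the shared-FS/ownership case ("If we have a shared FS and are doing migration, we must not change ownership"). Now that FD handling is split across two places, a one-line comment on that check saying why FD-passed images are left untouched on outgoing migration would keep the intent readable without having to reconstruct the original block.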
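Review bot: the relocated FD block in the second hunk keeps `ignore_value()` around virSecuritySELinuxFSetFilecon, so a failed label restore on `src->fdtuple->fds[0]` stays silent; the move does not change that, but a VIR_DEBUG or VIR_WARN on failure would make it visible in the logs. The move itself is behaviour-preserving: with `migrated` set the early return added in the previous hunk fires before any of the path-based checks, and on the non-migrated path the same three conditions run in the same order as before.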
From: Andrea Bolognani To: devel@lists.libvirt.org Subject: [PATCH v6 09/13] security_(dac|selinux): Unref remembered security labels on outgoing migration Date: Fri, 30 Aug 2024 17:13:41 +0200 Message-ID: <20240830151345.717568-10-abologna@redhat.com> In-Reply-To: <20240830151345.717568-1-abologna@redhat.com> References: <20240830151345.717568-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: AS4WXEIWWUNRW7N7IYTLOI66KSBY5H6B X-Message-ID-Hash: AS4WXEIWWUNRW7N7IYTLOI66KSBY5H6B X-MailFrom: abologna@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1725031143704116600 Content-Type: text/plain; charset="utf-8"; x-default="true" 
From: Peter Krempa When 'qemuSecurityRestoreAllLabel' is called on outgoing migration it skips the actual relabeling part of the images in dac/selinux drivers in order to avoid cutting off access to the image. As shared filesystems don't really support the trusted XATTR groups, remembering of security labels never worked on those paths so we never actually had remembered seclabels for images that could be migrated. With recent changes we now support migration from local storage to remote in case the admin declares it as shared. This means that in case when the VM is started on local storage we'd actually store seclabels, but when migrating out the XATTRs remembering the seclabels would not actually be unref'd and thus the seclabels would leak. As we can't know whether a remote host will be able to use the XATTRs or not (but really it won't) and at the same time the destination side of migration will actually call 'qemuSecuritySetAllLabel' setting/refing it's own seclabels we really need to unref them on our side. This patch adds the appropriate *RecallLabel() calls on the code paths in which relabelling is skipped due to migration. Signed-off-by: Peter Krempa Reviewed-by: Andrea Bolognani Signed-off-by: Andrea Bolognani --- src/security/security_dac.c | 3 +++ src/security/security_selinux.c | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 95dbe4636f..c327e4c9e0 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1022,6 +1022,9 @@ virSecurityDACRestoreImageLabelInt(virSecurityManager= *mgr, if (rc =3D=3D 1) { VIR_DEBUG("Skipping image label restore on %s because FS is sh= ared", src->path); + + ignore_value(virSecurityDACRecallLabel(priv, src->path, NULL, = NULL)); + return 0; } } diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 453ac67d25..779a52ac11 100644 --- a/src/security/security_selinux.c 
+++ b/src/security/security_selinux.c 
@@ -1837,8 +1837,15 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityMa= nager *mgr, } =20 if (rc =3D=3D 1) { + g_autofree char *oldlabel =3D NULL; + VIR_DEBUG("Skipping image label restore on %s because FS is sh= ared", src->path); + + /* We still want to remove the local reference of the remember= ed + * seclabel. The destination will take its own reference when + * starting the migrated VM */ + ignore_value(virSecuritySELinuxRecallLabel(src->path, &oldlabe= l)); return 0; } } --=20 2.46.0 From nobody Thu Sep 19 01:40:21 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1725031203671450.2297721036184; Fri, 30 Aug 2024 08:20:03 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 4787C15B5; Fri, 30 Aug 2024 11:20:02 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 3A24714A3; Fri, 30 Aug 2024 11:14:34 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 1439F14B6; Fri, 30 Aug 2024 11:14:25 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id EB1A313CF for ; Fri, 30 Aug 2024 11:14:05 -0400 (EDT) Received: from mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com 
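Review bot: the security_dac.c hunk adds `ignore_value(virSecurityDACRecallLabel(priv, src->path, NULL, NULL));` without the explanatory comment that the SELinux hunk gets ("We still want to remove the local reference of the remembered seclabel. The destination will take its own reference when starting the migrated VM"). Replicate it here; a reader of security_dac.c alone otherwise sees a label recall immediately after a "Skipping image label restore" debug message with nothing to say why. The discarded return value follows the restore-path idiom, but a failed recall is exactly the leak this patch sets out to fix, so a VIR_DEBUG when the call fails would help when diagnosing it later.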
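Review bot: in the security_selinux.c hunk `g_autofree char *oldlabel = NULL;` exists only to receive the recalled label and is never read. If virSecuritySELinuxRecallLabel accepts a NULL out-pointer, pass NULL as the DAC hunk does with `virSecurityDACRecallLabel(priv, src->path, NULL, NULL)`; if it does not, a short comment that the value is intentionally discarded will save the next reader the unused-variable question.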
From: Andrea Bolognani To: devel@lists.libvirt.org Subject: [PATCH v6 10/13] storage_source: Add field for skipping seclabel remembering Date: Fri, 30 Aug 2024 17:13:42 +0200 Message-ID: <20240830151345.717568-11-abologna@redhat.com> In-Reply-To: <20240830151345.717568-1-abologna@redhat.com> References: <20240830151345.717568-1-abologna@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: YKMLMXZMNCOZIGWCJ6XXLAAAQF76TMKR X-Message-ID-Hash: YKMLMXZMNCOZIGWCJ6XXLAAAQF76TMKR X-MailFrom: abologna@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1725031206025116600 Content-Type: text/plain; charset="utf-8"; x-default="true" From: Peter Krempa In case of incoming migration where a local directory is shared to other hosts, we'll need to avoid seclabel remembering, as the code would remember the seclabel already allowing access to the image. As the decision requires a lot of information not available in the security driver, it would either require plumbing in unpleasant callbacks able to pass in the data, or alternatively we can mark this in the 'virStorageSource' struct. This patch chose the latter approach by adding a field called 'seclabelSkipRemember', which will be filled before starting the process in cases when it will be required.
Signed-off-by: Peter Krempa Reviewed-by: Andrea Bolognani Signed-off-by: Andrea Bolognani --- src/conf/storage_source_conf.c | 3 +++ src/conf/storage_source_conf.h | 9 +++++++++ src/security/security_dac.c | 3 +++ src/security/security_selinux.c | 3 +++ 4 files changed, 18 insertions(+) diff --git a/src/conf/storage_source_conf.c b/src/conf/storage_source_conf.c index 908bc5fab2..5b9a80f100 100644 --- a/src/conf/storage_source_conf.c +++ b/src/conf/storage_source_conf.c @@ -820,6 +820,9 @@ virStorageSourceCopy(const virStorageSource *src, /* storage driver metadata are not copied */ def->drv =3D NULL; =20 + /* flag to avoid seclabel remember is not copied */ + def->seclabelSkipRemember =3D false; + def->path =3D g_strdup(src->path); def->fdgroup =3D g_strdup(src->fdgroup); def->volume =3D g_strdup(src->volume); diff --git a/src/conf/storage_source_conf.h b/src/conf/storage_source_conf.h index 05b4bda16c..a507116007 100644 --- a/src/conf/storage_source_conf.h +++ b/src/conf/storage_source_conf.h @@ -431,6 +431,15 @@ struct _virStorageSource { bool thresholdEventWithIndex; =20 virStorageSourceFDTuple *fdtuple; + + /* Setting 'seclabelSkipRemember' to true will cause the security driv= er to + * not remember the security label even if it otherwise were to be + * remembered. This is needed in cases such as incoming migration for + * shared images where the existing security label may no longer be the + * correct. The security driver otherwise doesn't have enough informat= ion + * to do this decision. + */ + bool seclabelSkipRemember; }; =20 G_DEFINE_AUTOPTR_CLEANUP_FUNC(virStorageSource, virObjectUnref); diff --git a/src/security/security_dac.c b/src/security/security_dac.c index c327e4c9e0..fdc11876c9 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c 
@@ -940,6 +940,9 @@ virSecurityDACSetImageLabelInternal(virSecurityManager = *mgr, */ remember =3D isChainTop && !src->readonly && !src->shared; =20 + if (src->seclabelSkipRemember) + remember =3D false; + return virSecurityDACSetOwnership(mgr, src, NULL, user, group, remembe= r); } =20 diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 779a52ac11..3e213a553b 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -1992,6 +1992,9 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityMa= nager *mgr, =20 ret =3D virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0], use_la= bel); } else { + if (src->seclabelSkipRemember) + remember =3D false; + ret =3D virSecuritySELinuxSetFilecon(mgr, path, use_label, remembe= r); } =20 --=20 2.46.0 From nobody Thu Sep 19 01:40:21 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1725031174125670.2537340928595; Fri, 30 Aug 2024 08:19:34 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 0EFE2158C; Fri, 30 Aug 2024 11:19:33 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id F0AE61550; Fri, 30 Aug 2024 11:14:32 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id D7A8C14C1; Fri, 30 Aug 2024 11:14:24 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id E87101449 for ; Fri, 30 Aug 2024 11:14:06 -0400 (EDT) Received: from mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-277-_5pQX4tMOquzjppXBO3FYw-1; Fri, 30 Aug 2024 11:14:05 
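Review bot: the comment added in the virStorageSourceCopy hunk, "flag to avoid seclabel remember is not copied", reads awkwardly and does not say whether the reset is deliberate; "the seclabelSkipRemember flag is intentionally not copied" states both.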
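Review bot: the field comment in the storage_source_conf.h hunk has two grammar slips ("may no longer be the correct" is missing its noun, and "to do this decision" should be "to make this decision") and leaves out two facts the next reader needs: who fills the flag in (per the commit message, the code preparing an incoming migration, before the process is started) and that virStorageSourceCopy deliberately resets it to false. Suggested ending for the comment: `* shared images where the existing security label may no longer be correct.` / `* The security driver otherwise doesn't have enough information to make` / `* this decision. The flag is not preserved by virStorageSourceCopy().`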
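Review bot: in the security_dac.c hunk the override could be folded into the expression computed two lines above, `remember = isChainTop && !src->readonly && !src->shared && !src->seclabelSkipRemember;`, which keeps every condition that decides remembering in one place instead of a separate `if` that flips the result afterwards. Style only, no behaviour change.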
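Review bot: the security_selinux.c hunk checks `src->seclabelSkipRemember` only in the `else` (path-based) branch and not in the FD branch. That is correct, because the FD branch calls virSecuritySELinuxFSetFilecon without `remember` and therefore never records a label, but the DAC hunk applies the flag unconditionally, so a one-line comment on the SELinux side noting that the FD path never remembers would stop a reader from flagging the asymmetry between the two drivers.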
From: Andrea Bolognani
To: devel@lists.libvirt.org
Subject: [PATCH v6 11/13] qemu: migration: Don't remember seclabel for images shared from current host
Date: Fri, 30 Aug 2024 17:13:43 +0200
Message-ID: <20240830151345.717568-12-abologna@redhat.com>
In-Reply-To: <20240830151345.717568-1-abologna@redhat.com>

From: Peter Krempa

In case when the user exports images from current host and there is an incoming migration from a remote host, security label remembering would be possible but would attempt to remember the label allowing access to the image as the image is already used by a VM on remote host.

To prevent remembering the wrong label, we'll skip the remembering of the label for any shared resource, so that the code behaves identically regardless of how the image is accessed.

Signed-off-by: Peter Krempa
Reviewed-by: Andrea Bolognani
Signed-off-by: Andrea Bolognani Reviewed-by: Peter Krempa --- src/qemu/qemu_migration.c | 63 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c index e5c1784f0e..c3a6678e2f 100644 --- a/src/qemu/qemu_migration.c +++ b/src/qemu/qemu_migration.c 
@@ -533,6 +533,67 @@ qemuMigrationDstPrepareStorage(virDomainObj *vm, } =20 =20 +static void +qemuMigrationDstPrepareDiskSeclabelOne(virStorageSource *src, + char *const *sharedFilesystems) +{ + if (!virStorageSourceIsLocalStorage(src)) + return; + + /* We care only about existing local storage */ + if (virStorageSourceIsEmpty(src)) + return; + + /* Only paths which are on local filesystem but shared elsewhere are r= elevant */ + if (!virFileIsSharedFSOverride(src->path, sharedFilesystems)) + return; + + src->seclabelSkipRemember =3D true; +} + + +static void +qemuMigrationDstPrepareDiskSeclabels(virDomainObj *vm, + size_t nmigrate_disks, + const char **migrate_disks, + unsigned int flags) +{ + qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(priv->dr= iver); + size_t i; + + /* In case when storage is exported from this host, security label + * remembering would behave differently compared to the host which mou= nts + * the exported filesystem. Specifically for incoming migration rememb= ering + * a seclabel would remember a seclabel already allowing access to the= image, + * which is not desired. Thus we skip remembering of seclabels for ima= ges + * which are local to this host but accessed in a shared way from anot= her + * host. 
+ */ + if (!cfg->sharedFilesystems || + cfg->sharedFilesystems[0] =3D=3D NULL) + return; + + for (i =3D 0; i < vm->def->ndisks; i++) { + virDomainDiskDef *disk =3D vm->def->disks[i]; + + /* Any storage that was migrated via NBD is technically fully loca= l so + * we want seclabels remembered */ + if (flags & (VIR_MIGRATE_NON_SHARED_DISK | VIR_MIGRATE_NON_SHARED_= INC)) { + if (qemuMigrationAnyCopyDisk(disk, nmigrate_disks, migrate_dis= ks)) + continue; + } + + qemuMigrationDstPrepareDiskSeclabelOne(disk->src, cfg->sharedFiles= ystems); + } + + if (vm->def->os.loader && vm->def->os.loader->nvram) { + qemuMigrationDstPrepareDiskSeclabelOne(vm->def->os.loader->nvram, + cfg->sharedFilesystems); + } +} + + /** * qemuMigrationDstStartNBDServer: * @driver: qemu driver 
@@ -3171,6 +3232,8 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver, dataFD[0]))) goto error; =20 + qemuMigrationDstPrepareDiskSeclabels(vm, nmigrate_disks, migrate_disks= , flags); + if (qemuProcessPrepareDomain(driver, vm, startFlags) < 0) goto error; =20 --=20 2.46.0
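Review bot: qemuMigrationDstPrepareDiskSeclabels() in the first hunk marks only the top-level `disk->src` of each disk (plus the NVRAM source); nothing walks a backing chain, so an overlay whose backing file lives on a filesystem listed in `cfg->sharedFilesystems` would still get its label remembered. If that is intentional, for instance because the chain is not populated yet at this point of the prepare phase, a comment next to the `for` loop should say so; otherwise qemuMigrationDstPrepareDiskSeclabelOne() should be applied to every chain member. Minor: both new static functions lack a doc comment, unlike the neighbouring `qemuMigrationDstStartNBDServer`, whose `/** ... @driver: qemu driver` header is visible right after them.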
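Review bot: the call added before qemuProcessPrepareDomain() in the second hunk sets `seclabelSkipRemember` on the destination during prepare, and no hunk in this patch ever clears it, so once migration has completed and the image is accessed only from this host, label remembering stays disabled for that source for as long as the domain object lives. Please confirm that this is acceptable (the commit message only describes the incoming-migration window) or reset the flag when migration finishes, and record the decision in the comment block that explains the skip.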
From: Andrea Bolognani
To: devel@lists.libvirt.org
Subject: [PATCH v6 12/13] security: Always forget labels for TPM state directory
Date: Fri, 30 Aug 2024 17:13:44 +0200
Message-ID: <20240830151345.717568-13-abologna@redhat.com>
In-Reply-To: <20240830151345.717568-1-abologna@redhat.com>

In the case of outgoing migration, we avoid restoring the remembered labels for the TPM state directory because doing so would risk cutting off storage access for the target node.

Even in that case though, we should still forget (unref) the remembered labels: if we don't, the source node will keep thinking that the state directory is in use.

Signed-off-by: Andrea Bolognani
Reviewed-by: Peter Krempa
---
 src/security/security_selinux.c | 54 +++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c
index 3e213a553b..4f13d305d9 100644
--- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -210,6 +210,51 @@ virSecuritySELinuxRecallLabel(const char *path, } =20 =20 +/** + * virSecuritySELinuxForgetLabels: + * @path: file or directory to work on + * + * Forgets rememebered SELinux labels for @path, including its + * children if it is a directory. + * + * This is intended to be used in cleanup paths, so failure to forget + * a single label is not considered fatal; instead, a best-effort + * attempt to continue and forget as many labels as possible will be + * made. + * + * Returns: 0 on success, <0 on failure + */ +static int +virSecuritySELinuxForgetLabels(const char *path) +{ + int ret =3D 0; + struct dirent *ent; + g_autoptr(DIR) dir =3D NULL; + g_autofree char *con =3D NULL; + + if (virSecuritySELinuxRecallLabel(path, &con) < 0) + VIR_WARN("Failed to forget remembered SELinux labels for %s, ignor= ing", path); + + if (!virFileIsDir(path)) + return 0; + + if (virDirOpen(&dir, path) < 0) + return -1; + + while ((ret =3D virDirRead(dir, &ent, path)) > 0) { + g_autofree char *spath =3D NULL; + g_autofree char *scon =3D NULL; + + spath =3D g_strdup_printf("%s/%s", path, ent->d_name); + + if (virSecuritySELinuxRecallLabel(spath, &scon) < 0) + VIR_WARN("Failed to forget remembered SELinux labels for %s, i= gnoring", spath); + } + + return ret; +} + + static int virSecuritySELinuxSetFilecon(virSecurityManager *mgr, const char *path, const char *tcon, 
@@ -3709,6 +3754,15 @@ virSecuritySELinuxRestoreTPMLabels(virSecurityManage= r *mgr, if (restoreTPMStateLabel) { ret =3D virSecuritySELinuxRestoreFileLabels(mgr, def->tpms[i]->data.e= mulator.storagepath); + } else { + g_autofree char *oldlabel =3D NULL; + + /* Even if we're not restoring the original label for the + * TPM state directory, we should still forget any + * remembered label so that a subsequent attempt at TPM + * startup will not fail due to the state directory being + * considered as still in use */ + ignore_value(virSecuritySELinuxForgetLabels(def->tpms[i]->data= .emulator.storagepath)); } =20 if (ret =3D=3D 0 && --=20 2.46.0
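Review bot: virSecuritySELinuxForgetLabels() in the first hunk descends exactly one level: it recalls the label for `path` itself and then for each entry returned by virDirRead(), so a subdirectory inside the TPM state directory would have its own label recalled but its contents would not. The doc comment says "including its children if it is a directory", which a reader may take to mean recursive; either say "direct children" or recurse. Two smaller points in the same comment block: "rememebered" is a typo, and "Returns: 0 on success, <0 on failure" should say that only virDirOpen()/virDirRead() failures yield -1, because per-file recall failures are deliberately downgraded to VIR_WARN.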
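Review bot: in the new `else` branch of virSecuritySELinuxRestoreTPMLabels() (second hunk), `g_autofree char *oldlabel =3D NULL;` is declared and never used; drop it, as it looks like a leftover from a revision that called virSecuritySELinuxRecallLabel() directly instead of the new helper. Wrapping the helper in ignore_value() matches the best-effort intent stated in the commit message, so `ret` is correctly left untouched on this path.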
From: Andrea Bolognani
To: devel@lists.libvirt.org
Subject: [PATCH v6 13/13] qemu: Don't lock TPM state directory for incoming migration
Date: Fri, 30 Aug 2024 17:13:45 +0200
Message-ID: <20240830151345.717568-14-abologna@redhat.com>
In-Reply-To: <20240830151345.717568-1-abologna@redhat.com>

We will never be able to acquire the lock on the destination host because the swtpm process that's running on the source host is still holding on to it.

Signed-off-by: Andrea Bolognani
---
 src/qemu/qemu_security.c | 10 ++++++----
 src/qemu/qemu_security.h | 6 ++++--
 src/qemu/qemu_tpm.c | 20 +++++++++++++++++---
 3 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
index 996c95acc0..11af9100fb 100644
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@@ -537,7 +537,8 @@ qemuSecurityRestoreNetdevLabel(virQEMUDriver *driver, int qemuSecuritySetTPMLabels(virQEMUDriver *driver, virDomainObj *vm, - bool setTPMStateLabel) + bool setTPMStateLabel, + bool attemptLocking) { qemuDomainObjPrivate *priv =3D vm->privateData; g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); @@ -552,7 +553,7 @@ qemuSecuritySetTPMLabels(virQEMUDriver *driver, goto cleanup; =20 if (virSecurityManagerTransactionCommit(driver->securityManager, - -1, priv->rememberOwner) < 0) + -1, priv->rememberOwner && att= emptLocking) < 0) goto cleanup; =20 ret =3D 0; @@ -565,7 +566,8 @@ qemuSecuritySetTPMLabels(virQEMUDriver *driver, int qemuSecurityRestoreTPMLabels(virQEMUDriver *driver, virDomainObj *vm, - bool restoreTPMStateLabel) + bool restoreTPMStateLabel, + bool attemptLocking) { qemuDomainObjPrivate *priv =3D vm->privateData; g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); @@ -580,7 +582,7 @@ qemuSecurityRestoreTPMLabels(virQEMUDriver *driver, goto cleanup; =20 if (virSecurityManagerTransactionCommit(driver->securityManager, - -1, priv->rememberOwner) < 0) + -1, priv->rememberOwner && att= emptLocking) < 0) goto cleanup; =20 ret =3D 0; diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h index 32f29bc210..4e3186a2af 100644 --- a/src/qemu/qemu_security.h +++ b/src/qemu/qemu_security.h @@ -87,11 +87,13 @@ int qemuSecurityRestoreNetdevLabel(virQEMUDriver *drive= r, =20 int qemuSecuritySetTPMLabels(virQEMUDriver *driver, virDomainObj *vm, - bool setTPMStateLabel); + bool setTPMStateLabel, + bool attemptLocking); =20 int qemuSecurityRestoreTPMLabels(virQEMUDriver *driver, virDomainObj *vm, - bool restoreTPMStateLabel); + bool restoreTPMStateLabel, + bool attemptLocking); =20 int qemuSecuritySetSavedStateLabel(virQEMUDriver *driver, virDomainObj *vm, diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 55927b4582..6ab4fc9d01 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c 
@@ -934,6 +934,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, virTimeBackOffVar timebackoff; const unsigned long long timeout =3D 1000; /* ms */ pid_t pid =3D -1; + bool attemptLocking =3D true; =20 cfg =3D virQEMUDriverGetConfig(driver); =20 @@ -959,7 +960,20 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, virCommandSetPidFile(cmd, pidfile); virCommandSetErrorFD(cmd, &errfd); =20 - if (qemuSecuritySetTPMLabels(driver, vm, true) < 0) + if (incomingMigration && qemuTPMHasSharedStorage(driver, vm->def)) { + /* If the TPM is being migrated over shared storage, we can't + * lock the files before labeling them: the source swtpm + * process is still holding a lock on some of them, and it + * will only release it after negotiation with the target + * swtpm process, which we can't start until labeling has + * been performed. + * + * So we run with fewer guarantees in this specific, narrow + * scenario in order to make the migration possible at all */ + attemptLocking =3D false; + } + + if (qemuSecuritySetTPMLabels(driver, vm, true, attemptLocking) < 0) return -1; =20 if (qemuSecurityCommandRun(driver, vm, cmd, cfg->swtpm_user, @@ -1008,7 +1022,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver, virProcessKillPainfully(pid, true); if (pidfile) unlink(pidfile); - qemuSecurityRestoreTPMLabels(driver, vm, true); + qemuSecurityRestoreTPMLabels(driver, vm, true, attemptLocking); return -1; } =20 @@ -1144,7 +1158,7 @@ qemuExtTPMStop(virQEMUDriver *driver, if (outgoingMigration && qemuTPMHasSharedStorage(driver, vm->def)) restoreTPMStateLabel =3D false; =20 - if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel) < 0) + if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel, tru= e) < 0) VIR_WARN("Unable to restore labels on TPM state and/or log file"); } =20 --=20 2.46.0
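Review bot: the new `attemptLocking` parameter of qemuSecuritySetTPMLabels()/qemuSecurityRestoreTPMLabels() is folded into the `lock` argument of virSecurityManagerTransactionCommit() as `priv->rememberOwner && attemptLocking`, which is correct, but neither the qemu_security.h prototypes nor the two .c functions document what a caller gives up by passing false (the metadata lock that normally serialises concurrent label changes on the same files). A short comment on the header declarations, mirroring the explanation that currently lives only in qemuTPMEmulatorStart(), would keep the contract discoverable from the API.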
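Review bot: in qemuTPMEmulatorStart() `attemptLocking` is cleared for `incomingMigration && qemuTPMHasSharedStorage()` and the same value is reused for qemuSecurityRestoreTPMLabels() on the error path, which is consistent. In the qemuExtTPMStop() hunk, however, the call passes a literal `true` even right after `outgoingMigration && qemuTPMHasSharedStorage()` has set `restoreTPMStateLabel =3D false`; that is the mirror of the situation the commit message describes, with the peer's swtpm possibly holding the lock on the shared state. If locking is harmless there because the state directory is excluded from the transaction when `restoreTPMStateLabel` is false, a comment saying so would help; otherwise derive the argument from the same condition.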