From nobody Thu Sep 19 16:26:09 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=fail(p=none dis=none)  header.from=redhat.com
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1725031131722791.8473203813785;
 Fri, 30 Aug 2024 08:18:51 -0700 (PDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id 9C9B6153F; Fri, 30 Aug 2024 11:18:50 -0400 (EDT)
Received: from lists.libvirt.org (localhost [IPv6:::1])
	by lists.libvirt.org (Postfix) with ESMTP id 7EB411258;
	Fri, 30 Aug 2024 11:14:28 -0400 (EDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id 35ED2129A; Fri, 30 Aug 2024 11:14:24 -0400 (EDT)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id 3E0F714FE
	for <devel@lists.libvirt.org>; Fri, 30 Aug 2024 11:14:04 -0400 (EDT)
Received: from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-457-UNT6XugtPbKSFDUoc2Kncw-1; Fri,
 30 Aug 2024 11:14:02 -0400
Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id C0952195608A
	for <devel@lists.libvirt.org>; Fri, 30 Aug 2024 15:14:01 +0000 (UTC)
Received: from harajuku.usersys.redhat.com.homenet.telecomitalia.it (unknown
 [10.45.224.110])
	by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id E22481955F45
	for <devel@lists.libvirt.org>; Fri, 30 Aug 2024 15:14:00 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=unavailable autolearn_force=no version=3.4.4
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1725030843;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=k3FKF8fhEiE0gwg/sfg4wzpcNx9tn2GuIXBMhifjloo=;
	b=UTPIs+RqVtnjwx3xRIrxqIkERVwVZlP2cTxFkfv3wsq9SaolcAjmqunSEgXtO9vir1YblI
	ci3MlGiuzomwI4wlJYXK30U6qwwA6oIJim1krioXLOHYnrZTBVmag9C2X7hAtQG7PW20Mm
	ftLuQ0O43Rn8sv2hazh3Ew48hIHh2m0=
X-MC-Unique: UNT6XugtPbKSFDUoc2Kncw-1
From: Andrea Bolognani <abologna@redhat.com>
To: devel@lists.libvirt.org
Subject: [PATCH v6 09/13] security_(dac|selinux): Unref remembered security
 labels on outgoing migration
Date: Fri, 30 Aug 2024 17:13:41 +0200
Message-ID: <20240830151345.717568-10-abologna@redhat.com>
In-Reply-To: <20240830151345.717568-1-abologna@redhat.com>
References: <20240830151345.717568-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: AS4WXEIWWUNRW7N7IYTLOI66KSBY5H6B
X-Message-ID-Hash: AS4WXEIWWUNRW7N7IYTLOI66KSBY5H6B
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-config-1;
 header-match-config-2; header-match-config-3;
 header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 suspicious-header
X-Mailman-Version: 3.2.2
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/AS4WXEIWWUNRW7N7IYTLOI66KSBY5H6B/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1725031143704116600
Content-Type: text/plain; charset="utf-8"; x-default="true"

From: Peter Krempa <pkrempa@redhat.com>

When 'qemuSecurityRestoreAllLabel' is called on outgoing migration it
skips the actual relabeling part of the images in dac/selinux drivers in
order to avoid cutting off access to the image.

As shared filesystems don't really support the trusted XATTR groups,
remembering of security labels never worked on those paths so we never
actually had remembered seclabels for images that could be migrated.

With recent changes we now support migration from local storage to
remote in case the admin declares it as shared. This means that in case
when the VM is started on local storage we'd actually store seclabels,
but when migrating out the XATTRs remembering the seclabels would not
actually be unref'd and thus the seclabels would leak.

As we can't know whether a remote host will be able to use the XATTRs or
not (but really it won't) and at the same time the destination side of
migration will actually call 'qemuSecuritySetAllLabel' setting/refing
it's own seclabels we really need to unref them on our side.

This patch adds the appropriate *RecallLabel() calls on the code paths
in which relabelling is skipped due to migration.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
 src/security/security_dac.c     | 3 +++
 src/security/security_selinux.c | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 95dbe4636f..c327e4c9e0 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1022,6 +1022,9 @@ virSecurityDACRestoreImageLabelInt(virSecurityManager=
 *mgr,
         if (rc =3D=3D 1) {
             VIR_DEBUG("Skipping image label restore on %s because FS is sh=
ared",
                       src->path);
+
+            ignore_value(virSecurityDACRecallLabel(priv, src->path, NULL, =
NULL));
+
             return 0;
         }
     }
diff --git a/src/security/security_selinux.c b/src/security/security_selinu=
x.c
index 453ac67d25..779a52ac11 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1837,8 +1837,15 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityMa=
nager *mgr,
         }
=20
         if (rc =3D=3D 1) {
+            g_autofree char *oldlabel =3D NULL;
+
             VIR_DEBUG("Skipping image label restore on %s because FS is sh=
ared",
                       src->path);
+
+            /* We still want to remove the local reference of the remember=
ed
+             * seclabel. The destination will take its own reference when
+             * starting the migrated VM */
+            ignore_value(virSecuritySELinuxRecallLabel(src->path, &oldlabe=
l));
             return 0;
         }
     }
--=20
2.46.0