From nobody Thu Sep 19 16:47:03 2024
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates
 8.43.85.245 as permitted sender) client-ip=8.43.85.245;
 envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org;
Authentication-Results: mx.zohomail.com;
	dkim=fail;
	spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as
 permitted sender)  smtp.mailfrom=devel-bounces@lists.libvirt.org;
	dmarc=fail(p=none dis=none)  header.from=redhat.com
Return-Path: <devel-bounces@lists.libvirt.org>
Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by
 mx.zohomail.com
	with SMTPS id 1725031174125670.2537340928595;
 Fri, 30 Aug 2024 08:19:34 -0700 (PDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id 0EFE2158C; Fri, 30 Aug 2024 11:19:33 -0400 (EDT)
Received: from lists.libvirt.org (localhost [IPv6:::1])
	by lists.libvirt.org (Postfix) with ESMTP id F0AE61550;
	Fri, 30 Aug 2024 11:14:32 -0400 (EDT)
Received: by lists.libvirt.org (Postfix, from userid 996)
	id D7A8C14C1; Fri, 30 Aug 2024 11:14:24 -0400 (EDT)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by lists.libvirt.org (Postfix) with ESMTPS id E87101449
	for <devel@lists.libvirt.org>; Fri, 30 Aug 2024 11:14:06 -0400 (EDT)
Received: from mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-277-_5pQX4tMOquzjppXBO3FYw-1; Fri,
 30 Aug 2024 11:14:05 -0400
Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com
 (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS
 id 8D5721955F43
	for <devel@lists.libvirt.org>; Fri, 30 Aug 2024 15:14:04 +0000 (UTC)
Received: from harajuku.usersys.redhat.com.homenet.telecomitalia.it (unknown
 [10.45.224.110])
	by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with
 ESMTPS id 932E119560AA
	for <devel@lists.libvirt.org>; Fri, 30 Aug 2024 15:14:03 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=unavailable autolearn_force=no version=3.4.4
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1725030846;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=9E1zxFg4jZNO9JvD+L5K1EOw+S5BVLU2rCCCIZIdlwE=;
	b=L8ck0eGD3h65oGAHnHSaHfAQQ9UNIg9M0IRHDrHcw11M6Hf/GbcaCrVDXoVwnv3bfsdaoZ
	Dv9itQu8WkbsIyQSiGfk7Yi1tlCdTlbdHUyKEhsG8TjSPCyTft7G5WEHG7O7KdTqRmgajG
	7dRWQ00ZtJMpg+HxuTmxcbq7WgkqMbE=
X-MC-Unique: _5pQX4tMOquzjppXBO3FYw-1
From: Andrea Bolognani <abologna@redhat.com>
To: devel@lists.libvirt.org
Subject: [PATCH v6 11/13] qemu: migration: Don't remember seclabel for images
 shared from current host
Date: Fri, 30 Aug 2024 17:13:43 +0200
Message-ID: <20240830151345.717568-12-abologna@redhat.com>
In-Reply-To: <20240830151345.717568-1-abologna@redhat.com>
References: <20240830151345.717568-1-abologna@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: X2HXDKVEHW7NT2MRCZMSRHLFEZJ4NZQQ
X-Message-ID-Hash: X2HXDKVEHW7NT2MRCZMSRHLFEZJ4NZQQ
X-MailFrom: abologna@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-config-1;
 header-match-config-2; header-match-config-3;
 header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 suspicious-header
X-Mailman-Version: 3.2.2
Precedence: list
List-Id: Development discussions about the libvirt library & tools
 <devel.lists.libvirt.org>
Archived-At: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/message/X2HXDKVEHW7NT2MRCZMSRHLFEZJ4NZQQ/>
List-Archive: 
 <https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/>
List-Help: <mailto:devel-request@lists.libvirt.org?subject=help>
List-Post: <mailto:devel@lists.libvirt.org>
List-Subscribe: <mailto:devel-join@lists.libvirt.org>
List-Unsubscribe: <mailto:devel-leave@lists.libvirt.org>
X-ZohoMail-DKIM: fail (Header signature does not verify)
X-ZM-MESSAGEID: 1725031175873116600
Content-Type: text/plain; charset="utf-8"; x-default="true"

From: Peter Krempa <pkrempa@redhat.com>

In case when the user exports images from current host and there is an
incoming migration from a remote host, security label remembering would
be possible but would attempt to remember the label allowing access to
the image as the image is already used by a VM on remote host.

To prevent remembering the wrong label, we'll skip the remembering of
the label for any shared resource, so that the code behaves identically
regardless of how the image is accessed.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
---
 src/qemu/qemu_migration.c | 63 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index e5c1784f0e..c3a6678e2f 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -533,6 +533,67 @@ qemuMigrationDstPrepareStorage(virDomainObj *vm,
 }
=20
=20
+static void
+qemuMigrationDstPrepareDiskSeclabelOne(virStorageSource *src,
+                                       char *const *sharedFilesystems)
+{
+    if (!virStorageSourceIsLocalStorage(src))
+        return;
+
+    /* We care only about existing local storage */
+    if (virStorageSourceIsEmpty(src))
+        return;
+
+    /* Only paths which are on local filesystem but shared elsewhere are r=
elevant */
+    if (!virFileIsSharedFSOverride(src->path, sharedFilesystems))
+        return;
+
+    src->seclabelSkipRemember =3D true;
+}
+
+
+static void
+qemuMigrationDstPrepareDiskSeclabels(virDomainObj *vm,
+                                     size_t nmigrate_disks,
+                                     const char **migrate_disks,
+                                     unsigned int flags)
+{
+    qemuDomainObjPrivate *priv =3D vm->privateData;
+    g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(priv->dr=
iver);
+    size_t i;
+
+    /* In case when storage is exported from this host, security label
+     * remembering would behave differently compared to the host which mou=
nts
+     * the exported filesystem. Specifically for incoming migration rememb=
ering
+     * a seclabel would remember a seclabel already allowing access to the=
 image,
+     * which is not desired. Thus we skip remembering of seclabels for ima=
ges
+     * which are local to this host but accessed in a shared way from anot=
her
+     * host.
+     */
+    if (!cfg->sharedFilesystems ||
+        cfg->sharedFilesystems[0] =3D=3D NULL)
+        return;
+
+    for (i =3D 0; i < vm->def->ndisks; i++) {
+        virDomainDiskDef *disk =3D vm->def->disks[i];
+
+        /* Any storage that was migrated via NBD is technically fully loca=
l so
+         * we want seclabels remembered */
+        if (flags & (VIR_MIGRATE_NON_SHARED_DISK | VIR_MIGRATE_NON_SHARED_=
INC)) {
+            if (qemuMigrationAnyCopyDisk(disk, nmigrate_disks, migrate_dis=
ks))
+                continue;
+        }
+
+        qemuMigrationDstPrepareDiskSeclabelOne(disk->src, cfg->sharedFiles=
ystems);
+    }
+
+    if (vm->def->os.loader && vm->def->os.loader->nvram) {
+        qemuMigrationDstPrepareDiskSeclabelOne(vm->def->os.loader->nvram,
+                                               cfg->sharedFilesystems);
+    }
+}
+
+
 /**
  * qemuMigrationDstStartNBDServer:
  * @driver: qemu driver
@@ -3171,6 +3232,8 @@ qemuMigrationDstPrepareActive(virQEMUDriver *driver,
                                              dataFD[0])))
         goto error;
=20
+    qemuMigrationDstPrepareDiskSeclabels(vm, nmigrate_disks, migrate_disks=
, flags);
+
     if (qemuProcessPrepareDomain(driver, vm, startFlags) < 0)
         goto error;
=20
--=20
2.46.0