Best viewed with 'git show -w'.
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
src/security/security_dac.c | 22 +++++++++++---
src/security/security_selinux.c | 53 +++++++++++++++++++++------------
src/security/virt-aa-helper.c | 44 ++++++++++++++++-----------
3 files changed, 78 insertions(+), 41 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index d0ed22db2d..a8d5c23f97 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -2061,11 +2061,17 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr,
rc = -1;
}
- if (def->os.loader && def->os.loader->nvram) {
- if (virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems,
+ if (def->os.loader) {
+ if (def->os.loader->nvram &&
+ virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems,
def, def->os.loader->nvram,
migrated) < 0)
rc = -1;
+
+ if (def->os.varstore &&
+ def->os.varstore->path &&
+ virSecurityDACRestoreFileLabel(mgr, def->os.varstore->path) < 0)
+ rc = -1;
}
if (def->os.kernel &&
@@ -2310,12 +2316,20 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr,
return -1;
}
- if (def->os.loader && def->os.loader->nvram) {
- if (virSecurityDACSetImageLabel(mgr, sharedFilesystems,
+ if (def->os.loader) {
+ if (def->os.loader->nvram &&
+ virSecurityDACSetImageLabel(mgr, sharedFilesystems,
def, def->os.loader->nvram,
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN |
VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP) < 0)
return -1;
+
+ if (def->os.varstore &&
+ def->os.varstore->path &&
+ virSecurityDACSetOwnership(mgr, NULL,
+ def->os.varstore->path,
+ user, group, true) < 0)
+ return -1;
}
if (def->os.kernel &&
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 834383a7de..7b831e228d 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2993,11 +2993,18 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr,
rc = -1;
}
- if (def->os.loader && def->os.loader->nvram) {
- if (virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
+ if (def->os.loader) {
+ if (def->os.loader->nvram &&
+ virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
def, def->os.loader->nvram,
migrated) < 0)
rc = -1;
+
+ if (def->os.varstore &&
+ def->os.varstore->path &&
+ virSecuritySELinuxRestoreFileLabel(mgr, def->os.varstore->path,
+ true, false) < 0)
+ rc = -1;
}
if (def->os.kernel &&
@@ -3341,6 +3348,22 @@ virSecuritySELinuxSetSysinfoLabel(virSecurityManager *mgr,
}
+static int
+virSecuritySELinuxDomainSetPathLabel(virSecurityManager *mgr,
+ virDomainDef *def,
+ const char *path,
+ bool allowSubtree G_GNUC_UNUSED)
+{
+ virSecurityLabelDef *seclabel;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (!seclabel || !seclabel->relabel)
+ return 0;
+
+ return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel, true);
+}
+
+
static int
virSecuritySELinuxSetAllLabel(virSecurityManager *mgr,
char *const *sharedFilesystems,
@@ -3421,12 +3444,19 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr,
return -1;
}
- if (def->os.loader && def->os.loader->nvram) {
- if (virSecuritySELinuxSetImageLabel(mgr, sharedFilesystems,
+ if (def->os.loader) {
+ if (def->os.loader->nvram &&
+ virSecuritySELinuxSetImageLabel(mgr, sharedFilesystems,
def, def->os.loader->nvram,
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN |
VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP) < 0)
return -1;
+
+ if (def->os.varstore &&
+ def->os.varstore->path &&
+ virSecuritySELinuxDomainSetPathLabel(mgr, def,
+ def->os.varstore->path, true) < 0)
+ return -1;
}
if (def->os.kernel &&
@@ -3593,21 +3623,6 @@ virSecuritySELinuxGetSecurityMountOptions(virSecurityManager *mgr,
return opts;
}
-static int
-virSecuritySELinuxDomainSetPathLabel(virSecurityManager *mgr,
- virDomainDef *def,
- const char *path,
- bool allowSubtree G_GNUC_UNUSED)
-{
- virSecurityLabelDef *seclabel;
-
- seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
- if (!seclabel || !seclabel->relabel)
- return 0;
-
- return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel, true);
-}
-
static int
virSecuritySELinuxDomainSetPathLabelRO(virSecurityManager *mgr,
virDomainDef *def,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 3ac4740fb5..e932e79dab 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1019,27 +1019,35 @@ get_files(vahControl * ctl)
return -1;
}
- if (ctl->def->os.loader && ctl->def->os.loader->path) {
- bool readonly = false;
-
- /* Look at the readonly attribute, but also keep in mind that ROMs
- * are always loaded read-only regardless of whether the attribute
- * is present. Validation ensures that nonsensical configurations
- * (type=rom readonly=no) are rejected long before we get here */
- virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);
- if (ctl->def->os.loader->type == VIR_DOMAIN_LOADER_TYPE_ROM)
- readonly = true;
-
- if (vah_add_file(&buf,
- ctl->def->os.loader->path,
- readonly ? "rk" : "rwk") != 0) {
+ if (ctl->def->os.loader) {
+ if (ctl->def->os.loader->path) {
+ bool readonly = false;
+
+ /* Look at the readonly attribute, but also keep in mind that ROMs
+ * are always loaded read-only regardless of whether the attribute
+ * is present. Validation ensures that nonsensical configurations
+ * (type=rom readonly=no) are rejected long before we get here */
+ virTristateBoolToBool(ctl->def->os.loader->readonly, &readonly);
+ if (ctl->def->os.loader->type == VIR_DOMAIN_LOADER_TYPE_ROM)
+ readonly = true;
+
+ if (vah_add_file(&buf,
+ ctl->def->os.loader->path,
+ readonly ? "rk" : "rwk") != 0) {
+ return -1;
+ }
+ }
+
+ if (ctl->def->os.loader->nvram &&
+ storage_source_add_files(ctl->def->os.loader->nvram, &buf, 0) < 0) {
return -1;
}
- }
- if (ctl->def->os.loader && ctl->def->os.loader->nvram &&
- storage_source_add_files(ctl->def->os.loader->nvram, &buf, 0) < 0) {
- return -1;
+ if (ctl->def->os.varstore &&
+ ctl->def->os.varstore->path &&
+ vah_add_file(&buf, ctl->def->os.varstore->path, "rw") != 0) {
+ return -1;
+ }
}
for (i = 0; i < ctl->def->ngraphics; i++) {
--
2.53.0