From nobody Thu Nov 28 01:34:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1534245609937975.8534657141653; Tue, 14 Aug 2018 04:20:09 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 48BE23082A33; Tue, 14 Aug 2018 11:20:07 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 08B323001A6D; Tue, 14 Aug 2018 11:20:07 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 96EBC18037F2; Tue, 14 Aug 2018 11:20:06 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id w7EBJo4u012438 for ; Tue, 14 Aug 2018 07:19:50 -0400 Received: by smtp.corp.redhat.com (Postfix) id 9A9032027047; Tue, 14 Aug 2018 11:19:50 +0000 (UTC) Received: from moe.brq.redhat.com (unknown [10.43.2.192]) by smtp.corp.redhat.com (Postfix) with ESMTP id 39B052026D7E for ; Tue, 14 Aug 2018 11:19:50 +0000 (UTC) From: Michal Privoznik To: libvir-list@redhat.com Date: Tue, 14 Aug 2018 13:19:43 +0200 Message-Id: <795c0df95f015229e7252b6c331b357b94eba657.1534245398.git.mprivozn@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v2 7/7] qemu_security: Lock metadata while relabelling X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.26 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.45]); Tue, 14 Aug 2018 11:20:08 +0000 (UTC) X-ZohoMail: RDMRC_0 RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Fortunately, we have qemu wrappers so it's sufficient to put lock/unlock call only there. Signed-off-by: Michal Privoznik --- src/qemu/qemu_security.c | 107 +++++++++++++++++++++++++++++++++++++++++++= ++++ 1 file changed, 107 insertions(+) diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c index af3be42854..527563947c 100644 --- a/src/qemu/qemu_security.c +++ b/src/qemu/qemu_security.c @@ -26,6 +26,7 @@ #include "qemu_domain.h" #include "qemu_security.h" #include "virlog.h" +#include "locking/domain_lock.h" =20 #define VIR_FROM_THIS VIR_FROM_QEMU =20 @@ -39,6 +40,12 @@ qemuSecuritySetAllLabel(virQEMUDriverPtr driver, { int ret =3D -1; qemuDomainObjPrivatePtr priv =3D vm->privateData; + bool locked =3D false; + + if (virDomainLockMetadataLock(driver->lockManager, vm) < 0) + goto cleanup; + + locked =3D true; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) && virSecurityManagerTransactionStart(driver->securityManager) < 0) @@ -55,9 +62,17 @@ qemuSecuritySetAllLabel(virQEMUDriverPtr driver, vm->pid) < 0) goto cleanup; =20 + locked =3D false; + + if (virDomainLockMetadataUnlock(driver->lockManager, vm) < 0) + goto cleanup; + ret =3D 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); + if (locked && + virDomainLockMetadataUnlock(driver->lockManager, vm) < 0) + VIR_WARN("unable to release metadata lock"); return ret; } =20 @@ -68,6 +83,10 @@ qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver, bool migrated) { qemuDomainObjPrivatePtr priv =3D vm->privateData; + bool unlock =3D true; + + if (virDomainLockMetadataLock(driver->lockManager, vm) < 0) + unlock =3D false; =20 /* In contrast to qemuSecuritySetAllLabel, do not use * secdriver transactions here. This function is called from @@ -79,6 +98,10 @@ qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver, vm->def, migrated, priv->chardevStdioLogd); + + if (unlock && + virDomainLockMetadataUnlock(driver->lockManager, vm) < 0) + VIR_WARN("unable to release metadata lock"); } =20 =20 @@ -88,6 +111,12 @@ qemuSecuritySetDiskLabel(virQEMUDriverPtr driver, virDomainDiskDefPtr disk) { int ret =3D -1; + bool locked =3D false; + + if (virDomainLockMetadataDiskLock(driver->lockManager, vm, disk) < 0) + goto cleanup; + + locked =3D true; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) && virSecurityManagerTransactionStart(driver->securityManager) < 0) @@ -103,9 +132,17 @@ qemuSecuritySetDiskLabel(virQEMUDriverPtr driver, vm->pid) < 0) goto cleanup; =20 + locked =3D false; + + if (virDomainLockMetadataDiskUnlock(driver->lockManager, vm, disk) < 0) + goto cleanup; + ret =3D 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); + if (locked && + virDomainLockMetadataDiskUnlock(driver->lockManager, vm, disk) < 0) + VIR_WARN("unable to release disk metadata lock"); return ret; } =20 @@ -116,6 +153,12 @@ qemuSecurityRestoreDiskLabel(virQEMUDriverPtr driver, virDomainDiskDefPtr disk) { int ret =3D -1; + bool locked =3D false; + + if (virDomainLockMetadataDiskLock(driver->lockManager, vm, disk) < 0) + goto cleanup; + + locked =3D true; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) && virSecurityManagerTransactionStart(driver->securityManager) < 0) @@ -131,9 +174,17 @@ qemuSecurityRestoreDiskLabel(virQEMUDriverPtr driver, vm->pid) < 0) goto cleanup; =20 + locked =3D false; + + if (virDomainLockMetadataDiskUnlock(driver->lockManager, vm, disk) < 0) + goto cleanup; + ret =3D 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); + if (locked && + virDomainLockMetadataDiskUnlock(driver->lockManager, vm, disk) < 0) + VIR_WARN("unable to release disk metadata lock"); return ret; } =20 @@ -144,6 +195,12 @@ qemuSecuritySetImageLabel(virQEMUDriverPtr driver, virStorageSourcePtr src) { int ret =3D -1; + bool locked =3D false; + + if (virDomainLockMetadataImageLock(driver->lockManager, vm, src) < 0) + goto cleanup; + + locked =3D true; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) && virSecurityManagerTransactionStart(driver->securityManager) < 0) @@ -159,9 +216,17 @@ qemuSecuritySetImageLabel(virQEMUDriverPtr driver, vm->pid) < 0) goto cleanup; =20 + locked =3D false; + + if (virDomainLockMetadataImageUnlock(driver->lockManager, vm, src) < 0) + goto cleanup; + ret =3D 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); + if (locked && + virDomainLockMetadataImageUnlock(driver->lockManager, vm, src) < 0) + VIR_WARN("unable to release image metadata lock"); return ret; } =20 @@ -172,6 +237,12 @@ qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver, virStorageSourcePtr src) { int ret =3D -1; + bool locked =3D false; + + if (virDomainLockMetadataImageLock(driver->lockManager, vm, src) < 0) + goto cleanup; + + locked =3D true; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) && virSecurityManagerTransactionStart(driver->securityManager) < 0) @@ -187,9 +258,17 @@ qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver, vm->pid) < 0) goto cleanup; =20 + locked =3D false; + + if (virDomainLockMetadataImageUnlock(driver->lockManager, vm, src) < 0) + goto cleanup; + ret =3D 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); + if (locked && + virDomainLockMetadataImageUnlock(driver->lockManager, vm, src) < 0) + VIR_WARN("unable to release image metadata lock"); return ret; } =20 @@ -258,6 +337,12 @@ qemuSecuritySetMemoryLabel(virQEMUDriverPtr driver, virDomainMemoryDefPtr mem) { int ret =3D -1; + bool locked =3D false; + + if (virDomainLockMetadataMemLock(driver->lockManager, vm, mem) < 0) + goto cleanup; + + locked =3D true; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) && virSecurityManagerTransactionStart(driver->securityManager) < 0) @@ -273,9 +358,17 @@ qemuSecuritySetMemoryLabel(virQEMUDriverPtr driver, vm->pid) < 0) goto cleanup; =20 + locked =3D false; + + if (virDomainLockMetadataMemUnlock(driver->lockManager, vm, mem) < 0) + goto cleanup; + ret =3D 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); + if (locked && + virDomainLockMetadataMemUnlock(driver->lockManager, vm, mem) < 0) + VIR_WARN("unable to release memory metadata lock"); return ret; } =20 @@ -286,6 +379,12 @@ qemuSecurityRestoreMemoryLabel(virQEMUDriverPtr driver, virDomainMemoryDefPtr mem) { int ret =3D -1; + bool locked =3D false; + + if (virDomainLockMetadataMemLock(driver->lockManager, vm, mem) < 0) + goto cleanup; + + locked =3D true; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) && virSecurityManagerTransactionStart(driver->securityManager) < 0) @@ -301,9 +400,17 @@ qemuSecurityRestoreMemoryLabel(virQEMUDriverPtr driver, vm->pid) < 0) goto cleanup; =20 + locked =3D false; + + if (virDomainLockMetadataMemUnlock(driver->lockManager, vm, mem) < 0) + goto cleanup; + ret =3D 0; cleanup: virSecurityManagerTransactionAbort(driver->securityManager); + if (locked && + virDomainLockMetadataMemUnlock(driver->lockManager, vm, mem) < 0) + VIR_WARN("unable to release memory metadata lock"); return ret; } =20 --=20 2.16.4 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list