From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH] qemu: Restore label to temp file in qemuDomainScreenshot()
Date: Thu, 2 Jun 2022 15:14:25 +0200

Obtaining a screenshot via virDomainScreenshot() works like this:

1) we create a temp file, label it, then
2) tell QEMU to store the screenshot into it, and
3) finally, open the file for transfer via virStream

Since the file is just temporary and even explicitly unlinked at the
end, no seclabel restoration is done. This makes perfect sense for
security models which attach a label to the file itself (DAC, SELinux)
because the label is gone with the file. However, for models where a
list of files and allowed actions is kept on the side (AppArmor) this
approach means we just append files into the profile and never remove
them. In turn, the file grows and policy update takes longer with each
entry.

Restore the seclabel for AppArmor's sake.

Signed-off-by: Michal Privoznik
Reviewed-by: Jiri Denemark
---
 src/qemu/qemu_driver.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index fb63e6550f..0c6645ed89 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -3423,8 +3423,13 @@ qemuDomainScreenshot(virDomainPtr dom, =20 endjob: VIR_FORCE_CLOSE(tmp_fd); - if (unlink_tmp) + if (unlink_tmp) { + /* This may look pointless, since we're removing the file anyways,= but + * it's crucial for AppArmor. Otherwise these temp files would + * accumulate in the domain's profile. */ + qemuSecurityDomainRestorePathLabel(driver, vm, tmp); unlink(tmp); + } =20 qemuDomainObjEndJob(vm); =20 --=20 2.35.1
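Review bot: the return value of qemuSecurityDomainRestorePathLabel(driver, vm, tmp) is silently dropped in the endjob cleanup path. If that is deliberate (best-effort cleanup where a failed restore must not override the screenshot result already being returned), the new comment should say so, since a reader auditing the AppArmor profile growth this patch fixes will otherwise wonder whether a failed restore leaves the entry behind unnoticed; if it is not deliberate, the failure should at least be logged. Two smaller points on the same hunk: the comment's "anyways" should read "anyway", and it is worth confirming that qemuSecurityDomainRestorePathLabel() is also reached on the error exits of qemuDomainScreenshot() that set unlink_tmp, not only on the success path, otherwise the profile still accumulates entries for screenshots that failed after the label was applied.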