[libvirt] [PATCH] qemu_security: Introduce ImageLabel APIs

Michal Privoznik posted 1 patch 7 years, 1 month ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/cf24ccb926b5ae913159c2d18ca0b58925ccceb9.1486567002.git.mprivozn@redhat.com
src/qemu/qemu_domain.c   |  7 +++---
src/qemu/qemu_security.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++
src/qemu/qemu_security.h |  8 +++++++
3 files changed, 67 insertions(+), 4 deletions(-)
[libvirt] [PATCH] qemu_security: Introduce ImageLabel APIs
Posted by Michal Privoznik 7 years, 1 month ago
Just like we need wrappers over other virSecurityManager APIs, we
need one for virSecurityManagerSetImageLabel and
virSecurityManagerRestoreImageLabel. Otherwise we might end up
relabelling device in wrong namespace.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/qemu/qemu_domain.c   |  7 +++---
 src/qemu/qemu_security.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++
 src/qemu/qemu_security.h |  8 +++++++
 3 files changed, 67 insertions(+), 4 deletions(-)

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index d3f765605..7c696963e 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -31,6 +31,7 @@
 #include "qemu_parse_command.h"
 #include "qemu_capabilities.h"
 #include "qemu_migration.h"
+#include "qemu_security.h"
 #include "viralloc.h"
 #include "virlog.h"
 #include "virerror.h"
@@ -5094,8 +5095,7 @@ qemuDomainDiskChainElementRevoke(virQEMUDriverPtr driver,
         VIR_WARN("Failed to teardown cgroup for disk path %s",
                  NULLSTR(elem->path));
 
-    if (virSecurityManagerRestoreImageLabel(driver->securityManager,
-                                            vm->def, elem) < 0)
+    if (qemuSecurityRestoreImageLabel(driver, vm, elem) < 0)
         VIR_WARN("Unable to restore security label on %s", NULLSTR(elem->path));
 
     if (qemuDomainNamespaceTeardownDisk(driver, vm, elem) < 0)
@@ -5135,8 +5135,7 @@ qemuDomainDiskChainElementPrepare(virQEMUDriverPtr driver,
     if (qemuSetupImageCgroup(vm, elem) < 0)
         goto cleanup;
 
-    if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def,
-                                        elem) < 0)
+    if (qemuSecuritySetImageLabel(driver, vm, elem) < 0)
         goto cleanup;
 
     ret = 0;
diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
index ceac5bf56..f2931976b 100644
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@@ -133,6 +133,62 @@ qemuSecurityRestoreDiskLabel(virQEMUDriverPtr driver,
 }
 
 
+int
+qemuSecuritySetImageLabel(virQEMUDriverPtr driver,
+                          virDomainObjPtr vm,
+                          virStorageSourcePtr src)
+{
+    int ret = -1;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionStart(driver->securityManager) < 0)
+        goto cleanup;
+
+    if (virSecurityManagerSetImageLabel(driver->securityManager,
+                                        vm->def,
+                                        src) < 0)
+        goto cleanup;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionCommit(driver->securityManager,
+                                            vm->pid) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    virSecurityManagerTransactionAbort(driver->securityManager);
+    return ret;
+}
+
+
+int
+qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver,
+                              virDomainObjPtr vm,
+                              virStorageSourcePtr src)
+{
+    int ret = -1;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionStart(driver->securityManager) < 0)
+        goto cleanup;
+
+    if (virSecurityManagerRestoreImageLabel(driver->securityManager,
+                                            vm->def,
+                                            src) < 0)
+        goto cleanup;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionCommit(driver->securityManager,
+                                            vm->pid) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    virSecurityManagerTransactionAbort(driver->securityManager);
+    return ret;
+}
+
+
 int
 qemuSecuritySetHostdevLabel(virQEMUDriverPtr driver,
                             virDomainObjPtr vm,
diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h
index cc373b3e1..54638908d 100644
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@@ -45,6 +45,14 @@ int qemuSecurityRestoreDiskLabel(virQEMUDriverPtr driver,
                                  virDomainObjPtr vm,
                                  virDomainDiskDefPtr disk);
 
+int qemuSecuritySetImageLabel(virQEMUDriverPtr driver,
+                              virDomainObjPtr vm,
+                              virStorageSourcePtr src);
+
+int qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver,
+                                  virDomainObjPtr vm,
+                                  virStorageSourcePtr src);
+
 int qemuSecuritySetHostdevLabel(virQEMUDriverPtr driver,
                                 virDomainObjPtr vm,
                                 virDomainHostdevDefPtr hostdev);
-- 
2.11.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH] qemu_security: Introduce ImageLabel APIs
Posted by Peter Krempa 7 years, 1 month ago
On Wed, Feb 08, 2017 at 16:16:42 +0100, Michal Privoznik wrote:
> Just like we need wrappers over other virSecurityManager APIs, we
> need one for virSecurityManagerSetImageLabel and
> virSecurityManagerRestoreImageLabel. Otherwise we might end up
> relabelling device in wrong namespace.
> 
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>  src/qemu/qemu_domain.c   |  7 +++---
>  src/qemu/qemu_security.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++
>  src/qemu/qemu_security.h |  8 +++++++
>  3 files changed, 67 insertions(+), 4 deletions(-)

ACK
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list