From nobody Thu Apr 18 20:07:55 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) client-ip=209.132.183.25; envelope-from=libvir-list-bounces@redhat.com; helo=mx4-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx4-phx2.redhat.com (mx4-phx2.redhat.com [209.132.183.25]) by mx.zohomail.com with SMTPS id 1486567304677567.6552255103776; Wed, 8 Feb 2017 07:21:44 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx4-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v18FGopb008586; Wed, 8 Feb 2017 10:16:50 -0500 Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v18FGn1x008708 for ; Wed, 8 Feb 2017 10:16:49 -0500 Received: from moe.brq.redhat.com (dhcp129-131.brq.redhat.com [10.34.129.131]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v18FGmnT001314; Wed, 8 Feb 2017 10:16:48 -0500 From: Michal Privoznik To: libvir-list@redhat.com Date: Wed, 8 Feb 2017 16:16:42 +0100 Message-Id: X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 X-loop: libvir-list@redhat.com Cc: pkrempa@redhat.com Subject: [libvirt] [PATCH] qemu_security: Introduce ImageLabel APIs X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Just like we need wrappers over other virSecurityManager APIs, we need one for virSecurityManagerSetImageLabel and virSecurityManagerRestoreImageLabel. Otherwise we might end up relabelling device in wrong namespace. Signed-off-by: Michal Privoznik --- src/qemu/qemu_domain.c | 7 +++--- src/qemu/qemu_security.c | 56 ++++++++++++++++++++++++++++++++++++++++++++= ++++ src/qemu/qemu_security.h | 8 +++++++ 3 files changed, 67 insertions(+), 4 deletions(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index d3f765605..7c696963e 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -31,6 +31,7 @@ #include "qemu_parse_command.h" #include "qemu_capabilities.h" #include "qemu_migration.h" +#include "qemu_security.h" #include "viralloc.h" #include "virlog.h" #include "virerror.h" @@ -5094,8 +5095,7 @@ qemuDomainDiskChainElementRevoke(virQEMUDriverPtr dri= ver, VIR_WARN("Failed to teardown cgroup for disk path %s", NULLSTR(elem->path)); =20 - if (virSecurityManagerRestoreImageLabel(driver->securityManager, - vm->def, elem) < 0) + if (qemuSecurityRestoreImageLabel(driver, vm, elem) < 0) VIR_WARN("Unable to restore security label on %s", NULLSTR(elem->p= ath)); =20 if (qemuDomainNamespaceTeardownDisk(driver, vm, elem) < 0) @@ -5135,8 +5135,7 @@ qemuDomainDiskChainElementPrepare(virQEMUDriverPtr dr= iver, if (qemuSetupImageCgroup(vm, elem) < 0) goto cleanup; =20 - if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def, - elem) < 0) + if (qemuSecuritySetImageLabel(driver, vm, elem) < 0) goto cleanup; =20 ret =3D 0; diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c index ceac5bf56..f2931976b 100644 --- a/src/qemu/qemu_security.c +++ b/src/qemu/qemu_security.c @@ -133,6 +133,62 @@ qemuSecurityRestoreDiskLabel(virQEMUDriverPtr driver, } =20 =20 +int +qemuSecuritySetImageLabel(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virStorageSourcePtr src) +{ + int ret =3D -1; + + if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) && + virSecurityManagerTransactionStart(driver->securityManager) < 0) + goto cleanup; + + if (virSecurityManagerSetImageLabel(driver->securityManager, + vm->def, + src) < 0) + goto cleanup; + + if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) && + virSecurityManagerTransactionCommit(driver->securityManager, + vm->pid) < 0) + goto cleanup; + + ret =3D 0; + cleanup: + virSecurityManagerTransactionAbort(driver->securityManager); + return ret; +} + + +int +qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virStorageSourcePtr src) +{ + int ret =3D -1; + + if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) && + virSecurityManagerTransactionStart(driver->securityManager) < 0) + goto cleanup; + + if (virSecurityManagerRestoreImageLabel(driver->securityManager, + vm->def, + src) < 0) + goto cleanup; + + if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) && + virSecurityManagerTransactionCommit(driver->securityManager, + vm->pid) < 0) + goto cleanup; + + ret =3D 0; + cleanup: + virSecurityManagerTransactionAbort(driver->securityManager); + return ret; +} + + int qemuSecuritySetHostdevLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h index cc373b3e1..54638908d 100644 --- a/src/qemu/qemu_security.h +++ b/src/qemu/qemu_security.h @@ -45,6 +45,14 @@ int qemuSecurityRestoreDiskLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainDiskDefPtr disk); =20 +int qemuSecuritySetImageLabel(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virStorageSourcePtr src); + +int qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virStorageSourcePtr src); + int qemuSecuritySetHostdevLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virDomainHostdevDefPtr hostdev); --=20 2.11.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list