From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 1/2] security: Introduce VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT flag
Date: Thu, 27 Feb 2020 13:07:35 +0100
Message-Id: <0c387be59b82033be7d95049d11c472b9dc583a8.1582805083.git.mprivozn@redhat.com>

Our decision whether to remember seclabel for a disk image depends on a few factors. If the image is readonly or shared or not top parent of a backing chain the remembering is suppressed for the image. However, the virSecurityManagerSetImageLabel() is too low level to determine whether passed @src is top parent or not. Even though it has domain definition available, in some cases (like snapshots or block copy) the @src is added to the definition only after the operation succeeded. Therefore, introduce a flag which callers can use to help us with the decision.

Signed-off-by: Michal Privoznik
---
 src/security/security_dac.c     | 16 +++++++++++-----
 src/security/security_manager.h |  1 +
 src/security/security_selinux.c | 18 ++++++++++++------
 3 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index f412054d0e..3f8b04b307 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -889,14 +889,14 @@ static int virSecurityDACSetImageLabelInternal(virSecurityManagerPtr mgr, virDomainDefPtr def, virStorageSourcePtr src, - virStorageSourcePtr parent) + virStorageSourcePtr parent, + bool is_topparent) { virSecurityLabelDefPtr secdef; virSecurityDeviceLabelDefPtr disk_seclabel; virSecurityDeviceLabelDefPtr parent_seclabel =3D NULL; virSecurityDACDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); bool remember; - bool is_toplevel =3D parent =3D=3D src || parent->externalDataStore = =3D=3D src; uid_t user; gid_t group; =20 @@ -954,7 +954,7 @@ virSecurityDACSetImageLabelInternal(virSecurityManagerP= tr mgr, * but the top layer, or read only image, or disk explicitly * marked as shared. */ - remember =3D is_toplevel && !src->readonly && !src->shared; + remember =3D is_topparent && !src->readonly && !src->shared; =20 return virSecurityDACSetOwnership(mgr, src, NULL, user, group, remembe= r); } @@ -967,10 +967,13 @@ virSecurityDACSetImageLabelRelative(virSecurityManage= rPtr mgr, virStorageSourcePtr parent, virSecurityDomainImageLabelFlags flags) { + bool is_topparent =3D flags & VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT; virStorageSourcePtr n; =20 + flags &=3D ~VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT; + for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { - if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent) < 0) + if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent, is_to= pparent) < 0) return -1; =20 if (n->externalDataStore && @@ -983,6 +986,8 @@ virSecurityDACSetImageLabelRelative(virSecurityManagerP= tr mgr, =20 if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) break; + + is_topparent =3D false; } =20 return 0; 
@@ -2114,7 +2119,8 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, if (virDomainDiskGetType(def->disks[i]) =3D=3D VIR_STORAGE_TYPE_DI= R) continue; if (virSecurityDACSetImageLabel(mgr, def, def->disks[i]->src, - VIR_SECURITY_DOMAIN_IMAGE_LABEL_BA= CKING_CHAIN) < 0) + VIR_SECURITY_DOMAIN_IMAGE_LABEL_BA= CKING_CHAIN | + VIR_SECURITY_DOMAIN_IMAGE_TOP_PARE= NT) < 0) return -1; } =20 diff --git a/src/security/security_manager.h b/src/security/security_manage= r.h index b92ea5dc87..11904fda89 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -151,6 +151,7 @@ virSecurityManagerPtr* virSecurityManagerGetNested(virS= ecurityManagerPtr mgr); =20 typedef enum { VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN =3D 1 << 0, + VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT =3D 1 << 1, } virSecurityDomainImageLabelFlags; =20 int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 2241a35e6e..0aa0c2bb71 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1824,7 +1824,8 @@ static int virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr, virDomainDefPtr def, virStorageSourcePtr src, - virStorageSourcePtr parent) + virStorageSourcePtr parent, + bool is_topparent) { virSecuritySELinuxDataPtr data =3D virSecurityManagerGetPrivateData(mg= r); virSecurityLabelDefPtr secdef; @@ -1832,7 +1833,6 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityMa= nagerPtr mgr, virSecurityDeviceLabelDefPtr parent_seclabel =3D NULL; char *use_label =3D NULL; bool remember; - bool is_toplevel =3D parent =3D=3D src || parent->externalDataStore = =3D=3D src; g_autofree char *vfioGroupDev =3D NULL; const char *path =3D src->path; int ret; 
@@ -1856,7 +1856,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityMa= nagerPtr mgr, * but the top layer, or read only image, or disk explicitly * marked as shared. */ - remember =3D is_toplevel && !src->readonly && !src->shared; + remember =3D is_topparent && !src->readonly && !src->shared; =20 disk_seclabel =3D virStorageSourceGetSecurityLabelDef(src, SECURITY_SELINUX_N= AME); @@ -1873,7 +1873,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityMa= nagerPtr mgr, return 0; =20 use_label =3D parent_seclabel->label; - } else if (is_toplevel) { + } else if (parent =3D=3D src || parent->externalDataStore =3D=3D src) { if (src->shared) { use_label =3D data->file_context; } else if (src->readonly) { @@ -1927,10 +1927,13 @@ virSecuritySELinuxSetImageLabelRelative(virSecurity= ManagerPtr mgr, virStorageSourcePtr parent, virSecurityDomainImageLabelFlags f= lags) { + bool is_topparent =3D flags & VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT; virStorageSourcePtr n; =20 + flags &=3D ~VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT; + for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { - if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent) <= 0) + if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent, i= s_topparent) < 0) return -1; =20 if (n->externalDataStore && @@ -1943,6 +1946,8 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityMa= nagerPtr mgr, =20 if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) break; + + is_topparent =3D false; } =20 return 0; 
@@ -3146,7 +3151,8 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr m= gr, continue; } if (virSecuritySELinuxSetImageLabel(mgr, def, def->disks[i]->src, - VIR_SECURITY_DOMAIN_IMAGE_LABE= L_BACKING_CHAIN) < 0) + VIR_SECURITY_DOMAIN_IMAGE_LABE= L_BACKING_CHAIN | + VIR_SECURITY_DOMAIN_IMAGE_TOP_= PARENT) < 0) return -1; } /* XXX fixme process def->fss if relabel =3D=3D true */ --=20 2.24.1
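Review bot: The new enum value VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT in src/security/security_manager.h is added without any comment, yet it inverts the default: "remember" is now false unless the caller passes the flag, where before it was derived from "parent == src". Please document next to the enum what the flag means and that omitting it suppresses seclabel remembering, so that callers of virSecurityManagerSetImageLabel() other than the two SetAllLabel functions updated here know they have to opt in.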
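Review bot: In virSecurityDACSetImageLabelRelative() and virSecuritySELinuxSetImageLabelRelative() the external data store case of the removed "is_toplevel" check looks lost. The old expression was "parent == src || parent->externalDataStore == src", but TOP_PARENT is now stripped from "flags" before the loop, and the call under "if (n->externalDataStore &&" is not shown in the hunk. If that call passes "flags" on, the data file of a top image is no longer remembered. Please either carry is_topparent into that call for the first iteration or state in the commit message that the change is intended.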
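Review bot: In virSecuritySELinuxSetImageLabelInternal() the label selection branch keeps the old test inline ("else if (parent == src || parent->externalDataStore == src)") while "remember" switches to is_topparent, so the function now carries two different notions of "top" with nothing explaining why they differ. A short comment at the else-if saying that label choice still follows the position relative to @parent, and only remembering follows the caller's flag, would keep the next reader from unifying them by mistake.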
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 2/2] qemu: Tell secdrivers which images are top parent
Date: Thu, 27 Feb 2020 13:07:36 +0100
Message-Id: <226097382fd7e6422fe33886250a4d90c1cb4f82.1582805083.git.mprivozn@redhat.com>

When preparing images for block jobs we modify their seclabels so that QEMU can open them. However, as mentioned in the previous commit, secdrivers base some of their decisions on whether the image they are working on is top parent or not. Fortunately, in places where we call secdrivers we know this and the information can be passed to secdrivers.

This fixes the problem described in the linked bugzilla. The problem is the following: after the first blockcommit from the base to one of the parents the XATTRs on the base image are not cleared and therefore the second attempt to do another blockcommit fails. This is caused by blockcommit code calling qemuSecuritySetImageLabel() over the base image and never calling the corresponding qemuSecurityRestoreImageLabel(). A naive fix would be to call the restore function. But this is not possible, because that would deny QEMU the access to the base image. Fortunately, we can use the fact that seclabels are remembered only for the top parent and not for the rest of the backing chain. And thanks to the previous commit we can tell secdrivers which images are top parents.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1803551

Signed-off-by: Michal Privoznik
---
 src/qemu/qemu_backup.c     |  4 ++--
 src/qemu/qemu_blockjob.c   |  6 ++++--
 src/qemu/qemu_checkpoint.c |  6 ++++--
 src/qemu/qemu_domain.c     | 15 +++++++++++++--
 src/qemu/qemu_domain.h     |  3 ++-
 src/qemu/qemu_driver.c     | 15 ++++++++++-----
 src/qemu/qemu_process.c    |  2 +-
 src/qemu/qemu_security.c   |  6 +++++-
 src/qemu/qemu_security.h   |  3 ++-
 9 files changed, 43 insertions(+), 17 deletions(-)

diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c
index 2cc6ff7a42..8b66ee8d1f 100644
--- a/src/qemu/qemu_backup.c
+++ b/src/qemu/qemu_backup.c
@@ -469,8 +469,8 @@ qemuBackupDiskPrepareOneStorage(virDomainObjPtr vm, dd->created =3D true; } =20 - if (qemuDomainStorageSourceAccessAllow(priv->driver, vm, dd->store, fa= lse, - true) < 0) + if (qemuDomainStorageSourceAccessAllow(priv->driver, vm, dd->store, + false, true, true) < 0) return -1; =20 dd->labelled =3D true; diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c index 71df0d1ab2..9db1b71a3e 100644 --- a/src/qemu/qemu_blockjob.c +++ b/src/qemu/qemu_blockjob.c @@ -1105,9 +1105,11 @@ qemuBlockJobProcessEventCompletedCommit(virQEMUDrive= rPtr driver, return; =20 /* revert access to images */ - qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.base, = true, false); + qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.base, + true, false, false); if (job->data.commit.topparent !=3D job->disk->src) - qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.to= pparent, true, false); + qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.to= pparent, + true, false, false); =20 baseparent->backingStore =3D NULL; job->data.commit.topparent->backingStore =3D job->data.commit.base; diff --git a/src/qemu/qemu_checkpoint.c b/src/qemu/qemu_checkpoint.c index c06bfe6a21..fe54af74ec 100644 
--- a/src/qemu/qemu_checkpoint.c +++ b/src/qemu/qemu_checkpoint.c @@ -298,7 +298,8 @@ qemuCheckpointDiscardBitmaps(virDomainObjPtr vm, for (next =3D reopenimages; next; next =3D next->next) { virStorageSourcePtr src =3D next->data; =20 - if (qemuDomainStorageSourceAccessAllow(driver, vm, src, false, fal= se) < 0) + if (qemuDomainStorageSourceAccessAllow(driver, vm, src, + false, false, false) < 0) goto relabel; =20 relabelimages =3D g_slist_prepend(relabelimages, src); @@ -313,7 +314,8 @@ qemuCheckpointDiscardBitmaps(virDomainObjPtr vm, for (next =3D relabelimages; next; next =3D next->next) { virStorageSourcePtr src =3D next->data; =20 - ignore_value(qemuDomainStorageSourceAccessAllow(driver, vm, src, t= rue, false)); + ignore_value(qemuDomainStorageSourceAccessAllow(driver, vm, src, + true, false, false= )); } =20 return rc; diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 3dfa71650d..32e8220d98 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -11589,6 +11589,8 @@ typedef enum { QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_SKIP_REVOKE =3D 1 << 4, /* VM already has access to the source and we are just modifying it */ QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_MODIFY_ACCESS =3D 1 << 5, + /* whether the image is top parent of backing chain */ + QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_TOP_PARENT =3D 1 << 6, } qemuDomainStorageSourceAccessFlags; =20 =20 @@ -11666,6 +11668,7 @@ qemuDomainStorageSourceAccessModify(virQEMUDriverPt= r driver, bool force_ro =3D flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_FORCE_READ= _ONLY; bool force_rw =3D flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_FORCE_READ= _WRITE; bool revoke =3D flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_REVOKE; + bool topparent =3D flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_TOP_PAREN= T; int rc; bool was_readonly =3D src->readonly; bool revoke_cgroup =3D false; 
@@ -11712,7 +11715,7 @@ qemuDomainStorageSourceAccessModify(virQEMUDriverPt= r driver, revoke_namespace =3D true; } =20 - if (qemuSecuritySetImageLabel(driver, vm, src, chain) < 0) + if (qemuSecuritySetImageLabel(driver, vm, src, chain, topparent) < 0) goto revoke; =20 revoke_label =3D true; @@ -11817,6 +11820,7 @@ qemuDomainStorageSourceAccessRevoke(virQEMUDriverPt= r driver, * @elem: source structure to set access for * @readonly: setup read-only access if true * @newSource: @elem describes a storage source which @vm can't access yet + * @topparent: @elem is top parent of backing chain * * Allow a VM access to a single element of a disk backing chain; this hel= per * ensures that the lock manager, cgroup device controller, and security m= anager @@ -11824,13 +11828,17 @@ qemuDomainStorageSourceAccessRevoke(virQEMUDriver= Ptr driver, * * When modifying permissions of @elem which @vm can already access (is in= the * backing chain) @newSource needs to be set to false. + * + * When the @elem is top parent of a backing chain, then @topparent must be + * true, otherwise it must be false. */ int qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr driver, virDomainObjPtr vm, virStorageSourcePtr elem, bool readonly, - bool newSource) + bool newSource, + bool topparent) { qemuDomainStorageSourceAccessFlags flags =3D QEMU_DOMAIN_STORAGE_SOURC= E_ACCESS_SKIP_REVOKE; =20 @@ -11842,6 +11850,9 @@ qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr= driver, if (!newSource) flags |=3D QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_MODIFY_ACCESS; =20 + if (topparent) + flags |=3D QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_TOP_PARENT; + return qemuDomainStorageSourceAccessModify(driver, vm, elem, flags); } =20 diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index f8fb48f2ff..f679cdbf09 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h 
@@ -896,7 +896,8 @@ int qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr= driver, virDomainObjPtr vm, virStorageSourcePtr elem, bool readonly, - bool newSource); + bool newSource, + bool topparent); =20 int qemuDomainPrepareStorageSourceBlockdev(virDomainDiskDefPtr disk, virStorageSourcePtr src, diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 35ade1ef37..39c29a0d47 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -15141,7 +15141,8 @@ qemuDomainSnapshotDiskPrepareOne(virQEMUDriverPtr d= river, } =20 /* set correct security, cgroup and locking options on the new image */ - if (qemuDomainStorageSourceAccessAllow(driver, vm, dd->src, false, tru= e) < 0) + if (qemuDomainStorageSourceAccessAllow(driver, vm, dd->src, + false, true, true) < 0) return -1; =20 dd->prepared =3D true; @@ -18489,9 +18490,11 @@ qemuDomainBlockCommit(virDomainPtr dom, * operation succeeds, but doing that requires tracking the * operation in XML across libvirtd restarts. */ clean_access =3D true; - if (qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, false, = false) < 0 || + if (qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, + false, false, false) < 0 || (top_parent && top_parent !=3D disk->src && - qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, false,= false) < 0)) + qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, + false, false, false) < 0)) goto endjob; =20 if (!(job =3D qemuBlockJobDiskNewCommit(vm, disk, top_parent, topSourc= e, 
@@ -18551,9 +18554,11 @@ qemuDomainBlockCommit(virDomainPtr dom, virErrorPtr orig_err; virErrorPreserveLast(&orig_err); /* Revert access to read-only, if possible. */ - qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, true, f= alse); + qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, + true, false, false); if (top_parent && top_parent !=3D disk->src) - qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, tru= e, false); + qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, + true, false, false); =20 virErrorRestore(&orig_err); } diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index d9035055e8..425a21d77e 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -7851,7 +7851,7 @@ qemuProcessRefreshLegacyBlockjob(void *payload, (qemuDomainNamespaceSetupDisk(vm, disk->mirror) < 0 || qemuSetupImageChainCgroup(vm, disk->mirror) < 0 || qemuSecuritySetImageLabel(priv->driver, vm, disk->mirror, - true) < 0)) + true, false) < 0)) goto cleanup; } } diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c index 2aa2b5b9c6..ad9d0b8012 100644 --- a/src/qemu/qemu_security.c +++ b/src/qemu/qemu_security.c @@ -98,7 +98,8 @@ int qemuSecuritySetImageLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virStorageSourcePtr src, - bool backingChain) + bool backingChain, + bool topparent) { qemuDomainObjPrivatePtr priv =3D vm->privateData; pid_t pid =3D -1; @@ -108,6 +109,9 @@ qemuSecuritySetImageLabel(virQEMUDriverPtr driver, if (backingChain) labelFlags |=3D VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN; =20 + if (topparent) + labelFlags |=3D VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT; + if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h index a8c648ece1..90ff660257 100644 --- a/src/qemu/qemu_security.h +++ b/src/qemu/qemu_security.h 
@@ -36,7 +36,8 @@ void qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver, int qemuSecuritySetImageLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virStorageSourcePtr src, - bool backingChain); + bool backingChain, + bool topparent); =20 int qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, --=20 2.24.1
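Review bot: qemuDomainStorageSourceAccessAllow() in src/qemu/qemu_domain.h now takes three positional bools (readonly, newSource, topparent), and call sites such as "false, true, true" and "true, false, false" are easy to get in the wrong order with no help from the compiler. The function already converts these into qemuDomainStorageSourceAccessFlags internally, so consider taking a flags argument here instead; a swapped argument in this API silently changes whether a seclabel is remembered.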
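Review bot: The blockcommit hunks in src/qemu/qemu_blockjob.c and qemuDomainBlockCommit() pass "job->data.commit.topparent" and "top_parent" with the new @topparent argument set to false, which reads as a contradiction. The existing names mean the parent of the committed top image, the new parameter means the top of the whole backing chain. Please rename the new parameter (and the TOP_PARENT flags) to something that cannot be confused with the commit job's field, or add a comment at these call sites explaining why false is correct.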
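Review bot: In qemuProcessRefreshLegacyBlockjob() (src/qemu/qemu_process.c) the call becomes "qemuSecuritySetImageLabel(priv->driver, vm, disk->mirror, true, false)", so disk->mirror is labelled with its backing chain but not treated as top parent, while the snapshot and backup preparation hunks pass true for their new images. Neither the commit message nor the hunk says why the mirror differs; if this is deliberate because the label was already remembered before the daemon restart, please say so in a comment at the call.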