From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH v2 1/2] security: Introduce VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP flag
Date: Mon, 9 Mar 2020 09:29:42 +0100
Message-Id: <3d5928d8c4f98d5ff33c4c6115573528aa91578a.1583742275.git.mprivozn@redhat.com>

Our decision whether to remember seclabel for a disk image depends on a
few factors. If the image is readonly or shared or not the chain top,
the remembering is suppressed for the image. However, the
virSecurityManagerSetImageLabel() is too low level to determine whether
passed @src is chain top or not. Even though the function has the
@parent argument it does not necessarily reflect the chain top - it only
points to the top level image in the chain we want to relabel and not to
the topmost image of the whole chain. And this can't be derived from the
passed domain definition reliably either - in some cases (like snapshots
or block copy) the @src is added to the definition only after the
operation succeeded. Therefore, introduce a flag which callers can use
to help us with the decision.

Signed-off-by: Michal Privoznik
---
 src/security/security_dac.c     | 15 ++++++++++-----
 src/security/security_manager.h |  4 ++++
 src/security/security_selinux.c | 17 +++++++++++------
 3 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c index f412054d0e..34da07fc9f 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -889,14 +889,14 @@ static int virSecurityDACSetImageLabelInternal(virSecurityManagerPtr mgr, virDomainDefPtr def, virStorageSourcePtr src, - virStorageSourcePtr parent) + virStorageSourcePtr parent, + bool is_topparent) { virSecurityLabelDefPtr secdef; virSecurityDeviceLabelDefPtr disk_seclabel; virSecurityDeviceLabelDefPtr parent_seclabel =3D NULL; virSecurityDACDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); bool remember; - bool is_toplevel =3D parent =3D=3D src || parent->externalDataStore = =3D=3D src; uid_t user; gid_t group; =20 @@ -954,7 +954,7 @@ virSecurityDACSetImageLabelInternal(virSecurityManagerP= tr mgr, * but the top layer, or read only image, or disk explicitly * marked as shared. */ - remember =3D is_toplevel && !src->readonly && !src->shared; + remember =3D is_topparent && !src->readonly && !src->shared; =20 return virSecurityDACSetOwnership(mgr, src, NULL, user, group, remembe= r); } @@ -970,7 +970,9 @@ virSecurityDACSetImageLabelRelative(virSecurityManagerP= tr mgr, virStorageSourcePtr n; =20 for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { - if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent) < 0) + const bool is_topparent =3D flags & VIR_SECURITY_DOMAIN_IMAGE_PARE= NT_CHAIN_TOP; + + if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent, is_to= pparent) < 0) return -1; =20 if (n->externalDataStore && @@ -983,6 +985,8 @@ virSecurityDACSetImageLabelRelative(virSecurityManagerP= tr mgr, =20 if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) break; + + flags &=3D ~VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP; } =20 return 0; 
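Review bot: The `flags &= ~VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP;` added at the bottom of the loop in virSecurityDACSetImageLabelRelative() reuses the caller's flags argument as per-iteration state, and nothing in the loop says why the bit is dropped only after the `n->externalDataStore` step. Please add a short comment stating that only the first image visited, plus whatever is handled before this line, may have its label remembered, or derive a local bool before the loop and set it to false here. The call that follows `if (n->externalDataStore &&` is not part of the diff, so it is worth confirming that it still sees the bit for the top image, matching the removed `parent->externalDataStore == src` test. The `const bool is_topparent = flags & ...` in the preceding hunk also relies on implicit conversion of a `1 << 1` mask to bool; `!!(flags & ...)` would make that explicit.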
@@ -2114,7 +2118,8 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, if (virDomainDiskGetType(def->disks[i]) =3D=3D VIR_STORAGE_TYPE_DI= R) continue; if (virSecurityDACSetImageLabel(mgr, def, def->disks[i]->src, - VIR_SECURITY_DOMAIN_IMAGE_LABEL_BA= CKING_CHAIN) < 0) + VIR_SECURITY_DOMAIN_IMAGE_LABEL_BA= CKING_CHAIN | + VIR_SECURITY_DOMAIN_IMAGE_PARENT_C= HAIN_TOP) < 0) return -1; } =20 diff --git a/src/security/security_manager.h b/src/security/security_manage= r.h index b92ea5dc87..7699bcbc6f 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -151,6 +151,10 @@ virSecurityManagerPtr* virSecurityManagerGetNested(vir= SecurityManagerPtr mgr); =20 typedef enum { VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN =3D 1 << 0, + /* The VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP should be set if the + * image passed to virSecurityManagerSetImageLabel() is the top parent= of + * the whole backing chain. */ + VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP =3D 1 << 1, } virSecurityDomainImageLabelFlags; =20 int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 2241a35e6e..90b992d1e1 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1824,7 +1824,8 @@ static int virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr, virDomainDefPtr def, virStorageSourcePtr src, - virStorageSourcePtr parent) + virStorageSourcePtr parent, + bool is_topparent) { virSecuritySELinuxDataPtr data =3D virSecurityManagerGetPrivateData(mg= r); virSecurityLabelDefPtr secdef; @@ -1832,7 +1833,6 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityMa= nagerPtr mgr, virSecurityDeviceLabelDefPtr parent_seclabel =3D NULL; char *use_label =3D NULL; bool remember; - bool is_toplevel =3D parent =3D=3D src || parent->externalDataStore = =3D=3D src; g_autofree char *vfioGroupDev =3D NULL; const char *path =3D src->path; int ret; 
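Review bot: Dropping `is_toplevel` from virSecuritySELinuxSetImageLabelInternal() here leaves the function with two different meanings of "top": `remember` now follows the new `is_topparent` argument, while the label selection further down re-spells the old test inline as `parent == src || parent->externalDataStore == src`. Keeping the local, with a comment that it means top of the chain being relabelled as opposed to top of the whole chain, would avoid the duplicated expression and document why the two checks differ.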
@@ -1856,7 +1856,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityMa= nagerPtr mgr, * but the top layer, or read only image, or disk explicitly * marked as shared. */ - remember =3D is_toplevel && !src->readonly && !src->shared; + remember =3D is_topparent && !src->readonly && !src->shared; =20 disk_seclabel =3D virStorageSourceGetSecurityLabelDef(src, SECURITY_SELINUX_N= AME); @@ -1873,7 +1873,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityMa= nagerPtr mgr, return 0; =20 use_label =3D parent_seclabel->label; - } else if (is_toplevel) { + } else if (parent =3D=3D src || parent->externalDataStore =3D=3D src) { if (src->shared) { use_label =3D data->file_context; } else if (src->readonly) { @@ -1930,7 +1930,9 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityMa= nagerPtr mgr, virStorageSourcePtr n; =20 for (n =3D src; virStorageSourceIsBacking(n); n =3D n->backingStore) { - if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent) <= 0) + const bool is_topparent =3D flags & VIR_SECURITY_DOMAIN_IMAGE_PARE= NT_CHAIN_TOP; + + if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent, i= s_topparent) < 0) return -1; =20 if (n->externalDataStore && @@ -1943,6 +1945,8 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityMa= nagerPtr mgr, =20 if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) break; + + flags &=3D ~VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP; } =20 return 0; 
@@ -3146,7 +3150,8 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr m= gr, continue; } if (virSecuritySELinuxSetImageLabel(mgr, def, def->disks[i]->src, - VIR_SECURITY_DOMAIN_IMAGE_LABE= L_BACKING_CHAIN) < 0) + VIR_SECURITY_DOMAIN_IMAGE_LABE= L_BACKING_CHAIN | + VIR_SECURITY_DOMAIN_IMAGE_PARE= NT_CHAIN_TOP) < 0) return -1; } /* XXX fixme process def->fss if relabel =3D=3D true */ --=20 2.24.1
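Review bot: The comment added for VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP in security_manager.h says when to set the flag but not what it changes. State there that it controls whether the original label is remembered (per `remember = is_topparent && !src->readonly && !src->shared`), and that together with VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN it applies only to the first image because both drivers clear the bit after the first loop iteration. A caller that omits the flag now gets no remembering at all, which changes behaviour for any existing caller this patch does not update, so that default deserves a sentence as well.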
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH v2 2/2] qemu: Tell secdrivers which images are top parent
Date: Mon, 9 Mar 2020 09:29:43 +0100
Message-Id: <9e315e1769beba74f6a5289728569daa27144464.1583742275.git.mprivozn@redhat.com>

When preparing images for block jobs we modify their seclabels so that
QEMU can open them. However, as mentioned in the previous commit,
secdrivers base some of their decisions on whether the image they are
working on is top of the backing chain. Fortunately, in places where we
call secdrivers we know this and the information can be passed to
secdrivers.

The problem is the following: after the first blockcommit from the base
to one of the parents the XATTRs on the base image are not cleared and
therefore the second attempt to do another blockcommit fails. This is
caused by blockcommit code calling qemuSecuritySetImageLabel() over the
base image, possibly multiple times (to ensure RW/RO access).

A naive fix would be to call the restore function. But this is not
possible, because that would deny QEMU the access to the base image.
Fortunately, we can use the fact that seclabels are remembered only for
the top of the backing chain and not for the rest of the backing chain.
And thanks to the previous commit we can tell secdrivers which images
are top of the backing chain.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1803551
Signed-off-by: Michal Privoznik
Reviewed-by: Peter Krempa
---
 src/qemu/qemu_backup.c     |  4 ++--
 src/qemu/qemu_blockjob.c   |  6 ++++--
 src/qemu/qemu_checkpoint.c |  6 ++++--
 src/qemu/qemu_domain.c     | 24 ++++++++++++++++++++----
 src/qemu/qemu_domain.h     |  3 ++-
 src/qemu/qemu_driver.c     | 23 +++++++++++++++++------
 src/qemu/qemu_process.c    |  2 +-
 src/qemu/qemu_security.c   |  6 +++++-
 src/qemu/qemu_security.h   |  3 ++-
 9 files changed, 57 insertions(+), 20 deletions(-)
diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c index 2cc6ff7a42..8b66ee8d1f 100644 --- a/src/qemu/qemu_backup.c +++ b/src/qemu/qemu_backup.c @@ -469,8 +469,8 @@ qemuBackupDiskPrepareOneStorage(virDomainObjPtr vm, dd->created =3D true; } =20 - if (qemuDomainStorageSourceAccessAllow(priv->driver, vm, dd->store, fa= lse, - true) < 0) + if (qemuDomainStorageSourceAccessAllow(priv->driver, vm, dd->store, + false, true, true) < 0) return -1; =20 dd->labelled =3D true; diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c index 71df0d1ab2..e894e1634d 100644 --- a/src/qemu/qemu_blockjob.c +++ b/src/qemu/qemu_blockjob.c @@ -1105,9 +1105,11 @@ qemuBlockJobProcessEventCompletedCommit(virQEMUDrive= rPtr driver, return; =20 /* revert access to images */ - qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.base, = true, false); + qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.base, + true, false, false); if (job->data.commit.topparent !=3D job->disk->src) - qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.to= pparent, true, false); + qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.to= pparent, + true, false, true); =20 baseparent->backingStore =3D NULL; job->data.commit.topparent->backingStore =3D job->data.commit.base; diff --git a/src/qemu/qemu_checkpoint.c b/src/qemu/qemu_checkpoint.c index a387e7dfe7..ea87b09aa0 100644 --- a/src/qemu/qemu_checkpoint.c
+++ b/src/qemu/qemu_checkpoint.c @@ -296,7 +296,8 @@ qemuCheckpointDiscardBitmaps(virDomainObjPtr vm, for (next =3D reopenimages; next; next =3D next->next) { virStorageSourcePtr src =3D next->data; =20 - if (qemuDomainStorageSourceAccessAllow(driver, vm, src, false, fal= se) < 0) + if (qemuDomainStorageSourceAccessAllow(driver, vm, src, + false, false, false) < 0) goto relabel; =20 relabelimages =3D g_slist_prepend(relabelimages, src); @@ -311,7 +312,8 @@ qemuCheckpointDiscardBitmaps(virDomainObjPtr vm, for (next =3D relabelimages; next; next =3D next->next) { virStorageSourcePtr src =3D next->data; =20 - ignore_value(qemuDomainStorageSourceAccessAllow(driver, vm, src, t= rue, false)); + ignore_value(qemuDomainStorageSourceAccessAllow(driver, vm, src, + true, false, false= )); } =20 return rc; diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 33c2158eb5..5b53d74d38 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -11668,6 +11668,8 @@ typedef enum { QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_SKIP_REVOKE =3D 1 << 4, /* VM already has access to the source and we are just modifying it */ QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_MODIFY_ACCESS =3D 1 << 5, + /* whether the image is the top image of the backing chain (e.g. disk = source) */ + QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_CHAIN_TOP =3D 1 << 6, } qemuDomainStorageSourceAccessFlags; =20 =20 @@ -11745,6 +11747,7 @@ qemuDomainStorageSourceAccessModify(virQEMUDriverPt= r driver, bool force_ro =3D flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_FORCE_READ= _ONLY; bool force_rw =3D flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_FORCE_READ= _WRITE; bool revoke =3D flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_REVOKE; + bool topparent =3D flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_CHAIN_TOP; int rc; bool was_readonly =3D src->readonly; bool revoke_cgroup =3D false; 
@@ -11791,7 +11794,7 @@ qemuDomainStorageSourceAccessModify(virQEMUDriverPt= r driver, revoke_namespace =3D true; } =20 - if (qemuSecuritySetImageLabel(driver, vm, src, chain) < 0) + if (qemuSecuritySetImageLabel(driver, vm, src, chain, topparent) < 0) goto revoke; =20 revoke_label =3D true; @@ -11854,7 +11857,8 @@ qemuDomainStorageSourceChainAccessAllow(virQEMUDriv= erPtr driver, virDomainObjPtr vm, virStorageSourcePtr src) { - qemuDomainStorageSourceAccessFlags flags =3D QEMU_DOMAIN_STORAGE_SOURC= E_ACCESS_CHAIN; + qemuDomainStorageSourceAccessFlags flags =3D QEMU_DOMAIN_STORAGE_SOURC= E_ACCESS_CHAIN | + QEMU_DOMAIN_STORAGE_SOURCE_= ACCESS_CHAIN_TOP; =20 return qemuDomainStorageSourceAccessModify(driver, vm, src, flags); } @@ -11866,7 +11870,8 @@ qemuDomainStorageSourceChainAccessRevoke(virQEMUDri= verPtr driver, virStorageSourcePtr src) { qemuDomainStorageSourceAccessFlags flags =3D QEMU_DOMAIN_STORAGE_SOURC= E_ACCESS_REVOKE | - QEMU_DOMAIN_STORAGE_SOURCE_= ACCESS_CHAIN; + QEMU_DOMAIN_STORAGE_SOURCE_= ACCESS_CHAIN | + QEMU_DOMAIN_STORAGE_SOURCE_= ACCESS_CHAIN_TOP; =20 return qemuDomainStorageSourceAccessModify(driver, vm, src, flags); } @@ -11896,6 +11901,7 @@ qemuDomainStorageSourceAccessRevoke(virQEMUDriverPt= r driver, * @elem: source structure to set access for * @readonly: setup read-only access if true * @newSource: @elem describes a storage source which @vm can't access yet + * @topparent: @elem is top parent of backing chain * * Allow a VM access to a single element of a disk backing chain; this hel= per * ensures that the lock manager, cgroup device controller, and security m= anager 
@@ -11903,13 +11909,20 @@ qemuDomainStorageSourceAccessRevoke(virQEMUDriver= Ptr driver, * * When modifying permissions of @elem which @vm can already access (is in= the * backing chain) @newSource needs to be set to false. + * + * The @topparent flag must be set if the @elem image is the topmost image= of a + * given backing chain or meant to become the topmost image (for e.g. + * snapshots, or blockcopy or even in the end for active layer block commi= t, + * where we discard the top of the backing chain so one of the intermediat= es + * (the base) becomes the top of the chain). */ int qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr driver, virDomainObjPtr vm, virStorageSourcePtr elem, bool readonly, - bool newSource) + bool newSource, + bool topparent) { qemuDomainStorageSourceAccessFlags flags =3D QEMU_DOMAIN_STORAGE_SOURC= E_ACCESS_SKIP_REVOKE; =20 @@ -11921,6 +11934,9 @@ qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr= driver, if (!newSource) flags |=3D QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_MODIFY_ACCESS; =20 + if (topparent) + flags |=3D QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_CHAIN_TOP; + return qemuDomainStorageSourceAccessModify(driver, vm, elem, flags); } =20 diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index 476056c73f..8c031abf82 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -896,7 +896,8 @@ int qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr= driver, virDomainObjPtr vm, virStorageSourcePtr elem, bool readonly, - bool newSource); + bool newSource, + bool topparent); =20 int qemuDomainPrepareStorageSourceBlockdev(virDomainDiskDefPtr disk, virStorageSourcePtr src, diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 3707448f49..b392ba25a6 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c 
@@ -15142,7 +15142,8 @@ qemuDomainSnapshotDiskPrepareOne(virQEMUDriverPtr d= river, } =20 /* set correct security, cgroup and locking options on the new image */ - if (qemuDomainStorageSourceAccessAllow(driver, vm, dd->src, false, tru= e) < 0) + if (qemuDomainStorageSourceAccessAllow(driver, vm, dd->src, + false, true, true) < 0) return -1; =20 dd->prepared =3D true; @@ -18490,11 +18491,19 @@ qemuDomainBlockCommit(virDomainPtr dom, * operation succeeds, but doing that requires tracking the * operation in XML across libvirtd restarts. */ clean_access =3D true; - if (qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, false, = false) < 0 || - (top_parent && top_parent !=3D disk->src && - qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, false,= false) < 0)) + if (qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, + false, false, false) < 0) goto endjob; =20 + if (top_parent && top_parent !=3D disk->src) { + /* While top_parent is topmost image, we don't need to remember its + * owner as it will be overwritten upon finishing the commit. Henc= e, + * pass topparent =3D false. */ + if (qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, + false, false, false) < 0) + goto endjob; + } + if (!(job =3D qemuBlockJobDiskNewCommit(vm, disk, top_parent, topSourc= e, baseSource, flags & VIR_DOMAIN_BLOCK_COMMIT_= DELETE, @@ -18552,9 +18561,11 @@ qemuDomainBlockCommit(virDomainPtr dom, virErrorPtr orig_err; virErrorPreserveLast(&orig_err); /* Revert access to read-only, if possible. */ - qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, true, f= alse); + qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, + true, false, false); if (top_parent && top_parent !=3D disk->src) - qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, tru= e, false); + qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, + true, false, false); =20 virErrorRestore(&orig_err); } 
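Review bot: The error-path revert here passes `false` as topparent for `top_parent`, and the setup earlier in qemuDomainBlockCommit() does the same with a comment explaining why, but the completion handler in qemu_blockjob.c passes `true` for `job->data.commit.topparent` under the same `!= disk->src` guard. Either the two read-only reverts should agree, or qemuBlockJobProcessEventCompletedCommit() needs a comment like the one added above to say why remembering is wanted only on the success path. The new comment also calls top_parent the "topmost image" inside a branch taken only when it differs from `disk->src`, which reads as contradictory and should be reworded.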
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index bec822a2ae..499d39a920 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -7856,7 +7856,7 @@ qemuProcessRefreshLegacyBlockjob(void *payload, (qemuDomainNamespaceSetupDisk(vm, disk->mirror) < 0 || qemuSetupImageChainCgroup(vm, disk->mirror) < 0 || qemuSecuritySetImageLabel(priv->driver, vm, disk->mirror, - true) < 0)) + true, true) < 0)) goto cleanup; } } diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c index 2aa2b5b9c6..8660f70305 100644 --- a/src/qemu/qemu_security.c +++ b/src/qemu/qemu_security.c @@ -98,7 +98,8 @@ int qemuSecuritySetImageLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virStorageSourcePtr src, - bool backingChain) + bool backingChain, + bool topparent) { qemuDomainObjPrivatePtr priv =3D vm->privateData; pid_t pid =3D -1; @@ -108,6 +109,9 @@ qemuSecuritySetImageLabel(virQEMUDriverPtr driver, if (backingChain) labelFlags |=3D VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN; =20 + if (topparent) + labelFlags |=3D VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP; + if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid =3D vm->pid; =20 diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h index a8c648ece1..90ff660257 100644 --- a/src/qemu/qemu_security.h +++ b/src/qemu/qemu_security.h @@ -36,7 +36,8 @@ void qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver, int qemuSecuritySetImageLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virStorageSourcePtr src, - bool backingChain); + bool backingChain, + bool topparent); =20 int qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, --=20 2.24.1
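Review bot: qemuSecuritySetImageLabel() now takes two adjacent bools and qemuDomainStorageSourceAccessAllow() three, so call sites read `true, true` or `false, true, true` and a swapped argument compiles silently. Since both functions convert the bools straight into flag bits, consider exposing the flags to callers, or at least annotating the literals at each call site. Separately, the qemu_process.c hunk passes `true` for `disk->mirror` without a comment; a note that the mirror is meant to become the chain top, as the qemuDomainStorageSourceAccessAllow() documentation describes for blockcopy, would help the next reader.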