[PATCH v5 10/11] storage_source: Add field for skipping seclabel remembering

Peter Krempa posted 11 patches 2 months, 2 weeks ago
There is a newer version of this series
[PATCH v5 10/11] storage_source: Add field for skipping seclabel remembering
Posted by Peter Krempa 2 months, 2 weeks ago
In case of incoming migration where a local directory is shared with other
hosts we'll need to avoid seclabel remembering, as the code would otherwise
remember the seclabel that already allows access to the image.

As the decision requires a lot of information not available in the
security driver it would either require plumbing in unpleasant callbacks
able to pass in the data or alternatively we can mark this in the
'virStorageSource' struct.

This patch chose to do the latter approach by adding a field called
'seclabelSkipRemeber' which will be filled before starting the process
in cases when it will be required.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 src/conf/storage_source_conf.c  | 3 +++
 src/conf/storage_source_conf.h  | 9 +++++++++
 src/security/security_dac.c     | 3 +++
 src/security/security_selinux.c | 3 +++
 4 files changed, 18 insertions(+)

diff --git a/src/conf/storage_source_conf.c b/src/conf/storage_source_conf.c
index 908bc5fab2..3cbed8188f 100644
--- a/src/conf/storage_source_conf.c
+++ b/src/conf/storage_source_conf.c
@@ -820,6 +820,9 @@ virStorageSourceCopy(const virStorageSource *src,
     /* storage driver metadata are not copied */
     def->drv = NULL;

+    /* flag to avoid seclabel rember is not copied */
+    def->seclabelSkipRemeber = false;
+
     def->path = g_strdup(src->path);
     def->fdgroup = g_strdup(src->fdgroup);
     def->volume = g_strdup(src->volume);
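Review bot: The new field is spelled `seclabelSkipRemeber` (missing an 'm') here and in the storage_source_conf.h, security_dac.c and security_selinux.c hunks. The name becomes part of the struct that both security drivers read, so it is worth fixing to `seclabelSkipRemember` before more callers pick it up. The added comment has the same slip ('rember') and could say why the reset matters, e.g. `/* the flag to skip seclabel remembering is set per use by the caller and is never copied */`. virStorageSourceCopy starts and ends outside the hunk.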
diff --git a/src/conf/storage_source_conf.h b/src/conf/storage_source_conf.h
index 05b4bda16c..96dedc63b5 100644
--- a/src/conf/storage_source_conf.h
+++ b/src/conf/storage_source_conf.h
@@ -431,6 +431,15 @@ struct _virStorageSource {
     bool thresholdEventWithIndex;

     virStorageSourceFDTuple *fdtuple;
+
+    /* Setting 'seclabelSkipRemeber' to true will cause the security driver to
+     * not remembe the security label even if it otherwise were to be
+     * remembered. This is needed in cases such as incoming migration for
+     * shared images where the existing security label may no longer be the
+     * correct. The security driver otherwise doesn't have enough information
+     * to do this decision.
+     */
+    bool seclabelSkipRemeber;
 };

 G_DEFINE_AUTOPTR_CLEANUP_FUNC(virStorageSource, virObjectUnref);
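Review bot: The field comment does not say who sets the flag or when it is cleared again. The flag turns off label remembering in both security drivers, so a value left at true after the migration case would silently skip remembering on any later relabel of the same source; whether anything resets it is not visible in this patch. I would add a sentence such as `The caller sets this before starting the process and resets it once the labels have been applied.`, adjusted to the actual lifetime. The same comment also needs 'not remembe' and 'be the correct' fixed.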
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index c327e4c9e0..2386d652df 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -940,6 +940,9 @@ virSecurityDACSetImageLabelInternal(virSecurityManager *mgr,
      */
     remember = isChainTop && !src->readonly && !src->shared;

+    if (src->seclabelSkipRemeber)
+        remember = false;
+
     return virSecurityDACSetOwnership(mgr, src, NULL, user, group, remember);
 }
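Review bot: Skipping the remember step here leaves nothing recorded for the matching restore, and the restore path is not part of this patch. Please confirm what ownership the image ends up with on teardown when no label was remembered, and state it in the comment block above `remember = ...`, which presumably does not yet mention the new condition. The override could also be folded into that expression: `remember = isChainTop && !src->readonly && !src->shared && !src->seclabelSkipRemeber;`. The function body starts outside the hunk.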

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 158f40fed9..0f19e6ac63 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1992,6 +1992,9 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr,

         ret = virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0], use_label);
     } else {
+        if (src->seclabelSkipRemeber)
+            remember = false;
+
         ret = virSecuritySELinuxSetFilecon(mgr, path, use_label, remember);
     }
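Review bot: The override sits inside the `else` branch, whereas the DAC driver applies it directly after `remember` is computed. The fdtuple branch visible here does not pass `remember`, so the result looks the same today, but any later use of `remember` in this function (not visible in the hunk) would see a different value depending on the branch taken. Moving `if (src->seclabelSkipRemeber) remember = false;` next to where `remember` is assigned would keep the two drivers parallel. The function starts and ends outside the hunk.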

-- 
2.45.2