[libvirt] [PATCH] Follow up fix of commit a58e1cb4

Cedric Bosdonnat cbosdonnat at suse.com
Mon Feb 9 09:56:52 UTC 2015


Hi Jan,

On Mon, 2015-02-09 at 10:04 +0100, Ján Tomko wrote:
> On Fri, Feb 06, 2015 at 02:28:15PM +0100, Cédric Bosdonnat wrote:
> > commit a58e1cb4 didn't fix the bug if the security_default_confined is
> > not set to 1. We now clean up even if there is no seclabel defined or
> > the default one.
> > ---
> >  src/lxc/lxc_process.c | 8 +++++++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> > 
> 
> The commit summary is too vague, it would look better to me
> describing what the commit does, e.g.:
> Clear dynamic seclabels on LXCProcessStart failure
> 
> ACK if you use a more specific commit summary.

Pushed with your summary. Thanks for the review.

--
Cedric

> Jan
> 
> > diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
> > index b385423..19ea7f3 100644
> > --- a/src/lxc/lxc_process.c
> > +++ b/src/lxc/lxc_process.c
> > @@ -1022,6 +1022,7 @@ int virLXCProcessStart(virConnectPtr conn,
> >      virCgroupPtr selfcgroup;
> >      int status;
> >      char *pidfile = NULL;
> > +    bool clearSeclabel = false;
> >  
> >      if (virCgroupNewSelf(&selfcgroup) < 0)
> >          return -1;
> > @@ -1126,6 +1127,10 @@ int virLXCProcessStart(virConnectPtr conn,
> >      /* If you are using a SecurityDriver with dynamic labelling,
> >         then generate a security label for isolation */
> >      VIR_DEBUG("Generating domain security label (if required)");
> > +
> > +    clearSeclabel = vm->def->nseclabels == 0 ||
> > +                    vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT;
> > +
> >      if (vm->def->nseclabels &&
> >          vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT)
> >          vm->def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE;
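Review bot: the `clearSeclabel` assignment is only correct because it runs before the `VIR_DOMAIN_SECLABEL_DEFAULT` to `VIR_DOMAIN_SECLABEL_NONE` rewrite immediately below it, and nothing in the code says so. Add a short comment that the flag records the state before label generation (no seclabel, or the default one) for use in the cleanup path, so that a later reordering of these two statements does not silently leave it false for the default case. The `seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT` test is also now written twice in consecutive statements; evaluating it once and reusing the result would keep the two from drifting apart.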
> > @@ -1387,7 +1392,8 @@ int virLXCProcessStart(virConnectPtr conn,
> >          virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
> >          /* Clear out dynamically assigned labels */
> >          if (vm->def->nseclabels &&
> > -            vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
> > +            (vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC ||
> > +            clearSeclabel)) {
> >              VIR_FREE(vm->def->seclabels[0]->model);
> >              VIR_FREE(vm->def->seclabels[0]->label);
> >              VIR_FREE(vm->def->seclabels[0]->imagelabel);
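Review bot: in the cleanup condition the continuation line `clearSeclabel)) {` is indented one column short; it should line up with `vm->def->seclabels[0]->type` inside the opening parenthesis rather than with the parenthesis itself. On the logic: when `clearSeclabel` was set because `nseclabels == 0`, this branch still requires `vm->def->nseclabels` to be non-zero by the time cleanup runs, and the visible lines free only `model`, `label` and `imagelabel`. A comment stating whether the seclabel entry itself, and a type that was rewritten from DEFAULT to NONE earlier in the function, are meant to remain on the definition after a failed start would make the intent checkable.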
> > -- 
> > 2.1.4




