[libvirt] [PATCH 2/2] qemu: Don't overwrite security labels
Michal Privoznik
mprivozn at redhat.com
Tue Jun 12 09:18:30 UTC 2012
On 11.06.2012 18:54, Eric Blake wrote:
> On 06/11/2012 08:29 AM, Michal Privoznik wrote:
>> Currently, if qemuProcessStart fail at some point, e.g. because
>> domain being started wants a PCI/USB device already assigned to
>> a different domain, we jump to cleanup label where qemuProcessStop
>> is performed. This unconditionally calls virSecurityManagerRestoreAllLabel
>> which is wrong because the other domain is still using those devices.
>>
>> However, once we successfully label all devices/paths in
>> qemuProcessStart() from that point on, we have to perform a rollback
>> on failure - that is - we have to virSecurityManagerRestoreAllLabel.
>> ---
>> src/qemu/qemu_process.c | 12 ++++++++----
>> src/qemu/qemu_process.h | 3 ++-
>> 2 files changed, 10 insertions(+), 5 deletions(-)
>
> Double-negative logic. But I guess we're stuck with it, as the default
> of 'flags==0' must imply the relabel.
>
>> @@ -3984,9 +3987,10 @@ void qemuProcessStop(struct qemud_driver *driver,
>> }
>>
>> /* Reset Security Labels */
>> - virSecurityManagerRestoreAllLabel(driver->securityManager,
>> - vm->def,
>> - flags & VIR_QEMU_PROCESS_STOP_MIGRATED);
>> + if (!(flags & VIR_QEMU_PROCESS_STOP_NO_RELABEL))
>
> Took me a couple reads to convince myself that I couldn't come up with
> any nicer wording of this condition without breaking defaults.
>
> ACK.
>
Yeah, it is quite confusing, therefore I am squashing in some comments
before pushing:
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 0309bfb..5f3aa99 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -3281,7 +3281,7 @@ int qemuProcessStart(virConnectPtr conn,
int i;
char *nodeset = NULL;
char *nodemask = NULL;
- unsigned int stop_flags = VIR_QEMU_PROCESS_STOP_NO_RELABEL;
+ unsigned int stop_flags;
/* Okay, these are just internal flags,
* but doesn't hurt to check */
@@ -3289,6 +3289,12 @@ int qemuProcessStart(virConnectPtr conn,
VIR_QEMU_PROCESS_START_PAUSED |
VIR_QEMU_PROCESS_START_AUTODESROY, -1);
+ /* From now on until domain security labeling is done:
+ * if any operation fails and we goto cleanup, we must not
+ * restore any security label as we would overwrite labels
+ * we did not set. */
+ stop_flags = VIR_QEMU_PROCESS_STOP_NO_RELABEL;
+
hookData.conn = conn;
hookData.vm = vm;
hookData.driver = driver;
@@ -3632,6 +3638,10 @@ int qemuProcessStart(virConnectPtr conn,
vm->def, stdin_path) < 0)
goto cleanup;
+ /* Security manager labeled all devices, therefore
+ * if any operation from now on fails and we goto cleanup,
+ * where virSecurityManagerRestoreAllLabel() is called
+ * (hidden under qemuProcessStop) we need to restore labels. */
stop_flags &= ~VIR_QEMU_PROCESS_STOP_NO_RELABEL;
if (stdin_fd != -1) {
@@ -3986,7 +3996,7 @@ void qemuProcessStop(struct qemud_driver *driver,
VIR_FREE(xml);
}
- /* Reset Security Labels */
+ /* Reset Security Labels unless caller don't want us to */
if (!(flags & VIR_QEMU_PROCESS_STOP_NO_RELABEL))
virSecurityManagerRestoreAllLabel(driver->securityManager,
vm->def,
---
And pushed now. Thanks for review!
Michal
More information about the libvir-list
mailing list