[libvirt] [PATCH] qemu: Log error if domain uses security driver which is not loaded

Martin Kletzander mkletzan at redhat.com
Tue May 5 13:09:12 UTC 2015

On Tue, May 05, 2015 at 02:14:24PM +0200, Erik Skultety wrote:
>When starting a domain, if we find out domain requests security drivers
>we do not have loaded, we fail. However we don't check for this during
>reconnect, so any operation relying on security driver functionality would fail.
>If someone e.g. starts a domain with selinux driver loaded, then they turn off
>the security driver in config, restart the daemon and call dump/save/..,
>QEMU returns an error.
>As we shouldn't kill the domain, we should at least log an error to let the
>user know that domain reconnect wasn't completely clean.
> src/qemu/qemu_process.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
>index 56719eb..8da79e5 100644
>--- a/src/qemu/qemu_process.c
>+++ b/src/qemu/qemu_process.c
>@@ -3747,6 +3747,12 @@ qemuProcessReconnect(void *opaque)
>         if ((qemuDomainAssignAddresses(obj->def, priv->qemuCaps, obj)) < 0)
>             goto error;
>+    /* if domain requests security driver we haven't loaded, report error, but
>+     * do not kill the domain
>+     */
>+    ignore_value(virSecurityManagerCheckAllLabel(driver->securityManager,
>+                                                 obj->def));

Shouldn't you reset any possible error after that?

>     if (virSecurityManagerReserveLabel(driver->securityManager, obj->def, obj->pid) < 0)
>         goto error;
>libvir-list mailing list
>libvir-list at redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20150505/c8ed5521/attachment-0001.sig>

More information about the libvir-list mailing list