[libvirt] [PATCH] qemu: Log error if domain uses security driver which is not loaded
jtomko at redhat.com
Thu May 21 10:21:51 UTC 2015
On Tue, May 05, 2015 at 03:09:12PM +0200, Martin Kletzander wrote:
> On Tue, May 05, 2015 at 02:14:24PM +0200, Erik Skultety wrote:
> >When starting a domain, if we find out domain requests security drivers
> >we do not have loaded, we fail. However we don't check for this during
> >reconnect, so any operation relying on security driver functionality would fail.
> >If someone e.g. starts a domain with selinux driver loaded, then they turn off
> >the security driver in config, restart the daemon and call dump/save/..,
> >QEMU returns an error.
> >As we shouldn't kill the domain, we should at least log an error to let the
> >user know that domain reconnect wasn't completely clean.
> > src/qemu/qemu_process.c | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
> >index 56719eb..8da79e5 100644
> >--- a/src/qemu/qemu_process.c
> >+++ b/src/qemu/qemu_process.c
> >@@ -3747,6 +3747,12 @@ qemuProcessReconnect(void *opaque)
> > if ((qemuDomainAssignAddresses(obj->def, priv->qemuCaps, obj)) < 0)
> > goto error;
> >+ /* if domain requests security driver we haven't loaded, report error, but
> >+ * do not kill the domain
> >+ */
> >+ ignore_value(virSecurityManagerCheckAllLabel(driver->securityManager,
> >+ obj->def));
> Shouldn't you reset any possible error after that?
Why? It's already logged and nobody will ever look at it after this
function (called in a separate thread) ends.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: Digital signature
More information about the libvir-list