[libvirt] [PATCH 04/10] qemuSecurityRestoreAllLabel: Don't use transactions
Martin Kletzander
mkletzan at redhat.com
Thu Feb 2 14:16:04 UTC 2017
On Fri, Jan 20, 2017 at 10:42:44AM +0100, Michal Privoznik wrote:
>Because of the nature of security driver transactions, it is
>impossible to use them properly. The thing is, transactions enter
>the domain namespace and commit all the seclabel changes.
>However, in RestoreAllLabel() this is impossible - the qemu
>process, the only process running in the namespace, is gone. And
>thus is the namespace. Therefore we shouldn't use the transactions
>as there is no namespace to enter.
>
>Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>---
> src/qemu/qemu_security.c | 25 +++++++++----------------
> 1 file changed, 9 insertions(+), 16 deletions(-)
>
ACK, no need to duplicate the same information in the commit message and
the comment below IMHO.
>diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
>index 544feeb4a..13d99cdbd 100644
>--- a/src/qemu/qemu_security.c
>+++ b/src/qemu/qemu_security.c
>@@ -73,22 +73,15 @@ qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver,
> virDomainObjPtr vm,
> bool migrated)
> {
>- if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
>- virSecurityManagerTransactionStart(driver->securityManager) < 0)
>- goto cleanup;
>-
>- if (virSecurityManagerRestoreAllLabel(driver->securityManager,
>- vm->def,
>- migrated) < 0)
>- goto cleanup;
>-
>- if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
>- virSecurityManagerTransactionCommit(driver->securityManager,
>- vm->pid) < 0)
>- goto cleanup;
>-
>- cleanup:
>- virSecurityManagerTransactionAbort(driver->securityManager);
>+ /* In contrast to qemuSecuritySetAllLabel, do not use
>+ * secdriver transactions here. This function is called from
>+ * qemuProcessStop() which is meant to do cleanup after qemu
>+ * process died. If it did do, the namespace is gone as qemu
>+ * was the only process running there. We would not succeed
>+ * in entering the namespace then. */
>+ virSecurityManagerRestoreAllLabel(driver->securityManager,
>+ vm->def,
>+ migrated);
> }
>
>
>--
>2.11.0
>
>--
>libvir-list mailing list
>libvir-list at redhat.com
>https://www.redhat.com/mailman/listinfo/libvir-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20170202/ede11ae4/attachment-0001.sig>
More information about the libvir-list
mailing list