[PATCH 2/3] security: Introduce virSecurityManagerDomainSetIncomingPathLabel
Erik Skultety
eskultet at redhat.com
Fri Apr 17 10:57:12 UTC 2020
On Fri, Apr 03, 2020 at 05:58:02PM +0200, Michal Privoznik wrote:
> This API allows drivers to separate out handling of @stdin_path
> of virSecurityManagerSetAllLabel(). The thing is, the QEMU driver
> uses transactions for virSecurityManagerSetAllLabel() which
> relabels devices from inside of domain's namespace. This is what
> we usually want. Except when resuming domain from a file. The
> file is opened before any namespace is set up and the FD is
> passed to QEMU to read the migration stream from. Because of
> this, the file lives outside of the namespace and if it so
> happens that the file is a block device (i.e. it lives under
> /dev) its copy will be created in the namespace. But the FD that
> is passed to QEMU points to the original living in the host and
> not in the namespace. So relabeling the file inside the namespace
> helps nothing.
>
> But if we have a separate API for relabeling the restore file
> then the QEMU driver can continue calling
> virSecurityManagerSetAllLabel() with transactions enabled and
> call this new API without transactions.
>
> We already have an API for relabeling a single file
> (virSecurityManagerDomainSetPathLabel()) but in case of SELinux
> it uses @imagelabel (which allows RW access) and we want to use
> @content_context (which allows RO access).
Since this patch is only adding a generic driver API rather than a specific
security backend API, I'd move ^this last paragraph to the next patch, I
actually appreciated the info there much more than here during the review.
>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
> src/libvirt_private.syms | 1 +
> src/security/security_driver.h | 4 ++++
> src/security/security_manager.c | 29 +++++++++++++++++++++++++++++
> src/security/security_manager.h | 4 ++++
> src/security/security_stack.c | 21 +++++++++++++++++++++
> 5 files changed, 59 insertions(+)
>
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index e276f55bb1..2c63f37fc2 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -1523,6 +1523,7 @@ virSecurityDriverLookup;
> # security/security_manager.h
> virSecurityManagerCheckAllLabel;
> virSecurityManagerClearSocketLabel;
> +virSecurityManagerDomainSetIncomingPathLabel;
IncomingPath sounds a bit confusing to me, I'd go with something like HostPath
instead, in patch 3/3 you also have an explicit commentary why we're using the
respective backend API for this rather than simply using SetPathLabel.
> virSecurityManagerDomainSetPathLabel;
> virSecurityManagerGenLabel;
> virSecurityManagerGetBaseLabel;
> diff --git a/src/security/security_driver.h b/src/security/security_driver.h
> index 3353955813..6cbe8613c9 100644
> --- a/src/security/security_driver.h
> +++ b/src/security/security_driver.h
> @@ -140,6 +140,9 @@ typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr,
> virDomainDefPtr def,
> const char *path,
> bool allowSubtree);
> +typedef int (*virSecurityDomainSetIncomingPathLabel) (virSecurityManagerPtr mgr,
> + virDomainDefPtr def,
> + const char *path);
> typedef int (*virSecurityDomainSetChardevLabel) (virSecurityManagerPtr mgr,
> virDomainDefPtr def,
> virDomainChrSourceDefPtr dev_source,
> @@ -211,6 +214,7 @@ struct _virSecurityDriver {
> virSecurityDriverGetBaseLabel getBaseLabel;
>
> virSecurityDomainSetPathLabel domainSetPathLabel;
> + virSecurityDomainSetIncomingPathLabel domainSetIncomingPathLabel;
>
> virSecurityDomainSetChardevLabel domainSetSecurityChardevLabel;
> virSecurityDomainRestoreChardevLabel domainRestoreSecurityChardevLabel;
> diff --git a/src/security/security_manager.c b/src/security/security_manager.c
> index fe032746ff..a76b953ee4 100644
> --- a/src/security/security_manager.c
> +++ b/src/security/security_manager.c
> @@ -1077,6 +1077,35 @@ virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr,
> }
>
>
> +/**
> + * virSecurityManagerDomainSetIncomingPathLabel:
> + * @mgr: security manager object
> + * @vm: domain definition object
> + * @path: path to label
> + *
> + * This function relabels given @path so that @vm can restore for
maybe add "host" @path here to make it even clearer.
> + * it. This allows the driver backend to use different label than
> + * virSecurityManagerDomainSetPathLabel().
> + *
> + * Returns: 0 on success, -1 on error.
> + */
> +int
> +virSecurityManagerDomainSetIncomingPathLabel(virSecurityManagerPtr mgr,
> + virDomainDefPtr vm,
> + const char *path)
> +{
> + if (mgr->drv->domainSetIncomingPathLabel) {
> + int ret;
> + virObjectLock(mgr);
> + ret = mgr->drv->domainSetIncomingPathLabel(mgr, vm, path);
> + virObjectUnlock(mgr);
> + return ret;
> + }
> +
> + return 0;
> +}
Looks good and works:
Reviewed-by: Erik Skultety <eskultet at redhat.com>
More information about the libvir-list
mailing list