[PATCH 1/7] security: Reintroduce virSecurityManager{Set, Restore}SavedStateLabel
Michal Privoznik
mprivozn at redhat.com
Wed Jul 1 16:15:01 UTC 2020
These APIs were removed/renamed in v6.5.0-rc1~142 and v6.5.0-rc1~141
because they deemed unused. And if it wasn't for the RFE [1] things
would stay that way.
The RFE asks for us to not change DAC ownership on the file a domain is
restoring from. We have been doing that for ages (if not forever),
nevertheless it's annoying because if the restore file is on an NFS
remembering owner won't help - NFS doesn't support XATTRs yet. But more
importantly, there is no need for us to chown() the file because when
restoring the domain the file is opened and the FD is then passed to
QEMU. Therefore, we really need only to set SELinux and AppArmor.
This reverts bd22eec903976c5c51b1d00e335c315699e5acd6.
This partially reverts 4ccbd207f213066c000f43eb544eb00ec745023b.
The difference to the original code is that secdrivers are now
not required to provide dummy implementation to avoid
virReportUnsupportedError(). The callback is run if it exists, if
it doesn't zero is returned without any error.
1: https://bugzilla.redhat.com/show_bug.cgi?id=1851016
Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
---
src/libvirt_private.syms | 2 ++
src/security/security_driver.h | 9 ++++++
src/security/security_manager.c | 34 ++++++++++++++++++++++
src/security/security_manager.h | 6 ++++
src/security/security_stack.c | 51 +++++++++++++++++++++++++++++++++
5 files changed, 102 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index ae0e253ab9..8712213f40 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1560,6 +1560,7 @@ virSecurityManagerRestoreHostdevLabel;
virSecurityManagerRestoreImageLabel;
virSecurityManagerRestoreInputLabel;
virSecurityManagerRestoreMemoryLabel;
+virSecurityManagerRestoreSavedStateLabel;
virSecurityManagerRestoreTPMLabels;
virSecurityManagerSetAllLabel;
virSecurityManagerSetChardevLabel;
@@ -1571,6 +1572,7 @@ virSecurityManagerSetImageLabel;
virSecurityManagerSetInputLabel;
virSecurityManagerSetMemoryLabel;
virSecurityManagerSetProcessLabel;
+virSecurityManagerSetSavedStateLabel;
virSecurityManagerSetSocketLabel;
virSecurityManagerSetTapFDLabel;
virSecurityManagerSetTPMLabels;
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index bfff789552..f0ba77032d 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -67,6 +67,12 @@ typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainHostdevDefPtr dev,
const char *vroot);
+typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ const char *savefile);
+typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ const char *savefile);
typedef int (*virSecurityDomainGenLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr sec);
typedef int (*virSecurityDomainReserveLabel) (virSecurityManagerPtr mgr,
@@ -200,6 +206,9 @@ struct _virSecurityDriver {
virSecurityDomainSetHostdevLabel domainSetSecurityHostdevLabel;
virSecurityDomainRestoreHostdevLabel domainRestoreSecurityHostdevLabel;
+ virSecurityDomainSetSavedStateLabel domainSetSavedStateLabel;
+ virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;
+
virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
virSecurityDomainSetTapFDLabel domainSetSecurityTapFDLabel;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index ad1938caeb..c073d8cc0d 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -596,6 +596,40 @@ virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
}
+int
+virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ const char *savefile)
+{
+ if (mgr->drv->domainSetSavedStateLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainSetSavedStateLabel(mgr, vm, savefile);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ return 0;
+}
+
+
+int
+virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ const char *savefile)
+{
+ if (mgr->drv->domainRestoreSavedStateLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainRestoreSavedStateLabel(mgr, vm, savefile);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ return 0;
+}
+
+
int
virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm)
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 999752ce09..277151848e 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -104,6 +104,12 @@ int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virDomainHostdevDefPtr dev,
const char *vroot);
+int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ const char *savefile);
+int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ const char *savefile);
int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
virDomainDefPtr sec);
int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 379c9302bc..624431d4ef 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -394,6 +394,54 @@ virSecurityStackRestoreAllLabel(virSecurityManagerPtr mgr,
}
+static int
+virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ const char *savefile)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerSetSavedStateLabel(item->securityManager, vm, savefile) < 0)
+ goto rollback;
+ }
+
+ return 0;
+
+ rollback:
+ for (item = item->prev; item; item = item->prev) {
+ if (virSecurityManagerRestoreSavedStateLabel(item->securityManager,
+ vm,
+ savefile) < 0) {
+ VIR_WARN("Unable to restore saved state label after failed set "
+ "label call virDriver=%s driver=%s savefile=%s",
+ virSecurityManagerGetVirtDriver(mgr),
+ virSecurityManagerGetDriver(item->securityManager),
+ savefile);
+ }
+ }
+ return -1;
+}
+
+
+static int
+virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ const char *savefile)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+ int rc = 0;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerRestoreSavedStateLabel(item->securityManager, vm, savefile) < 0)
+ rc = -1;
+ }
+
+ return rc;
+}
+
static int
virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm)
@@ -964,6 +1012,9 @@ virSecurityDriver virSecurityDriverStack = {
.domainSetSecurityHostdevLabel = virSecurityStackSetHostdevLabel,
.domainRestoreSecurityHostdevLabel = virSecurityStackRestoreHostdevLabel,
+ .domainSetSavedStateLabel = virSecurityStackSetSavedStateLabel,
+ .domainRestoreSavedStateLabel = virSecurityStackRestoreSavedStateLabel,
+
.domainSetSecurityImageFDLabel = virSecurityStackSetImageFDLabel,
.domainSetSecurityTapFDLabel = virSecurityStackSetTapFDLabel,
--
2.26.2
More information about the libvir-list
mailing list