[PATCH v2 1/2] security: Introduce VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP flag

Peter Krempa pkrempa at redhat.com
Mon Mar 9 08:51:55 UTC 2020


On Mon, Mar 09, 2020 at 09:29:42 +0100, Michal Privoznik wrote:
> Our decision whether to remember seclabel for a disk image
> depends on a few factors. If the image is readonly or shared or
> not the chain top the remembering is suppressed for the image.
> However, the virSecurityManagerSetImageLabel() is too low level
> to determine whether passed @src is chain top or not. Even though
> the function has the @parent argument it does not necessarily
> reflect the chain top - it only points to the top level image in
> the chain we want to relabel and not to the topmost image of the
> whole chain. And this can't be derived from the passed domain
> definition reliably neither - in some cases (like snapshots or
> block copy) the @src is added to the definition only after the
> operation succeeded. Therefore, introduce a flag which callers
> can use to help us with the decision.
> 
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
>  src/security/security_dac.c     | 15 ++++++++++-----
>  src/security/security_manager.h |  4 ++++
>  src/security/security_selinux.c | 17 +++++++++++------
>  3 files changed, 25 insertions(+), 11 deletions(-)
> 
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index f412054d0e..34da07fc9f 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -889,14 +889,14 @@ static int
>  virSecurityDACSetImageLabelInternal(virSecurityManagerPtr mgr,
>                                      virDomainDefPtr def,
>                                      virStorageSourcePtr src,
> -                                    virStorageSourcePtr parent)
> +                                    virStorageSourcePtr parent,
> +                                    bool is_topparent)

The variable name is still confusing. Since it's the point of first
contact with the code, you should change that one as well.

I'm sorry I didn't point this out explicitly in my previous review, but
I wanted both the flag name and the variable names changed. Especially
since they are the same except for being lowercase.

Also please fix all the functions, not just this one.




More information about the libvir-list mailing list