/*
* qemu_security.c: QEMU security management
*
* Copyright (C) 2016 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include "qemu_domain.h"
#include "qemu_namespace.h"
#include "qemu_security.h"
#include "virlog.h"
#define VIR_FROM_THIS VIR_FROM_QEMU
VIR_LOG_INIT("qemu.qemu_security");
/*
 * qemuSecuritySetAllLabel:
 *
 * Apply every security label of @vm inside one security manager
 * transaction: start, virSecurityManagerSetAllLabel(), commit.
 *
 * Returns 0 when all three steps succeed, -1 as soon as one of them fails.
 */
int
qemuSecuritySetAllLabel(virQEMUDriver *driver,
                        virDomainObj *vm,
                        const char *incomingPath,
                        bool migrated)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* The commit is handed the QEMU pid only when the domain has its own
     * mount namespace; otherwise it is handed -1. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;

    /* && short-circuits, so the order start -> label -> commit is kept and
     * a failing step keeps the later ones from running. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerSetAllLabel(driver->securityManager,
                                      cfg->sharedFilesystems,
                                      vm->def,
                                      incomingPath,
                                      priv->chardevStdioLogd,
                                      migrated) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecurityRestoreAllLabel:
 *
 * Best-effort restore of all security labels of @vm. Nothing is returned:
 * the result of virSecurityManagerRestoreAllLabel() is not checked and a
 * failed commit is only logged with VIR_WARN.
 */
void
qemuSecurityRestoreAllLabel(virQEMUDriver *driver,
                            virDomainObj *vm,
                            bool migrated)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    bool inTransaction;

    /* Unlike qemuSecuritySetAllLabel, vm->pid is deliberately not used
     * here. The caller is qemuProcessStop(), which cleans up after the
     * qemu process has died. qemu was the only process running in the
     * domain's namespace, so that namespace is gone and entering it
     * would not succeed. */
    inTransaction = virSecurityManagerTransactionStart(driver->securityManager,
                                                       cfg->sharedFilesystems) >= 0;

    /* Called even when the transaction could not be started. */
    virSecurityManagerRestoreAllLabel(driver->securityManager,
                                      cfg->sharedFilesystems,
                                      vm->def,
                                      migrated,
                                      priv->chardevStdioLogd);

    /* Only a transaction that was actually started is committed. */
    if (inTransaction) {
        if (virSecurityManagerTransactionCommit(driver->securityManager,
                                                -1, priv->rememberOwner,
                                                false) < 0) {
            VIR_WARN("Unable to run security manager transaction");
        }
    }

    virSecurityManagerTransactionAbort(driver->securityManager);
}
/*
 * qemuSecuritySetImageLabel:
 *
 * Label the storage source @src for @vm inside a security manager
 * transaction. @backingChain and @chainTop are translated into
 * virSecurityDomainImageLabelFlags bits.
 *
 * Returns 0 on success, -1 if the start, label or commit step fails.
 */
int
qemuSecuritySetImageLabel(virQEMUDriver *driver,
                          virDomainObj *vm,
                          virStorageSource *src,
                          bool backingChain,
                          bool chainTop)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;
    virSecurityDomainImageLabelFlags labelFlags =
        (backingChain ? VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN : 0) |
        (chainTop ? VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP : 0);

    /* Short-circuit evaluation preserves start -> label -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerSetImageLabel(driver->securityManager,
                                        cfg->sharedFilesystems,
                                        vm->def, src, labelFlags) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecurityRestoreImageLabel:
 *
 * Restore the label of storage source @src for @vm inside a security
 * manager transaction. @backingChain selects the
 * VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN flag.
 *
 * Returns 0 on success, -1 if the start, restore or commit step fails.
 */
int
qemuSecurityRestoreImageLabel(virQEMUDriver *driver,
                              virDomainObj *vm,
                              virStorageSource *src,
                              bool backingChain)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;
    virSecurityDomainImageLabelFlags labelFlags =
        backingChain ? VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN : 0;

    /* Short-circuit evaluation preserves start -> restore -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerRestoreImageLabel(driver->securityManager,
                                            cfg->sharedFilesystems,
                                            vm->def, src, labelFlags) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecurityMoveImageMetadata:
 *
 * Forward to virSecurityManagerMoveImageMetadata() for @src and @dst.
 * Does nothing and returns 0 when priv->rememberOwner is not set.
 * Unlike the label helpers in this file, no transaction is opened here.
 *
 * Returns 0 when skipped, otherwise whatever
 * virSecurityManagerMoveImageMetadata() returns.
 */
int
qemuSecurityMoveImageMetadata(virQEMUDriver *driver,
                              virDomainObj *vm,
                              virStorageSource *src,
                              virStorageSource *dst)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    pid_t pid;

    if (!priv->rememberOwner)
        return 0;

    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;

    return virSecurityManagerMoveImageMetadata(driver->securityManager,
                                               cfg->sharedFilesystems,
                                               pid, src, dst);
}
/*
 * qemuSecuritySetHostdevLabel:
 *
 * Label host device @hostdev for @vm inside a security manager
 * transaction. NULL is passed as the last argument of
 * virSecurityManagerSetHostdevLabel().
 *
 * Returns 0 on success, -1 if the start, label or commit step fails.
 */
int
qemuSecuritySetHostdevLabel(virQEMUDriver *driver,
                            virDomainObj *vm,
                            virDomainHostdevDef *hostdev)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;

    /* Short-circuit evaluation preserves start -> label -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerSetHostdevLabel(driver->securityManager,
                                          vm->def,
                                          hostdev,
                                          NULL) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecurityRestoreHostdevLabel:
 *
 * Restore the label of host device @hostdev for @vm inside a security
 * manager transaction. NULL is passed as the last argument of
 * virSecurityManagerRestoreHostdevLabel().
 *
 * Returns 0 on success, -1 if the start, restore or commit step fails.
 */
int
qemuSecurityRestoreHostdevLabel(virQEMUDriver *driver,
                                virDomainObj *vm,
                                virDomainHostdevDef *hostdev)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;

    /* Short-circuit evaluation preserves start -> restore -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerRestoreHostdevLabel(driver->securityManager,
                                              vm->def,
                                              hostdev,
                                              NULL) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecuritySetMemoryLabel:
 *
 * Label memory device @mem for @vm inside a security manager transaction.
 *
 * Returns 0 on success, -1 if the start, label or commit step fails.
 */
int
qemuSecuritySetMemoryLabel(virQEMUDriver *driver,
                           virDomainObj *vm,
                           virDomainMemoryDef *mem)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;

    /* Short-circuit evaluation preserves start -> label -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerSetMemoryLabel(driver->securityManager,
                                         vm->def,
                                         mem) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecurityRestoreMemoryLabel:
 *
 * Restore the label of memory device @mem for @vm inside a security
 * manager transaction.
 *
 * Returns 0 on success, -1 if the start, restore or commit step fails.
 */
int
qemuSecurityRestoreMemoryLabel(virQEMUDriver *driver,
                               virDomainObj *vm,
                               virDomainMemoryDef *mem)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;

    /* Short-circuit evaluation preserves start -> restore -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerRestoreMemoryLabel(driver->securityManager,
                                             vm->def,
                                             mem) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecuritySetInputLabel:
 *
 * Label input device @input for @vm inside a security manager
 * transaction. The driver is taken from the domain's private data
 * instead of being passed in.
 *
 * Returns 0 on success, -1 if the start, label or commit step fails.
 */
int
qemuSecuritySetInputLabel(virDomainObj *vm,
                          virDomainInputDef *input)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    virQEMUDriver *driver = priv->driver;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;

    /* Short-circuit evaluation preserves start -> label -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerSetInputLabel(driver->securityManager,
                                        vm->def,
                                        input) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecurityRestoreInputLabel:
 *
 * Restore the label of input device @input for @vm inside a security
 * manager transaction. The driver is taken from the domain's private
 * data instead of being passed in.
 *
 * Returns 0 on success, -1 if the start, restore or commit step fails.
 */
int
qemuSecurityRestoreInputLabel(virDomainObj *vm,
                              virDomainInputDef *input)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    virQEMUDriver *driver = priv->driver;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;

    /* Short-circuit evaluation preserves start -> restore -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerRestoreInputLabel(driver->securityManager,
                                            vm->def,
                                            input) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecuritySetChardevLabel:
 *
 * Label the source of character device @chr for @vm inside a security
 * manager transaction. priv->chardevStdioLogd is forwarded to
 * virSecurityManagerSetChardevLabel().
 *
 * Returns 0 on success, -1 if the start, label or commit step fails.
 */
int
qemuSecuritySetChardevLabel(virQEMUDriver *driver,
                            virDomainObj *vm,
                            virDomainChrDef *chr)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;

    /* Short-circuit evaluation preserves start -> label -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerSetChardevLabel(driver->securityManager,
                                          vm->def,
                                          chr->source,
                                          priv->chardevStdioLogd) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecurityRestoreChardevLabel:
 *
 * Restore the label of the source of character device @chr for @vm
 * inside a security manager transaction. priv->chardevStdioLogd is
 * forwarded to virSecurityManagerRestoreChardevLabel().
 *
 * Returns 0 on success, -1 if the start, restore or commit step fails.
 */
int
qemuSecurityRestoreChardevLabel(virQEMUDriver *driver,
                                virDomainObj *vm,
                                virDomainChrDef *chr)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;

    /* Short-circuit evaluation preserves start -> restore -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerRestoreChardevLabel(driver->securityManager,
                                              vm->def,
                                              chr->source,
                                              priv->chardevStdioLogd) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecuritySetNetdevLabel:
 *
 * Label network device @net for @vm inside a security manager transaction.
 *
 * Returns 0 on success, -1 if the start, label or commit step fails.
 */
int
qemuSecuritySetNetdevLabel(virQEMUDriver *driver,
                           virDomainObj *vm,
                           virDomainNetDef *net)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;

    /* Short-circuit evaluation preserves start -> label -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerSetNetdevLabel(driver->securityManager,
                                         vm->def, net) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecurityRestoreNetdevLabel:
 *
 * Restore the label of network device @net for @vm inside a security
 * manager transaction.
 *
 * Returns 0 on success, -1 if the start, restore or commit step fails.
 */
int
qemuSecurityRestoreNetdevLabel(virQEMUDriver *driver,
                               virDomainObj *vm,
                               virDomainNetDef *net)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;

    /* Short-circuit evaluation preserves start -> restore -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerRestoreNetdevLabel(driver->securityManager,
                                             vm->def, net) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecuritySetTPMLabels:
 *
 * Set the TPM labels of @vm inside a security manager transaction.
 * @setTPMStateLabel is forwarded to virSecurityManagerSetTPMLabels().
 *
 * The commit always receives -1 as pid; the mount namespace check used
 * by other helpers in this file is not made here. @lockMetadataException
 * is passed as the last commit argument.
 *
 * Returns 0 on success, -1 if the start, label or commit step fails.
 */
int
qemuSecuritySetTPMLabels(virQEMUDriver *driver,
                         virDomainObj *vm,
                         bool setTPMStateLabel,
                         bool lockMetadataException)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    int rc = -1;

    /* Short-circuit evaluation preserves start -> label -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerSetTPMLabels(driver->securityManager,
                                       vm->def, setTPMStateLabel) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            -1, priv->rememberOwner,
                                            lockMetadataException) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecurityRestoreTPMLabels:
 *
 * Restore the TPM labels of @vm inside a security manager transaction.
 * @restoreTPMStateLabel is forwarded to
 * virSecurityManagerRestoreTPMLabels().
 *
 * The commit always receives -1 as pid; the mount namespace check used
 * by other helpers in this file is not made here. @lockMetadataException
 * is passed as the last commit argument.
 *
 * Returns 0 on success, -1 if the start, restore or commit step fails.
 */
int
qemuSecurityRestoreTPMLabels(virQEMUDriver *driver,
                             virDomainObj *vm,
                             bool restoreTPMStateLabel,
                             bool lockMetadataException)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    int rc = -1;

    /* Short-circuit evaluation preserves start -> restore -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerRestoreTPMLabels(driver->securityManager,
                                           vm->def, restoreTPMStateLabel) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            -1, priv->rememberOwner,
                                            lockMetadataException) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecurityDomainSetPathLabel:
 *
 * Label @path for @vm inside a security manager transaction.
 * @allowSubtree is forwarded to virSecurityManagerDomainSetPathLabel().
 *
 * Returns 0 on success, -1 if the start, label or commit step fails.
 */
int
qemuSecurityDomainSetPathLabel(virQEMUDriver *driver,
                               virDomainObj *vm,
                               const char *path,
                               bool allowSubtree)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;

    /* Short-circuit evaluation preserves start -> label -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerDomainSetPathLabel(driver->securityManager,
                                             vm->def,
                                             path,
                                             allowSubtree) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/*
 * qemuSecurityDomainRestorePathLabel:
 *
 * Restore the label of @path for @vm inside a security manager
 * transaction.
 *
 * Returns 0 on success, -1 if the start, restore or commit step fails.
 */
int
qemuSecurityDomainRestorePathLabel(virQEMUDriver *driver,
                                   virDomainObj *vm,
                                   const char *path)
{
    qemuDomainObjPrivate *priv = vm->privateData;
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    /* QEMU pid when the domain has a mount namespace, -1 otherwise. */
    pid_t pid = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) ? vm->pid : -1;
    int rc = -1;

    /* Short-circuit evaluation preserves start -> restore -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerDomainRestorePathLabel(driver->securityManager,
                                                 vm->def,
                                                 path) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            pid, priv->rememberOwner,
                                            false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/**
 * qemuSecurityDomainSetMountNSPathLabel:
 *
 * Label @path inside the domain's mount namespace. When the mount
 * namespace is not enabled for @vm, no labeling takes place.
 *
 * The label exists only inside the mount namespace, so it does not
 * need to be restored afterwards.
 *
 * Returns 0 on success,
 *         1 when mount namespace is not enabled,
 *        -1 on error.
 */
int
qemuSecurityDomainSetMountNSPathLabel(virQEMUDriver *driver,
                                      virDomainObj *vm,
                                      const char *path)
{
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    int rc = -1;

    if (!qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) {
        VIR_DEBUG("Not labeling '%s': mount namespace disabled for domain '%s'",
                  path, vm->def->name);
        return 1;
    }

    /* Past the check above the namespace is known to be enabled, so the
     * commit is given vm->pid directly. Both trailing commit flags are
     * false here. Short-circuit evaluation preserves the order
     * start -> label -> commit. */
    if (virSecurityManagerTransactionStart(driver->securityManager,
                                           cfg->sharedFilesystems) >= 0 &&
        virSecurityManagerDomainSetPathLabel(driver->securityManager,
                                             vm->def, path, false) >= 0 &&
        virSecurityManagerTransactionCommit(driver->securityManager,
                                            vm->pid, false, false) >= 0) {
        rc = 0;
    }

    /* Reached on the success path and on every failure path alike. */
    virSecurityManagerTransactionAbort(driver->securityManager);
    return rc;
}
/**
* qemuSecurityCommandRun:
* @driver: the QEMU driver
* @vm: the domain object
* @cmd: the command to run
* @uid: the uid to force
* @gid: the gid to force
qemu: Let virCommand module translate exitstatus
When starting (some) external helpers, callers of
qemuSecurityCommandRun() pass &exitstatus variable, to learn the
exit code of helper process (with qemuTPMEmulatorStart() being
the only exception). Then, if the status wasn't zero they produce
a generic error message, like:
"Starting of helper process failed. exitstatus=%d"
or, in case of qemuPasstStart():
"Could not start 'passt': %s"
This is needless as virCommandRun() (that's called under the
hood), can do both for us, if NULL was passed instead of
@exitstatus. Not only it appends exit status, it also reads
stderr of failed command producing comprehensive error message:
Child process (${args}) unexpected exit status ${exitstatus}: ${stderr}
Therefore, pass NULL everywhere. But in contrast with one of
previous commits which removed @cmdret argument, there could be a
sensible caller which might want to process exit code. So keep
the argument for now and just pass NULL.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2023-02-13 12:35:28 +01:00
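* @useBinarySpecificLabel: passed through to virSecurityManagerSetChildProcessLabel()
* @exitstatus: optional pointer to int returning exit status of process;
*              when NULL, virCommandRun() reports a non-zero exit status as an error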
*
* Run @cmd with seclabels set on it. If @uid and/or @gid are not
* -1 then their value is enforced.
*
* Returns: 0 on success,
* -1 otherwise (with error reported).
*/
int
qemuSecurityCommandRun(virQEMUDriver *driver,
                       virDomainObj *vm,
                       virCommand *cmd,
                       uid_t uid,
                       gid_t gid,
                       bool useBinarySpecificLabel,
                       int *exitstatus)
{
    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
    qemuDomainObjPrivate *priv = vm->privateData;
    int rc;

    /* The child process label is attached to @cmd first; if that fails
     * the command is never run. */
    if (virSecurityManagerSetChildProcessLabel(driver->securityManager,
                                               vm->def, useBinarySpecificLabel,
                                               cmd) < 0)
        return -1;

    /* (uid_t) -1 and (gid_t) -1 are sentinels: no UID/GID is set on @cmd
     * for them. */
    if (uid != (uid_t) -1)
        virCommandSetUID(cmd, uid);
    if (gid != (gid_t) -1)
        virCommandSetGID(cmd, gid);

    if (cfg->schedCore == QEMU_SCHED_CORE_FULL) {
        /* Use vm->pid when it is positive, else priv->schedCoreChildPID.
         * NOTE(review): the fallback value is not range-checked here;
         * confirm callers guarantee it is valid at this point. */
        pid_t pid = vm->pid > 0 ? vm->pid : priv->schedCoreChildPID;

        virCommandSetRunAmong(cmd, pid);
    }

    if (virSecurityManagerPreFork(driver->securityManager) < 0)
        return -1;

    rc = virCommandRun(cmd, exitstatus);

    /* PostFork is called whatever virCommandRun() returned. */
    virSecurityManagerPostFork(driver->securityManager);

    return rc;
}