External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-22 03:12:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

qemu: Use transactions from security driver

Browse Source 
So far if qemu is spawned under separate mount namespace in order
to relabel everything it needs an access to the security driver
to run in that namespace too. This has a very nasty down side -
it is being run in a separate process, so any internal state
transition is NOT reflected in the daemon. This can lead to many
sleepless nights. Therefore, use the transaction APIs so that
libvirt developers can sleep tight again.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Michal Privoznik 2016-12-15 16:47:15 +01:00
parent 4674fc6afd
commit 095f042ed6
1 changed files with 30 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
src/qemu/qemu_security.c
View File

@ -40,66 +40,31 @@ struct qemuSecuritySetRestoreAllLabelData {
};
static int
qemuSecuritySetRestoreAllLabelHelper(pid_t pid,
void *opaque)
{
struct qemuSecuritySetRestoreAllLabelData *data = opaque;
virSecurityManagerPostFork(data->driver->securityManager);
if (data->set) {
VIR_DEBUG("Setting up security labels inside namespace pid=%lld",
(long long) pid);
if (virSecurityManagerSetAllLabel(data->driver->securityManager,
data->vm->def,
data->stdin_path) < 0)
return -1;
} else {
VIR_DEBUG("Restoring security labels inside namespace pid=%lld",
(long long) pid);
if (virSecurityManagerRestoreAllLabel(data->driver->securityManager,
data->vm->def,
data->migrated) < 0)
return -1;
}
return 0;
}
int
qemuSecuritySetAllLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
const char *stdin_path)
{
struct qemuSecuritySetRestoreAllLabelData data;
int ret = -1;
memset(&data, 0, sizeof(data));
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionStart(driver->securityManager) < 0)
goto cleanup;
data.set = true;
data.driver = driver;
data.vm = vm;
data.stdin_path = stdin_path;
if (virSecurityManagerSetAllLabel(driver->securityManager,
vm->def,
stdin_path) < 0)
goto cleanup;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) {
if (virSecurityManagerPreFork(driver->securityManager) < 0)
return -1;
if (virProcessRunInMountNamespace(vm->pid,
qemuSecuritySetRestoreAllLabelHelper,
&data) < 0) {
virSecurityManagerPostFork(driver->securityManager);
return -1;
}
virSecurityManagerPostFork(driver->securityManager);
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionCommit(driver->securityManager,
vm->pid) < 0)
goto cleanup;
} else {
if (virSecurityManagerSetAllLabel(driver->securityManager,
vm->def,
stdin_path) < 0)
return -1;
}
return 0;
ret = 0;
cleanup:
virSecurityManagerTransactionAbort(driver->securityManager);
return ret;
}
@ -108,27 +73,22 @@ qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
bool migrated)
{
struct qemuSecuritySetRestoreAllLabelData data;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionStart(driver->securityManager) < 0)
goto cleanup;
memset(&data, 0, sizeof(data));
data.driver = driver;
data.vm = vm;
data.migrated = migrated;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) {
if (virSecurityManagerPreFork(driver->securityManager) < 0)
return;
virProcessRunInMountNamespace(vm->pid,
qemuSecuritySetRestoreAllLabelHelper,
&data);
virSecurityManagerPostFork(driver->securityManager);
} else {
virSecurityManagerRestoreAllLabel(driver->securityManager,
if (virSecurityManagerRestoreAllLabel(driver->securityManager,
vm->def,
migrated);
}
migrated) < 0)
goto cleanup;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionCommit(driver->securityManager,
vm->pid) < 0)
goto cleanup;
cleanup:
virSecurityManagerTransactionAbort(driver->securityManager);
}