lxc: Restore seclabels after the container is killed

Due to a bug, the seclabels are restored before any PID in the
container is killed. This should be done afterwards, in
virLXCProcessCleanup.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
Michal Privoznik 2019-01-24 17:38:10 +01:00
parent 401030499b
commit 16c123679c


@ -180,6 +180,17 @@ static void virLXCProcessCleanup(virLXCDriverPtr driver,
VIR_FREE(xml); VIR_FREE(xml);
} }
virSecurityManagerRestoreAllLabel(driver->securityManager,
vm->def, false, false);
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
/* Clear out dynamically assigned labels */
if (vm->def->nseclabels &&
vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
VIR_FREE(vm->def->seclabels[0]->model);
VIR_FREE(vm->def->seclabels[0]->label);
VIR_FREE(vm->def->seclabels[0]->imagelabel);
}
/* Stop autodestroy in case guest is restarted */ /* Stop autodestroy in case guest is restarted */
virCloseCallbacksUnset(driver->closeCallbacks, vm, virCloseCallbacksUnset(driver->closeCallbacks, vm,
lxcProcessAutoDestroy); lxcProcessAutoDestroy);
@ -836,17 +847,6 @@ int virLXCProcessStop(virLXCDriverPtr driver,
priv = vm->privateData; priv = vm->privateData;
virSecurityManagerRestoreAllLabel(driver->securityManager,
vm->def, false, false);
virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
/* Clear out dynamically assigned labels */
if (vm->def->nseclabels &&
vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
VIR_FREE(vm->def->seclabels[0]->model);
VIR_FREE(vm->def->seclabels[0]->label);
VIR_FREE(vm->def->seclabels[0]->imagelabel);
}
/* If the LXC domain is suspended we send all processes a SIGKILL /* If the LXC domain is suspended we send all processes a SIGKILL
* and thaw them. Upon wakeup the process sees the pending signal * and thaw them. Upon wakeup the process sees the pending signal
* and dies immediately. It is guaranteed that priv->cgroup != NULL * and dies immediately. It is guaranteed that priv->cgroup != NULL