diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 5a342b9fd4..73b72c9e10 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1572,6 +1572,7 @@ virSecurityManagerRestoreHostdevLabel;
 virSecurityManagerRestoreImageLabel;
 virSecurityManagerRestoreInputLabel;
 virSecurityManagerRestoreMemoryLabel;
+virSecurityManagerRestoreSavedStateLabel;
 virSecurityManagerRestoreTPMLabels;
 virSecurityManagerSetAllLabel;
 virSecurityManagerSetChardevLabel;
@@ -1583,6 +1584,7 @@ virSecurityManagerSetImageLabel;
 virSecurityManagerSetInputLabel;
 virSecurityManagerSetMemoryLabel;
 virSecurityManagerSetProcessLabel;
+virSecurityManagerSetSavedStateLabel;
 virSecurityManagerSetSocketLabel;
 virSecurityManagerSetTapFDLabel;
 virSecurityManagerSetTPMLabels;
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index bfff789552..f0ba77032d 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -67,6 +67,12 @@ typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr,
 virDomainDefPtr def,
 virDomainHostdevDefPtr dev,
 const char *vroot);
+typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ const char *savefile);
+typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ const char *savefile);
 typedef int (*virSecurityDomainGenLabel) (virSecurityManagerPtr mgr,
 virDomainDefPtr sec);
 typedef int (*virSecurityDomainReserveLabel) (virSecurityManagerPtr mgr,
@@ -200,6 +206,9 @@ struct _virSecurityDriver {
 virSecurityDomainSetHostdevLabel domainSetSecurityHostdevLabel;
 virSecurityDomainRestoreHostdevLabel domainRestoreSecurityHostdevLabel;
 
+ virSecurityDomainSetSavedStateLabel domainSetSavedStateLabel;
+ virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;
+
 virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
 virSecurityDomainSetTapFDLabel domainSetSecurityTapFDLabel;
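Review bot: The two driver callbacks added to security_driver.h, virSecurityDomainSetSavedStateLabel and virSecurityDomainRestoreSavedStateLabel, carry no comment stating their contract, so a driver author cannot tell from the header whether `savefile` must already exist when the Set callback runs, or what Restore is expected to do for a file the driver never labelled. A short comment above the typedefs would close that gap, e.g. `/* Apply or remove the domain's label on the save file at @savefile; return 0 on success, -1 with an error reported otherwise. */`. Whether the neighbouring callback typedefs in this header are documented is not visible in the hunk.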
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 252cfefcff..1399be256b 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -596,6 +596,40 @@ virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
 }
 
 
+int
+virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ const char *savefile)
+{
+ if (mgr->drv->domainSetSavedStateLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainSetSavedStateLabel(mgr, vm, savefile);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ return 0;
+}
+
+
+int
+virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ const char *savefile)
+{
+ if (mgr->drv->domainRestoreSavedStateLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainRestoreSavedStateLabel(mgr, vm, savefile);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ return 0;
+}
+
+
 int
 virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr vm)
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 999752ce09..277151848e 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -104,6 +104,12 @@ int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr def,
 virDomainHostdevDefPtr dev,
 const char *vroot);
+int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ const char *savefile);
+int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ const char *savefile);
 int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr sec);
 int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 379c9302bc..624431d4ef 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
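Review bot: virSecurityManagerSetSavedStateLabel and virSecurityManagerRestoreSavedStateLabel return 0 when `mgr->drv` provides no domainSetSavedStateLabel or domainRestoreSavedStateLabel callback, so a caller cannot distinguish a save file that was labelled from a driver that does not label saved state at all, and nothing in the hunk or the prototypes added to security_manager.h says so. A one-line comment on each wrapper, and on the header declarations, would make the silent-success case explicit: `/* A driver without a saved-state callback is treated as succeeding. */`. Whether this matches the other wrappers in the file (virSecurityManagerSetHostdevLabel just above, virSecurityManagerGenLabel just below) cannot be confirmed here, since only their edges are visible.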
@@ -394,6 +394,54 @@ virSecurityStackRestoreAllLabel(virSecurityManagerPtr mgr,
 }
 
 
+static int
+virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ const char *savefile)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerSetSavedStateLabel(item->securityManager, vm, savefile) < 0)
+ goto rollback;
+ }
+
+ return 0;
+
+ rollback:
+ for (item = item->prev; item; item = item->prev) {
+ if (virSecurityManagerRestoreSavedStateLabel(item->securityManager,
+ vm,
+ savefile) < 0) {
+ VIR_WARN("Unable to restore saved state label after failed set "
+ "label call virDriver=%s driver=%s savefile=%s",
+ virSecurityManagerGetVirtDriver(mgr),
+ virSecurityManagerGetDriver(item->securityManager),
+ savefile);
+ }
+ }
+ return -1;
+}
+
+
+static int
+virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ const char *savefile)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+ int rc = 0;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerRestoreSavedStateLabel(item->securityManager, vm, savefile) < 0)
+ rc = -1;
+ }
+
+ return rc;
+}
+
 static int
 virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr vm)
@@ -964,6 +1012,9 @@ virSecurityDriver virSecurityDriverStack = {
 .domainSetSecurityHostdevLabel = virSecurityStackSetHostdevLabel,
 .domainRestoreSecurityHostdevLabel = virSecurityStackRestoreHostdevLabel,
 
+ .domainSetSavedStateLabel = virSecurityStackSetSavedStateLabel,
+ .domainRestoreSavedStateLabel = virSecurityStackRestoreSavedStateLabel,
+
 .domainSetSecurityImageFDLabel = virSecurityStackSetImageFDLabel,
 .domainSetSecurityTapFDLabel = virSecurityStackSetTapFDLabel,
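Review bot: The rollback path in virSecurityStackSetSavedStateLabel is undocumented: after `goto rollback`, `item` still points at the driver whose set call failed, and the loop starts at `item->prev`, so only the stacked managers that already succeeded are unlabelled, on the assumption that a driver leaves no label behind when its own Set fails. A comment above ` rollback:` would make that intent explicit, e.g. `/* item is the manager that failed; undo only the ones before it */`. It is also worth stating in the same comment that a failed restore here is only warned about, so the save file may keep a label from an earlier driver in the stack while the caller still receives -1; the VIR_WARN already names the driver and file, which is the right detail for an operator to act on. The restore counterpart deliberately continues past failures and reports -1 at the end, which is the opposite policy from the set path and deserves a one-line note as well. The virSecurityDriverStack initializer in the second hunk of this file ends outside the chunk.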