security: Reintroduce virSecurityManager{Set,Restore}SavedStateLabel

These APIs were removed/renamed in v6.5.0-rc1~142 and v6.5.0-rc1~141 because they deemed unused. And if it wasn't for the RFE [1] things would stay that way. The RFE asks for us to not change DAC ownership on the file a domain is restoring from. We have been doing that for ages (if not forever), nevertheless it's annoying because if the restore file is on an NFS remembering owner won't help - NFS doesn't support XATTRs yet. But more importantly, there is no need for us to chown() the file because when restoring the domain the file is opened and the FD is then passed to QEMU. Therefore, we really need only to set SELinux and AppArmor. This reverts bd22eec903976c5c51b1d00e335c315699e5acd6. This partially reverts 4ccbd207f213066c000f43eb544eb00ec745023b. The difference to the original code is that secdrivers are now not required to provide dummy implementation to avoid virReportUnsupportedError(). The callback is run if it exists, if it doesn't zero is returned without any error. 1: https://bugzilla.redhat.com/show_bug.cgi?id=1851016 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Erik Skultety <eskultet@redhat.com>
2025-03-07 17:28:15 +00:00 · 2020-06-26 17:05:39 +02:00 · 2020-06-26 17:05:39 +02:00 · 228a27f59b
commit 228a27f59b
parent c531f42755
5 changed files with 102 additions and 0 deletions
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@ -1572,6 +1572,7 @@ virSecurityManagerRestoreHostdevLabel;
 virSecurityManagerRestoreImageLabel;
 virSecurityManagerRestoreInputLabel;
 virSecurityManagerRestoreMemoryLabel;
 virSecurityManagerRestoreSavedStateLabel;
 virSecurityManagerRestoreTPMLabels;
 virSecurityManagerSetAllLabel;
 virSecurityManagerSetChardevLabel;
@ -1583,6 +1584,7 @@ virSecurityManagerSetImageLabel;
 virSecurityManagerSetInputLabel;
 virSecurityManagerSetMemoryLabel;
 virSecurityManagerSetProcessLabel;
 virSecurityManagerSetSavedStateLabel;
 virSecurityManagerSetSocketLabel;
 virSecurityManagerSetTapFDLabel;
 virSecurityManagerSetTPMLabels;
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@ -67,6 +67,12 @@ typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr,
                                                 virDomainDefPtr def,
                                                 virDomainHostdevDefPtr dev,
                                                 const char *vroot);
 typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityManagerPtr mgr,
                                                    virDomainDefPtr def,
                                                    const char *savefile);
 typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityManagerPtr mgr,
                                                        virDomainDefPtr def,
                                                        const char *savefile);
 typedef int (*virSecurityDomainGenLabel) (virSecurityManagerPtr mgr,
                                          virDomainDefPtr sec);
 typedef int (*virSecurityDomainReserveLabel) (virSecurityManagerPtr mgr,
@ -200,6 +206,9 @@ struct _virSecurityDriver {
    virSecurityDomainSetHostdevLabel domainSetSecurityHostdevLabel;
    virSecurityDomainRestoreHostdevLabel domainRestoreSecurityHostdevLabel;
    virSecurityDomainSetSavedStateLabel domainSetSavedStateLabel;
    virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;
    virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
    virSecurityDomainSetTapFDLabel domainSetSecurityTapFDLabel;
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@ -596,6 +596,40 @@ virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
 }
 int
 virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
                                     virDomainDefPtr vm,
                                     const char *savefile)
 {
    if (mgr->drv->domainSetSavedStateLabel) {
        int ret;
        virObjectLock(mgr);
        ret = mgr->drv->domainSetSavedStateLabel(mgr, vm, savefile);
        virObjectUnlock(mgr);
        return ret;
    }
    return 0;
 }
 int
 virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
                                         virDomainDefPtr vm,
                                         const char *savefile)
 {
    if (mgr->drv->domainRestoreSavedStateLabel) {
        int ret;
        virObjectLock(mgr);
        ret = mgr->drv->domainRestoreSavedStateLabel(mgr, vm, savefile);
        virObjectUnlock(mgr);
        return ret;
    }
    return 0;
 }
 int
 virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
                           virDomainDefPtr vm)
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@ -104,6 +104,12 @@ int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
                                      virDomainDefPtr def,
                                      virDomainHostdevDefPtr dev,
                                      const char *vroot);
 int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
                                         virDomainDefPtr def,
                                         const char *savefile);
 int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
                                             virDomainDefPtr def,
                                             const char *savefile);
 int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
                               virDomainDefPtr sec);
 int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@ -394,6 +394,54 @@ virSecurityStackRestoreAllLabel(virSecurityManagerPtr mgr,
 }
 static int
 virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr,
                                   virDomainDefPtr vm,
                                   const char *savefile)
 {
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    virSecurityStackItemPtr item = priv->itemsHead;
    for (; item; item = item->next) {
        if (virSecurityManagerSetSavedStateLabel(item->securityManager, vm, savefile) < 0)
            goto rollback;
    }
    return 0;
 rollback:
    for (item = item->prev; item; item = item->prev) {
        if (virSecurityManagerRestoreSavedStateLabel(item->securityManager,
                                                     vm,
                                                     savefile) < 0) {
            VIR_WARN("Unable to restore saved state label after failed set "
                     "label call virDriver=%s driver=%s savefile=%s",
                     virSecurityManagerGetVirtDriver(mgr),
                     virSecurityManagerGetDriver(item->securityManager),
                     savefile);
        }
    }
    return -1;
 }
 static int
 virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr,
                                       virDomainDefPtr vm,
                                       const char *savefile)
 {
    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    virSecurityStackItemPtr item = priv->itemsHead;
    int rc = 0;
    for (; item; item = item->next) {
        if (virSecurityManagerRestoreSavedStateLabel(item->securityManager, vm, savefile) < 0)
            rc = -1;
    }
    return rc;
 }
 static int
 virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr,
                                virDomainDefPtr vm)
@ -964,6 +1012,9 @@ virSecurityDriver virSecurityDriverStack = {
    .domainSetSecurityHostdevLabel      = virSecurityStackSetHostdevLabel,
    .domainRestoreSecurityHostdevLabel  = virSecurityStackRestoreHostdevLabel,
    .domainSetSavedStateLabel           = virSecurityStackSetSavedStateLabel,
    .domainRestoreSavedStateLabel       = virSecurityStackRestoreSavedStateLabel,
    .domainSetSecurityImageFDLabel      = virSecurityStackSetImageFDLabel,
    .domainSetSecurityTapFDLabel        = virSecurityStackSetTapFDLabel,