security_dac: Allow selective remember/recall for chardevs

While in most cases we want to remember/recall label for a chardev, there are some special ones (like /dev/tpm0) where we don't want to remember the seclabel nor recall it. See next commit for rationale behind. While the easiest way to implement this would be to just add new argument to virSecurityDACSetChardevLabel() this one is also a callback for virSecurityManagerSetChardevLabel() and thus has more or less stable set of arguments. Therefore, the current virSecurityDACSetChardevLabel() is renamed to virSecurityDACSetChardevLabelHelper() and the original function is set to call the new one. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Cole Robinson <crobinso@redhat.com>
2025-01-10 23:07:44 +00:00 · 2019-10-01 11:02:36 +02:00 · 2019-10-01 11:02:36 +02:00 · 2b44cf8c32
commit 2b44cf8c32
parent 1a84a1ced1
1 changed files with 49 additions and 18 deletions
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@ -1431,10 +1431,11 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr,
 static int
-virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
+virSecurityDACSetChardevLabelHelper(virSecurityManagerPtr mgr,
                                    virDomainDefPtr def,
                                    virDomainChrSourceDefPtr dev_source,
-                              bool chardevStdioLogd)
+                                    bool chardevStdioLogd,
                                    bool remember)
 {
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@ -1471,7 +1472,7 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
    case VIR_DOMAIN_CHR_TYPE_FILE:
        ret = virSecurityDACSetOwnership(mgr, NULL,
                                         dev_source->data.file.path,
-                                         user, group, true);
+                                         user, group, remember);
        break;
    case VIR_DOMAIN_CHR_TYPE_PIPE:
@ -1479,12 +1480,12 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
            virAsprintf(&out, "%s.out", dev_source->data.file.path) < 0)
            goto done;
        if (virFileExists(in) && virFileExists(out)) {
-            if (virSecurityDACSetOwnership(mgr, NULL, in, user, group, true) < 0 ||
+            if (virSecurityDACSetOwnership(mgr, NULL, in, user, group, remember) < 0 ||
-                virSecurityDACSetOwnership(mgr, NULL, out, user, group, true) < 0)
+                virSecurityDACSetOwnership(mgr, NULL, out, user, group, remember) < 0)
                goto done;
        } else if (virSecurityDACSetOwnership(mgr, NULL,
                                              dev_source->data.file.path,
-                                              user, group, true) < 0) {
+                                              user, group, remember) < 0) {
            goto done;
        }
        ret = 0;
@ -1499,7 +1500,7 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
             * and passed via FD */
            if (virSecurityDACSetOwnership(mgr, NULL,
                                           dev_source->data.nix.path,
-                                           user, group, true) < 0)
+                                           user, group, remember) < 0)
                goto done;
        }
        ret = 0;
@ -1525,11 +1526,24 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
    return ret;
 }
 static int
-virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr,
+virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
-                                  virDomainDefPtr def ATTRIBUTE_UNUSED,
+                              virDomainDefPtr def,
                              virDomainChrSourceDefPtr dev_source,
                              bool chardevStdioLogd)
 {
    return virSecurityDACSetChardevLabelHelper(mgr, def, dev_source,
                                               chardevStdioLogd, true);
 }
 static int
 virSecurityDACRestoreChardevLabelHelper(virSecurityManagerPtr mgr,
                                        virDomainDefPtr def ATTRIBUTE_UNUSED,
                                        virDomainChrSourceDefPtr dev_source,
                                        bool chardevStdioLogd,
                                        bool recall)
 {
    virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
    char *in = NULL, *out = NULL;
@ -1549,7 +1563,9 @@ virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr,
    switch ((virDomainChrType)dev_source->type) {
    case VIR_DOMAIN_CHR_TYPE_DEV:
    case VIR_DOMAIN_CHR_TYPE_FILE:
-        ret = virSecurityDACRestoreFileLabel(mgr, dev_source->data.file.path);
+        ret = virSecurityDACRestoreFileLabelInternal(mgr, NULL,
                                                     dev_source->data.file.path,
                                                     recall);
        break;
    case VIR_DOMAIN_CHR_TYPE_PIPE:
@ -1557,10 +1573,12 @@ virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr,
            virAsprintf(&in, "%s.in", dev_source->data.file.path) < 0)
            goto done;
        if (virFileExists(in) && virFileExists(out)) {
-            if (virSecurityDACRestoreFileLabel(mgr, out) < 0 ||
+            if (virSecurityDACRestoreFileLabelInternal(mgr, NULL, out, recall) < 0 ||
-                virSecurityDACRestoreFileLabel(mgr, in) < 0)
+                virSecurityDACRestoreFileLabelInternal(mgr, NULL, in, recall) < 0)
                goto done;
-        } else if (virSecurityDACRestoreFileLabel(mgr, dev_source->data.file.path) < 0) {
+        } else if (virSecurityDACRestoreFileLabelInternal(mgr, NULL,
                                                          dev_source->data.file.path,
                                                          recall) < 0) {
            goto done;
        }
        ret = 0;
@ -1568,7 +1586,9 @@ virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr,
    case VIR_DOMAIN_CHR_TYPE_UNIX:
        if (!dev_source->data.nix.listen &&
-            virSecurityDACRestoreFileLabel(mgr, dev_source->data.nix.path) < 0) {
+            virSecurityDACRestoreFileLabelInternal(mgr, NULL,
                                                   dev_source->data.nix.path,
                                                   recall) < 0) {
            goto done;
        }
        ret = 0;
@ -1595,6 +1615,17 @@ virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr,
 }
 static int
 virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr,
                                  virDomainDefPtr def,
                                  virDomainChrSourceDefPtr dev_source,
                                  bool chardevStdioLogd)
 {
    return virSecurityDACRestoreChardevLabelHelper(mgr, def, dev_source,
                                                   chardevStdioLogd, true);
 }
 struct _virSecuritySELinuxChardevCallbackData {
    virSecurityManagerPtr mgr;
    bool chardevStdioLogd;