mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-23 22:25:25 +00:00
security_dac: honor relabel='no' in disk config
https://bugzilla.redhat.com/show_bug.cgi?id=999301 The DAC driver ignores the relabel='no' attribute in disk config <disk type='file' device='floppy'> <driver name='qemu' type='raw'/> <source file='/some/path/floppy.img'> <seclabel model='dac' relabel='no'/> </source> <target dev='fda' bus='fdc'/> <readonly/> </disk> This patch avoid labeling disks when relabel='no' is specified. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
This commit is contained in:
parent
9369a56244
commit
3c2487ab0a
@ -289,7 +289,7 @@ virSecurityDACRestoreSecurityFileLabel(const char *path)
|
||||
|
||||
|
||||
static int
|
||||
virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
|
||||
virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk,
|
||||
const char *path,
|
||||
size_t depth ATTRIBUTE_UNUSED,
|
||||
void *opaque)
|
||||
@ -298,11 +298,23 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
|
||||
virSecurityManagerPtr mgr = cbdata->manager;
|
||||
virSecurityLabelDefPtr secdef = cbdata->secdef;
|
||||
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||
virSecurityDeviceLabelDefPtr disk_seclabel;
|
||||
uid_t user;
|
||||
gid_t group;
|
||||
|
||||
if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
|
||||
return -1;
|
||||
disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk,
|
||||
SECURITY_DAC_NAME);
|
||||
|
||||
if (disk_seclabel && disk_seclabel->norelabel)
|
||||
return 0;
|
||||
|
||||
if (disk_seclabel && disk_seclabel->label) {
|
||||
if (virParseOwnershipIds(disk_seclabel->label, &user, &group) < 0)
|
||||
return -1;
|
||||
} else {
|
||||
if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
|
||||
return -1;
|
||||
}
|
||||
|
||||
return virSecurityDACSetOwnership(path, user, group);
|
||||
}
|
||||
@ -326,6 +338,9 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
|
||||
|
||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
|
||||
|
||||
if (secdef && secdef->norelabel)
|
||||
return 0;
|
||||
|
||||
cbdata.manager = mgr;
|
||||
cbdata.secdef = secdef;
|
||||
return virDomainDiskDefForeachPath(disk,
|
||||
@ -337,11 +352,13 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
|
||||
|
||||
static int
|
||||
virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
|
||||
virDomainDefPtr def ATTRIBUTE_UNUSED,
|
||||
virDomainDefPtr def,
|
||||
virDomainDiskDefPtr disk,
|
||||
int migrated)
|
||||
{
|
||||
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||
virSecurityLabelDefPtr secdef;
|
||||
virSecurityDeviceLabelDefPtr disk_seclabel;
|
||||
const char *src = virDomainDiskGetSource(disk);
|
||||
|
||||
if (!priv->dynamicOwnership)
|
||||
@ -350,6 +367,17 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
|
||||
if (virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_NETWORK)
|
||||
return 0;
|
||||
|
||||
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
|
||||
|
||||
if (secdef && secdef->norelabel)
|
||||
return 0;
|
||||
|
||||
disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk,
|
||||
SECURITY_DAC_NAME);
|
||||
|
||||
if (disk_seclabel && disk_seclabel->norelabel)
|
||||
return 0;
|
||||
|
||||
/* Don't restore labels on readoly/shared disks, because
|
||||
* other VMs may still be accessing these
|
||||
* Alternatively we could iterate over all running
|
||||
|
Loading…
Reference in New Issue
Block a user