Skip bulk relabelling of resources in SELinux driver when used with LXC

The virSecurityManager{Set,Restore}AllLabel methods are invoked at domain startup/shutdown to relabel resources associated with a domain. This works fine with QEMU, but with LXC they are in fact both currently no-ops since LXC does not support disks, hostdevs, or kernel/initrd files. Worse, when LXC gains support for disks/hostdevs, they will do the wrong thing, since they run in host context, not container context. Thus this patch turns then into a formal no-op when used with LXC. The LXC controller will call out to specific security manager labelling APIs as required during startup. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> (cherry picked from commit 89c5a9d0e8)
2024-12-28 08:35:22 +00:00 · 2012-11-28 13:54:39 +00:00 · 2012-11-28 13:54:39 +00:00 · 460e481647
commit 460e481647
parent 8cdeb0f85e
1 changed files with 9 additions and 3 deletions
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -61,6 +61,7 @@ struct _virSecuritySELinuxData {
    char *file_context;
    char *content_context;
    virHashTablePtr mcs;
+    bool skipAllLabel;
 };

 struct _virSecuritySELinuxCallbackData {
@ -363,6 +364,8 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
    virConfPtr selinux_conf;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);

+    data->skipAllLabel = true;
+
    selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
    if (!selinux_conf) {
        virReportSystemError(errno,
@ -438,6 +441,8 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
    char *ptr;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);

+    data->skipAllLabel = false;
+
    if (virFileReadAll(selinux_virtual_domain_context_path(), MAX_CONTEXT, &(data->domain_context)) < 0) {
        virReportSystemError(errno,
                             _("cannot read SELinux virtual domain context file '%s'"),
@ -1441,11 +1446,12 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,


 static int
-virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
                                          virDomainDefPtr def,
                                          int migrated ATTRIBUTE_UNUSED)
 {
    virSecurityLabelDefPtr secdef;
+    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
    int i;
    int rc = 0;

@ -1455,7 +1461,7 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
    if (secdef == NULL)
        return -1;

-    if (secdef->norelabel)
+    if (secdef->norelabel || data->skipAllLabel)
        return 0;

    for (i = 0 ; i < def->nhostdevs ; i++) {
@ -1813,7 +1819,7 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
    if (secdef == NULL)
        return -1;

-    if (secdef->norelabel)
+    if (secdef->norelabel || data->skipAllLabel)
        return 0;

    for (i = 0 ; i < def->ndisks ; i++) {