From 709c37e9321484939caa1dc94555cb72865f32f0 Mon Sep 17 00:00:00 2001 From: Jamie Strandboge Date: Wed, 7 Oct 2009 12:36:35 +0200 Subject: [PATCH] Add a domain argument to SVirt *RestoreImageLabel When James Morris originally submitted his sVirt patches (as seen in libvirt 0.6.1), he did not require on disk labelling for virSecurityDomainRestoreImageLabel. A later commit[2] changed this behavior to assume on disk labelling, which halts implementations for path-based MAC systems such as AppArmor and TOMOYO where vm->def->seclabel is required to obtain the label. * src/security/security_driver.h src/qemu/qemu_driver.c src/security/security_selinux.c: adds the 'virDomainObjPtr vm' argument back to *RestoreImageLabel
---
 src/qemu/qemu_driver.c | 2 +- src/security/security_driver.h | 1 + src/security/security_selinux.c | 4 +++- 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 95e672bd7c..f03f054311 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -5160,7 +5160,7 @@ static int qemudDomainDetachDevice(virDomainPtr dom,
 dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) {
 ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev);
 if (driver->securityDriver)
- driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, dev->data.disk);
+ driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev->data.disk);
 if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 1) < 0)
 VIR_WARN0("Fail to restore disk device ownership");
 } else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 40f9d95ec5..fde2978de7 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
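Review bot: In qemudDomainDetachDevice (src/qemu/qemu_driver.c) the return value of `domainRestoreSecurityImageLabel` is still discarded, so a failed relabel of a detached disk goes unreported and the image presumably keeps the label it was given for the guest. The ownership restore on the following line already warns on failure, and the label call could do the same: `if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev->data.disk) < 0) VIR_WARN0("Fail to restore disk security label");`. The call also appears to run whatever `ret` qemudDomainDetachPciDiskDevice returned, which is worth confirming against the rest of the function, since its body starts and ends outside the hunk.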
@@ -32,6 +32,7 @@ typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void);
 typedef int (*virSecurityDriverOpen) (virConnectPtr conn,
 virSecurityDriverPtr drv);
 typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn,
+ virDomainObjPtr vm,
 virDomainDiskDefPtr disk);
 typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
 virDomainObjPtr vm,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index d08d502faa..7e0f71aeeb 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -378,6 +378,7 @@ err:
 static int
 SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
+ virDomainObjPtr vm ATTRIBUTE_UNUSED,
 virDomainDiskDefPtr disk)
 {
 /* Don't restore labels on readoly/shared disks, because
@@ -608,7 +609,8 @@ SELinuxRestoreSecurityLabel(virConnectPtr conn,
 rc = -1;
 }
 for (i = 0 ; i < vm->def->ndisks ; i++) {
- if (SELinuxRestoreSecurityImageLabel(conn, vm,
+ vm->def->disks[i]) < 0)
 rc = -1;
 }
 VIR_FREE(secdef->model);
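Review bot: The `virSecurityDomainRestoreImageLabel` typedef in src/security/security_driver.h gains `vm` with no comment saying what a driver may do with it or whether it can be NULL. Per the commit message, path-based drivers are expected to read `vm->def->seclabel` through it, while SELinuxRestoreSecurityImageLabel marks it ATTRIBUTE_UNUSED, so the contract is not visible from either side. A short comment above the typedef would record it, e.g. `/* vm: domain that owns the disk; must be non-NULL, path-based drivers read vm->def->seclabel */`. Any other driver that fills this callback would need the same signature change; only security_selinux.c is updated in this patch.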