mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-25 15:15:25 +00:00
Add a domain argument to SVirt *RestoreImageLabel
When James Morris originally submitted his sVirt patches (as seen in libvirt 0.6.1), he did not require on-disk labelling for virSecurityDomainRestoreImageLabel. A later commit[2] changed this behavior to assume on-disk labelling, which halts implementations for path-based MAC systems such as AppArmor and TOMOYO, where vm->def->seclabel is required to obtain the label. * src/security/security_driver.h, src/qemu/qemu_driver.c, src/security/security_selinux.c: add the 'virDomainObjPtr vm' argument back to *RestoreImageLabel
parent
db68d6b164
commit
709c37e932
@ -5160,7 +5160,7 @@ static int qemudDomainDetachDevice(virDomainPtr dom,
|
|||||||
dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) {
|
dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) {
|
||||||
ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev);
|
ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev);
|
||||||
if (driver->securityDriver)
|
if (driver->securityDriver)
|
||||||
driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, dev->data.disk);
|
driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev->data.disk);
|
||||||
if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 1) < 0)
|
if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 1) < 0)
|
||||||
VIR_WARN0("Fail to restore disk device ownership");
|
VIR_WARN0("Fail to restore disk device ownership");
|
||||||
} else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
|
} else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
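Review bot: The return value of `domainRestoreSecurityImageLabel` is discarded in the virtio detach path, so a failed relabel is silent and the detached image presumably keeps the guest's label, whereas the ownership failure two lines below is at least logged. Consider `if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev->data.disk) < 0)` followed by `VIR_WARN0("Failed to restore disk security label");`. The call also assumes every registered driver fills in this callback; if a driver may leave it NULL (not visible here), the guard should test the pointer as well. qemudDomainDetachDevice starts and ends outside the hunk.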
|
||||||
|
@ -32,6 +32,7 @@ typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void);
|
|||||||
typedef int (*virSecurityDriverOpen) (virConnectPtr conn,
|
typedef int (*virSecurityDriverOpen) (virConnectPtr conn,
|
||||||
virSecurityDriverPtr drv);
|
virSecurityDriverPtr drv);
|
||||||
typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn,
|
typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn,
|
||||||
|
virDomainObjPtr vm,
|
||||||
virDomainDiskDefPtr disk);
|
virDomainDiskDefPtr disk);
|
||||||
typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
|
typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
|
||||||
virDomainObjPtr vm,
|
virDomainObjPtr vm,
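Review bot: The new `vm` parameter on `virSecurityDomainRestoreImageLabel` carries no comment saying what a driver may rely on, and this header is where a security-driver author will look for the contract. Going by the commit message, it exists so path-based drivers can read `vm->def->seclabel`, so I would add `/* vm: domain owning the disk; path-based drivers read vm->def->seclabel, label-based drivers may ignore it */` above the typedef. Because this changes a callback signature, any driver other than the SELinux one updated here would need the same change; none is visible on this page.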
|
||||||
|
@ -378,6 +378,7 @@ err:
|
|||||||
|
|
||||||
static int
|
static int
|
||||||
SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
|
SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
|
||||||
|
virDomainObjPtr vm ATTRIBUTE_UNUSED,
|
||||||
virDomainDiskDefPtr disk)
|
virDomainDiskDefPtr disk)
|
||||||
{
|
{
|
||||||
/* Don't restore labels on readoly/shared disks, because
|
/* Don't restore labels on readoly/shared disks, because
|
||||||
@ -608,7 +609,8 @@ SELinuxRestoreSecurityLabel(virConnectPtr conn,
|
|||||||
rc = -1;
|
rc = -1;
|
||||||
}
|
}
|
||||||
for (i = 0 ; i < vm->def->ndisks ; i++) {
|
for (i = 0 ; i < vm->def->ndisks ; i++) {
|
||||||
if (SELinuxRestoreSecurityImageLabel(conn, vm->def->disks[i]) < 0)
|
if (SELinuxRestoreSecurityImageLabel(conn, vm,
|
||||||
|
vm->def->disks[i]) < 0)
|
||||||
rc = -1;
|
rc = -1;
|
||||||
}
|
}
|
||||||
VIR_FREE(secdef->model);
|
VIR_FREE(secdef->model);
|
||||||
|