Add a domain argument to SVirt *RestoreImageLabel

When James Morris originally submitted his sVirt patches (as seen in
libvirt 0.6.1), he did not require on disk labelling for
virSecurityDomainRestoreImageLabel. A later commit[2] changed this
behavior to assume on-disk labelling, which prevents implementations for
path-based MAC systems such as AppArmor and TOMOYO, where
vm->def->seclabel is required to obtain the label to restore.

* src/security/security_driver.h src/qemu/qemu_driver.c
  src/security/security_selinux.c: adds the 'virDomainObjPtr vm'
  argument back to *RestoreImageLabel
Jamie Strandboge 2009-10-07 12:36:35 +02:00 committed by Daniel Veillard
parent db68d6b164
commit 709c37e932
3 changed files with 5 additions and 2 deletions


@ -5160,7 +5160,7 @@ static int qemudDomainDetachDevice(virDomainPtr dom,
dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) { dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) {
ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev); ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev);
if (driver->securityDriver) if (driver->securityDriver)
driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, dev->data.disk); driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev->data.disk);
if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 1) < 0) if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 1) < 0)
VIR_WARN0("Fail to restore disk device ownership"); VIR_WARN0("Fail to restore disk device ownership");
} else if (dev->type == VIR_DOMAIN_DEVICE_NET) { } else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
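Review bot: The return value of domainRestoreSecurityImageLabel on the changed line is discarded, while the ownership restore two lines below at least warns on failure; a disk whose label could not be reset keeps the guest-specific label after detach, so the failure should be visible: `if (driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev->data.disk) < 0) VIR_WARN0("Fail to restore disk security label");`. The restore is also issued regardless of `ret` from qemudDomainDetachPciDiskDevice, so after a failed detach a disk the guest still uses appears to get its label reset; if that is unintended, both restore calls should be guarded on `ret == 0`. qemudDomainDetachDevice starts and ends outside the hunk.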


@ -32,6 +32,7 @@ typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void);
typedef int (*virSecurityDriverOpen) (virConnectPtr conn, typedef int (*virSecurityDriverOpen) (virConnectPtr conn,
virSecurityDriverPtr drv); virSecurityDriverPtr drv);
typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn, typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn,
virDomainObjPtr vm,
virDomainDiskDefPtr disk); virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn, typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
virDomainObjPtr vm, virDomainObjPtr vm,
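Review bot: The new virDomainObjPtr parameter on virSecurityDomainRestoreImageLabel carries no comment saying why a restore now needs the domain, so a future driver author cannot tell whether vm may be ignored or whether callers guarantee it is non-NULL. The rationale is in the commit message and belongs next to the typedef: `/* vm: domain owning the disk; path-based MAC drivers (AppArmor, TOMOYO) need vm->def->seclabel to find the label to restore, label-on-disk drivers may ignore it */`. Whether every caller passes a non-NULL vm is not visible here; the two call sites in this commit pass a live domain object, so the comment should also state that assumption once it is confirmed.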


@ -378,6 +378,7 @@ err:
static int static int
SELinuxRestoreSecurityImageLabel(virConnectPtr conn, SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
virDomainObjPtr vm ATTRIBUTE_UNUSED,
virDomainDiskDefPtr disk) virDomainDiskDefPtr disk)
{ {
/* Don't restore labels on readoly/shared disks, because /* Don't restore labels on readoly/shared disks, because
@ -608,7 +609,8 @@ SELinuxRestoreSecurityLabel(virConnectPtr conn,
rc = -1; rc = -1;
} }
for (i = 0 ; i < vm->def->ndisks ; i++) { for (i = 0 ; i < vm->def->ndisks ; i++) {
if (SELinuxRestoreSecurityImageLabel(conn, vm->def->disks[i]) < 0) if (SELinuxRestoreSecurityImageLabel(conn, vm,
vm->def->disks[i]) < 0)
rc = -1; rc = -1;
} }
VIR_FREE(secdef->model); VIR_FREE(secdef->model);
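Review bot: SELinuxRestoreSecurityImageLabel takes the new vm parameter only to mark it ATTRIBUTE_UNUSED, with nothing explaining why the SELinux driver can do without the domain when AppArmor and TOMOYO cannot; a one-line comment above the attribute would stop the next reader from "fixing" it: `/* vm unused: SELinux restores the image's context from on-disk labelling, not from vm->def->seclabel */`. The body of SELinuxRestoreSecurityImageLabel continues past the first hunk, and SELinuxRestoreSecurityLabel in the second hunk starts and ends outside it.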