security: DAC: handle qcow2 data-file on image label set/restore

Signed-off-by: Nikolai Barybin <nikolai.barybin@virtuozzo.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Nikolai Barybin 2024-11-20 18:48:43 +03:00 committed by Peter Krempa
parent 0a3d177d9b
commit 724a4c6dc4


@ -969,6 +969,13 @@ virSecurityDACSetImageLabel(virSecurityManager *mgr,
def, n, parent, isChainTop) < 0) def, n, parent, isChainTop) < 0)
return -1; return -1;
/* Unlike backing images, data files are not designed to be shared by
* anyone. Thus, we always consider them as chain top. */
if (n->dataFileStore &&
virSecurityDACSetImageLabelInternal(mgr, sharedFilesystems, def,
n->dataFileStore, n, true) < 0)
return -1;
if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
break; break;
@ -1065,8 +1072,16 @@ virSecurityDACRestoreImageLabel(virSecurityManager *mgr,
virStorageSource *src, virStorageSource *src,
virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED) virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
{ {
return virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems, if (virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems,
def, src, false); def, src, false) < 0)
return -1;
if (src->dataFileStore &&
virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems,
def, src->dataFileStore, false) < 0)
return -1;
return 0;
} }
@ -1946,6 +1961,14 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr,
def->disks[i]->src, def->disks[i]->src,
migrated) < 0) migrated) < 0)
rc = -1; rc = -1;
if (def->disks[i]->src->dataFileStore &&
virSecurityDACRestoreImageLabelInt(mgr,
sharedFilesystems,
def,
def->disks[i]->src->dataFileStore,
migrated) < 0)
rc = -1;
} }
for (i = 0; i < def->ngraphics; i++) { for (i = 0; i < def->ngraphics; i++) {
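Review bot: In virSecurityDACRestoreImageLabel (second hunk) the new early `return -1` means a failed restore of `src` skips the data file entirely, presumably leaving it with the ownership that was set for the domain; virSecurityDACRestoreAllLabel in the third hunk records `rc = -1` and carries on, and the same best-effort shape would fit here. Separately, the set path labels `n->dataFileStore` for every layer its loop visits and passes `true` for isChainTop, while both restore paths touch only the top-level `src->dataFileStore`. Unless virSecurityDACRestoreImageLabelInt walks the chain itself (not visible here), data files of backing layers would never get their ownership restored, so a comment stating whether that is intended would help. The loop around the first hunk starts and ends outside the hunk.

```c
    int rc = 0;

    /* Restore is best effort: try the data file even if the image failed. */
    if (virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems,
                                           def, src, false) < 0)
        rc = -1;

    if (src->dataFileStore &&
        virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems,
                                           def, src->dataFileStore, false) < 0)
        rc = -1;

    return rc;
```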