From 7fceb5e16823d62fd800b546fdba6e561a5ab2ed Mon Sep 17 00:00:00 2001 From: Peter Krempa Date: Thu, 5 Jan 2023 12:59:23 +0100 Subject: [PATCH] secuirity: DAC: Don't relabel FD-passed virStorageSource images DAC security label is irrelevant once you have the FD. Disable all labelling for such images. Signed-off-by: Peter Krempa Reviewed-by: Pavel Hrdina --- src/security/security_dac.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 917fcf76a3..4036a2c27a 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -881,6 +881,10 @@ virSecurityDACSetImageLabelInternal(virSecurityManager *mgr, if (!priv->dynamicOwnership) return 0; + /* Images passed via FD don't need DAC seclabel change */ + if (virStorageSourceIsFD(src)) + return 0; + secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); if (secdef && !secdef->relabel) return 0; @@ -992,6 +996,10 @@ virSecurityDACRestoreImageLabelSingle(virSecurityManager *mgr, if (src->readonly || src->shared) return 0; + /* Images passed via FD don't need DAC seclabel change */ + if (virStorageSourceIsFD(src)) + return 0; + secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); if (secdef && !secdef->relabel) return 0; @@ -1112,10 +1120,14 @@ virSecurityDACMoveImageMetadata(virSecurityManager *mgr, if (!priv->dynamicOwnership) return 0; - if (src && virStorageSourceIsLocalStorage(src)) + if (src && + virStorageSourceIsLocalStorage(src) && + !virStorageSourceIsFD(src)) data.src = src->path; - if (dst && virStorageSourceIsLocalStorage(dst)) + if (dst && + virStorageSourceIsLocalStorage(dst) && + !virStorageSourceIsFD(dst)) data.dst = dst->path; if (!data.src)