secuirity: DAC: Don't relabel FD-passed virStorageSource images

The DAC security label is irrelevant once you have the FD. Disable all
DAC labelling for such images.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Peter Krempa 2023-01-05 12:59:23 +01:00
parent 74f3f4b93c
commit 7fceb5e168


@ -881,6 +881,10 @@ virSecurityDACSetImageLabelInternal(virSecurityManager *mgr,
if (!priv->dynamicOwnership) if (!priv->dynamicOwnership)
return 0; return 0;
/* Images passed via FD don't need DAC seclabel change */
if (virStorageSourceIsFD(src))
return 0;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
if (secdef && !secdef->relabel) if (secdef && !secdef->relabel)
return 0; return 0;
@ -992,6 +996,10 @@ virSecurityDACRestoreImageLabelSingle(virSecurityManager *mgr,
if (src->readonly || src->shared) if (src->readonly || src->shared)
return 0; return 0;
/* Images passed via FD don't need DAC seclabel change */
if (virStorageSourceIsFD(src))
return 0;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
if (secdef && !secdef->relabel) if (secdef && !secdef->relabel)
return 0; return 0;
@ -1112,10 +1120,14 @@ virSecurityDACMoveImageMetadata(virSecurityManager *mgr,
if (!priv->dynamicOwnership) if (!priv->dynamicOwnership)
return 0; return 0;
if (src && virStorageSourceIsLocalStorage(src)) if (src &&
virStorageSourceIsLocalStorage(src) &&
!virStorageSourceIsFD(src))
data.src = src->path; data.src = src->path;
if (dst && virStorageSourceIsLocalStorage(dst)) if (dst &&
virStorageSourceIsLocalStorage(dst) &&
!virStorageSourceIsFD(dst))
data.dst = dst->path; data.dst = dst->path;
if (!data.src) if (!data.src)
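Review bot: The `!virStorageSourceIsFD(src)` and `!virStorageSourceIsFD(dst)` conditions added in virSecurityDACMoveImageMetadata carry no comment, and the comment repeated in the Set and Restore hunks says only that no change is needed, not why. Someone auditing the DAC driver would want the reason from the commit message next to each skip, for example `/* FD-passed image: access was settled when the FD was opened, so ownership of src->path is irrelevant and must be left alone */`. It is also worth stating in the Set hunk that the Restore and Move paths must skip the same images, so that a later edit to one check does not leave the three out of step. All three functions continue outside the hunks, so what happens after `if (!data.src)` when only `src` is FD-passed cannot be checked from this page.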