From c0c52a951999e9ed1948e650e07fe235f5a61944 Mon Sep 17 00:00:00 2001
From: Michal Privoznik <mprivozn@redhat.com>
Date: Wed, 14 Dec 2022 15:12:38 +0100
Subject: [PATCH] qemu_tpm: Restore TPM labels on failed start

If swtpm binary fails to start after successful exec() (e.g. it
fails to initialize itself), the seclabels set in
qemuSecurityStartTPMEmulator() are not restored. This is due to
lacking qemuSecurityRestoreTPMLabels() call in the error path.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
---
 src/qemu/qemu_tpm.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 200ff0de6f..03055002cb 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -927,6 +927,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
     virTimeBackOffVar timebackoff;
     const unsigned long long timeout = 1000; /* ms */
     bool setTPMStateLabel = true;
+    bool teardownlabel = false;
     int cmdret = 0;
     pid_t pid = -1;
 
@@ -970,6 +971,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
          * already reported error. */
         goto error;
     }
+    teardownlabel = true;
 
     if (virPidFileReadPath(pidfile, &pid) < 0) {
         virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
@@ -1012,6 +1014,8 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
         virProcessKillPainfully(pid, true);
     if (pidfile)
         unlink(pidfile);
+    if (teardownlabel)
+        qemuSecurityRestoreTPMLabels(driver, vm, setTPMStateLabel);
     return -1;
 }