qemu_security: Fully implement qemuSecurityDomainSetPathLabel

Even though the current use of the function does not require full implementation with transactions (none of the callers pass a path somewhere under /dev), it doesn't hurt either. Moreover, in future patches the paradigm is going to shift so that any API that touches a file is required to use transactions. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
2024-07-30 21:47:18 +00:00 · 2018-09-05 11:19:14 +02:00 · 2018-09-05 11:19:14 +02:00 · da24db2d30
commit da24db2d30
parent 679895eb5d
4 changed files with 42 additions and 12 deletions
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@ -808,8 +808,7 @@ qemuDomainWriteMasterKeyFile(virQEMUDriverPtr driver,
        goto cleanup;
    }

-    if (qemuSecurityDomainSetPathLabel(driver->securityManager,
-                                       vm->def, path, false) < 0)
+    if (qemuSecurityDomainSetPathLabel(driver, vm, path, false) < 0)
        goto cleanup;

    ret = 0;
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@ -2790,8 +2790,7 @@ qemuProcessStartManagedPRDaemon(virDomainObjPtr vm)
        virCgroupAddMachineTask(priv->cgroup, cpid) < 0)
        goto cleanup;

-    if (qemuSecurityDomainSetPathLabel(driver->securityManager,
-                                       vm->def, socketPath, true) < 0)
+    if (qemuSecurityDomainSetPathLabel(driver, vm, socketPath, true) < 0)
        goto cleanup;

    priv->prDaemonRunning = true;
@ -3653,7 +3652,7 @@ qemuProcessNeedMemoryBackingPath(virDomainDefPtr def,

 static int
 qemuProcessBuildDestroyMemoryPathsImpl(virQEMUDriverPtr driver,
-                                       virDomainDefPtr def,
+                                       virDomainObjPtr vm,
                                       const char *path,
                                       bool build)
 {
@ -3668,8 +3667,7 @@ qemuProcessBuildDestroyMemoryPathsImpl(virQEMUDriverPtr driver,
            return -1;
        }

-        if (qemuSecurityDomainSetPathLabel(driver->securityManager,
-                                           def, path, true) < 0)
+        if (qemuSecurityDomainSetPathLabel(driver, vm, path, true) < 0)
            return -1;
    } else {
        if (virFileDeleteTree(path) < 0)
@ -3705,7 +3703,7 @@ qemuProcessBuildDestroyMemoryPaths(virQEMUDriverPtr driver,
            if (!path)
                goto cleanup;

-            if (qemuProcessBuildDestroyMemoryPathsImpl(driver, vm->def,
+            if (qemuProcessBuildDestroyMemoryPathsImpl(driver, vm,
                                                       path, build) < 0)
                goto cleanup;

@ -3717,7 +3715,7 @@ qemuProcessBuildDestroyMemoryPaths(virQEMUDriverPtr driver,
        if (qemuGetMemoryBackingDomainPath(vm->def, cfg, &path) < 0)
            goto cleanup;

-        if (qemuProcessBuildDestroyMemoryPathsImpl(driver, vm->def,
+        if (qemuProcessBuildDestroyMemoryPathsImpl(driver, vm,
                                                   path, build) < 0)
            goto cleanup;

@ -4909,8 +4907,7 @@ qemuProcessMakeDir(virQEMUDriverPtr driver,
        goto cleanup;
    }

-    if (qemuSecurityDomainSetPathLabel(driver->securityManager,
-                                       vm->def, path, true) < 0)
+    if (qemuSecurityDomainSetPathLabel(driver, vm, path, true) < 0)
        goto cleanup;

    ret = 0;
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@ -493,3 +493,33 @@ qemuSecurityCleanupTPMEmulator(virQEMUDriverPtr driver,
 {
    virSecurityManagerRestoreTPMLabels(driver->securityManager, def);
 }
+
+
+int
+qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
+                               virDomainObjPtr vm,
+                               const char *path,
+                               bool allowSubtree)
+{
+    int ret = -1;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionStart(driver->securityManager) < 0)
+        goto cleanup;
+
+    if (virSecurityManagerDomainSetPathLabel(driver->securityManager,
+                                             vm->def,
+                                             path,
+                                             allowSubtree) < 0)
+        goto cleanup;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionCommit(driver->securityManager,
+                                            vm->pid) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    virSecurityManagerTransactionAbort(driver->securityManager);
+    return ret;
+}
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@ -95,12 +95,16 @@ int qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver,
 void qemuSecurityCleanupTPMEmulator(virQEMUDriverPtr driver,
                                    virDomainDefPtr def);

+int qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
+                                   virDomainObjPtr vm,
+                                   const char *path,
+                                   bool allowSubtree);
+
 /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
 * new APIs here. If an API can touch a /dev file add a proper wrapper instead.
 */
 # define qemuSecurityCheckAllLabel virSecurityManagerCheckAllLabel
 # define qemuSecurityClearSocketLabel virSecurityManagerClearSocketLabel
-# define qemuSecurityDomainSetPathLabel virSecurityManagerDomainSetPathLabel
 # define qemuSecurityGenLabel virSecurityManagerGenLabel
 # define qemuSecurityGetBaseLabel virSecurityManagerGetBaseLabel
 # define qemuSecurityGetDOI virSecurityManagerGetDOI