qemu_security: Fully implement qemuSecurity{Set,Restore}SavedStateLabel

Even though the current use of the functions does not require full implementation with transactions (none of the callers passes a path somewhere under /dev), it doesn't hurt either. Moreover, in future patches the paradigm is going to shift so that any API that touches a file is required to use transactions. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
2024-12-22 13:45:38 +00:00 · 2018-09-05 11:29:46 +02:00 · 2018-09-05 11:29:46 +02:00 · e2c23982dd
commit e2c23982dd
parent da24db2d30
3 changed files with 67 additions and 6 deletions
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@ -4043,7 +4043,7 @@ qemuDomainScreenshot(virDomainPtr dom,
    }
    unlink_tmp = true;

-    qemuSecuritySetSavedStateLabel(driver->securityManager, vm->def, tmp);
+    qemuSecuritySetSavedStateLabel(driver, vm, tmp);

    qemuDomainObjEnterMonitor(driver, vm);
    if (qemuMonitorScreendump(priv->mon, videoAlias, screen, tmp) < 0) {
@ -6662,8 +6662,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
    virObjectUnref(cookie);
    virCommandFree(cmd);
    VIR_FREE(errbuf);
-    if (qemuSecurityRestoreSavedStateLabel(driver->securityManager,
-                                           vm->def, path) < 0)
+    if (qemuSecurityRestoreSavedStateLabel(driver, vm, path) < 0)
        VIR_WARN("failed to restore save state label on %s", path);
    virObjectUnref(cfg);
    return ret;
@ -11828,7 +11827,7 @@ qemuDomainMemoryPeek(virDomainPtr dom,
        goto endjob;
    }

-    qemuSecuritySetSavedStateLabel(driver->securityManager, vm->def, tmp);
+    qemuSecuritySetSavedStateLabel(driver, vm, tmp);

    priv = vm->privateData;
    qemuDomainObjEnterMonitor(driver, vm);
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@ -523,3 +523,59 @@ qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
    virSecurityManagerTransactionAbort(driver->securityManager);
    return ret;
 }
+
+
+int
+qemuSecuritySetSavedStateLabel(virQEMUDriverPtr driver,
+                                   virDomainObjPtr vm,
+                                   const char *savefile)
+{
+    int ret = -1;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionStart(driver->securityManager) < 0)
+        goto cleanup;
+
+    if (virSecurityManagerSetSavedStateLabel(driver->securityManager,
+                                             vm->def,
+                                             savefile) < 0)
+        goto cleanup;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionCommit(driver->securityManager,
+                                            vm->pid) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    virSecurityManagerTransactionAbort(driver->securityManager);
+    return ret;
+}
+
+
+int
+qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver,
+                                       virDomainObjPtr vm,
+                                       const char *savefile)
+{
+    int ret = -1;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionStart(driver->securityManager) < 0)
+        goto cleanup;
+
+    if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager,
+                                                 vm->def,
+                                                 savefile) < 0)
+        goto cleanup;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionCommit(driver->securityManager,
+                                            vm->pid) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    virSecurityManagerTransactionAbort(driver->securityManager);
+    return ret;
+}
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@ -100,6 +100,14 @@ int qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
                                   const char *path,
                                   bool allowSubtree);

+int qemuSecuritySetSavedStateLabel(virQEMUDriverPtr driver,
+                                   virDomainObjPtr vm,
+                                   const char *savefile);
+
+int qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver,
+                                       virDomainObjPtr vm,
+                                       const char *savefile);
+
 /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
 * new APIs here. If an API can touch a /dev file add a proper wrapper instead.
 */
@ -119,11 +127,9 @@ int qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
 # define qemuSecurityPreFork virSecurityManagerPreFork
 # define qemuSecurityReleaseLabel virSecurityManagerReleaseLabel
 # define qemuSecurityReserveLabel virSecurityManagerReserveLabel
-# define qemuSecurityRestoreSavedStateLabel virSecurityManagerRestoreSavedStateLabel
 # define qemuSecuritySetChildProcessLabel virSecurityManagerSetChildProcessLabel
 # define qemuSecuritySetDaemonSocketLabel virSecurityManagerSetDaemonSocketLabel
 # define qemuSecuritySetImageFDLabel virSecurityManagerSetImageFDLabel
-# define qemuSecuritySetSavedStateLabel virSecurityManagerSetSavedStateLabel
 # define qemuSecuritySetSocketLabel virSecurityManagerSetSocketLabel
 # define qemuSecuritySetTapFDLabel virSecurityManagerSetTapFDLabel
 # define qemuSecurityStackAddNested virSecurityManagerStackAddNested