security_dac: Label host side of NVDIMM

When domain is being started up, we ought to relabel the host
side of NVDIMM so qemu has access to it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

src/security/security_dac.c

@@ -1386,6 +1386,30 @@ virSecurityDACRestoreInputLabel(virSecurityManagerPtr mgr,
 }
 
 
+static int
+virSecurityDACRestoreMemoryLabel(virSecurityManagerPtr mgr,
+                                 virDomainDefPtr def ATTRIBUTE_UNUSED,
+                                 virDomainMemoryDefPtr mem)
+{
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    int ret = -1;
+
+    switch ((virDomainMemoryModel) mem->model) {
+    case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+        ret = virSecurityDACRestoreFileLabel(priv, mem->nvdimmPath);
+        break;
+
+    case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_LAST:
+    case VIR_DOMAIN_MEMORY_MODEL_NONE:
+        ret = 0;
+        break;
+    }
+
+    return ret;
+}
+
+
 static int
 virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
                               virDomainDefPtr def,
@@ -1425,6 +1449,13 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
             rc = -1;
     }
 
+    for (i = 0; i < def->nmems; i++) {
+        if (virSecurityDACRestoreMemoryLabel(mgr,
+                                             def,
+                                             def->mems[i]) < 0)
+            rc = -1;
+    }
+
     if (virDomainChrDefForeach(def,
                                false,
                                virSecurityDACRestoreChardevCallback,
@@ -1457,6 +1488,41 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def,
 }
 
 
+static int
+virSecurityDACSetMemoryLabel(virSecurityManagerPtr mgr,
+                             virDomainDefPtr def,
+                             virDomainMemoryDefPtr mem)
+
+{
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityLabelDefPtr seclabel;
+    int ret = -1;
+    uid_t user;
+    gid_t group;
+
+    switch ((virDomainMemoryModel) mem->model) {
+    case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+        seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+        if (seclabel && !seclabel->relabel)
+            return 0;
+
+        if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+            return -1;
+
+        ret = virSecurityDACSetOwnership(priv, NULL, mem->nvdimmPath, user, group);
+        break;
+
+    case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+    case VIR_DOMAIN_MEMORY_MODEL_LAST:
+    case VIR_DOMAIN_MEMORY_MODEL_NONE:
+        ret = 0;
+        break;
+    }
+
+    return ret;
+}
+
+
 static int
 virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
                           virDomainDefPtr def,
@@ -1496,6 +1562,13 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
             return -1;
     }
 
+    for (i = 0; i < def->nmems; i++) {
+        if (virSecurityDACSetMemoryLabel(mgr,
+                                         def,
+                                         def->mems[i]) < 0)
+            return -1;
+    }
+
     if (virDomainChrDefForeach(def,
                                true,
                                virSecurityDACSetChardevCallback,