security: Try harder to run transactions
When a QEMU process dies in the middle of a hotplug, we fail to restore the seclabels on the device. The problem is that if the thread doing hotplug locks the domain object first and thus blocks the thread that wants to do qemuProcessStop(), the seclabel cleanup code will see vm->pid still set and the mount namespace in use and therefore try to enter the namespace represented by the PID. But the PID is really gone, so entering fails and no restore is done. What we can do is try to enter the namespace (if requested to do so) but, if entering fails, fall back to no-NS mode. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1814481 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Pavel Mores <pmores@redhat.com>
This commit is contained in:
parent
c799d150d5
commit
ea903036fa
@ -640,15 +640,23 @@ virSecurityDACTransactionCommit(virSecurityManagerPtr mgr G_GNUC_UNUSED,
|
|||||||
|
|
||||||
list->lock = lock;
|
list->lock = lock;
|
||||||
|
|
||||||
|
if (pid != -1) {
|
||||||
|
rc = virProcessRunInMountNamespace(pid,
|
||||||
|
virSecurityDACTransactionRun,
|
||||||
|
list);
|
||||||
|
if (rc < 0) {
|
||||||
|
if (virGetLastErrorCode() == VIR_ERR_SYSTEM_ERROR)
|
||||||
|
pid = -1;
|
||||||
|
else
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (pid == -1) {
|
if (pid == -1) {
|
||||||
if (lock)
|
if (lock)
|
||||||
rc = virProcessRunInFork(virSecurityDACTransactionRun, list);
|
rc = virProcessRunInFork(virSecurityDACTransactionRun, list);
|
||||||
else
|
else
|
||||||
rc = virSecurityDACTransactionRun(pid, list);
|
rc = virSecurityDACTransactionRun(pid, list);
|
||||||
} else {
|
|
||||||
rc = virProcessRunInMountNamespace(pid,
|
|
||||||
virSecurityDACTransactionRun,
|
|
||||||
list);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (rc < 0)
|
if (rc < 0)
|
||||||
|
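Review bot: The fallback on `virGetLastErrorCode() == VIR_ERR_SYSTEM_ERROR` is broader than the case the commit describes — any system error from virProcessRunInMountNamespace, not only the dead PID's namespace being unreachable, now causes the whole transaction (the label-setting direction included) to be re-run against the host's view of the paths, with no record of why, and the original error stays set if that second run succeeds. Before `pid = -1;` log the decision, e.g. `VIR_DEBUG("Entering mount namespace of pid %lld failed, falling back to host namespace", (long long)pid);`, and add `virResetLastError();` so a later success does not carry the earlier failure to the caller. The same pattern appears in the virSecuritySELinuxTransactionCommit hunk at -1163,+1163 and warrants the same treatment. virSecurityDACTransactionCommit begins before this hunk and its `cleanup` label lies after it.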
@ -1163,15 +1163,23 @@ virSecuritySELinuxTransactionCommit(virSecurityManagerPtr mgr G_GNUC_UNUSED,
|
|||||||
|
|
||||||
list->lock = lock;
|
list->lock = lock;
|
||||||
|
|
||||||
|
if (pid != -1) {
|
||||||
|
rc = virProcessRunInMountNamespace(pid,
|
||||||
|
virSecuritySELinuxTransactionRun,
|
||||||
|
list);
|
||||||
|
if (rc < 0) {
|
||||||
|
if (virGetLastErrorCode() == VIR_ERR_SYSTEM_ERROR)
|
||||||
|
pid = -1;
|
||||||
|
else
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (pid == -1) {
|
if (pid == -1) {
|
||||||
if (lock)
|
if (lock)
|
||||||
rc = virProcessRunInFork(virSecuritySELinuxTransactionRun, list);
|
rc = virProcessRunInFork(virSecuritySELinuxTransactionRun, list);
|
||||||
else
|
else
|
||||||
rc = virSecuritySELinuxTransactionRun(pid, list);
|
rc = virSecuritySELinuxTransactionRun(pid, list);
|
||||||
} else {
|
|
||||||
rc = virProcessRunInMountNamespace(pid,
|
|
||||||
virSecuritySELinuxTransactionRun,
|
|
||||||
list);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (rc < 0)
|
if (rc < 0)
|
||||||
|