security_(dac|selinux): Unref remembered security labels on outgoing migration

When 'qemuSecurityRestoreAllLabel' is called on outgoing migration it skips the actual relabeling part of the images in dac/selinux drivers in order to avoid cutting off access to the image. As shared filesystems don't really support the trusted XATTR groups, remembering of security labels never worked on those paths so we never actually had remembered seclabels for images that could be migrated. With recent changes we now support migration from local storage to remote in case the admin declares it as shared. This means that in case when the VM is started on local storage we'd actually store seclabels, but when migrating out the XATTRs remembering the seclabels would not actually be unref'd and thus the seclabels would leak. As we can't know whether a remote host will be able to use the XATTRs or not (but really it won't) and at the same time the destination side of migration will actually call 'qemuSecuritySetAllLabel' setting/refing it's own seclabels we really need to unref them on our side. This patch adds the appropriate *RecallLabel() calls on the code paths in which relabelling is skipped due to migration. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2025-02-22 03:12:22 +00:00 · 2024-08-02 15:23:42 +02:00 · 2024-08-02 15:23:42 +02:00 · eabeae605f
commit eabeae605f
parent 2983dd44c5
2 changed files with 10 additions and 0 deletions
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@ -1022,6 +1022,9 @@ virSecurityDACRestoreImageLabelInt(virSecurityManager *mgr,
        if (rc == 1) {
            VIR_DEBUG("Skipping image label restore on %s because FS is shared",
                      src->path);
+
+            ignore_value(virSecurityDACRecallLabel(priv, src->path, NULL, NULL));
+
            return 0;
        }
    }
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -1837,8 +1837,15 @@ virSecuritySELinuxRestoreImageLabelInt(virSecurityManager *mgr,
        }

        if (rc == 1) {
+            g_autofree char *oldlabel = NULL;
+
            VIR_DEBUG("Skipping image label restore on %s because FS is shared",
                      src->path);
+
+            /* We still want to remove the local reference of the remembered
+             * seclabel. The destination will take its own reference when
+             * starting the migrated VM */
+            ignore_value(virSecuritySELinuxRecallLabel(src->path, &oldlabel));
            return 0;
        }
    }