From ebd004a03dbddc52dd1b47bd6bc4607f553d5e70 Mon Sep 17 00:00:00 2001 From: Eric Farman Date: Sat, 1 Apr 2023 02:42:04 +0200 Subject: [PATCH] security: do not remember/recall labels for VFIO MDEVs Commit dbf1f68410 ("security: do not remember/recall labels for VFIO") rightly changed the DAC and SELinux labeling parameters to fix a problem with "VFIO hostdevs" but really only addressed the PCI codepaths. As a result, we can still encounter this with VFIO MDEVs such as vfio-ccw and vfio-ap, which can fail on a hotplug: [test@host ~]# mdevctl stop -u 11f2d2bc-4083-431d-a023-eff72715c4f0 [test@host ~]# mdevctl start -u 11f2d2bc-4083-431d-a023-eff72715c4f0 [test@host ~]# cat disk.xml
[test@host ~]# virsh attach-device guest ~/disk.xml error: Failed to attach device from /home/test/disk.xml error: Requested operation is not valid: Setting different SELinux label on /dev/vfio/3 which is already in use Make the same changes as reported in commit dbf1f68410, for the mdev paths. Reported-by: Matthew Rosato Signed-off-by: Eric Farman Reviewed-by: Michal Privoznik
---
 src/security/security_dac.c | 4 ++--
 src/security/security_selinux.c | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 64f771685a..c7dc145621 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1309,7 +1309,7 @@ virSecurityDACSetHostdevLabel(virSecurityManager *mgr,
 if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
 return -1;
- ret = virSecurityDACSetHostdevLabelHelper(vfiodev, true, &cbdata);
+ ret = virSecurityDACSetHostdevLabelHelper(vfiodev, false, &cbdata);
 break;
 }
@@ -1465,7 +1465,7 @@ virSecurityDACRestoreHostdevLabel(virSecurityManager *mgr,
 if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
 return -1;
- ret = virSecurityDACRestoreFileLabel(mgr, vfiodev);
+ ret = virSecurityDACRestoreFileLabelInternal(mgr, NULL, vfiodev, false);
 break;
 }
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 17797736d0..e3e6a6115f 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2261,7 +2261,7 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManager *mgr,
 if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
 return ret;
- ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, true, &data);
+ ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, false, &data);
 break;
 }
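Review bot: The bare `false` in the new `virSecurityDACSetHostdevLabelHelper(vfiodev, false, &cbdata)` call carries the whole fix, yet nothing at the call site says which behaviour it switches off; a reader has to open the helper to learn it is the remember/recall flag named in the subject. I would put `/* Do not remember the label of the VFIO group node, same as the PCI case (dbf1f68410) */` above the call, and the same comment belongs in the DAC restore hunk (`virSecurityDACRestoreFileLabelInternal(mgr, NULL, vfiodev, false)`) and the first security_selinux.c hunk. That DAC restore hunk also drops from the public restore function to the `...Internal` variant with a `NULL` source while the SELinux side keeps calling its public restore with a `false` flag; if `virSecurityDACRestoreFileLabel` is only a thin wrapper (its body is outside the hunk), giving it the same recall parameter would keep the two drivers parallel. The enclosing switch cases begin outside the hunks.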
@@ -2489,7 +2489,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManager *mgr,
 if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
 return -1;
- ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, true);
+ ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, false);
 break;
 }
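Review bot: With `false` as the last argument of `virSecuritySELinuxRestoreFileLabel`, the unplug path no longer consults a remembered original label or the in-use tracking that produced the "already in use" error quoted in the description, so `/dev/vfio/N` receives whatever default context the restore applies; that is the trade-off dbf1f68410 already made for PCI, but nothing at the call says so. I would add `/* recall disabled for VFIO group nodes, same as the PCI case (dbf1f68410) */` above the call. Whether a mediated device's group node can still be held by another domain at this point is not visible here; if it can, protection against relabelling it underneath that domain now has to come from the hostdev bookkeeping rather than from the label XATTRs, and that assumption is worth stating in the same comment. The enclosing switch case begins outside the hunk.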