qemu_namespace: Only replicate labels on created files

Function qemuNamespaceMknodOne() is trying to replicate a file from the parent namespace as perfectly as possible, with the same permissions, labels, ACLs, etc. If that file already existed it means that the qemu process is probably using it already and the current setting is probably more correct than the ones from the parent namespace. In order to reflect that only replicate the file metadata when it was (re-)created in this function. Resolves: https://issues.redhat.com/browse/RHEL-62174 Signed-off-by: Martin Kletzander <mkletzan@redhat.com> Reviewed-by: Peter Krempa <pkrempa@redhat.com>
2024-10-24 06:53:11 +00:00 · 2024-10-15 15:12:55 +02:00 · 2024-10-15 15:12:55 +02:00 · f2710260d4
commit f2710260d4
parent 26f249034d
1 changed files with 34 additions and 32 deletions
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@ -1090,43 +1090,45 @@ qemuNamespaceMknodOne(qemuNamespaceMknodItem *data)
        goto cleanup;
    }

-    if (lchown(data->file, data->sb.st_uid, data->sb.st_gid) < 0) {
-        virReportSystemError(errno,
-                             _("Failed to chown device %1$s"),
-                             data->file);
-        goto cleanup;
-    }
-
-    /* Symlinks don't have mode */
-    if (!isLink &&
-        chmod(data->file, data->sb.st_mode) < 0) {
-        virReportSystemError(errno,
-                             _("Failed to set permissions for device %1$s"),
-                             data->file);
-        goto cleanup;
-    }
-
-    if (data->acl &&
-        virFileSetACLs(data->file, data->acl) < 0 &&
-        errno != ENOTSUP) {
-        virReportSystemError(errno,
-                             _("Unable to set ACLs on %1$s"), data->file);
-        goto cleanup;
-    }
-
-# ifdef WITH_SELINUX
-    if (data->tcon &&
-        lsetfilecon_raw(data->file, (const char *)data->tcon) < 0) {
-        VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR
-        if (errno != EOPNOTSUPP && errno != ENOTSUP) {
-        VIR_WARNINGS_RESET
+    if (!existed) {
+        if (lchown(data->file, data->sb.st_uid, data->sb.st_gid) < 0) {
            virReportSystemError(errno,
-                                 _("Unable to set SELinux label on %1$s"),
+                                 _("Failed to chown device %1$s"),
                                 data->file);
            goto cleanup;
        }
-    }
+
+        /* Symlinks don't have mode */
+        if (!isLink &&
+            chmod(data->file, data->sb.st_mode) < 0) {
+            virReportSystemError(errno,
+                                 _("Failed to set permissions for device %1$s"),
+                                 data->file);
+            goto cleanup;
+        }
+
+        if (data->acl &&
+            virFileSetACLs(data->file, data->acl) < 0 &&
+            errno != ENOTSUP) {
+            virReportSystemError(errno,
+                                 _("Unable to set ACLs on %1$s"), data->file);
+            goto cleanup;
+        }
+
+# ifdef WITH_SELINUX
+        if (data->tcon &&
+            lsetfilecon_raw(data->file, (const char *)data->tcon) < 0) {
+            VIR_WARNINGS_NO_WLOGICALOP_EQUAL_EXPR
+            if (errno != EOPNOTSUPP && errno != ENOTSUP) {
+            VIR_WARNINGS_RESET
+                virReportSystemError(errno,
+                                     _("Unable to set SELinux label on %1$s"),
+                                     data->file);
+                goto cleanup;
+            }
+        }
 # endif
+    }

    /* Finish mount process started earlier. */
    if ((isReg || isDir) &&