From 458d0a8c5277a2d47368d6e711c8e1b7687f568d Mon Sep 17 00:00:00 2001 From: Michal Privoznik Date: Wed, 11 Sep 2019 07:53:09 +0200 Subject: [PATCH] security: Pass @migrated to virSecurityManagerSetAllLabel In upcoming commits, virSecurityManagerSetAllLabel() will perform rollback in case of failure by calling virSecurityManagerRestoreAllLabel(). But in order to do that, the former needs to have @migrated argument so that it can be passed to the latter. Signed-off-by: Michal Privoznik Reviewed-by: Cole Robinson --- src/lxc/lxc_process.c | 2 +- src/qemu/qemu_process.c | 3 ++- src/qemu/qemu_security.c | 6 ++++-- src/qemu/qemu_security.h | 3 ++- src/security/security_apparmor.c | 3 ++- src/security/security_dac.c | 3 ++- src/security/security_driver.h | 3 ++- src/security/security_manager.c | 6 ++++-- src/security/security_manager.h | 3 ++- src/security/security_nop.c | 3 ++- src/security/security_selinux.c | 3 ++- src/security/security_stack.c | 6 ++++-- tests/qemusecuritytest.c | 2 +- tests/securityselinuxlabeltest.c | 2 +- 14 files changed, 31 insertions(+), 17 deletions(-) diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c index 318b4c1653..bf01d51766 100644 --- a/src/lxc/lxc_process.c +++ b/src/lxc/lxc_process.c @@ -1346,7 +1346,7 @@ int virLXCProcessStart(virConnectPtr conn, VIR_DEBUG("Setting domain security labels"); if (virSecurityManagerSetAllLabel(driver->securityManager, - vm->def, NULL, false) < 0) + vm->def, NULL, false, false) < 0) goto cleanup; VIR_DEBUG("Setting up consoles"); diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index c6fac01ada..4135418c01 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -6939,7 +6939,8 @@ qemuProcessLaunch(virConnectPtr conn, VIR_DEBUG("Setting domain security labels"); if (qemuSecuritySetAllLabel(driver, vm, - incoming ? incoming->path : NULL) < 0) + incoming ? incoming->path : NULL, + incoming != NULL) < 0) goto cleanup; /* Security manager labeled all devices, therefore 
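Review bot: In the qemu_process.c hunk, `incoming != NULL` is passed as `migrated`, but the argument just above it takes `incoming->path` from the same object as `stdin_path`, so `incoming` may also be set for starts that are not live migrations (presumably restore from a saved image; confirm against the callers of qemuProcessLaunch). The commit message says this flag will be handed to virSecurityManagerRestoreAllLabel() on rollback, so a wrong value would decide which labels are or are not restored after a failed start. I would compute it in a named local with the reasoning spelled out, e.g. `bool migrated = incoming != NULL; /* TODO confirm: also true for restore-from-file? */`, or derive it from an explicit migration indicator if one is available here. qemuProcessLaunch starts and ends outside the hunk, so the other uses of `incoming` are not visible.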
diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c index 63808c2d17..2aa2b5b9c6 100644 --- a/src/qemu/qemu_security.c +++ b/src/qemu/qemu_security.c @@ -32,7 +32,8 @@ VIR_LOG_INIT("qemu.qemu_process"); int qemuSecuritySetAllLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, - const char *stdin_path) + const char *stdin_path, + bool migrated) { int ret = -1; qemuDomainObjPrivatePtr priv = vm->privateData; @@ -47,7 +48,8 @@ qemuSecuritySetAllLabel(virQEMUDriverPtr driver, if (virSecurityManagerSetAllLabel(driver->securityManager, vm->def, stdin_path, - priv->chardevStdioLogd) < 0) + priv->chardevStdioLogd, + migrated) < 0) goto cleanup; if (virSecurityManagerTransactionCommit(driver->securityManager, diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h index c8a4bd8220..a8c648ece1 100644 --- a/src/qemu/qemu_security.h +++ b/src/qemu/qemu_security.h @@ -26,7 +26,8 @@ int qemuSecuritySetAllLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, - const char *stdin_path); + const char *stdin_path, + bool migrated); void qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 77eee9410c..699590ee00 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -488,7 +488,8 @@ static int AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, const char *stdin_path, - bool chardevStdioLogd ATTRIBUTE_UNUSED) + bool chardevStdioLogd ATTRIBUTE_UNUSED, + bool migrated ATTRIBUTE_UNUSED) { virSecurityLabelDefPtr secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME); diff --git a/src/security/security_dac.c b/src/security/security_dac.c index d6d0a8299b..4270d5409f 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c 
@@ -2053,7 +2053,8 @@ static int virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, const char *stdin_path ATTRIBUTE_UNUSED, - bool chardevStdioLogd) + bool chardevStdioLogd, + bool migrated ATTRIBUTE_UNUSED) { virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityLabelDefPtr secdef; diff --git a/src/security/security_driver.h b/src/security/security_driver.h index b4ffed29ec..3353955813 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -83,7 +83,8 @@ typedef int (*virSecurityDomainReleaseLabel) (virSecurityManagerPtr mgr, typedef int (*virSecurityDomainSetAllLabel) (virSecurityManagerPtr mgr, virDomainDefPtr sec, const char *stdin_path, - bool chardevStdioLogd); + bool chardevStdioLogd, + bool migrated); typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManagerPtr mgr, virDomainDefPtr def, bool migrated, diff --git a/src/security/security_manager.c b/src/security/security_manager.c index 7f187c9068..bb083ba9c8 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -852,13 +852,15 @@ int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr vm, const char *stdin_path, - bool chardevStdioLogd) + bool chardevStdioLogd, + bool migrated) { if (mgr->drv->domainSetSecurityAllLabel) { int ret; virObjectLock(mgr); ret = mgr->drv->domainSetSecurityAllLabel(mgr, vm, stdin_path, - chardevStdioLogd); + chardevStdioLogd, + migrated); virObjectUnlock(mgr); return ret; } diff --git a/src/security/security_manager.h b/src/security/security_manager.h index 0d2375b263..1d4928fae3 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h 
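Review bot: In the security_manager.c hunk, virSecurityManagerSetAllLabel() gains a second trailing `bool` with no comment saying what `migrated` means on the set path, and the same gap exists on the `virSecurityDomainSetAllLabel` typedef in security_driver.h. Two adjacent bools (`chardevStdioLogd, migrated`) can be swapped at a call site without any compiler diagnostic, as the LXC call that now reads `NULL, false, false` shows, and virSecurityManagerRestoreAllLabel takes `migrated` as its third parameter instead of last. I would add a comment above the function along the lines of `/* @migrated: forwarded to the driver so that a failed labelling can be undone via virSecurityManagerRestoreAllLabel(); does not change what gets labelled */`, adjusting the wording once the rollback lands. The function continues past the end of the hunk, so the path taken when `domainSetSecurityAllLabel` is NULL is not visible here.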
@@ -121,7 +121,8 @@ int virSecurityManagerCheckAllLabel(virSecurityManagerPtr mgr, int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr sec, const char *stdin_path, - bool chardevStdioLogd); + bool chardevStdioLogd, + bool migrated); int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, bool migrated, diff --git a/src/security/security_nop.c b/src/security/security_nop.c index 966b9d41a1..96cdac03d8 100644 --- a/src/security/security_nop.c +++ b/src/security/security_nop.c @@ -136,7 +136,8 @@ static int virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefPtr sec ATTRIBUTE_UNUSED, const char *stdin_path ATTRIBUTE_UNUSED, - bool chardevStdioLogd ATTRIBUTE_UNUSED) + bool chardevStdioLogd ATTRIBUTE_UNUSED, + bool migrated ATTRIBUTE_UNUSED) { return 0; } diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 6e6b758497..ac8b7ae264 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -3133,7 +3133,8 @@ static int virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, const char *stdin_path, - bool chardevStdioLogd) + bool chardevStdioLogd, + bool migrated ATTRIBUTE_UNUSED) { size_t i; virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr); diff --git a/src/security/security_stack.c b/src/security/security_stack.c index d445c0773e..dd055075cb 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -316,7 +316,8 @@ static int virSecurityStackSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr vm, const char *stdin_path, - bool chardevStdioLogd) + bool chardevStdioLogd, + bool migrated) { virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackItemPtr item = priv->itemsHead; 
@@ -324,7 +325,8 @@ virSecurityStackSetAllLabel(virSecurityManagerPtr mgr, for (; item; item = item->next) { if (virSecurityManagerSetAllLabel(item->securityManager, vm, - stdin_path, chardevStdioLogd) < 0) + stdin_path, chardevStdioLogd, + migrated) < 0) rc = -1; } diff --git a/tests/qemusecuritytest.c b/tests/qemusecuritytest.c index 2d88979168..9efc15c105 100644 --- a/tests/qemusecuritytest.c +++ b/tests/qemusecuritytest.c @@ -116,7 +116,7 @@ testDomain(const void *opaque) if (setenv(ENVVAR, "1", 0) < 0) return -1; - if (qemuSecuritySetAllLabel(data->driver, vm, NULL) < 0) + if (qemuSecuritySetAllLabel(data->driver, vm, NULL, false) < 0) goto cleanup; qemuSecurityRestoreAllLabel(data->driver, vm, false); diff --git a/tests/securityselinuxlabeltest.c b/tests/securityselinuxlabeltest.c index 8c3cb29c41..6f9b5c0e70 100644 --- a/tests/securityselinuxlabeltest.c +++ b/tests/securityselinuxlabeltest.c @@ -310,7 +310,7 @@ testSELinuxLabeling(const void *opaque) if (!(def = testSELinuxLoadDef(testname))) goto cleanup; - if (virSecurityManagerSetAllLabel(mgr, def, NULL, false) < 0) + if (virSecurityManagerSetAllLabel(mgr, def, NULL, false, false) < 0) goto cleanup; if (testSELinuxCheckLabels(files, nfiles) < 0)
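Review bot: The loop in virSecurityStackSetAllLabel (second security_stack.c hunk) only records `rc = -1` when a stacked manager fails and then carries on with the remaining items, so a failed start can leave the domain's files labelled by some drivers and not others. If the planned rollback is done inside virSecurityManagerSetAllLabel() for each item, as the commit message suggests, the managers that already succeeded earlier in the list would still not be reverted by anything in this function. Since `migrated` is now available here, the follow-up should stop at the first failure and restore the items already processed; until then a marker such as `/* FIXME: no rollback of earlier managers on failure */` above the loop would make the gap visible. The declaration of `rc` and the function's return are outside the hunk.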