From 81594afb05a14fa1095ec27addfdc9b807cc7eb3 Mon Sep 17 00:00:00 2001
From: Peter Krempa
Date: Wed, 23 Jan 2019 13:37:00 +0100
Subject: [PATCH] qemu: security: Add 'backingChain' flag to qemuSecurity[Set|Restore]ImageLabel
The flag will control the VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN flag of the security driver image labeling APIs.
Signed-off-by: Peter Krempa
Reviewed-by: John Ferlan
---
 src/qemu/qemu_domain.c | 4 ++--
 src/qemu/qemu_security.c | 18 ++++++++++++++----
 src/qemu/qemu_security.h | 6 ++++--
 3 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index bbf3802628..d6bf8b4b6e 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -9174,7 +9174,7 @@ qemuDomainDiskChainElementRevoke(virQEMUDriverPtr driver,
 VIR_WARN("Failed to teardown cgroup for disk path %s", NULLSTR(elem->path));
- if (qemuSecurityRestoreImageLabel(driver, vm, elem) < 0)
+ if (qemuSecurityRestoreImageLabel(driver, vm, elem, false) < 0)
 VIR_WARN("Unable to restore security label on %s", NULLSTR(elem->path));
 if (qemuDomainNamespaceTeardownDisk(vm, elem) < 0)
@@ -9225,7 +9225,7 @@ qemuDomainDiskChainElementPrepare(virQEMUDriverPtr driver,
 if (qemuSetupImageCgroup(vm, elem) < 0)
 goto cleanup;
- if (qemuSecuritySetImageLabel(driver, vm, elem) < 0)
+ if (qemuSecuritySetImageLabel(driver, vm, elem, false) < 0)
 goto cleanup;
 ret = 0;
diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
index 90d1293e52..2bc21b55a4 100644
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
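Review bot: The bare `false` added to the `qemuSecurityRestoreImageLabel()` call in qemuDomainDiskChainElementRevoke, and to the `qemuSecuritySetImageLabel()` call in the qemuDomainDiskChainElementPrepare hunk after it, does not tell a reader which labelling scope is being chosen. Because this argument decides how much of the image chain the security driver touches, a short comment at each call would make the choice reviewable, for example `/* backingChain = false: label only 'elem' itself */`. That reading is inferred from the flag name in the commit message and should be confirmed against the security driver. Both functions start and end outside their hunks.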
@@ -157,11 +157,16 @@ qemuSecurityRestoreDiskLabel(virQEMUDriverPtr driver,
 int
 qemuSecuritySetImageLabel(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
- virStorageSourcePtr src)
+ virStorageSourcePtr src,
+ bool backingChain)
 {
 qemuDomainObjPrivatePtr priv = vm->privateData;
 pid_t pid = -1;
 int ret = -1;
+ virSecurityDomainImageLabelFlags labelFlags = 0;
+
+ if (backingChain)
+ labelFlags |= VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN;
 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
 pid = vm->pid;
@@ -170,7 +175,7 @@ qemuSecuritySetImageLabel(virQEMUDriverPtr driver,
 goto cleanup;
 if (virSecurityManagerSetImageLabel(driver->securityManager,
- vm->def, src, 0) < 0)
+ vm->def, src, labelFlags) < 0)
 goto cleanup;
 if (virSecurityManagerTransactionCommit(driver->securityManager,
@@ -187,11 +192,16 @@ qemuSecuritySetImageLabel(virQEMUDriverPtr driver,
 int
 qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
- virStorageSourcePtr src)
+ virStorageSourcePtr src,
+ bool backingChain)
 {
 qemuDomainObjPrivatePtr priv = vm->privateData;
 pid_t pid = -1;
 int ret = -1;
+ virSecurityDomainImageLabelFlags labelFlags = 0;
+
+ if (backingChain)
+ labelFlags |= VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN;
 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
 pid = vm->pid;
@@ -200,7 +210,7 @@ qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver,
 goto cleanup;
 if (virSecurityManagerRestoreImageLabel(driver->securityManager,
- vm->def, src, 0) < 0)
+ vm->def, src, labelFlags) < 0)
 goto cleanup;
 if (virSecurityManagerTransactionCommit(driver->securityManager,
diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h
index 5b4fe6eb8f..2a916f5169 100644
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
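Review bot: The new `backingChain` parameter of qemuSecuritySetImageLabel is undocumented, and the same holds for qemuSecurityRestoreImageLabel in the third hunk of this file. A function comment such as `/* @backingChain: when true, pass VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN so the driver also handles the backing chain of @src */` would let callers pick the value deliberately; the exact driver behaviour is not visible here, so the wording should be checked against it. The four added lines that turn the bool into `labelFlags` are repeated verbatim in both functions, and a small static helper would keep the two from drifting apart. Both function bodies continue outside their hunks.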
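Review bot: qemuSecurityRestoreImageLabel can now request a restore with VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN set, and nothing in this hunk states what a caller must guarantee before passing `true`. If the flag makes the driver restore labels on every image below `src` (inferred from its name), a backing image still used by another running domain could lose the label that domain relies on. Whether virSecurityManagerRestoreImageLabel skips such images is not visible here. I would record the precondition next to the parameter, for example `/* backingChain: only pass true when no other domain still uses the backing images */`, or point to the driver code that enforces it. The function body continues outside the hunk.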
@@ -44,11 +44,13 @@ int qemuSecurityRestoreDiskLabel(virQEMUDriverPtr driver,
 int qemuSecuritySetImageLabel(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
- virStorageSourcePtr src);
+ virStorageSourcePtr src,
+ bool backingChain);
 int qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
- virStorageSourcePtr src);
+ virStorageSourcePtr src,
+ bool backingChain);
 int qemuSecuritySetHostdevLabel(virQEMUDriverPtr driver,
 virDomainObjPtr vm,