
Clear dynamic seclabels on LXCProcessStart failure

Commit a58e1cb4 didn't fix the bug when security_default_confined is
not set to 1. We now also clean up when no seclabel is defined or when
the defined one has the default type.
Cédric Bosdonnat 2015-02-06 14:13:43 +01:00
parent 0c77a54e3b
commit 88a1b54208


@ -1022,6 +1022,7 @@ int virLXCProcessStart(virConnectPtr conn,
virCgroupPtr selfcgroup; virCgroupPtr selfcgroup;
int status; int status;
char *pidfile = NULL; char *pidfile = NULL;
bool clearSeclabel = false;
if (virCgroupNewSelf(&selfcgroup) < 0) if (virCgroupNewSelf(&selfcgroup) < 0)
return -1; return -1;
@ -1126,6 +1127,10 @@ int virLXCProcessStart(virConnectPtr conn,
/* If you are using a SecurityDriver with dynamic labelling, /* If you are using a SecurityDriver with dynamic labelling,
then generate a security label for isolation */ then generate a security label for isolation */
VIR_DEBUG("Generating domain security label (if required)"); VIR_DEBUG("Generating domain security label (if required)");
clearSeclabel = vm->def->nseclabels == 0 ||
vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT;
if (vm->def->nseclabels && if (vm->def->nseclabels &&
vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT) vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT)
vm->def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE; vm->def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE;
@ -1387,7 +1392,8 @@ int virLXCProcessStart(virConnectPtr conn,
virSecurityManagerReleaseLabel(driver->securityManager, vm->def); virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
/* Clear out dynamically assigned labels */ /* Clear out dynamically assigned labels */
if (vm->def->nseclabels && if (vm->def->nseclabels &&
vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) { (vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC ||
clearSeclabel)) {
VIR_FREE(vm->def->seclabels[0]->model); VIR_FREE(vm->def->seclabels[0]->model);
VIR_FREE(vm->def->seclabels[0]->label); VIR_FREE(vm->def->seclabels[0]->label);
VIR_FREE(vm->def->seclabels[0]->imagelabel); VIR_FREE(vm->def->seclabels[0]->imagelabel);
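Review bot: The failure path frees the three label strings of `seclabels[0]` when `clearSeclabel` is set, but nothing visible in this section undoes the earlier rewrite of the type from `VIR_DOMAIN_SECLABEL_DEFAULT` to `VIR_DOMAIN_SECLABEL_NONE`. The cleanup block continues past the last line shown; if it neither removes the entry nor restores the type, a later start would compute `clearSeclabel` as false and the definition would keep an explicit NONE label, so that is worth confirming. The snapshot also deserves a comment where it is taken, for example `/* Record whether the label was absent or DEFAULT before the rewrite below, so the failure path can drop whatever label was generated */`, and the existing `/* Clear out dynamically assigned labels */` no longer describes the whole condition. Only index 0 is examined in both places, which presumably leaves labels belonging to any additional security model untouched.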