shaba/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-09 01:18:00 +03:00
Code Releases Activity

storage_source: Add field for skipping seclabel remembering

Browse Source 
In case of incoming migration where a local directory is shared to other
hosts we'll need to avoid seclabel remembering as the code would
remember the seclabel already allowing access to the image.

As the decision requires a lot of information not available in the
security driver it would either require plumbing in unpleasant callbacks
able to pass in the data or alternatively we can mark this in the
'virStorageSource' struct.

This patch chose to do the latter approach by adding a field called
'seclabelSkipRemember' which will be filled before starting the process
in cases when it will be required.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
This commit is contained in:
Peter Krempa 2024-08-02 15:23:43 +02:00 committed by Andrea Bolognani
parent eabeae605f
commit b581045520
4 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/conf/storage_source_conf.c
View File

@ -820,6 +820,9 @@ virStorageSourceCopy(const virStorageSource *src,
/* storage driver metadata are not copied */
def->drv = NULL;
/* flag to avoid seclabel remember is not copied */
def->seclabelSkipRemember = false;
def->path = g_strdup(src->path);
def->fdgroup = g_strdup(src->fdgroup);
def->volume = g_strdup(src->volume);

9
src/conf/storage_source_conf.h
View File

@ -431,6 +431,15 @@ struct _virStorageSource {
bool thresholdEventWithIndex;
virStorageSourceFDTuple *fdtuple;
/* Setting 'seclabelSkipRemember' to true will cause the security driver to
* not remember the security label even if it otherwise were to be
* remembered. This is needed in cases such as incoming migration for
* shared images where the existing security label may no longer be the
* correct. The security driver otherwise doesn't have enough information
* to do this decision.
*/
bool seclabelSkipRemember;
};
G_DEFINE_AUTOPTR_CLEANUP_FUNC(virStorageSource, virObjectUnref);

3
src/security/security_dac.c
View File

@ -940,6 +940,9 @@ virSecurityDACSetImageLabelInternal(virSecurityManager *mgr,
*/
remember = isChainTop && !src->readonly && !src->shared;
if (src->seclabelSkipRemember)
remember = false;
return virSecurityDACSetOwnership(mgr, src, NULL, user, group, remember);
}

3
src/security/security_selinux.c
View File

@ -1992,6 +1992,9 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr,
ret = virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0], use_label);
} else {
if (src->seclabelSkipRemember)
remember = false;
ret = virSecuritySELinuxSetFilecon(mgr, path, use_label, remember);
}