Add stdin_path to qemudStartVMDaemon() args.

Adjust args to qemudStartVMDaemon() to also specify path to stdin_fd,
so this can be passed to the AppArmor driver via SetSecurityAllLabel().

This updates all calls to qemudStartVMDaemon() as well as setting up
the non-AppArmor security driver *SetSecurityAllLabel() declarations
for the above. This is required for the following
"apparmor-fix-save-restore" patch since AppArmor resolves the passed
file descriptor to the pathname given to open().

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 647c3f4d392d623f41bda3ff608f2f291ab7735b..b2c31332b9269584c59bacb7c9dbbbc14d97803c 100644 (file)
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -154,7 +154,8 @@ static int qemudStartVMDaemon(virConnectPtr conn,
                               struct qemud_driver *driver,
                               virDomainObjPtr vm,
                               const char *migrateFrom,
-                              int stdin_fd);
+                              int stdin_fd,
+                              const char *stdin_path);
 
 static void qemudShutdownVMDaemon(struct qemud_driver *driver,
                                   virDomainObjPtr vm,
@@ -3284,7 +3285,8 @@ static int qemudStartVMDaemon(virConnectPtr conn,
                               struct qemud_driver *driver,
                               virDomainObjPtr vm,
                               const char *migrateFrom,
-                              int stdin_fd) {
+                              int stdin_fd,
+                              const char *stdin_path) {
     const char **argv = NULL, **tmp;
     const char **progenv = NULL;
     int i, ret, runflags;
@@ -3332,7 +3334,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
     DEBUG0("Generating setting domain security labels (if required)");
     if (driver->securityDriver &&
         driver->securityDriver->domainSetSecurityAllLabel &&
-        driver->securityDriver->domainSetSecurityAllLabel(vm) < 0)
+        driver->securityDriver->domainSetSecurityAllLabel(vm, stdin_path) < 0)
         goto cleanup;
 
     /* Ensure no historical cgroup for this VM is lying around bogus
@@ -4196,7 +4198,7 @@ static virDomainPtr qemudDomainCreate(virConnectPtr conn, const char *xml,
     if (qemuDomainObjBeginJobWithDriver(driver, vm) < 0)
         goto cleanup; /* XXXX free the 'vm' we created ? */
 
-    if (qemudStartVMDaemon(conn, driver, vm, NULL, -1) < 0) {
+    if (qemudStartVMDaemon(conn, driver, vm, NULL, -1, NULL) < 0) {
         if (qemuDomainObjEndJob(vm) > 0)
             virDomainRemoveInactive(&driver->domains,
                                     vm);
@@ -6212,7 +6214,7 @@ qemudDomainSaveImageStartVM(virConnectPtr conn,
     }
 
     /* Set the migration source and start it up. */
-    ret = qemudStartVMDaemon(conn, driver, vm, "stdio", fd);
+    ret = qemudStartVMDaemon(conn, driver, vm, "stdio", fd, path);
 
     if (intermediate_pid != -1) {
         /* Wait for intermediate process to exit */
@@ -6671,7 +6673,7 @@ static int qemudDomainObjStart(virConnectPtr conn,
             goto cleanup;
     }
 
-    ret = qemudStartVMDaemon(conn, driver, vm, NULL, -1);
+    ret = qemudStartVMDaemon(conn, driver, vm, NULL, -1, NULL);
     if (ret != -1) {
         virDomainEventPtr event =
             virDomainEventNewFromObj(vm,
@@ -10149,7 +10151,7 @@ qemudDomainMigratePrepareTunnel(virConnectPtr dconn,
     /* Start the QEMU daemon, with the same command-line arguments plus
      * -incoming unix:/path/to/file or exec:nc -U /path/to/file
      */
-    internalret = qemudStartVMDaemon(dconn, driver, vm, migrateFrom, -1);
+    internalret = qemudStartVMDaemon(dconn, driver, vm, migrateFrom, -1, NULL);
     VIR_FREE(migrateFrom);
     if (internalret < 0) {
         /* Note that we don't set an error here because qemudStartVMDaemon
@@ -10367,7 +10369,7 @@ qemudDomainMigratePrepare2 (virConnectPtr dconn,
      * -incoming tcp:0.0.0.0:port
      */
     snprintf (migrateFrom, sizeof (migrateFrom), "tcp:0.0.0.0:%d", this_port);
-    if (qemudStartVMDaemon (dconn, driver, vm, migrateFrom, -1) < 0) {
+    if (qemudStartVMDaemon (dconn, driver, vm, migrateFrom, -1, NULL) < 0) {
         /* Note that we don't set an error here because qemudStartVMDaemon
          * should have already done that.
          */
@@ -11855,7 +11857,7 @@ static int qemuDomainRevertToSnapshot(virDomainSnapshotPtr snapshot,
                 goto endjob;
 
             rc = qemudStartVMDaemon(snapshot->domain->conn, driver, vm, NULL,
-                                    -1);
+                                    -1, NULL);
             if (qemuDomainSnapshotSetInactive(vm, driver->snapshotDir) < 0)
                 goto endjob;
             if (rc < 0)

diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
index 52150f7bd482332488beb3755b4ce890aef196d9..ffc9b8d8b53eeefb2d1a658d24d40aebe6de1b2d 100644 (file)
--- a/src/qemu/qemu_security_dac.c
+++ b/src/qemu/qemu_security_dac.c
@@ -365,7 +365,7 @@ qemuSecurityDACRestoreSecurityAllLabel(virDomainObjPtr vm,
 
 
 static int
-qemuSecurityDACSetSecurityAllLabel(virDomainObjPtr vm)
+qemuSecurityDACSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path ATTRIBUTE_UNUSED)
 {
     int i;
 

diff --git a/src/qemu/qemu_security_stacked.c b/src/qemu/qemu_security_stacked.c
index 04c1f10b7eea17a713a51b479ff3b3d5c4fa749a..a91222164ebbf3042e2f21f3116790d42a6f4e88 100644 (file)
--- a/src/qemu/qemu_security_stacked.c
+++ b/src/qemu/qemu_security_stacked.c
@@ -196,18 +196,18 @@ qemuSecurityStackedRestoreSecurityHostdevLabel(virDomainObjPtr vm,
 
 
 static int
-qemuSecurityStackedSetSecurityAllLabel(virDomainObjPtr vm)
+qemuSecurityStackedSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path)
 {
     int rc = 0;
 
     if (driver->securitySecondaryDriver &&
         driver->securitySecondaryDriver->domainSetSecurityAllLabel &&
-        driver->securitySecondaryDriver->domainSetSecurityAllLabel(vm) < 0)
+        driver->securitySecondaryDriver->domainSetSecurityAllLabel(vm, stdin_path) < 0)
         rc = -1;
 
     if (driver->securityPrimaryDriver &&
         driver->securityPrimaryDriver->domainSetSecurityAllLabel &&
-        driver->securityPrimaryDriver->domainSetSecurityAllLabel(vm) < 0)
+        driver->securityPrimaryDriver->domainSetSecurityAllLabel(vm, stdin_path) < 0)
         rc = -1;
 
     return rc;

diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 39edc6d4526faabe92bd551b6e9e5e3b18d29258..a9e0c9b61c3e1ada51f560d483ed8ac3642da948 100644 (file)
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -45,7 +45,8 @@ typedef int (*virSecurityDomainRestoreSavedStateLabel) (virDomainObjPtr vm,
 typedef int (*virSecurityDomainGenLabel) (virDomainObjPtr sec);
 typedef int (*virSecurityDomainReserveLabel) (virDomainObjPtr sec);
 typedef int (*virSecurityDomainReleaseLabel) (virDomainObjPtr sec);
-typedef int (*virSecurityDomainSetAllLabel) (virDomainObjPtr sec);
+typedef int (*virSecurityDomainSetAllLabel) (virDomainObjPtr sec,
+                                             const char *stdin_path);
 typedef int (*virSecurityDomainRestoreAllLabel) (virDomainObjPtr vm,
                                                  int migrated);
 typedef int (*virSecurityDomainGetProcessLabel) (virDomainObjPtr vm,

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index d90e17c8e74bf98791e066f037d1c22710dce1a7..0922472f0adfa79b914e12a371a25bba13c76e9d 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -755,7 +755,7 @@ SELinuxSetSecurityProcessLabel(virSecurityDriverPtr drv,
 }
 
 static int
-SELinuxSetSecurityAllLabel(virDomainObjPtr vm)
+SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path ATTRIBUTE_UNUSED)
 {
     const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
     int i;