/* Labelling normally operates on src, but we need
* to actually label the dst here, so hack the config */
def->src->path = dst;
- if (virSecurityManagerSetImageLabel(securityDriver, ctrl->def, def->src,
+ if (virSecurityManagerSetImageLabel(securityDriver,
+ NULL, ctrl->def, def->src,
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN) < 0)
goto cleanup;
char *tmpsrc = def->src->path;
def->src->path = data->file;
if (virSecurityManagerSetImageLabel(data->driver->securityManager,
- data->vm->def, def->src,
+ NULL, data->vm->def, def->src,
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN) < 0) {
def->src->path = tmpsrc;
goto cleanup;
}
if (flags & VIR_LXC_PROCESS_CLEANUP_RESTORE_SECLABEL) {
- virSecurityManagerRestoreAllLabel(driver->securityManager,
+ virSecurityManagerRestoreAllLabel(driver->securityManager, NULL,
vm->def, false, false);
}
stopFlags |= VIR_LXC_PROCESS_CLEANUP_RELEASE_SECLABEL;
VIR_DEBUG("Setting domain security labels");
- if (virSecurityManagerSetAllLabel(driver->securityManager,
+ if (virSecurityManagerSetAllLabel(driver->securityManager, NULL,
vm->def, NULL, false, false) < 0)
goto cleanup;
stopFlags |= VIR_LXC_PROCESS_CLEANUP_RESTORE_SECLABEL;
bool need_unlink = false;
unsigned int vfoflags = 0;
int fd = -1;
- int path_shared = virFileIsSharedFS(path);
+ /* Note that it would be pointless to pass
+ * virQEMUDriverConfig.sharedFilesystems here, since those
+ * listed there are by definition paths that can be accessed
+ * as local from the current host. Thus, a second attempt at
+ * opening the file would not make a difference */
+ int path_shared = virFileIsSharedFS(path, NULL);
uid_t uid = geteuid();
gid_t gid = getegid();
virDomainTPMDef *tpm = def->tpms[i];
if (tpm->type == VIR_DOMAIN_TPM_TYPE_EMULATOR)
- qemuExtTPMCleanupHost(tpm, flags, outgoingMigration);
+ qemuExtTPMCleanupHost(driver, tpm, flags, outgoingMigration);
}
}
unsigned int flags)
{
qemuDomainObjPrivate *priv = vm->privateData;
+ virQEMUDriver *driver = priv->driver;
int nsnapshots;
int pauseReason;
size_t i;
}
}
- if (qemuTPMHasSharedStorage(vm->def)&&
+ if (qemuTPMHasSharedStorage(driver, vm->def) &&
!qemuTPMCanMigrateSharedStorage(vm->def)) {
virReportError(VIR_ERR_NO_SUPPORT, "%s",
_("the running swtpm does not support migration with shared storage"));
}
static bool
-qemuMigrationSrcIsSafe(virDomainDef *def,
- virQEMUCaps *qemuCaps,
+qemuMigrationSrcIsSafe(virDomainObj *vm,
const char **migrate_disks,
unsigned int flags)
{
+ qemuDomainObjPrivate *priv = vm->privateData;
+ virQEMUCaps *qemuCaps = priv->qemuCaps;
+ virQEMUDriver *driver = priv->driver;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
bool storagemigration = flags & (VIR_MIGRATE_NON_SHARED_DISK |
VIR_MIGRATE_NON_SHARED_INC);
size_t i;
int rc;
- for (i = 0; i < def->ndisks; i++) {
- virDomainDiskDef *disk = def->disks[i];
+ for (i = 0; i < vm->def->ndisks; i++) {
+ virDomainDiskDef *disk = vm->def->disks[i];
const char *src = virDomainDiskGetSource(disk);
virStorageType actualType = virStorageSourceGetActualType(disk->src);
bool unsafe = false;
/* However, disks on local FS (e.g. ext4) are not safe. */
switch (actualType) {
case VIR_STORAGE_TYPE_FILE:
- if ((rc = virFileIsSharedFS(src)) < 0) {
+ if ((rc = virFileIsSharedFS(src, cfg->sharedFilesystems)) < 0) {
return false;
} else if (rc == 0) {
unsafe = true;
return NULL;
if (!(flags & (VIR_MIGRATE_UNSAFE | VIR_MIGRATE_OFFLINE)) &&
- !qemuMigrationSrcIsSafe(vm->def, priv->qemuCaps, migrate_disks, flags))
+ !qemuMigrationSrcIsSafe(vm, migrate_disks, flags))
return NULL;
if (flags & VIR_MIGRATE_POSTCOPY &&
int ret = -1;
virErrorPtr orig_err = NULL;
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
- qemuDomainObjPrivate *priv = vm->privateData;
qemuDomainJobPrivate *jobPriv = vm->job->privateData;
if (flags & VIR_MIGRATE_POSTCOPY_RESUME) {
goto endjob;
if (!(flags & (VIR_MIGRATE_UNSAFE | VIR_MIGRATE_OFFLINE)) &&
- !qemuMigrationSrcIsSafe(vm->def, priv->qemuCaps, migrate_disks, flags))
+ !qemuMigrationSrcIsSafe(vm, migrate_disks, flags))
goto endjob;
qemuMigrationSrcStoreDomainState(vm);
{
int ret = -1;
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerSetAllLabel(driver->securityManager,
+ cfg->sharedFilesystems,
vm->def,
incomingPath,
priv->chardevStdioLogd,
bool migrated)
{
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
bool transactionStarted = false;
/* In contrast to qemuSecuritySetAllLabel, do not use vm->pid
* domain's namespace is gone as qemu was the only process
* running there. We would not succeed in entering the
* namespace then. */
- if (virSecurityManagerTransactionStart(driver->securityManager) >= 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) >= 0)
transactionStarted = true;
virSecurityManagerRestoreAllLabel(driver->securityManager,
+ cfg->sharedFilesystems,
vm->def,
migrated,
priv->chardevStdioLogd);
bool chainTop)
{
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
int ret = -1;
virSecurityDomainImageLabelFlags labelFlags = 0;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerSetImageLabel(driver->securityManager,
+ cfg->sharedFilesystems,
vm->def, src, labelFlags) < 0)
goto cleanup;
bool backingChain)
{
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
int ret = -1;
virSecurityDomainImageLabelFlags labelFlags = 0;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
+ cfg->sharedFilesystems,
vm->def, src, labelFlags) < 0)
goto cleanup;
virStorageSource *dst)
{
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
if (!priv->rememberOwner)
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- return virSecurityManagerMoveImageMetadata(driver->securityManager, pid, src, dst);
+ return virSecurityManagerMoveImageMetadata(driver->securityManager,
+ cfg->sharedFilesystems,
+ pid, src, dst);
}
virDomainHostdevDef *hostdev)
{
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
int ret = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerSetHostdevLabel(driver->securityManager,
virDomainHostdevDef *hostdev)
{
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
int ret = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerRestoreHostdevLabel(driver->securityManager,
virDomainMemoryDef *mem)
{
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
int ret = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerSetMemoryLabel(driver->securityManager,
virDomainMemoryDef *mem)
{
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
int ret = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerRestoreMemoryLabel(driver->securityManager,
{
qemuDomainObjPrivate *priv = vm->privateData;
virQEMUDriver *driver = priv->driver;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
int ret = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerSetInputLabel(driver->securityManager,
{
qemuDomainObjPrivate *priv = vm->privateData;
virQEMUDriver *driver = priv->driver;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
int ret = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerRestoreInputLabel(driver->securityManager,
{
int ret = -1;
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerSetChardevLabel(driver->securityManager,
{
int ret = -1;
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerRestoreChardevLabel(driver->securityManager,
{
int ret = -1;
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerSetNetdevLabel(driver->securityManager,
{
int ret = -1;
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerRestoreNetdevLabel(driver->securityManager,
bool setTPMStateLabel)
{
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
int ret = -1;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerSetTPMLabels(driver->securityManager,
bool restoreTPMStateLabel)
{
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
int ret = -1;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerRestoreTPMLabels(driver->securityManager,
bool allowSubtree)
{
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
int ret = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerDomainSetPathLabel(driver->securityManager,
const char *path)
{
qemuDomainObjPrivate *priv = vm->privateData;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
pid_t pid = -1;
int ret = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerDomainRestorePathLabel(driver->securityManager,
const char *path)
{
int ret = -1;
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
if (!qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) {
VIR_DEBUG("Not labeling '%s': mount namespace disabled for domain '%s'",
return 1;
}
- if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(driver->securityManager,
+ cfg->sharedFilesystems) < 0)
goto cleanup;
if (virSecurityManagerDomainSetPathLabel(driver->securityManager,
* @privileged: whether we are running in privileged mode
* @swtpm_user: The uid for the swtpm to run as (drop privileges to from root)
* @swtpm_group: The gid for the swtpm to run as
+ * @sharedFilesystems: list of filesystem to consider shared
* @incomingMigration: whether we have an incoming migration
*
* Create the virCommand use for starting the emulator
bool privileged,
uid_t swtpm_user,
gid_t swtpm_group,
+ char *const *sharedFilesystems,
bool incomingMigration)
{
g_autoptr(virCommand) cmd = NULL;
/* Do not create storage and run swtpm_setup on incoming migration over
* shared storage
*/
- on_shared_storage = virFileIsSharedFS(tpm->data.emulator.storagepath) == 1;
+ on_shared_storage = virFileIsSharedFS(tpm->data.emulator.storagepath, sharedFilesystems) == 1;
if (incomingMigration && on_shared_storage)
create_storage = false;
/**
* qemuTPMEmulatorCleanupHost:
+ * @driver: QEMU driver
* @tpm: TPM definition
* @flags: flags indicating whether to keep or remove TPM persistent state
* @outgoingMigration: whether cleanup is due to an outgoing migration
* Clean up persistent storage for the swtpm.
*/
static void
-qemuTPMEmulatorCleanupHost(virDomainTPMDef *tpm,
+qemuTPMEmulatorCleanupHost(virQEMUDriver *driver,
+ virDomainTPMDef *tpm,
virDomainUndefineFlagsValues flags,
bool outgoingMigration)
{
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
+
/* Never remove the state in case of outgoing migration with shared
* storage.
*/
if (outgoingMigration &&
- virFileIsSharedFS(tpm->data.emulator.storagepath) == 1)
+ virFileIsSharedFS(tpm->data.emulator.storagepath, cfg->sharedFilesystems) == 1)
return;
/*
driver->privileged,
cfg->swtpm_user,
cfg->swtpm_group,
+ cfg->sharedFilesystems,
incomingMigration)))
return -1;
virCommandSetErrorFD(cmd, &errfd);
if (incomingMigration &&
- virFileIsSharedFS(tpm->data.emulator.storagepath) == 1) {
+ virFileIsSharedFS(tpm->data.emulator.storagepath, cfg->sharedFilesystems) == 1) {
/* security labels must have been set up on source already */
setTPMStateLabel = false;
}
bool
-qemuTPMHasSharedStorage(virDomainDef *def)
+qemuTPMHasSharedStorage(virQEMUDriver *driver,
+ virDomainDef *def)
{
+ g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
size_t i;
for (i = 0; i < def->ntpms; i++) {
switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_EMULATOR:
- return virFileIsSharedFS(tpm->data.emulator.storagepath) == 1;
+ return virFileIsSharedFS(tpm->data.emulator.storagepath,
+ cfg->sharedFilesystems) == 1;
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
case VIR_DOMAIN_TPM_TYPE_EXTERNAL:
case VIR_DOMAIN_TPM_TYPE_LAST:
void
-qemuExtTPMCleanupHost(virDomainTPMDef *tpm,
+qemuExtTPMCleanupHost(virQEMUDriver *driver,
+ virDomainTPMDef *tpm,
virDomainUndefineFlagsValues flags,
bool outgoingMigration)
{
- qemuTPMEmulatorCleanupHost(tpm, flags, outgoingMigration);
+ qemuTPMEmulatorCleanupHost(driver, tpm, flags, outgoingMigration);
}
return;
qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName);
- if (outgoingMigration && qemuTPMHasSharedStorage(vm->def))
+ if (outgoingMigration && qemuTPMHasSharedStorage(driver, vm->def))
restoreTPMStateLabel = false;
if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel) < 0)
ATTRIBUTE_NONNULL(3)
G_GNUC_WARN_UNUSED_RESULT;
-void qemuExtTPMCleanupHost(virDomainTPMDef *tpm,
+void qemuExtTPMCleanupHost(virQEMUDriver *driver,
+ virDomainTPMDef *tpm,
virDomainUndefineFlagsValues flags,
bool outgoingMigration)
- ATTRIBUTE_NONNULL(1);
+ ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2);
int qemuExtTPMStart(virQEMUDriver *driver,
virDomainObj *vm,
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
G_GNUC_WARN_UNUSED_RESULT;
-bool qemuTPMHasSharedStorage(virDomainDef *def)
- ATTRIBUTE_NONNULL(1)
+bool qemuTPMHasSharedStorage(virQEMUDriver *driver,
+ virDomainDef *def)
+ ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2)
G_GNUC_WARN_UNUSED_RESULT;
bool qemuTPMCanMigrateSharedStorage(virDomainDef *def)
static int
AppArmorSetSecurityAllLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems G_GNUC_UNUSED,
virDomainDef *def,
const char *incomingPath,
bool chardevStdioLogd G_GNUC_UNUSED,
static int
AppArmorRestoreSecurityAllLabel(virSecurityManager *mgr G_GNUC_UNUSED,
+ char *const *sharedFilesystems G_GNUC_UNUSED,
virDomainDef *def,
bool migrated G_GNUC_UNUSED,
bool chardevStdioLogd G_GNUC_UNUSED)
/* Called when hotplugging */
static int
AppArmorRestoreSecurityImageLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems G_GNUC_UNUSED,
virDomainDef *def,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
/* Called when hotplugging */
static int
AppArmorSetSecurityImageLabelInternal(virSecurityManager *mgr,
+ char *const *sharedFilesystems G_GNUC_UNUSED,
virDomainDef *def,
virStorageSource *src)
{
static int
AppArmorSetSecurityImageLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
return 0;
for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
- if (AppArmorSetSecurityImageLabelInternal(mgr, def, n) < 0)
+ if (AppArmorSetSecurityImageLabelInternal(mgr, sharedFilesystems,
+ def, n) < 0)
return -1;
}
typedef struct _virSecurityDACChownList virSecurityDACChownList;
struct _virSecurityDACChownList {
virSecurityManager *manager;
+ char **sharedFilesystems;
virSecurityDACChownItem **items;
size_t nItems;
bool lock;
virSecurityDACChownItemFree(list->items[i]);
g_free(list->items);
virObjectUnref(list->manager);
+ g_strfreev(list->sharedFilesystems);
g_free(list);
}
VIR_APPEND_ELEMENT_COPY_INPLACE(paths, npaths, p);
}
- if (!(state = virSecurityManagerMetadataLock(list->manager, paths, npaths)))
+ if (!(state = virSecurityManagerMetadataLock(list->manager,
+ list->sharedFilesystems,
+ paths, npaths)))
return -1;
for (i = 0; i < list->nItems; i++) {
/**
* virSecurityDACTransactionStart:
* @mgr: security manager
+ * @sharedFilesystems: list of filesystem to consider shared
*
* Starts a new transaction. In transaction nothing is chown()-ed until
* TransactionCommit() is called. This is implemented as a list that is
* -1 otherwise.
*/
static int
-virSecurityDACTransactionStart(virSecurityManager *mgr)
+virSecurityDACTransactionStart(virSecurityManager *mgr,
+ char *const *sharedFilesystems)
{
g_autoptr(virSecurityDACChownList) list = NULL;
list = g_new0(virSecurityDACChownList, 1);
list->manager = virObjectRef(mgr);
+ list->sharedFilesystems = g_strdupv((char **) sharedFilesystems);
if (virThreadLocalSet(&chownList, list) < 0) {
virReportSystemError(errno, "%s",
static int
virSecurityDACSetImageLabelInternal(virSecurityManager *mgr,
+ char *const *sharedFilesystems G_GNUC_UNUSED,
virDomainDef *def,
virStorageSource *src,
virStorageSource *parent,
static int
virSecurityDACSetImageLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags)
for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
const bool isChainTop = flags & VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP;
- if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent, isChainTop) < 0)
+ if (virSecurityDACSetImageLabelInternal(mgr, sharedFilesystems,
+ def, n, parent, isChainTop) < 0)
return -1;
if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
static int
virSecurityDACRestoreImageLabelInt(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
virStorageSource *src,
bool migrated)
if (!src->path)
return 0;
- if ((rc = virFileIsSharedFS(src->path)) < 0)
+ if ((rc = virFileIsSharedFS(src->path, sharedFilesystems)) < 0)
return -1;
}
static int
virSecurityDACRestoreImageLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
{
- return virSecurityDACRestoreImageLabelInt(mgr, def, src, false);
+ return virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems,
+ def, src, false);
}
struct virSecurityDACMoveImageMetadataData {
virSecurityManager *mgr;
+ char **sharedFilesystems;
const char *src;
const char *dst;
};
virSecurityManagerMetadataLockState *state;
int ret;
- if (!(state = virSecurityManagerMetadataLock(data->mgr, paths, G_N_ELEMENTS(paths))))
+ if (!(state = virSecurityManagerMetadataLock(data->mgr,
+ data->sharedFilesystems,
+ paths, G_N_ELEMENTS(paths))))
return -1;
ret = virSecurityMoveRememberedLabel(SECURITY_DAC_NAME, data->src, data->dst);
static int
virSecurityDACMoveImageMetadata(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
pid_t pid,
virStorageSource *src,
virStorageSource *dst)
{
virSecurityDACData *priv = virSecurityManagerGetPrivateData(mgr);
- struct virSecurityDACMoveImageMetadataData data = { .mgr = mgr, 0 };
+ struct virSecurityDACMoveImageMetadataData data = {
+ .mgr = mgr,
+ .sharedFilesystems = (char **) sharedFilesystems,
+ 0
+ };
int rc;
/* If dynamicOwnership is turned off, or owner remembering is
static int
virSecurityDACRestoreAllLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
bool migrated,
bool chardevStdioLogd)
for (i = 0; i < def->ndisks; i++) {
if (virSecurityDACRestoreImageLabelInt(mgr,
+ sharedFilesystems,
def,
def->disks[i]->src,
migrated) < 0)
}
if (def->os.loader && def->os.loader->nvram) {
- if (virSecurityDACRestoreImageLabelInt(mgr, def, def->os.loader->nvram,
+ if (virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems,
+ def, def->os.loader->nvram,
migrated) < 0)
rc = -1;
}
static int
virSecurityDACSetAllLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
const char *incomingPath G_GNUC_UNUSED,
bool chardevStdioLogd,
/* XXX fixme - we need to recursively label the entire tree :-( */
if (virDomainDiskGetType(def->disks[i]) == VIR_STORAGE_TYPE_DIR)
continue;
- if (virSecurityDACSetImageLabel(mgr, def, def->disks[i]->src,
+ if (virSecurityDACSetImageLabel(mgr, sharedFilesystems,
+ def, def->disks[i]->src,
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN |
VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP) < 0)
return -1;
}
if (def->os.loader && def->os.loader->nvram) {
- if (virSecurityDACSetImageLabel(mgr, def, def->os.loader->nvram,
+ if (virSecurityDACSetImageLabel(mgr, sharedFilesystems,
+ def, def->os.loader->nvram,
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN |
VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP) < 0)
return -1;
typedef int (*virSecurityDriverPreFork) (virSecurityManager *mgr);
-typedef int (*virSecurityDriverTransactionStart) (virSecurityManager *mgr);
+typedef int (*virSecurityDriverTransactionStart) (virSecurityManager *mgr,
+ char *const *sharedFilesystems);
typedef int (*virSecurityDriverTransactionCommit) (virSecurityManager *mgr,
pid_t pid,
bool lock);
typedef int (*virSecurityDomainReleaseLabel) (virSecurityManager *mgr,
virDomainDef *sec);
typedef int (*virSecurityDomainSetAllLabel) (virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *sec,
const char *incomingPath,
bool chardevStdioLogd,
bool migrated);
typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
bool migrated,
bool chardevStdioLogd);
const char *path);
typedef int (*virSecurityDomainSetImageLabel) (virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags);
typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags);
typedef int (*virSecurityDomainMoveImageMetadata) (virSecurityManager *mgr,
+ char *const *sharedFilesystems,
pid_t pid,
virStorageSource *src,
virStorageSource *dst);
/**
* virSecurityManagerTransactionStart:
* @mgr: security manager
+ * @sharedFilesystems: list of filesystem to consider shared
*
* Starts a new transaction. In transaction nothing is changed security
* label until virSecurityManagerTransactionCommit() is called.
* -1 otherwise.
*/
int
-virSecurityManagerTransactionStart(virSecurityManager *mgr)
+virSecurityManagerTransactionStart(virSecurityManager *mgr,
+ char *const *sharedFilesystems)
{
VIR_LOCK_GUARD lock = virObjectLockGuard(mgr);
if (!mgr->drv->transactionStart)
return 0;
- return mgr->drv->transactionStart(mgr);
+ return mgr->drv->transactionStart(mgr, sharedFilesystems);
}
/**
* virSecurityManagerRestoreImageLabel:
* @mgr: security manager object
+ * @sharedFilesystems: list of filesystem to consider shared
* @vm: domain definition object
* @src: disk source definition to operate on
* @flags: bitwise or of 'virSecurityDomainImageLabelFlags'
*/
int
virSecurityManagerRestoreImageLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *vm,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags)
return -1;
}
- return mgr->drv->domainRestoreSecurityImageLabel(mgr, vm, src, flags);
+ return mgr->drv->domainRestoreSecurityImageLabel(mgr, sharedFilesystems,
+ vm, src, flags);
}
/**
* virSecurityManagerMoveImageMetadata:
* @mgr: security manager
+ * @sharedFilesystems: list of filesystem to consider shared
* @pid: domain's PID
* @src: source of metadata
* @dst: destination to move metadata to
*/
int
virSecurityManagerMoveImageMetadata(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
pid_t pid,
virStorageSource *src,
virStorageSource *dst)
if (!mgr->drv->domainMoveImageMetadata)
return 0;
- return mgr->drv->domainMoveImageMetadata(mgr, pid, src, dst);
+ return mgr->drv->domainMoveImageMetadata(mgr, sharedFilesystems,
+ pid, src, dst);
}
/**
* virSecurityManagerSetImageLabel:
* @mgr: security manager object
+ * @sharedFilesystems: list of filesystem to consider shared
* @vm: domain definition object
* @src: disk source definition to operate on
* @flags: bitwise or of 'virSecurityDomainImageLabelFlags'
*/
int
virSecurityManagerSetImageLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *vm,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags)
return -1;
}
- return mgr->drv->domainSetSecurityImageLabel(mgr, vm, src, flags);
+ return mgr->drv->domainSetSecurityImageLabel(mgr, sharedFilesystems,
+ vm, src, flags);
}
int
virSecurityManagerSetAllLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *vm,
const char *incomingPath,
bool chardevStdioLogd,
return -1;
}
- return mgr->drv->domainSetSecurityAllLabel(mgr, vm, incomingPath,
+ return mgr->drv->domainSetSecurityAllLabel(mgr, sharedFilesystems,
+ vm, incomingPath,
chardevStdioLogd, migrated);
}
int
virSecurityManagerRestoreAllLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *vm,
bool migrated,
bool chardevStdioLogd)
return -1;
}
- return mgr->drv->domainRestoreSecurityAllLabel(mgr, vm, migrated,
+ return mgr->drv->domainRestoreSecurityAllLabel(mgr, sharedFilesystems,
+ vm, migrated,
chardevStdioLogd);
}
/**
* virSecurityManagerMetadataLock:
* @mgr: security manager object
+ * @sharedFilesystems: list of filesystem to consider shared
* @paths: paths to lock
* @npaths: number of items in @paths array
*
*/
virSecurityManagerMetadataLockState *
virSecurityManagerMetadataLock(virSecurityManager *mgr G_GNUC_UNUSED,
+ char *const *sharedFilesystems,
const char **paths,
size_t npaths)
{
}
#endif /* !WIN32 */
- if (virFileIsSharedFS(p)) {
+ if (virFileIsSharedFS(p, sharedFilesystems)) {
/* Probably a root squashed NFS. */
continue;
}
int virSecurityManagerPreFork(virSecurityManager *mgr);
void virSecurityManagerPostFork(virSecurityManager *mgr);
-int virSecurityManagerTransactionStart(virSecurityManager *mgr);
+int virSecurityManagerTransactionStart(virSecurityManager *mgr,
+ char *const *sharedFilesystems);
int virSecurityManagerTransactionCommit(virSecurityManager *mgr,
pid_t pid,
bool lock);
int virSecurityManagerCheckAllLabel(virSecurityManager *mgr,
virDomainDef *sec);
int virSecurityManagerSetAllLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *sec,
const char *incomingPath,
bool chardevStdioLogd,
bool migrated);
int virSecurityManagerRestoreAllLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
bool migrated,
bool chardevStdioLogd);
} virSecurityDomainImageLabelFlags;
int virSecurityManagerSetImageLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *vm,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags);
int virSecurityManagerRestoreImageLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *vm,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags);
int virSecurityManagerMoveImageMetadata(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
pid_t pid,
virStorageSource *src,
virStorageSource *dst);
virSecurityManagerMetadataLockState *
virSecurityManagerMetadataLock(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
const char **paths,
size_t npaths);
static int
virSecurityDomainSetAllLabelNop(virSecurityManager *mgr G_GNUC_UNUSED,
+ char *const *sharedFilesystems G_GNUC_UNUSED,
virDomainDef *sec G_GNUC_UNUSED,
const char *incomingPath G_GNUC_UNUSED,
bool chardevStdioLogd G_GNUC_UNUSED,
static int
virSecurityDomainRestoreAllLabelNop(virSecurityManager *mgr G_GNUC_UNUSED,
+ char *const *sharedFilesystems G_GNUC_UNUSED,
virDomainDef *vm G_GNUC_UNUSED,
bool migrated G_GNUC_UNUSED,
bool chardevStdioLogd G_GNUC_UNUSED)
static int
virSecurityDomainRestoreImageLabelNop(virSecurityManager *mgr G_GNUC_UNUSED,
+ char *const *sharedFilesystems G_GNUC_UNUSED,
virDomainDef *def G_GNUC_UNUSED,
virStorageSource *src G_GNUC_UNUSED,
virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
static int
virSecurityDomainSetImageLabelNop(virSecurityManager *mgr G_GNUC_UNUSED,
+ char *const *sharedFilesystems G_GNUC_UNUSED,
virDomainDef *def G_GNUC_UNUSED,
virStorageSource *src G_GNUC_UNUSED,
virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
static int
virSecurityDomainMoveImageMetadataNop(virSecurityManager *mgr G_GNUC_UNUSED,
+ char *const *sharedFilesystems G_GNUC_UNUSED,
pid_t pid G_GNUC_UNUSED,
virStorageSource *src G_GNUC_UNUSED,
virStorageSource *dst G_GNUC_UNUSED)
typedef struct _virSecuritySELinuxContextList virSecuritySELinuxContextList;
struct _virSecuritySELinuxContextList {
virSecurityManager *manager;
+ char **sharedFilesystems;
virSecuritySELinuxContextItem **items;
size_t nItems;
bool lock;
g_free(list->items);
virObjectUnref(list->manager);
+ g_strfreev(list->sharedFilesystems);
g_free(list);
}
VIR_APPEND_ELEMENT_COPY_INPLACE(paths, npaths, p);
}
- if (!(state = virSecurityManagerMetadataLock(list->manager, paths, npaths)))
+ if (!(state = virSecurityManagerMetadataLock(list->manager,
+ list->sharedFilesystems,
+ paths, npaths)))
goto cleanup;
for (i = 0; i < list->nItems; i++) {
/**
* virSecuritySELinuxTransactionStart:
* @mgr: security manager
+ * @sharedFilesystems: list of filesystem to consider shared
*
* Starts a new transaction. In transaction nothing is changed context
* until TransactionCommit() is called. This is implemented as a list
* -1 otherwise.
*/
static int
-virSecuritySELinuxTransactionStart(virSecurityManager *mgr)
+virSecuritySELinuxTransactionStart(virSecurityManager *mgr,
+ char *const *sharedFilesystems)
{
virSecuritySELinuxContextList *list;
list = g_new0(virSecuritySELinuxContextList, 1);
list->manager = virObjectRef(mgr);
+ list->sharedFilesystems = g_strdupv((char **) sharedFilesystems);
if (virThreadLocalSet(&contextList, list) < 0) {
virReportSystemError(errno, "%s",
static int
virSecuritySELinuxRestoreImageLabelInt(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
virStorageSource *src,
bool migrated)
if (!src->path)
return 0;
- if ((rc = virFileIsSharedFS(src->path)) < 0)
+ if ((rc = virFileIsSharedFS(src->path, sharedFilesystems)) < 0)
return -1;
}
static int
virSecuritySELinuxRestoreImageLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
{
- return virSecuritySELinuxRestoreImageLabelInt(mgr, def, src, false);
+ return virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
+ def, src, false);
}
static int
virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr,
+ char *const *sharedFilesystems G_GNUC_UNUSED,
virDomainDef *def,
virStorageSource *src,
virStorageSource *parent,
static int
virSecuritySELinuxSetImageLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags)
for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
const bool isChainTop = flags & VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP;
- if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent, isChainTop) < 0)
+ if (virSecuritySELinuxSetImageLabelInternal(mgr, sharedFilesystems,
+ def, n, parent,
+ isChainTop) < 0)
return -1;
if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
struct virSecuritySELinuxMoveImageMetadataData {
virSecurityManager *mgr;
+ char **sharedFilesystems;
const char *src;
const char *dst;
};
virSecurityManagerMetadataLockState *state;
int ret;
- if (!(state = virSecurityManagerMetadataLock(data->mgr, paths, G_N_ELEMENTS(paths))))
+ if (!(state = virSecurityManagerMetadataLock(data->mgr,
+ data->sharedFilesystems,
+ paths, G_N_ELEMENTS(paths))))
return -1;
ret = virSecurityMoveRememberedLabel(SECURITY_SELINUX_NAME, data->src, data->dst);
static int
virSecuritySELinuxMoveImageMetadata(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
pid_t pid,
virStorageSource *src,
virStorageSource *dst)
{
- struct virSecuritySELinuxMoveImageMetadataData data = { .mgr = mgr, 0 };
+ struct virSecuritySELinuxMoveImageMetadataData data = {
+ .mgr = mgr,
+ .sharedFilesystems = (char **) sharedFilesystems,
+ 0
+ };
int rc;
if (src && virStorageSourceIsLocalStorage(src))
static int
virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
bool migrated,
bool chardevStdioLogd)
for (i = 0; i < def->ndisks; i++) {
virDomainDiskDef *disk = def->disks[i];
- if (virSecuritySELinuxRestoreImageLabelInt(mgr, def, disk->src,
+ if (virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
+ def, disk->src,
migrated) < 0)
rc = -1;
}
}
if (def->os.loader && def->os.loader->nvram) {
- if (virSecuritySELinuxRestoreImageLabelInt(mgr, def, def->os.loader->nvram,
+ if (virSecuritySELinuxRestoreImageLabelInt(mgr, sharedFilesystems,
+ def, def->os.loader->nvram,
migrated) < 0)
rc = -1;
}
static int
virSecuritySELinuxSetAllLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *def,
const char *incomingPath G_GNUC_UNUSED,
bool chardevStdioLogd,
def->disks[i]->dst);
continue;
}
- if (virSecuritySELinuxSetImageLabel(mgr, def, def->disks[i]->src,
+ if (virSecuritySELinuxSetImageLabel(mgr, sharedFilesystems,
+ def, def->disks[i]->src,
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN |
VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP) < 0)
return -1;
}
if (def->os.loader && def->os.loader->nvram) {
- if (virSecuritySELinuxSetImageLabel(mgr, def, def->os.loader->nvram,
+ if (virSecuritySELinuxSetImageLabel(mgr, sharedFilesystems,
+ def, def->os.loader->nvram,
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN |
VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP) < 0)
return -1;
static int
-virSecurityStackTransactionStart(virSecurityManager *mgr)
+virSecurityStackTransactionStart(virSecurityManager *mgr,
+ char *const *sharedFilesystems)
{
virSecurityStackData *priv = virSecurityManagerGetPrivateData(mgr);
virSecurityStackItem *item = priv->itemsHead;
for (; item; item = item->next) {
- if (virSecurityManagerTransactionStart(item->securityManager) < 0)
+ if (virSecurityManagerTransactionStart(item->securityManager,
+ sharedFilesystems) < 0)
goto rollback;
}
static int
virSecurityStackSetAllLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *vm,
const char *incomingPath,
bool chardevStdioLogd,
virSecurityStackItem *item = priv->itemsHead;
for (; item; item = item->next) {
- if (virSecurityManagerSetAllLabel(item->securityManager, vm,
- incomingPath, chardevStdioLogd,
+ if (virSecurityManagerSetAllLabel(item->securityManager,
+ sharedFilesystems,
+ vm, incomingPath, chardevStdioLogd,
migrated) < 0)
goto rollback;
}
rollback:
for (item = item->prev; item; item = item->prev) {
if (virSecurityManagerRestoreAllLabel(item->securityManager,
+ sharedFilesystems,
vm,
migrated,
chardevStdioLogd) < 0) {
static int
virSecurityStackRestoreAllLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *vm,
bool migrated,
bool chardevStdioLogd)
int rc = 0;
for (; item; item = item->next) {
- if (virSecurityManagerRestoreAllLabel(item->securityManager, vm,
- migrated, chardevStdioLogd) < 0)
+ if (virSecurityManagerRestoreAllLabel(item->securityManager,
+ sharedFilesystems,
+ vm,
+ migrated,
+ chardevStdioLogd) < 0)
rc = -1;
}
static int
virSecurityStackSetImageLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *vm,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags)
virSecurityStackItem *item = priv->itemsHead;
for (; item; item = item->next) {
- if (virSecurityManagerSetImageLabel(item->securityManager, vm, src,
- flags) < 0)
+ if (virSecurityManagerSetImageLabel(item->securityManager,
+ sharedFilesystems,
+ vm, src, flags) < 0)
goto rollback;
}
rollback:
for (item = item->prev; item; item = item->prev) {
if (virSecurityManagerRestoreImageLabel(item->securityManager,
+ sharedFilesystems,
vm,
src,
flags) < 0) {
static int
virSecurityStackRestoreImageLabel(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
virDomainDef *vm,
virStorageSource *src,
virSecurityDomainImageLabelFlags flags)
for (; item; item = item->next) {
if (virSecurityManagerRestoreImageLabel(item->securityManager,
+ sharedFilesystems,
vm, src, flags) < 0)
rc = -1;
}
static int
virSecurityStackMoveImageMetadata(virSecurityManager *mgr,
+ char *const *sharedFilesystems,
pid_t pid,
virStorageSource *src,
virStorageSource *dst)
for (; item; item = item->next) {
if (virSecurityManagerMoveImageMetadata(item->securityManager,
+ sharedFilesystems,
pid, src, dst) < 0)
rc = -1;
}
goto error;
/* On Linux we can also verify the FS-type of the
- * directory. (this is a NOP on other platforms). */
- if (virFileIsSharedFS(path) <= 0)
+ * directory. (this is a NOP on other platforms).
+ *
+ * Note that it would be pointless to pass
+ * virQEMUDriverConfig.sharedFilesystems here, since those
+ * listed there are by definition paths that can be accessed
+ * as local from the current host. Thus, a second attempt at
+ * opening the file would not make a difference */
+ if (virFileIsSharedFS(path, NULL) <= 0)
goto error;
}
return NULL;
}
-int virFileIsSharedFS(const char *path)
+int virFileIsSharedFS(const char *path,
+ char *const *overrides G_GNUC_UNUSED)
{
return virFileIsSharedFSType(path,
VIR_FILE_SHFS_NFS |
};
int virFileIsSharedFSType(const char *path, unsigned int fstypes) ATTRIBUTE_NONNULL(1);
-int virFileIsSharedFS(const char *path) ATTRIBUTE_NONNULL(1);
+int virFileIsSharedFS(const char *path,
+ char *const *overrides) ATTRIBUTE_NONNULL(1);
int virFileIsClusterFS(const char *path) ATTRIBUTE_NONNULL(1);
int virFileIsMountPoint(const char *file) ATTRIBUTE_NONNULL(1);
int virFileIsCDROM(const char *path)
if (!(def = testSELinuxLoadDef(testname)))
goto cleanup;
- if (virSecurityManagerSetAllLabel(mgr, def, NULL, false, false) < 0)
+ if (virSecurityManagerSetAllLabel(mgr, NULL, def, NULL, false, false) < 0)
goto cleanup;
if (testSELinuxCheckLabels(files, nfiles) < 0)
goto cleanup;
}
- actual = virFileIsSharedFS(data->filename);
+ actual = virFileIsSharedFS(data->filename, NULL);
if (actual != data->expected) {
fprintf(stderr, "Unexpected FS type. Expected %d got %d\n",
projects / libvirt.git / commitdiff