Add a domain argument to SVirt *RestoreImageLabel
authorJamie Strandboge <jamie@canonical.com>
Wed, 7 Oct 2009 10:36:35 +0000 (12:36 +0200)
committerDaniel Veillard <veillard@redhat.com>
Wed, 7 Oct 2009 10:40:01 +0000 (12:40 +0200)
When James Morris originally submitted his sVirt patches (as seen in
libvirt 0.6.1), he did not require on-disk labelling for
virSecurityDomainRestoreImageLabel. A later commit[2] changed this
behavior to assume on-disk labelling, which blocks implementations for
path-based MAC systems such as AppArmor and TOMOYO where
vm->def->seclabel is required to obtain the label.

* src/security/security_driver.h src/qemu/qemu_driver.c
  src/security/security_selinux.c: adds the 'virDomainObjPtr vm'
  argument back to *RestoreImageLabel

src/qemu/qemu_driver.c
src/security/security_driver.h
src/security/security_selinux.c

index 95e672bd7c2bc23af3568b53c77e96ae8d0b248a..f03f0543113b3ddf99bd7bda0ef4f0e415a3c19d 100644 (file)
@@ -5160,7 +5160,7 @@ static int qemudDomainDetachDevice(virDomainPtr dom,
          dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) {
         ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev);
         if (driver->securityDriver)
-            driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, dev->data.disk);
+            driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev->data.disk);
         if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 1) < 0)
             VIR_WARN0("Fail to restore disk device ownership");
     } else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
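Review bot: The result of `domainRestoreSecurityImageLabel` is still discarded at this call site, so a failed relabel leaves the detached image carrying the guest's label with no trace in the logs, whereas the ownership restore on the next line at least warns. I would fold the check into the condition, `if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev->data.disk) < 0)` followed by `VIR_WARN0("Failed to restore disk security label");`. The restore also runs regardless of `ret` from `qemudDomainDetachPciDiskDevice`, so a failed detach may still relabel a disk the guest has open; whether that is intended is not visible here. Only the driver pointer is tested before the call, so if a driver can leave this callback NULL the call needs a pointer check as well. The body of qemudDomainDetachDevice starts and ends outside the hunk.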
index 40f9d95ec5947fd8798a399a16a8b51b2d17da24..fde2978de792442146455d4693f7278863988537 100644 (file)
@@ -32,6 +32,7 @@ typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void);
 typedef int (*virSecurityDriverOpen) (virConnectPtr conn,
                                       virSecurityDriverPtr drv);
 typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn,
+                                                   virDomainObjPtr vm,
                                                    virDomainDiskDefPtr disk);
 typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
                                                virDomainObjPtr vm,
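Review bot: The new `vm` parameter on `virSecurityDomainRestoreImageLabel` has no comment stating its contract, and driver authors for path-based MAC systems will dereference it to reach `vm->def->seclabel`. I would add a short comment above the typedef, for example `/* vm: domain owning 'disk'; must be non-NULL, drivers may read vm->def->seclabel */`, and say whether the caller holds the domain lock, which presumably it does but is not shown here. The SELinux implementation marks the argument `ATTRIBUTE_UNUSED`, so nothing in this commit exercises the contract yet.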
index d08d502faac71695ed0f2c23c76e25b1775837c5..7e0f71aeebeec05dfe9946cb3a057e5cf761bc3b 100644 (file)
@@ -378,6 +378,7 @@ err:
 
 static int
 SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
+                                 virDomainObjPtr vm ATTRIBUTE_UNUSED,
                                  virDomainDiskDefPtr disk)
 {
     /* Don't restore labels on readoly/shared disks, because
@@ -608,7 +609,8 @@ SELinuxRestoreSecurityLabel(virConnectPtr conn,
                 rc = -1;
         }
         for (i = 0 ; i < vm->def->ndisks ; i++) {
-            if (SELinuxRestoreSecurityImageLabel(conn, vm->def->disks[i]) < 0)
+            if (SELinuxRestoreSecurityImageLabel(conn, vm,
+                                                 vm->def->disks[i]) < 0)
                 rc = -1;
         }
         VIR_FREE(secdef->model);