qemu_tpm: Set log file label on migration

Recently, the QEMU driver gained support for migration with TPM
state on a shared volume (e.g. NFS). As a part of that, the
destination side avoids setting seclabels on it to avoid cutting
off the source while it is still using it. Makes sense, except
for a wee bit: the secdriver API does a bit more - it also sets
label on the swtpm log file. And this one definitely needs to be
labeled (it lives under /var/log/swtpm/libvirt/qemu/..., i.e. not
on a shared volume).

Previously, qemuSecurityStartTPMEmulator() took care of that. But
during rework to shared volume migration, the code was changed so
now plain qemuSecurityCommandRun() would be run (i.e. no
relabelling).

But after previous commits, we can now chose whether the TPM
state should be relabelled or just the log file.

Fixes: 2e669ec789231d39e0d5f5f6a201d2a661b8070c
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2130192#c7
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>

diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 8dba716ef226d36ce05afcb55dbbfd7afdf9eb4b..0939f64e4e0a9d7515dc550b56faffaa4ad97ed2 100644 (file)
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -926,6 +926,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
     g_autofree char *pidfile = NULL;
     virTimeBackOffVar timebackoff;
     const unsigned long long timeout = 1000; /* ms */
+    bool setTPMStateLabel = true;
     int cmdret = 0;
     pid_t pid = -1;
 
@@ -955,14 +956,12 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
     if (incomingMigration &&
         virFileIsSharedFS(tpm->data.emulator.storagepath) == 1) {
         /* security labels must have been set up on source already */
-        if (qemuSecurityCommandRun(driver, vm, cmd,
-                                   cfg->swtpm_user, cfg->swtpm_group,
-                                   NULL, &cmdret) < 0) {
-            goto error;
-        }
-    } else if (qemuSecurityStartTPMEmulator(driver, vm, cmd,
-                                            cfg->swtpm_user, cfg->swtpm_group,
-                                            true, NULL, &cmdret) < 0) {
+        setTPMStateLabel = false;
+    }
+
+    if (qemuSecurityStartTPMEmulator(driver, vm, cmd,
+                                     cfg->swtpm_user, cfg->swtpm_group,
+                                     setTPMStateLabel, NULL, &cmdret) < 0) {
         goto error;
     }
 
@@ -1133,13 +1132,16 @@ qemuExtTPMStop(virQEMUDriver *driver,
 {
     g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver);
     g_autofree char *shortName = virDomainDefGetShortName(vm->def);
+    bool restoreTPMStateLabel = true;
 
     if (!shortName)
         return;
 
     qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName);
-    if (!(outgoingMigration && qemuTPMHasSharedStorage(vm->def)))
-        qemuSecurityCleanupTPMEmulator(driver, vm, true);
+    if (outgoingMigration || qemuTPMHasSharedStorage(vm->def))
+        restoreTPMStateLabel = false;
+
+    qemuSecurityCleanupTPMEmulator(driver, vm, restoreTPMStateLabel);
 }