qemu: Label master key file

When creating the master key, we used mode 0600 (which we should) but
because we were creating it as root, the file is not readable by any
qemu running as non-root.  Fortunately, it's just a matter of labelling
the file.  We are generating the file path few times already, so let's
label it in the same function that has access to the path already.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>

diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index fa31954616b2178b7a13ee07bfb30712bfa50ce3..ed1e0e5029255ce4e1e9b663be6fdfd6d187b5d9 100644 (file)
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -504,11 +504,13 @@ qemuDomainGetMasterKeyFilePath(const char *libDir)
  * Returns 0 on success, -1 on failure with error message indicating failure
  */
 static int
-qemuDomainWriteMasterKeyFile(qemuDomainObjPrivatePtr priv)
+qemuDomainWriteMasterKeyFile(virQEMUDriverPtr driver,
+                             virDomainObjPtr vm)
 {
     char *path;
     int fd = -1;
     int ret = -1;
+    qemuDomainObjPrivatePtr priv = vm->privateData;
 
     if (!(path = qemuDomainGetMasterKeyFilePath(priv->libDir)))
         return -1;
@@ -525,6 +527,10 @@ qemuDomainWriteMasterKeyFile(qemuDomainObjPrivatePtr priv)
         goto cleanup;
     }
 
+    if (virSecurityManagerDomainSetDirLabel(driver->securityManager,
+                                            vm->def, path) < 0)
+        goto cleanup;
+
     ret = 0;
 
  cleanup:
@@ -697,8 +703,11 @@ qemuDomainMasterKeyRemove(qemuDomainObjPrivatePtr priv)
  * Returns: 0 on success, -1 w/ error message on failure
  */
 int
-qemuDomainMasterKeyCreate(qemuDomainObjPrivatePtr priv)
+qemuDomainMasterKeyCreate(virQEMUDriverPtr driver,
+                          virDomainObjPtr vm)
 {
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+
     /* If we don't have the capability, then do nothing. */
     if (!virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_OBJECT_SECRET))
         return 0;
@@ -709,7 +718,7 @@ qemuDomainMasterKeyCreate(qemuDomainObjPrivatePtr priv)
 
     priv->masterKeyLen = QEMU_DOMAIN_MASTER_KEY_LEN;
 
-    if (qemuDomainWriteMasterKeyFile(priv) < 0)
+    if (qemuDomainWriteMasterKeyFile(driver, vm) < 0)
         goto error;
 
     return 0;

diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index d8d57d32df5d90585ce76372a3ec3f3a71801597..7d2c4fd92ae4ed42c9f49177a80596d9754ae4f5 100644 (file)
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -584,7 +584,8 @@ char *qemuDomainGetMasterKeyFilePath(const char *libDir);
 
 int qemuDomainMasterKeyReadFile(qemuDomainObjPrivatePtr priv);
 
-int qemuDomainMasterKeyCreate(qemuDomainObjPrivatePtr priv);
+int qemuDomainMasterKeyCreate(virQEMUDriverPtr driver,
+                              virDomainObjPtr vm);
 
 void qemuDomainMasterKeyRemove(qemuDomainObjPrivatePtr priv);
 

diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 3da23ce3d8e31e8de3bc21337491515e8e7ffef8..81d86c2d1aa27bdf62e771233733ad5d1b234707 100644 (file)
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -5213,7 +5213,7 @@ qemuProcessPrepareHost(virQEMUDriverPtr driver,
         goto cleanup;
 
     VIR_DEBUG("Create domain masterKey");
-    if (qemuDomainMasterKeyCreate(priv) < 0)
+    if (qemuDomainMasterKeyCreate(driver, vm) < 0)
         goto cleanup;
 
     ret = 0;