Skip bulk relabelling of resources in SELinux driver when used with LXC

The virSecurityManager{Set,Restore}AllLabel methods are invoked
at domain startup/shutdown to relabel resources associated with
a domain. This works fine with QEMU, but with LXC they are in
fact both currently no-ops since LXC does not support disks,
hostdevs, or kernel/initrd files. Worse, when LXC gains support
for disks/hostdevs, they will do the wrong thing, since they
run in host context, not container context. Thus this patch
turns then into a formal no-op when used with LXC. The LXC
controller will call out to specific security manager labelling
APIs as required during startup.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 5c125feb0d3fa3f46a452e7ea37d40c349a4b7ee..13ef3a58cca8a53d091b02922e97758680329068 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -62,6 +62,7 @@ struct _virSecuritySELinuxData {
     char *file_context;
     char *content_context;
     virHashTablePtr mcs;
+    bool skipAllLabel;
 };
 
 struct _virSecuritySELinuxCallbackData {
@@ -364,6 +365,8 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
     virConfPtr selinux_conf;
     virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
 
+    data->skipAllLabel = true;
+
     selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
     if (!selinux_conf) {
         virReportSystemError(errno,
@@ -439,6 +442,8 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
     char *ptr;
     virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
 
+    data->skipAllLabel = false;
+
     if (virFileReadAll(selinux_virtual_domain_context_path(), MAX_CONTEXT, &(data->domain_context)) < 0) {
         virReportSystemError(errno,
                              _("cannot read SELinux virtual domain context file '%s'"),
@@ -1478,11 +1483,12 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
 
 
 static int
-virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
                                           virDomainDefPtr def,
                                           int migrated ATTRIBUTE_UNUSED)
 {
     virSecurityLabelDefPtr secdef;
+    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
     int i;
     int rc = 0;
 
@@ -1492,7 +1498,7 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
     if (secdef == NULL)
         return -1;
 
-    if (secdef->norelabel)
+    if (secdef->norelabel || data->skipAllLabel)
         return 0;
 
     for (i = 0 ; i < def->nhostdevs ; i++) {
@@ -1850,7 +1856,7 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
     if (secdef == NULL)
         return -1;
 
-    if (secdef->norelabel)
+    if (secdef->norelabel || data->skipAllLabel)
         return 0;
 
     for (i = 0 ; i < def->ndisks ; i++) {