qemu_security: Fully implement qemuSecurityDomainSetPathLabel
authorMichal Privoznik <mprivozn@redhat.com>
Wed, 5 Sep 2018 09:19:14 +0000 (11:19 +0200)
committerMichal Privoznik <mprivozn@redhat.com>
Mon, 17 Sep 2018 08:58:17 +0000 (10:58 +0200)
Even though the current use of the function does not require full
implementation with transactions (none of the callers pass a path
somewhere under /dev), it doesn't hurt either. Moreover, in
future patches the paradigm is going to shift so that any API
that touches a file is required to use transactions.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
src/qemu/qemu_domain.c
src/qemu/qemu_process.c
src/qemu/qemu_security.c
src/qemu/qemu_security.h

index e12f05f9d172dcabe98df8d542e95741f3defc22..2fd8a2a268cd586539dbb1d7fdd95e623863098d 100644 (file)
@@ -808,8 +808,7 @@ qemuDomainWriteMasterKeyFile(virQEMUDriverPtr driver,
         goto cleanup;
     }
 
-    if (qemuSecurityDomainSetPathLabel(driver->securityManager,
-                                       vm->def, path, false) < 0)
+    if (qemuSecurityDomainSetPathLabel(driver, vm, path, false) < 0)
         goto cleanup;
 
     ret = 0;
index 6d608e4ef52b74ba7a3646e569f0094d7997784b..7d13bd410798251e18448c1651c5fe1c85fc7c42 100644 (file)
@@ -2790,8 +2790,7 @@ qemuProcessStartManagedPRDaemon(virDomainObjPtr vm)
         virCgroupAddMachineTask(priv->cgroup, cpid) < 0)
         goto cleanup;
 
-    if (qemuSecurityDomainSetPathLabel(driver->securityManager,
-                                       vm->def, socketPath, true) < 0)
+    if (qemuSecurityDomainSetPathLabel(driver, vm, socketPath, true) < 0)
         goto cleanup;
 
     priv->prDaemonRunning = true;
@@ -3653,7 +3652,7 @@ qemuProcessNeedMemoryBackingPath(virDomainDefPtr def,
 
 static int
 qemuProcessBuildDestroyMemoryPathsImpl(virQEMUDriverPtr driver,
-                                       virDomainDefPtr def,
+                                       virDomainObjPtr vm,
                                        const char *path,
                                        bool build)
 {
@@ -3668,8 +3667,7 @@ qemuProcessBuildDestroyMemoryPathsImpl(virQEMUDriverPtr driver,
             return -1;
         }
 
-        if (qemuSecurityDomainSetPathLabel(driver->securityManager,
-                                           def, path, true) < 0)
+        if (qemuSecurityDomainSetPathLabel(driver, vm, path, true) < 0)
             return -1;
     } else {
         if (virFileDeleteTree(path) < 0)
@@ -3705,7 +3703,7 @@ qemuProcessBuildDestroyMemoryPaths(virQEMUDriverPtr driver,
             if (!path)
                 goto cleanup;
 
-            if (qemuProcessBuildDestroyMemoryPathsImpl(driver, vm->def,
+            if (qemuProcessBuildDestroyMemoryPathsImpl(driver, vm,
                                                        path, build) < 0)
                 goto cleanup;
 
@@ -3717,7 +3715,7 @@ qemuProcessBuildDestroyMemoryPaths(virQEMUDriverPtr driver,
         if (qemuGetMemoryBackingDomainPath(vm->def, cfg, &path) < 0)
             goto cleanup;
 
-        if (qemuProcessBuildDestroyMemoryPathsImpl(driver, vm->def,
+        if (qemuProcessBuildDestroyMemoryPathsImpl(driver, vm,
                                                    path, build) < 0)
             goto cleanup;
 
@@ -4909,8 +4907,7 @@ qemuProcessMakeDir(virQEMUDriverPtr driver,
         goto cleanup;
     }
 
-    if (qemuSecurityDomainSetPathLabel(driver->securityManager,
-                                       vm->def, path, true) < 0)
+    if (qemuSecurityDomainSetPathLabel(driver, vm, path, true) < 0)
         goto cleanup;
 
     ret = 0;
index af3be42854eb4951414baf3ef5c98e212895cce7..268def309a583de842baa0edc90100d464339e31 100644 (file)
@@ -493,3 +493,33 @@ qemuSecurityCleanupTPMEmulator(virQEMUDriverPtr driver,
 {
     virSecurityManagerRestoreTPMLabels(driver->securityManager, def);
 }
+
+
+int
+qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
+                               virDomainObjPtr vm,
+                               const char *path,
+                               bool allowSubtree)
+{
+    int ret = -1;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionStart(driver->securityManager) < 0)
+        goto cleanup;
+
+    if (virSecurityManagerDomainSetPathLabel(driver->securityManager,
+                                             vm->def,
+                                             path,
+                                             allowSubtree) < 0)
+        goto cleanup;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionCommit(driver->securityManager,
+                                            vm->pid) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    virSecurityManagerTransactionAbort(driver->securityManager);
+    return ret;
+}
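Review bot: The commit step in qemuSecurityDomainSetPathLabel passes `vm->pid` to virSecurityManagerTransactionCommit, but nothing in the function checks that the domain's QEMU process already exists. Several converted callers (qemuProcessMakeDir, qemuDomainWriteMasterKeyFile, qemuProcessBuildDestroyMemoryPathsImpl) look like host-preparation steps, so if QEMU_DOMAIN_NS_MOUNT can be enabled before the pid is set, the relabel would be committed against an unset or stale pid or simply fail; this is inferred from the names, not shown in the hunks. I would state the precondition above the function, e.g. `/* When the mount namespace is enabled, vm->pid must already refer to the domain's QEMU process. */`, and evaluate the check once, `bool inNamespace = qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT);`, so the start and commit branches cannot disagree. The cleanup label also calls virSecurityManagerTransactionAbort when no transaction was started, which is presumably a no-op but worth confirming against the security manager.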
index a189b6382856900344d5f75bddfdfaeadbb1c782..fd11fbdd9d7132cd390c85ee4b8e4d489f590642 100644 (file)
@@ -95,12 +95,16 @@ int qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver,
 void qemuSecurityCleanupTPMEmulator(virQEMUDriverPtr driver,
                                     virDomainDefPtr def);
 
+int qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
+                                   virDomainObjPtr vm,
+                                   const char *path,
+                                   bool allowSubtree);
+
 /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
  * new APIs here. If an API can touch a /dev file add a proper wrapper instead.
  */
 # define qemuSecurityCheckAllLabel virSecurityManagerCheckAllLabel
 # define qemuSecurityClearSocketLabel virSecurityManagerClearSocketLabel
-# define qemuSecurityDomainSetPathLabel virSecurityManagerDomainSetPathLabel
 # define qemuSecurityGenLabel virSecurityManagerGenLabel
 # define qemuSecurityGetBaseLabel virSecurityManagerGetBaseLabel
 # define qemuSecurityGetDOI virSecurityManagerGetDOI