qemu: properly label outgoing pipe for tunneled migration
authorEric Blake <eblake@redhat.com>
Mon, 29 Aug 2011 23:31:42 +0000 (17:31 -0600)
committerEric Blake <eblake@redhat.com>
Tue, 30 Aug 2011 15:15:26 +0000 (09:15 -0600)
Commit 3261761 made it possible to use pipes instead of sockets
for outgoing tunneled migration; however, it caused a regression
because the pipe was never given a SELinux label.

* src/qemu/qemu_migration.c (doTunnelMigrate): Label outgoing pipe.

src/qemu/qemu_migration.c

index a2dc97cc379162c2211aa8c830ab3608cc352ddf..38b05a9bff50f009c7559624de5d9d87f2c9ae49 100644 (file)
@@ -24,6 +24,7 @@
 #include <sys/time.h>
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
+#include <fcntl.h>
 
 #include "qemu_migration.h"
 #include "qemu_monitor.h"
@@ -1691,13 +1692,13 @@ static int doTunnelMigrate(struct qemud_driver *driver,
         spec.dest.fd.qemu = -1;
         spec.dest.fd.local = -1;
 
-        if (pipe(fds) == 0) {
+        if (pipe2(fds, O_CLOEXEC) == 0) {
             spec.dest.fd.qemu = fds[1];
             spec.dest.fd.local = fds[0];
         }
         if (spec.dest.fd.qemu == -1 ||
-            virSetCloseExec(spec.dest.fd.qemu) < 0 ||
-            virSetCloseExec(spec.dest.fd.local) < 0) {
+            virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
+                                              spec.dest.fd.qemu) < 0) {
             virReportSystemError(errno, "%s",
                         _("cannot create pipe for tunnelled migration"));
             goto cleanup;
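Review bot: The error branch after the new `virSecurityManagerSetImageFDLabel()` call still reports `cannot create pipe for tunnelled migration` with `errno`, so a labelling failure on a successfully created pipe is logged as a pipe-creation failure, and `errno` there is whatever the labelling path last left behind. On an SELinux host this makes a labelling or policy problem look like a resource problem in the logs. Splitting the two checks, as sketched below, keeps the `pipe2()` error accurate and lets the labelling failure surface on its own. Whether the security manager already raises its own error is not visible in this hunk, so confirm that before relying on a bare `goto cleanup`. The enclosing block of doTunnelMigrate starts and ends outside the hunk, so whether `fds` are closed on this path could not be checked here.

```c
        /* … unchanged: spec.dest.fd.qemu / spec.dest.fd.local initialised to -1 … */
        if (pipe2(fds, O_CLOEXEC) < 0) {
            virReportSystemError(errno, "%s",
                        _("cannot create pipe for tunnelled migration"));
            goto cleanup;
        }
        spec.dest.fd.qemu = fds[1];
        spec.dest.fd.local = fds[0];

        /* Labelling failure is a distinct error: confirm the security manager
         * reports it, otherwise raise a labelling-specific error here. */
        if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
                                              spec.dest.fd.qemu) < 0)
            goto cleanup;
```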