In a few cases we might set seclabels on a path outside of
namespaces. For instance, when restoring a domain from a file,
the file is opened, relabelled and only then the namespace is
created and the FD is passed to QEMU (see v6.3.0-rc1~108 for more
info). Therefore, when restoring the label on the restore file,
we must ignore domain namespaces and restore the label directly
in the host.
This bug demonstrates itself when restoring a domain from a block
device. We don't create the block device inside the domain
namespace and thus the following error is reported at the end of
(otherwise successful) restore:
error : virProcessRunInFork:1236 : internal error: child reported (status=125): unable to stat: /dev/sda: No such file or directory
error : virProcessRunInFork:1240 : unable to stat: /dev/sda: No such file or directory
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
qemuProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_FAILED,
asyncJob, VIR_QEMU_PROCESS_STOP_MIGRATED);
}
- if (qemuSecurityDomainRestorePathLabel(driver, vm, path) < 0)
+ if (qemuSecurityDomainRestorePathLabel(driver, vm, path, true) < 0)
VIR_WARN("failed to restore save state label on %s", path);
return ret;
}
int
qemuSecurityDomainRestorePathLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
- const char *path)
+ const char *path,
+ bool ignoreNS)
{
qemuDomainObjPrivatePtr priv = vm->privateData;
pid_t pid = -1;
int ret = -1;
- if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
+ if (!ignoreNS &&
+ qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
if (virSecurityManagerTransactionStart(driver->securityManager) < 0)
int qemuSecurityDomainRestorePathLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
- const char *path);
+ const char *path,
+ bool ignoreNS);
int qemuSecurityCommandRun(virQEMUDriverPtr driver,
virDomainObjPtr vm,
projects / libvirt.git / commitdiff