This is basically just a continuation of the previous commit.
Now that the security driver APIs have a boolean flag that
controls setting/restoring seclabel of either both TPM state and
log files, or just the log file, propagate this boolean into
those APIs that start/stop the swtpm emulator. For now, just pass
true. The juicy bits are soon to come.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_security.c | 13 +++++++++----
src/qemu/qemu_security.h | 4 +++-
src/qemu/qemu_tpm.c | 4 ++--
3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
index d9a1ee5f56..def4061488 100644
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@@ -507,6 +507,7 @@ qemuSecurityRestoreNetdevLabel(virQEMUDriver *driver,
* @cmd: the command to run
* @uid: the uid to run the emulator
* @gid: the gid to run the emulator
+ * @setTPMStateLabel: whether TPM state should be labelled, or just logfile
* @existstatus: pointer to int returning exit status of process
* @cmdret: pointer to int returning result of virCommandRun
*
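Review bot: The new `@setTPMStateLabel` entry leaves the meaning of each value implicit ("whether TPM state should be labelled, or just logfile"); since this flag decides which files receive the domain's security label, spell out both cases, e.g. ` * @setTPMStateLabel: true to label both the TPM state and the log file, false to label only the log file`. The same wording belongs on the matching `restoreTPMStateLabel` parameter of qemuSecurityCleanupTPMEmulator, whose doc comment (if any) is outside the hunk at line 578. As a side observation, the adjacent context entry `@existstatus` (pre-existing, not touched by this commit) does not match the parameter name `exitstatus`.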
@@ -523,6 +524,7 @@ qemuSecurityStartTPMEmulator(virQEMUDriver *driver,
virCommand *cmd,
uid_t uid,
gid_t gid,
+ bool setTPMStateLabel,
int *exitstatus,
int *cmdret)
{
@@ -535,7 +537,7 @@ qemuSecurityStartTPMEmulator(virQEMUDriver *driver,
transactionStarted = true;
if (virSecurityManagerSetTPMLabels(driver->securityManager,
- vm->def, true) < 0) {
+ vm->def, setTPMStateLabel) < 0) {
virSecurityManagerTransactionAbort(driver->securityManager);
return -1;
}
@@ -560,7 +562,8 @@ qemuSecurityStartTPMEmulator(virQEMUDriver *driver,
virSecurityManagerTransactionStart(driver->securityManager) >= 0)
transactionStarted = true;
- virSecurityManagerRestoreTPMLabels(driver->securityManager, vm->def, true);
+ virSecurityManagerRestoreTPMLabels(driver->securityManager,
+ vm->def, setTPMStateLabel);
if (transactionStarted &&
virSecurityManagerTransactionCommit(driver->securityManager,
@@ -575,7 +578,8 @@ qemuSecurityStartTPMEmulator(virQEMUDriver *driver,
void
qemuSecurityCleanupTPMEmulator(virQEMUDriver *driver,
- virDomainObj *vm)
+ virDomainObj *vm,
+ bool restoreTPMStateLabel)
{
qemuDomainObjPrivate *priv = vm->privateData;
bool transactionStarted = false;
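Review bot: The new `restoreTPMStateLabel` parameter lets a caller choose at cleanup time a different scope than the one used at start, and nothing in qemuSecurityCleanupTPMEmulator ties the two together: if the emulator was started with `setTPMStateLabel == true` and cleanup is called with `false`, the TPM state files keep the domain's label after the emulator is gone. Callers currently pass `true` in both places, so behaviour is unchanged, but the contract should be stated next to the parameter, e.g. ` * @restoreTPMStateLabel: must match the setTPMStateLabel value passed to qemuSecurityStartTPMEmulator, otherwise the state label is left in place`. The same applies to the restore call in the following hunk at line 587; the function's doc comment, if present, and the rest of its body lie outside these hunks.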
@@ -583,7 +587,8 @@ qemuSecurityCleanupTPMEmulator(virQEMUDriver *driver,
if (virSecurityManagerTransactionStart(driver->securityManager) >= 0)
transactionStarted = true;
- virSecurityManagerRestoreTPMLabels(driver->securityManager, vm->def, true);
+ virSecurityManagerRestoreTPMLabels(driver->securityManager,
+ vm->def, restoreTPMStateLabel);
if (transactionStarted &&
virSecurityManagerTransactionCommit(driver->securityManager,
diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h
index e01d4699e6..969a47fc17 100644
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@@ -90,11 +90,13 @@ int qemuSecurityStartTPMEmulator(virQEMUDriver *driver,
virCommand *cmd,
uid_t uid,
gid_t gid,
+ bool setTPMStateLabel,
int *exitstatus,
int *cmdret);
void qemuSecurityCleanupTPMEmulator(virQEMUDriver *driver,
- virDomainObj *vm);
+ virDomainObj *vm,
+ bool restoreTPMStateLabel);
int qemuSecuritySetSavedStateLabel(virQEMUDriver *driver,
virDomainObj *vm,
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index d2f5bfb055..8dba716ef2 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -962,7 +962,7 @@ qemuTPMEmulatorStart(virQEMUDriver *driver,
}
} else if (qemuSecurityStartTPMEmulator(driver, vm, cmd,
cfg->swtpm_user, cfg->swtpm_group,
- NULL, &cmdret) < 0) {
+ true, NULL, &cmdret) < 0) {
goto error;
}
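Review bot: The bare `true` inserted into the qemuSecurityStartTPMEmulator call is the sixth positional argument and gives a reader no hint which of the new flags it is or why it is hard-coded, which the commit message explains only as "for now". A short call-site comment such as `true, /* setTPMStateLabel: label state dir and log */` would carry that intent into the code; the same applies to the `qemuSecurityCleanupTPMEmulator(driver, vm, true)` call in the hunk at line 1139, where the literal maps to `restoreTPMStateLabel`. qemuTPMEmulatorStart begins and ends outside this hunk.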
@@ -1139,7 +1139,7 @@ qemuExtTPMStop(virQEMUDriver *driver,
qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName);
if (!(outgoingMigration && qemuTPMHasSharedStorage(vm->def)))
- qemuSecurityCleanupTPMEmulator(driver, vm);
+ qemuSecurityCleanupTPMEmulator(driver, vm, true);
}
--
2.37.4