[libvirt] [PATCH for 5.7.0 3/3] qemu_blockjob: Restore seclabels more frequently on job events
If a block job reaches failed/cancelled state, or is completed
without pivot then qemu no longer uses the mirror image. Since
we've set its seclabels we must restore them back to avoid
leaking perms/XATTRs.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741456
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_blockjob.c | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
index 80302fb139..8411d8e223 100644
--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
@@ -656,6 +656,13 @@ qemuBlockJobEventProcessLegacyCompleted(virQEMUDriverPtr driver,
} else {
if (disk->mirror) {
virDomainLockImageDetach(driver->lockManager, vm, disk->mirror);
+
+ /* QEMU no longer uses the image, so we can restore its label. */
+ if (qemuSecurityRestoreImageLabel(driver, vm, disk->mirror, true) < 0)
{
+ VIR_WARN("Unable to restore security labels on vm %s disk %s",
+ vm->def->name, NULLSTR(disk->mirror->path));
+ }
+
virObjectUnref(disk->mirror);
}
}
@@ -725,6 +732,13 @@ qemuBlockJobEventProcessLegacy(virQEMUDriverPtr driver,
case VIR_DOMAIN_BLOCK_JOB_CANCELED:
if (disk->mirror) {
virDomainLockImageDetach(driver->lockManager, vm, disk->mirror);
+
+ /* QEMU no longer uses the image, so we can restore its label. */
+ if (qemuSecurityRestoreImageLabel(driver, vm, disk->mirror, true) < 0)
{
+ VIR_WARN("Unable to restore security labels on vm %s disk %s",
+ vm->def->name, NULLSTR(disk->mirror->path));
+ }
+
virObjectUnref(disk->mirror);
disk->mirror = NULL;
}
@@ -1124,7 +1138,8 @@ qemuBlockJobProcessEventConcludedCopyAbort(virQEMUDriverPtr driver,
static void
-qemuBlockJobProcessEventFailedActiveCommit(virDomainObjPtr vm,
+qemuBlockJobProcessEventFailedActiveCommit(virQEMUDriverPtr driver,
+ virDomainObjPtr vm,
qemuBlockJobDataPtr job)
{
VIR_DEBUG("active commit job '%s' on VM '%s' failed",
job->name, vm->def->name);
@@ -1132,6 +1147,12 @@ qemuBlockJobProcessEventFailedActiveCommit(virDomainObjPtr vm,
if (!job->disk)
return;
+ /* QEMU no longer uses the image, so we can restore its label. */
+ if (qemuSecurityRestoreImageLabel(driver, vm, job->disk->mirror, true) < 0)
{
+ VIR_WARN("Unable to restore security labels on vm %s disk %s",
+ vm->def->name, NULLSTR(job->disk->mirror->path));
+ }
+
virObjectUnref(job->disk->mirror);
job->disk->mirror = NULL;
}
@@ -1227,7 +1248,7 @@ qemuBlockJobEventProcessConcludedTransition(qemuBlockJobDataPtr
job,
break;
case QEMU_BLOCKJOB_TYPE_ACTIVE_COMMIT:
- qemuBlockJobProcessEventFailedActiveCommit(vm, job);
+ qemuBlockJobProcessEventFailedActiveCommit(driver, vm, job);
break;
case QEMU_BLOCKJOB_TYPE_CREATE:
--
2.21.0