On Thu, Apr 02, 2026 at 11:12:39 -0400, Cole Robinson via Devel wrote:
This matches the behavior of qemuDomainGetImageIds() which we are about to convert to. I think it's safe to depend on the security driver to have already validated this for us.
Prior to this series, 'qemuDomainGetImageIds()' was used only on code paths where the VM was already running (thus the user/group configured in the seclabel was validated). (The only exception is the very much unused/useless API qemuDomainBlockPeek, where it was used but thus had the bug.)

OTOH 'qemuDomainOpenFile' is used on code paths where the VM was not yet started and thus the value is not validated by the security driver at that point.

The user can thus have an invalid seclabel:

  <seclabel type='static' model='dac' relabel='yes'>
    <label>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa</label>
  </seclabel>

configured in the definition; or for that matter e.g. a user/group with an unknown name, and this would then silently ignore the error in the API call, but would spam the log with the error.

qemuDomainGetImageIds, or however you rename it, thus should be fixed to report errors if you want to use it this way.
Signed-off-by: Cole Robinson <crobinso@redhat.com> --- src/qemu/qemu_domain.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 6695f32c01..a0f41c436e 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -10703,9 +10703,8 @@ qemuDomainOpenFile(virQEMUDriverConfig *cfg,
if (def && (seclabel = virDomainDefGetSecurityLabelDef(def, "dac")) != NULL && - seclabel->label != NULL && - (virParseOwnershipIds(seclabel->label, &user, &group) < 0)) - return -EINVAL; + seclabel->label != NULL) + virParseOwnershipIds(seclabel->label, &user, &group);
return virQEMUFileOpenAs(user, group, dynamicOwnership, path, oflags, needUnlink); -- 2.53.0
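
Review bot: In qemuDomainOpenFile() the return value of virParseOwnershipIds(seclabel->label, &user, &group) is now discarded, so a label that fails to parse no longer produces -EINVAL and the function goes on to call virQEMUFileOpenAs(user, group, ...) with whatever user and group held before the parse. As the reply above notes, this function runs on paths where the security driver has not yet validated the seclabel, so the "already validated" assumption in the commit message does not hold here. Either keep the "< 0" check and the "return -EINVAL;" in this function, or make the helper this is being converted to return the parse failure to its caller so the open is refused instead of proceeding with an unparsed label.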