When setting up a FIFO, QEMU allows either a pair
of fifos used unidirectionally, or a single fifo used
bidirectionally. Look for the bidirectional fifo first
when labelling, since that is more useful.
* src/security/security_dac.c,
src/security/security_selinux.c: Fix fifo handling
---
src/security/security_dac.c | 19 ++++++++++++-------
src/security/security_selinux.c | 19 ++++++++++++-------
2 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index fba2d1d..b8642d2 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -406,14 +406,19 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
break;
case VIR_DOMAIN_CHR_TYPE_PIPE:
- if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
- (virAsprintf(&out, "%s.out", dev->data.file.path) < 0))
{
- virReportOOMError();
- goto done;
+ if (virFileExists(dev->data.file.path)) {
+ if (virSecurityDACSetOwnership(dev->data.file.path, priv->user,
priv->group) < 0)
+ goto done;
+ } else {
+ if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0)
||
+ (virAsprintf(&out, "%s.out", dev->data.file.path) <
0)) {
+ virReportOOMError();
+ goto done;
+ }
+ if ((virSecurityDACSetOwnership(in, priv->user, priv->group) < 0)
||
+ (virSecurityDACSetOwnership(out, priv->user, priv->group) < 0))
+ goto done;
}
- if ((virSecurityDACSetOwnership(in, priv->user, priv->group) < 0) ||
- (virSecurityDACSetOwnership(out, priv->user, priv->group) < 0))
- goto done;
ret = 0;
break;
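Review bot: The new `virFileExists(dev->data.file.path)` branch only establishes that something exists at the configured path, so `virSecurityDACSetOwnership` hands `priv->user`/`priv->group` whatever is there, not necessarily a FIFO, and the existence test and the ownership change are two separate path lookups. If the pipe path can live in a directory writable by anyone other than the management daemon (not visible from this hunk), I would confirm the file type before labelling, e.g. `if (stat(dev->data.file.path, &sb) == 0 && S_ISFIFO(sb.st_mode)) {`, and report an error for an existing non-FIFO instead of labelling it. The same applies to the `SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel)` branch in security_selinux.c. The enclosing function starts and ends outside the hunk.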
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 216208e..476bbbf 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -733,14 +733,19 @@ SELinuxSetSecurityChardevLabel(virDomainObjPtr vm,
break;
case VIR_DOMAIN_CHR_TYPE_PIPE:
- if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
- (virAsprintf(&out, "%s.out", dev->data.file.path) < 0))
{
- virReportOOMError();
- goto done;
+ if (virFileExists(dev->data.file.path)) {
+ if (SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel) < 0)
+ goto done;
+ } else {
+ if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0)
||
+ (virAsprintf(&out, "%s.out", dev->data.file.path) <
0)) {
+ virReportOOMError();
+ goto done;
+ }
+ if ((SELinuxSetFilecon(in, secdef->imagelabel) < 0) ||
+ (SELinuxSetFilecon(out, secdef->imagelabel) < 0))
+ goto done;
}
- if ((SELinuxSetFilecon(in, secdef->imagelabel) < 0) ||
- (SELinuxSetFilecon(out, secdef->imagelabel) < 0))
- goto done;
ret = 0;
break;
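Review bot: Nothing in this patch changes the restore side: the diffstat's 19 lines per file are all in this one hunk, so if the restore-label counterpart still derives only `.in`/`.out` from `dev->data.file.path` (not visible here), a single bidirectional fifo keeps `secdef->imagelabel` after the guest stops. The restore path should mirror the same `virFileExists()` ordering so that set and restore always agree on which files were touched; the same holds for the DAC ownership change in security_dac.c. A short comment above the branch, such as `/* single bidirectional fifo takes precedence over the .in/.out pair */`, would also record why the order matters. It is worth confirming that this order matches the one QEMU uses when both forms exist, since otherwise the labelled file is not the one that gets opened.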
--
1.7.4.4