
On 04/04/2014 02:34 PM, Michal Privoznik wrote:
The inspiration for this patch comes from a question on the list asking if there's a way to not label some disks. Well, in the DAC driver there's not. Even if the user has requested norelabel:
  <disk type='file' device='disk'>
    <driver name='qemu' type='raw'/>
    <source file='/some/dummy/path/test.bin'>
      <seclabel model='dac' relabel='no'/>
    </source>
    <target dev='vdb' bus='virtio'/>
    <readonly/>
    <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
  </disk>
the DAC driver ignores this completely.
I've found a bug for this: https://bugzilla.redhat.com/show_bug.cgi?id=999301
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/security/security_dac.c | 92 +++++++++++++++++++++++++++++++++++----------
 1 file changed, 73 insertions(+), 19 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 8835d49..f15a0e9 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -286,7 +286,7 @@ virSecurityDACRestoreSecurityFileLabel(const char *path)
static int -virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED, +virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk, const char *path, size_t depth ATTRIBUTE_UNUSED, void *opaque) @@ -295,11 +295,23 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED, virSecurityManagerPtr mgr = cbdata->manager; virSecurityLabelDefPtr secdef = cbdata->secdef; virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); + virSecurityDeviceLabelDefPtr disk_seclabel; uid_t user; gid_t group;
- if (virSecurityDACGetImageIds(secdef, priv, &user, &group) < 0) - return -1; + disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk, + SECURITY_DAC_NAME); + + if (disk_seclabel && disk_seclabel->norelabel) + return 0;
What if the domain label has relabel='no', but the disk label has relabel='yes'?
+ + if (disk_seclabel && disk_seclabel->label) { + if (virParseOwnershipIds(disk_seclabel->label, &user, &group) < 0) + return -1; + } else { + if (virSecurityDACGetImageIds(secdef, priv, &user, &group)) + return -1; + }
return virSecurityDACSetOwnership(path, user, group); }
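Review bot: In the else branch of the second hunk, `if (virSecurityDACGetImageIds(secdef, priv, &user, &group))` drops the `< 0` that the removed line had and that the sibling `virParseOwnershipIds(disk_seclabel->label, &user, &group) < 0` check in the same hunk keeps; suggest restoring `< 0` so both branches test the return value the same way. Separately, the new `if (disk_seclabel && disk_seclabel->norelabel) return 0;` consults only the per-disk label, and nothing in the hunk shows how it combines with the domain-level `secdef` relabel setting (the question raised in the reply above); the intended precedence should be spelled out in the commit message and, if a per-disk relabel='yes' is meant to override a domain-level relabel='no', handled explicitly here rather than left to whichever check runs first.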
Jan