Re: [libvirt] [PATCHv6 8/8] blockjob: allow mirroring under SELinux
On 04/23/2012 08:49 PM, Eric Blake wrote:
This copies heavily from qemuDomainSnapshotCreateSingleDiskActive(),
in order to set the SELinux label, obtain locking manager lease, and
audit the fact that we hand a new file over to qemu. Alas, releasing
the lease and label at the end of the mirroring is a trickier
prospect (we would have to know the backing chain of both source and
destination, and be sure not to revoke rights to any part of the
chain that is shared), so for now, virDomainBlockJobAbort still
leaves things locked and labeled.
* src/qemu/qemu_driver.c (qemuDomainBlockCopy): Set up labeling.
---
Given today's fix for snapshot, and that this code heavily copied from
snapshot, I will be squashing this in:
diff --git i/src/qemu/qemu_driver.c w/src/qemu/qemu_driver.c
index a2f88fd..da4ad7e 100644
--- i/src/qemu/qemu_driver.c
+++ w/src/qemu/qemu_driver.c
@@ -12031,6 +12031,7 @@ qemuDomainBlockCopy(virDomainPtr dom, const char
*path,
char *mirrorFormat = NULL;
char *origsrc = NULL;
char *origdriver = NULL;
+ virCgroupPtr cgroup = NULL;
/* Preliminaries: find the disk we are editing, sanity checks */
virCheckFlags(VIR_DOMAIN_BLOCK_REBASE_SHALLOW |
@@ -12049,6 +12050,13 @@ qemuDomainBlockCopy(virDomainPtr dom, const
char *path,
_("domain is not running"));
goto cleanup;
}
+ if (qemuCgroupControllerActive(driver,
VIR_CGROUP_CONTROLLER_DEVICES) &&
+ virCgroupForDomain(driver->cgroup, vm->def->name, &cgroup, 0)) {
+ qemuReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unable to find cgroup for %s"),
+ vm->def->name);
+ goto cleanup;
+ }
device = qemuDiskPathToAlias(vm, path, &idx);
if (!device) {
@@ -12154,8 +12162,15 @@ qemuDomainBlockCopy(virDomainPtr dom, const
char *path,
if (virDomainLockDiskAttach(driver->lockManager, vm, disk) < 0)
goto endjob;
+ if (cgroup && qemuSetupDiskCgroup(driver, vm, cgroup, disk) < 0) {
+ if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
+ VIR_WARN("Unable to release lock on %s", dest);
+ goto cleanup;
+ }
if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def,
disk) < 0) {
+ if (cgroup && qemuTeardownDiskCgroup(driver, vm, cgroup, disk) < 0)
+ VIR_WARN("Failed to teardown cgroup for disk path %s", dest);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", dest);
goto endjob;
@@ -12167,6 +12182,8 @@ qemuDomainBlockCopy(virDomainPtr dom, const char
*path,
virDomainAuditDisk(vm, NULL, dest, "mirror", ret >= 0);
qemuDomainObjExitMonitorWithDriver(driver, vm);
if (ret < 0) {
+ if (cgroup && qemuTeardownDiskCgroup(driver, vm, cgroup, disk) < 0)
+ VIR_WARN("Failed to teardown cgroup for disk path %s", dest);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", dest);
@@ -12202,6 +12219,8 @@ endjob:
}
cleanup:
+ if (cgroup)
+ virCgroupFree(&cgroup);
VIR_FREE(device);
if (vm)
virDomainObjUnlock(vm);
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachments:
- signature.asc (application/pgp-signature — 620 bytes)