On 06/27/13 20:51, Daniel P. Berrange wrote:
On Wed, Jun 26, 2013 at 03:01:49PM +0200, Peter Krempa wrote:
The method labels the file descriptor even if dynamic labeling/relabeling is turned off. This is needed for files created by libvirt and then passed along to qemu as a FD. --- src/libvirt_private.syms | 1 + src/security/security_dac.c | 9 +++++++++ src/security/security_driver.h | 4 ++++ src/security/security_manager.c | 16 ++++++++++++++++ src/security/security_manager.h | 3 +++ src/security/security_nop.c | 1 + src/security/security_selinux.c | 21 +++++++++++++++++++++ src/security/security_stack.c | 19 +++++++++++++++++++ 8 files changed, 74 insertions(+)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 7802dda..5894259 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -2446,6 +2446,26 @@ virSecuritySELinuxGetSecurityMountOptions(virSecurityManagerPtr mgr, return opts; }
+static int +virSecuritySELinuxSetCreatedFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, + virDomainDefPtr def, + int fd) +{ + virSecurityLabelDefPtr secdef; + + if ((secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME))) { + if (!secdef->imagelabel) + secdef->imagelabel = virSecuritySELinuxGenImageLabel(mgr, def);
This is really dubious. None of the methods except for GenSecurityLabel should be making changes to the secdef state.
There is already an exception: virSecuritySELinuxGetSecurityMountOptions().
+ } else { + return -1; + }
The style with nested if()s here is not following the pattern used in other methods here either.
hmmmm ... ok
+ + if (secdef->imagelabel == NULL) + return 0; + + return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel); +}
In general I'm not really convinced we should be adding a new method here, as opposed to making the existing SetImageFDLabel do the right thing.
I was going to suggest expanding the function prototype with a bool that would allow to choose whether to label the image always or only if relabeling is enabled but looking through the code I noticed that actually every caller would need to have this flag enabled. There are currently 4 places this method is called: qemuDumpToFd() - labels a FD of a freshly created file for the memory dump qemuMigrationToFile() - again a new file FD is labeled, used for (managed) save and dumping of memory doTunnelMigrate() - the FD's of a pipe used for extracting data into the stream are labeled, again this would probably fail with static labeling. qemuProcessStart() - the migration FD is labelled on process start. I think it's safe (and necessary) to relabel these even if relabeling is disabled and thus we can change the function to always label FD's. Do you agree?
Daniel
Peter