Refactor the existing code to allow re-using it for the per-image label
restore too.
---
src/security/security_selinux.c | 60 ++++++++++++++++++++++++-----------------
1 file changed, 35 insertions(+), 25 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 7740e69..7b534b2 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1123,18 +1123,21 @@
virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
static int
virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
virDomainDefPtr def,
- virDomainDiskDefPtr disk,
+ virStorageSourcePtr src,
bool migrated)
{
virSecurityLabelDefPtr seclabel;
virSecurityDeviceLabelDefPtr disk_seclabel;
- const char *src = virDomainDiskGetSource(disk);
+
+ if (!src->path ||
+ virStorageSourceGetActualType(src) == VIR_STORAGE_TYPE_NETWORK)
+ return 0;
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (seclabel == NULL)
return 0;
- disk_seclabel = virStorageSourceGetSecurityLabelDef(disk->src,
+ disk_seclabel = virStorageSourceGetSecurityLabelDef(src,
SECURITY_SELINUX_NAME);
if (seclabel->norelabel || (disk_seclabel &&
disk_seclabel->norelabel))
return 0;
@@ -1144,40 +1147,35 @@
virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
* be tracked in domain XML, at which point labelskip should be a
* per-file attribute instead of a disk attribute. */
if (disk_seclabel && disk_seclabel->labelskip &&
- !disk->src->backingStore)
+ !src->backingStore)
return 0;
- /* Don't restore labels on readoly/shared disks, because
- * other VMs may still be accessing these
- * Alternatively we could iterate over all running
- * domains and try to figure out if it is in use, but
- * this would not work for clustered filesystems, since
- * we can't see running VMs using the file on other nodes
- * Safest bet is thus to skip the restore step.
+ /* Don't restore labels on readoly/shared disks, because other VMs may
+ * still be accessing these Alternatively we could iterate over all running
+ * domains and try to figure out if it is in use, but this would not work
+ * for clustered filesystems, since we can't see running VMs using the file
+ * on other nodes Safest bet is thus to skip the restore step.
*/
- if (disk->src->readonly || disk->src->shared)
+ if (src->readonly || src->shared)
return 0;
- if (!src || virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_NETWORK)
- return 0;
- /* If we have a shared FS & doing migrated, we must not
- * change ownership, because that kills access on the
- * destination host which is sub-optimal for the guest
- * VM's I/O attempts :-)
+ /* If we have a shared FS & doing migrated, we must not change ownership,
+ * because that kills access on the destination host which is sub-optimal
+ * for the guest VM's I/O attempts :-)
*/
if (migrated) {
- int rc = virFileIsSharedFS(src);
+ int rc = virFileIsSharedFS(src->path);
if (rc < 0)
return -1;
if (rc == 1) {
VIR_DEBUG("Skipping image label restore on %s because FS is
shared",
- src);
+ src->path);
return 0;
}
}
- return virSecuritySELinuxRestoreSecurityFileLabel(mgr, src);
+ return virSecuritySELinuxRestoreSecurityFileLabel(mgr, src->path);
}
@@ -1186,7 +1184,17 @@ virSecuritySELinuxRestoreSecurityDiskLabel(virSecurityManagerPtr
mgr,
virDomainDefPtr def,
virDomainDiskDefPtr disk)
{
- return virSecuritySELinuxRestoreSecurityImageLabelInt(mgr, def, disk, false);
+ return virSecuritySELinuxRestoreSecurityImageLabelInt(mgr, def, disk->src,
+ false);
+}
+
+
+static int
+virSecuritySELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virStorageSourcePtr src)
+{
+ return virSecuritySELinuxRestoreSecurityImageLabelInt(mgr, def, src, false);
}
@@ -1867,9 +1875,9 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr
mgr,
rc = -1;
}
for (i = 0; i < def->ndisks; i++) {
- if (virSecuritySELinuxRestoreSecurityImageLabelInt(mgr,
- def,
- def->disks[i],
+ virDomainDiskDefPtr disk = def->disks[i];
+
+ if (virSecuritySELinuxRestoreSecurityImageLabelInt(mgr, def, disk->src,
migrated) < 0)
rc = -1;
}
@@ -2429,6 +2437,8 @@ virSecurityDriver virSecurityDriverSELinux = {
.domainSetSecurityDiskLabel = virSecuritySELinuxSetSecurityDiskLabel,
.domainRestoreSecurityDiskLabel = virSecuritySELinuxRestoreSecurityDiskLabel,
+ .domainRestoreSecurityImageLabel = virSecuritySELinuxRestoreSecurityImageLabel,
+
.domainSetSecurityDaemonSocketLabel =
virSecuritySELinuxSetSecurityDaemonSocketLabel,
.domainSetSecuritySocketLabel = virSecuritySELinuxSetSecuritySocketLabel,
.domainClearSecuritySocketLabel = virSecuritySELinuxClearSecuritySocketLabel,
--
1.9.3