[PATCH 0/2] security: Handle non top parents better
See 2/2 for explanation. Michal Prívozník (2): security: Introduce VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT flag qemu: Tell secdrivers which images are top parent src/qemu/qemu_backup.c | 4 ++-- src/qemu/qemu_blockjob.c | 6 ++++-- src/qemu/qemu_checkpoint.c | 6 ++++-- src/qemu/qemu_domain.c | 15 +++++++++++++-- src/qemu/qemu_domain.h | 3 ++- src/qemu/qemu_driver.c | 15 ++++++++++----- src/qemu/qemu_process.c | 2 +- src/qemu/qemu_security.c | 6 +++++- src/qemu/qemu_security.h | 3 ++- src/security/security_dac.c | 16 +++++++++++----- src/security/security_manager.h | 1 + src/security/security_selinux.c | 18 ++++++++++++------ 12 files changed, 67 insertions(+), 28 deletions(-) -- 2.24.1
Our decision whether to remember seclabel for a disk image depends on a few factors. If the image is readonly or shared or not top parent of a backing chain the remembering is suppressed for the image. However, the virSecurityManagerSetImageLabel() is too low level to determine whether passed @src is top parent or not. Even though it has domain definition available, in some cases (like snapshots or block copy) the @src is added to the definition only after the operation succeeded. Therefore, introduce a flag which callers can use to help us with the decision. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/security_dac.c | 16 +++++++++++----- src/security/security_manager.h | 1 + src/security/security_selinux.c | 18 ++++++++++++------ 3 files changed, 24 insertions(+), 11 deletions(-) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index f412054d0e..3f8b04b307 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -889,14 +889,14 @@ static int virSecurityDACSetImageLabelInternal(virSecurityManagerPtr mgr, virDomainDefPtr def, virStorageSourcePtr src, - virStorageSourcePtr parent) + virStorageSourcePtr parent, + bool is_topparent) { virSecurityLabelDefPtr secdef; virSecurityDeviceLabelDefPtr disk_seclabel; virSecurityDeviceLabelDefPtr parent_seclabel = NULL; virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); bool remember; - bool is_toplevel = parent == src || parent->externalDataStore == src; uid_t user; gid_t group; @@ -954,7 +954,7 @@ virSecurityDACSetImageLabelInternal(virSecurityManagerPtr mgr, * but the top layer, or read only image, or disk explicitly * marked as shared. */ - remember = is_toplevel && !src->readonly && !src->shared; + remember = is_topparent && !src->readonly && !src->shared; return virSecurityDACSetOwnership(mgr, src, NULL, user, group, remember); } @@ -967,10 +967,13 @@ virSecurityDACSetImageLabelRelative(virSecurityManagerPtr mgr, virStorageSourcePtr parent, virSecurityDomainImageLabelFlags flags) { + bool is_topparent = flags & VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT; virStorageSourcePtr n; + flags &= ~VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT; + for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) { - if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent) < 0) + if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent, is_topparent) < 0) return -1; if (n->externalDataStore && @@ -983,6 +986,8 @@ virSecurityDACSetImageLabelRelative(virSecurityManagerPtr mgr, if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) break; + + is_topparent = false; } return 0; @@ -2114,7 +2119,8 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, if (virDomainDiskGetType(def->disks[i]) == VIR_STORAGE_TYPE_DIR) continue; if (virSecurityDACSetImageLabel(mgr, def, def->disks[i]->src, - VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN) < 0) + VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN | + VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT) < 0) return -1; } diff --git a/src/security/security_manager.h b/src/security/security_manager.h index b92ea5dc87..11904fda89 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -151,6 +151,7 @@ virSecurityManagerPtr* virSecurityManagerGetNested(virSecurityManagerPtr mgr); typedef enum { VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN = 1 << 0, + VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT = 1 << 1, } virSecurityDomainImageLabelFlags; int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 2241a35e6e..0aa0c2bb71 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1824,7 +1824,8 @@ static int virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr, virDomainDefPtr def, virStorageSourcePtr src, - virStorageSourcePtr parent) + virStorageSourcePtr parent, + bool is_topparent) { virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr); virSecurityLabelDefPtr secdef; @@ -1832,7 +1833,6 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr, virSecurityDeviceLabelDefPtr parent_seclabel = NULL; char *use_label = NULL; bool remember; - bool is_toplevel = parent == src || parent->externalDataStore == src; g_autofree char *vfioGroupDev = NULL; const char *path = src->path; int ret; @@ -1856,7 +1856,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr, * but the top layer, or read only image, or disk explicitly * marked as shared. */ - remember = is_toplevel && !src->readonly && !src->shared; + remember = is_topparent && !src->readonly && !src->shared; disk_seclabel = virStorageSourceGetSecurityLabelDef(src, SECURITY_SELINUX_NAME); @@ -1873,7 +1873,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr, return 0; use_label = parent_seclabel->label; - } else if (is_toplevel) { + } else if (parent == src || parent->externalDataStore == src) { if (src->shared) { use_label = data->file_context; } else if (src->readonly) { @@ -1927,10 +1927,13 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityManagerPtr mgr, virStorageSourcePtr parent, virSecurityDomainImageLabelFlags flags) { + bool is_topparent = flags & VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT; virStorageSourcePtr n; + flags &= ~VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT; + for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) { - if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent) < 0) + if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent, is_topparent) < 0) return -1; if (n->externalDataStore && @@ -1943,6 +1946,8 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityManagerPtr mgr, if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) break; + + is_topparent = false; } return 0; @@ -3146,7 +3151,8 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr, continue; } if (virSecuritySELinuxSetImageLabel(mgr, def, def->disks[i]->src, - VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN) < 0) + VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN | + VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT) < 0) return -1; } /* XXX fixme process def->fss if relabel == true */ -- 2.24.1
On Thu, Feb 27, 2020 at 13:07:35 +0100, Michal Privoznik wrote:
Our decision whether to remember seclabel for a disk image depends on a few factors. If the image is readonly or shared or not top parent of a backing chain the remembering is suppressed
Note that 'top parent' is a term used in the block commit code and the top parent image there does not necessarily refer to the top of the disk backing chain. As of such you should refrain from using that term and use e.g. 'chain top'. Or perhaps better 'parentChainTop' or a variation. The secdriver code takes the 'parent' argument which is the top level image in the chain we want to relabel, but parent does not necessarily refer to the topmost image and you actually want to know if 'parent' is the topmost image.
for the image. However, the virSecurityManagerSetImageLabel() is too low level to determine whether passed @src is top parent or not. Even though it has domain definition available, in some cases (like snapshots or block copy) the @src is added to the definition only after the operation succeeded. Therefore, introduce a flag which callers can use to help us with the decision.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/security/security_dac.c | 16 +++++++++++----- src/security/security_manager.h | 1 + src/security/security_selinux.c | 18 ++++++++++++------ 3 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c index f412054d0e..3f8b04b307 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -889,14 +889,14 @@ static int virSecurityDACSetImageLabelInternal(virSecurityManagerPtr mgr, virDomainDefPtr def, virStorageSourcePtr src, - virStorageSourcePtr parent) + virStorageSourcePtr parent, + bool is_topparent) { virSecurityLabelDefPtr secdef; virSecurityDeviceLabelDefPtr disk_seclabel; virSecurityDeviceLabelDefPtr parent_seclabel = NULL; virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); bool remember; - bool is_toplevel = parent == src || parent->externalDataStore == src; uid_t user; gid_t group;
@@ -954,7 +954,7 @@ virSecurityDACSetImageLabelInternal(virSecurityManagerPtr mgr, * but the top layer, or read only image, or disk explicitly * marked as shared. */ - remember = is_toplevel && !src->readonly && !src->shared; + remember = is_topparent && !src->readonly && !src->shared;
return virSecurityDACSetOwnership(mgr, src, NULL, user, group, remember); } @@ -967,10 +967,13 @@ virSecurityDACSetImageLabelRelative(virSecurityManagerPtr mgr, virStorageSourcePtr parent, virSecurityDomainImageLabelFlags flags) { + bool is_topparent = flags & VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT; virStorageSourcePtr n;
+ flags &= ~VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT;
Clearing this here ...
+ for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) { - if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent) < 0) + if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent, is_topparent) < 0) return -1;
if (n->externalDataStore &&
... would skip the remembering for the top level image's external data store file imagelabel. Since the data store is equivalent to the top level image in terms of labelling we should restore the label there as well.
@@ -983,6 +986,8 @@ virSecurityDACSetImageLabelRelative(virSecurityManagerPtr mgr,
[...]
diff --git a/src/security/security_manager.h b/src/security/security_manager.h index b92ea5dc87..11904fda89 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -151,6 +151,7 @@ virSecurityManagerPtr* virSecurityManagerGetNested(virSecurityManagerPtr mgr);
typedef enum { VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN = 1 << 0, + VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT = 1 << 1,
Please add a comment stating what that flag means in addition to the name change.
} virSecurityDomainImageLabelFlags;
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 2241a35e6e..0aa0c2bb71 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c
[...]
@@ -1873,7 +1873,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr, return 0;
use_label = parent_seclabel->label; - } else if (is_toplevel) { + } else if (parent == src || parent->externalDataStore == src) { if (src->shared) { use_label = data->file_context; } else if (src->readonly) { @@ -1927,10 +1927,13 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityManagerPtr mgr, virStorageSourcePtr parent, virSecurityDomainImageLabelFlags flags) { + bool is_topparent = flags & VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT; virStorageSourcePtr n;
+ flags &= ~VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT; + for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) { - if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent) < 0) + if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent, is_topparent) < 0) return -1;
if (n->externalDataStore &&
Same as in the DAC driver.
@@ -1943,6 +1946,8 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityManagerPtr mgr,
if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)) break; + + is_topparent = false; }
return 0;
When preparing images for block jobs we modify their seclabels so that QEMU can open them. However, as mentioned in the previous commit, secdrivers base some it their decisions whether the image they are working on is top parent or not. Fortunately, in places where we call secdrivers we know this and the information can be passed to secdrivers. This fixes the problem described in the linked bugzilla. The problem is the following: after the first blockcommit from the base to one of the parents the XATTRs on the base image are not cleared and therefore the second attempt to do another blockcommit fails. This is caused by blockcommit code calling qemuSecuritySetImageLabel() over the base image and never calling the corresponding qemuSecurityRestoreImageLabel(). A naive fix would be to call the restore function. But this is not possible, because that would deny QEMU the access to the base image. Fortunately, we can use the fact that seclabels are remembered only for the top parent and not for the rest of the backing chain. And thanks to the previous commit we can tell secdrivers which images are top parents. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1803551 Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/qemu/qemu_backup.c | 4 ++-- src/qemu/qemu_blockjob.c | 6 ++++-- src/qemu/qemu_checkpoint.c | 6 ++++-- src/qemu/qemu_domain.c | 15 +++++++++++++-- src/qemu/qemu_domain.h | 3 ++- src/qemu/qemu_driver.c | 15 ++++++++++----- src/qemu/qemu_process.c | 2 +- src/qemu/qemu_security.c | 6 +++++- src/qemu/qemu_security.h | 3 ++- 9 files changed, 43 insertions(+), 17 deletions(-) diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c index 2cc6ff7a42..8b66ee8d1f 100644 --- a/src/qemu/qemu_backup.c +++ b/src/qemu/qemu_backup.c @@ -469,8 +469,8 @@ qemuBackupDiskPrepareOneStorage(virDomainObjPtr vm, dd->created = true; } - if (qemuDomainStorageSourceAccessAllow(priv->driver, vm, dd->store, false, - true) < 0) + if (qemuDomainStorageSourceAccessAllow(priv->driver, vm, dd->store, + false, true, true) < 0) return -1; dd->labelled = true; diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c index 71df0d1ab2..9db1b71a3e 100644 --- a/src/qemu/qemu_blockjob.c +++ b/src/qemu/qemu_blockjob.c @@ -1105,9 +1105,11 @@ qemuBlockJobProcessEventCompletedCommit(virQEMUDriverPtr driver, return; /* revert access to images */ - qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.base, true, false); + qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.base, + true, false, false); if (job->data.commit.topparent != job->disk->src) - qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.topparent, true, false); + qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.topparent, + true, false, false); baseparent->backingStore = NULL; job->data.commit.topparent->backingStore = job->data.commit.base; diff --git a/src/qemu/qemu_checkpoint.c b/src/qemu/qemu_checkpoint.c index c06bfe6a21..fe54af74ec 100644 --- a/src/qemu/qemu_checkpoint.c +++ b/src/qemu/qemu_checkpoint.c @@ -298,7 +298,8 @@ qemuCheckpointDiscardBitmaps(virDomainObjPtr vm, for (next = reopenimages; next; next = next->next) { virStorageSourcePtr src = next->data; - if (qemuDomainStorageSourceAccessAllow(driver, vm, src, false, false) < 0) + if (qemuDomainStorageSourceAccessAllow(driver, vm, src, + false, false, false) < 0) goto relabel; relabelimages = g_slist_prepend(relabelimages, src); @@ -313,7 +314,8 @@ qemuCheckpointDiscardBitmaps(virDomainObjPtr vm, for (next = relabelimages; next; next = next->next) { virStorageSourcePtr src = next->data; - ignore_value(qemuDomainStorageSourceAccessAllow(driver, vm, src, true, false)); + ignore_value(qemuDomainStorageSourceAccessAllow(driver, vm, src, + true, false, false)); } return rc; diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 3dfa71650d..32e8220d98 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -11589,6 +11589,8 @@ typedef enum { QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_SKIP_REVOKE = 1 << 4, /* VM already has access to the source and we are just modifying it */ QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_MODIFY_ACCESS = 1 << 5, + /* whether the image is top parent of backing chain */ + QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_TOP_PARENT = 1 << 6, } qemuDomainStorageSourceAccessFlags; @@ -11666,6 +11668,7 @@ qemuDomainStorageSourceAccessModify(virQEMUDriverPtr driver, bool force_ro = flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_FORCE_READ_ONLY; bool force_rw = flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_FORCE_READ_WRITE; bool revoke = flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_REVOKE; + bool topparent = flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_TOP_PARENT; int rc; bool was_readonly = src->readonly; bool revoke_cgroup = false; @@ -11712,7 +11715,7 @@ qemuDomainStorageSourceAccessModify(virQEMUDriverPtr driver, revoke_namespace = true; } - if (qemuSecuritySetImageLabel(driver, vm, src, chain) < 0) + if (qemuSecuritySetImageLabel(driver, vm, src, chain, topparent) < 0) goto revoke; revoke_label = true; @@ -11817,6 +11820,7 @@ qemuDomainStorageSourceAccessRevoke(virQEMUDriverPtr driver, * @elem: source structure to set access for * @readonly: setup read-only access if true * @newSource: @elem describes a storage source which @vm can't access yet + * @topparent: @elem is top parent of backing chain * * Allow a VM access to a single element of a disk backing chain; this helper * ensures that the lock manager, cgroup device controller, and security manager @@ -11824,13 +11828,17 @@ qemuDomainStorageSourceAccessRevoke(virQEMUDriverPtr driver, * * When modifying permissions of @elem which @vm can already access (is in the * backing chain) @newSource needs to be set to false. + * + * When the @elem is top parent of a backing chain, then @topparent must be + * true, otherwise it must be false. */ int qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr driver, virDomainObjPtr vm, virStorageSourcePtr elem, bool readonly, - bool newSource) + bool newSource, + bool topparent) { qemuDomainStorageSourceAccessFlags flags = QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_SKIP_REVOKE; @@ -11842,6 +11850,9 @@ qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr driver, if (!newSource) flags |= QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_MODIFY_ACCESS; + if (topparent) + flags |= QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_TOP_PARENT; + return qemuDomainStorageSourceAccessModify(driver, vm, elem, flags); } diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index f8fb48f2ff..f679cdbf09 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -896,7 +896,8 @@ int qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr driver, virDomainObjPtr vm, virStorageSourcePtr elem, bool readonly, - bool newSource); + bool newSource, + bool topparent); int qemuDomainPrepareStorageSourceBlockdev(virDomainDiskDefPtr disk, virStorageSourcePtr src, diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 35ade1ef37..39c29a0d47 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -15141,7 +15141,8 @@ qemuDomainSnapshotDiskPrepareOne(virQEMUDriverPtr driver, } /* set correct security, cgroup and locking options on the new image */ - if (qemuDomainStorageSourceAccessAllow(driver, vm, dd->src, false, true) < 0) + if (qemuDomainStorageSourceAccessAllow(driver, vm, dd->src, + false, true, true) < 0) return -1; dd->prepared = true; @@ -18489,9 +18490,11 @@ qemuDomainBlockCommit(virDomainPtr dom, * operation succeeds, but doing that requires tracking the * operation in XML across libvirtd restarts. */ clean_access = true; - if (qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, false, false) < 0 || + if (qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, + false, false, false) < 0 || (top_parent && top_parent != disk->src && - qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, false, false) < 0)) + qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, + false, false, false) < 0)) goto endjob; if (!(job = qemuBlockJobDiskNewCommit(vm, disk, top_parent, topSource, @@ -18551,9 +18554,11 @@ qemuDomainBlockCommit(virDomainPtr dom, virErrorPtr orig_err; virErrorPreserveLast(&orig_err); /* Revert access to read-only, if possible. */ - qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, true, false); + qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, + true, false, false); if (top_parent && top_parent != disk->src) - qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, true, false); + qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, + true, false, false); virErrorRestore(&orig_err); } diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index d9035055e8..425a21d77e 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -7851,7 +7851,7 @@ qemuProcessRefreshLegacyBlockjob(void *payload, (qemuDomainNamespaceSetupDisk(vm, disk->mirror) < 0 || qemuSetupImageChainCgroup(vm, disk->mirror) < 0 || qemuSecuritySetImageLabel(priv->driver, vm, disk->mirror, - true) < 0)) + true, false) < 0)) goto cleanup; } } diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c index 2aa2b5b9c6..ad9d0b8012 100644 --- a/src/qemu/qemu_security.c +++ b/src/qemu/qemu_security.c @@ -98,7 +98,8 @@ int qemuSecuritySetImageLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virStorageSourcePtr src, - bool backingChain) + bool backingChain, + bool topparent) { qemuDomainObjPrivatePtr priv = vm->privateData; pid_t pid = -1; @@ -108,6 +109,9 @@ qemuSecuritySetImageLabel(virQEMUDriverPtr driver, if (backingChain) labelFlags |= VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN; + if (topparent) + labelFlags |= VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT; + if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) pid = vm->pid; diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h index a8c648ece1..90ff660257 100644 --- a/src/qemu/qemu_security.h +++ b/src/qemu/qemu_security.h @@ -36,7 +36,8 @@ void qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver, int qemuSecuritySetImageLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, virStorageSourcePtr src, - bool backingChain); + bool backingChain, + bool topparent); int qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, -- 2.24.1
On Thu, Feb 27, 2020 at 13:07:36 +0100, Michal Privoznik wrote:
When preparing images for block jobs we modify their seclabels so that QEMU can open them. However, as mentioned in the previous commit, secdrivers base some it their decisions whether the image they are working on is top parent or not. Fortunately, in places
top of the backing chain
where we call secdrivers we know this and the information can be passed to secdrivers.
This fixes the problem described in the linked bugzilla. The
That's what patches usually do. Either state the problem or omit this sentece.
problem is the following: after the first blockcommit from the base to one of the parents the XATTRs on the base image are not cleared and therefore the second attempt to do another
Oh you do state the problem. So just omit that sentence.
blockcommit fails. This is caused by blockcommit code calling qemuSecuritySetImageLabel() over the base image and never calling the corresponding qemuSecurityRestoreImageLabel(). A naive fix would be to call the restore function. But this is not possible, because that would deny QEMU the access to the base image.
Well this kind of misleads. We want to modify the security label so that the VM has read-write or read-only access. The security label is then corrected by the call to another qemuSecuritySetImageLabel. You then correctly mention that using qemuSecurityRestoreImageLabel would cut the access to the image.
Fortunately, we can use the fact that seclabels are remembered only for the top parent and not for the rest of the backing
'top of backing chain'
chain. And thanks to the previous commit we can tell secdrivers which images are top parents.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1803551
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> --- src/qemu/qemu_backup.c | 4 ++-- src/qemu/qemu_blockjob.c | 6 ++++-- src/qemu/qemu_checkpoint.c | 6 ++++-- src/qemu/qemu_domain.c | 15 +++++++++++++-- src/qemu/qemu_domain.h | 3 ++- src/qemu/qemu_driver.c | 15 ++++++++++----- src/qemu/qemu_process.c | 2 +- src/qemu/qemu_security.c | 6 +++++- src/qemu/qemu_security.h | 3 ++- 9 files changed, 43 insertions(+), 17 deletions(-)
[...]
diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c index 71df0d1ab2..9db1b71a3e 100644 --- a/src/qemu/qemu_blockjob.c +++ b/src/qemu/qemu_blockjob.c @@ -1105,9 +1105,11 @@ qemuBlockJobProcessEventCompletedCommit(virQEMUDriverPtr driver, return;
/* revert access to images */ - qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.base, true, false); + qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.base, + true, false, false); if (job->data.commit.topparent != job->disk->src) - qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.topparent, true, false); + qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.topparent, + true, false, false);
Here you see the misleading name. This is called to relabel an image called 'topparent' but yet set the 'topparent' flag to false.
baseparent->backingStore = NULL; job->data.commit.topparent->backingStore = job->data.commit.base;
[...]
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 3dfa71650d..32e8220d98 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -11589,6 +11589,8 @@ typedef enum { QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_SKIP_REVOKE = 1 << 4, /* VM already has access to the source and we are just modifying it */ QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_MODIFY_ACCESS = 1 << 5, + /* whether the image is top parent of backing chain */ + QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_TOP_PARENT = 1 << 6,
whether the image is the top image of the backing chain (e.g. disk source) QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_CHAIN_TOP
} qemuDomainStorageSourceAccessFlags;
@@ -11817,6 +11820,7 @@ qemuDomainStorageSourceAccessRevoke(virQEMUDriverPtr driver, * @elem: source structure to set access for * @readonly: setup read-only access if true * @newSource: @elem describes a storage source which @vm can't access yet + * @topparent: @elem is top parent of backing chain * * Allow a VM access to a single element of a disk backing chain; this helper * ensures that the lock manager, cgroup device controller, and security manager @@ -11824,13 +11828,17 @@ qemuDomainStorageSourceAccessRevoke(virQEMUDriverPtr driver, * * When modifying permissions of @elem which @vm can already access (is in the * backing chain) @newSource needs to be set to false. + * + * When the @elem is top parent of a backing chain, then @topparent must be + * true, otherwise it must be false.
You want to specify this better. The flag must be set if the image is the topmost image of a given backing chain or meant to become the topmost image (for e.g. snapshots, or blockcopy or even in the end for active layer block commit, where we discard the top of the backing chain so one of the intermediates (the base) becomes the top of the chain.
*/ int qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr driver, virDomainObjPtr vm, virStorageSourcePtr elem, bool readonly, - bool newSource) + bool newSource, + bool topparent) { qemuDomainStorageSourceAccessFlags flags = QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_SKIP_REVOKE;
[...]
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 35ade1ef37..39c29a0d47 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -15141,7 +15141,8 @@ qemuDomainSnapshotDiskPrepareOne(virQEMUDriverPtr driver, }
/* set correct security, cgroup and locking options on the new image */ - if (qemuDomainStorageSourceAccessAllow(driver, vm, dd->src, false, true) < 0) + if (qemuDomainStorageSourceAccessAllow(driver, vm, dd->src, + false, true, true) < 0) return -1;
dd->prepared = true; @@ -18489,9 +18490,11 @@ qemuDomainBlockCommit(virDomainPtr dom, * operation succeeds, but doing that requires tracking the * operation in XML across libvirtd restarts. */ clean_access = true; - if (qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, false, false) < 0 || + if (qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, + false, false, false) < 0 ||
base may become the top layer of the chain after finishing the blockjob if we are doing an active commit. The finalizing code AFAIK does not relabel that image any more.
(top_parent && top_parent != disk->src && - qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, false, false) < 0)) + qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, + false, false, false) < 0)) goto endjob;
if (!(job = qemuBlockJobDiskNewCommit(vm, disk, top_parent, topSource, @@ -18551,9 +18554,11 @@ qemuDomainBlockCommit(virDomainPtr dom, virErrorPtr orig_err; virErrorPreserveLast(&orig_err); /* Revert access to read-only, if possible. */ - qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, true, false); + qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, + true, false, false);
Now this is fun. If this were an active block commit, the 'base' will no longer want to become the top image, so this might require some more trickery.
if (top_parent && top_parent != disk->src) - qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, true, false); + qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, + true, false, false);
virErrorRestore(&orig_err); } diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index d9035055e8..425a21d77e 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -7851,7 +7851,7 @@ qemuProcessRefreshLegacyBlockjob(void *payload, (qemuDomainNamespaceSetupDisk(vm, disk->mirror) < 0 || qemuSetupImageChainCgroup(vm, disk->mirror) < 0 || qemuSecuritySetImageLabel(priv->driver, vm, disk->mirror, - true) < 0)) + true, false) < 0))
disk->mirror is the top of the chain. It may eventually even become the source of the disk
goto cleanup; } }
This patch is not fixing qemuDomainStorageSourceChainAccessAllow which is also introducing new images (with backing chain) and neither the revoke functions used in hot-unplug where we remove the top image or in block copy finalizing where we unplug the whole old disk chain.
participants (2)
-
Michal Privoznik -
Peter Krempa