6:07 a.m.
See 2/2 for explanation.
Michal Prívozník (2):
security: Introduce VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT flag
qemu: Tell secdrivers which images are top parent
src/qemu/qemu_backup.c | 4 ++--
src/qemu/qemu_blockjob.c | 6 ++++--
src/qemu/qemu_checkpoint.c | 6 ++++--
src/qemu/qemu_domain.c | 15 +++++++++++++--
src/qemu/qemu_domain.h | 3 ++-
src/qemu/qemu_driver.c | 15 ++++++++++-----
src/qemu/qemu_process.c | 2 +-
src/qemu/qemu_security.c | 6 +++++-
src/qemu/qemu_security.h | 3 ++-
src/security/security_dac.c | 16 +++++++++++-----
src/security/security_manager.h | 1 +
src/security/security_selinux.c | 18 ++++++++++++------
12 files changed, 67 insertions(+), 28 deletions(-)
--
2.24.1
6:07 a.m.
New subject: [PATCH 1/2] security: Introduce VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT flag
Our decision whether to remember seclabel for a disk image
depends on a few factors. If the image is readonly or shared or
not top parent of a backing chain the remembering is suppressed
for the image. However, the virSecurityManagerSetImageLabel() is
too low level to determine whether passed @src is top parent or
not. Even though it has domain definition available, in some
cases (like snapshots or block copy) the @src is added to the
definition only after the operation succeeded. Therefore,
introduce a flag which callers can use to help us with the
decision.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/security/security_dac.c | 16 +++++++++++-----
src/security/security_manager.h | 1 +
src/security/security_selinux.c | 18 ++++++++++++------
3 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index f412054d0e..3f8b04b307 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -889,14 +889,14 @@ static int
virSecurityDACSetImageLabelInternal(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virStorageSourcePtr src,
- virStorageSourcePtr parent)
+ virStorageSourcePtr parent,
+ bool is_topparent)
{
virSecurityLabelDefPtr secdef;
virSecurityDeviceLabelDefPtr disk_seclabel;
virSecurityDeviceLabelDefPtr parent_seclabel = NULL;
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
bool remember;
- bool is_toplevel = parent == src || parent->externalDataStore == src;
uid_t user;
gid_t group;
@@ -954,7 +954,7 @@ virSecurityDACSetImageLabelInternal(virSecurityManagerPtr mgr,
* but the top layer, or read only image, or disk explicitly
* marked as shared.
*/
- remember = is_toplevel && !src->readonly && !src->shared;
+ remember = is_topparent && !src->readonly && !src->shared;
return virSecurityDACSetOwnership(mgr, src, NULL, user, group, remember);
}
@@ -967,10 +967,13 @@ virSecurityDACSetImageLabelRelative(virSecurityManagerPtr mgr,
virStorageSourcePtr parent,
virSecurityDomainImageLabelFlags flags)
{
+ bool is_topparent = flags & VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT;
virStorageSourcePtr n;
+ flags &= ~VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT;
+
for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
- if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent) < 0)
+ if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent, is_topparent) <
0)
return -1;
if (n->externalDataStore &&
@@ -983,6 +986,8 @@ virSecurityDACSetImageLabelRelative(virSecurityManagerPtr mgr,
if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
break;
+
+ is_topparent = false;
}
return 0;
@@ -2114,7 +2119,8 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
if (virDomainDiskGetType(def->disks[i]) == VIR_STORAGE_TYPE_DIR)
continue;
if (virSecurityDACSetImageLabel(mgr, def, def->disks[i]->src,
- VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN)
< 0)
+ VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN |
+ VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT) < 0)
return -1;
}
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index b92ea5dc87..11904fda89 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -151,6 +151,7 @@ virSecurityManagerPtr*
virSecurityManagerGetNested(virSecurityManagerPtr mgr);
typedef enum {
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN = 1 << 0,
+ VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT = 1 << 1,
} virSecurityDomainImageLabelFlags;
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 2241a35e6e..0aa0c2bb71 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1824,7 +1824,8 @@ static int
virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virStorageSourcePtr src,
- virStorageSourcePtr parent)
+ virStorageSourcePtr parent,
+ bool is_topparent)
{
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
virSecurityLabelDefPtr secdef;
@@ -1832,7 +1833,6 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
virSecurityDeviceLabelDefPtr parent_seclabel = NULL;
char *use_label = NULL;
bool remember;
- bool is_toplevel = parent == src || parent->externalDataStore == src;
g_autofree char *vfioGroupDev = NULL;
const char *path = src->path;
int ret;
@@ -1856,7 +1856,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
* but the top layer, or read only image, or disk explicitly
* marked as shared.
*/
- remember = is_toplevel && !src->readonly && !src->shared;
+ remember = is_topparent && !src->readonly && !src->shared;
disk_seclabel = virStorageSourceGetSecurityLabelDef(src,
SECURITY_SELINUX_NAME);
@@ -1873,7 +1873,7 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
return 0;
use_label = parent_seclabel->label;
- } else if (is_toplevel) {
+ } else if (parent == src || parent->externalDataStore == src) {
if (src->shared) {
use_label = data->file_context;
} else if (src->readonly) {
@@ -1927,10 +1927,13 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityManagerPtr
mgr,
virStorageSourcePtr parent,
virSecurityDomainImageLabelFlags flags)
{
+ bool is_topparent = flags & VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT;
virStorageSourcePtr n;
+ flags &= ~VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT;
+
for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
- if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent) < 0)
+ if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent, is_topparent)
< 0)
return -1;
if (n->externalDataStore &&
@@ -1943,6 +1946,8 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityManagerPtr mgr,
if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
break;
+
+ is_topparent = false;
}
return 0;
@@ -3146,7 +3151,8 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
continue;
}
if (virSecuritySELinuxSetImageLabel(mgr, def, def->disks[i]->src,
-
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN) < 0)
+ VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN
|
+ VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT) <
0)
return -1;
}
/* XXX fixme process def->fss if relabel == true */
--
2.24.1
2:03 a.m.
New subject: [PATCH 1/2] security: Introduce VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT flag
On Thu, Feb 27, 2020 at 13:07:35 +0100, Michal Privoznik wrote:
Our decision whether to remember seclabel for a disk image
depends on a few factors. If the image is readonly or shared or
not top parent of a backing chain the remembering is suppressed
Note that 'top parent' is a term used in the block commit code and the
top parent image there does not necessarily refer to the top of the disk
backing chain. As of such you should refrain from using that term and
use e.g. 'chain top'. Or perhaps better 'parentChainTop' or a variation.
The secdriver code takes the 'parent' argument which is the top level
image in the chain we want to relabel, but parent does not necessarily
refer to the topmost image and you actually want to know if 'parent' is
the topmost image.
for the image. However, the virSecurityManagerSetImageLabel() is
too low level to determine whether passed @src is top parent or
not. Even though it has domain definition available, in some
cases (like snapshots or block copy) the @src is added to the
definition only after the operation succeeded. Therefore,
introduce a flag which callers can use to help us with the
decision.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/security/security_dac.c | 16 +++++++++++-----
src/security/security_manager.h | 1 +
src/security/security_selinux.c | 18 ++++++++++++------
3 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index f412054d0e..3f8b04b307 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -889,14 +889,14 @@ static int
virSecurityDACSetImageLabelInternal(virSecurityManagerPtr mgr,
virDomainDefPtr def,
virStorageSourcePtr src,
- virStorageSourcePtr parent)
+ virStorageSourcePtr parent,
+ bool is_topparent)
{
virSecurityLabelDefPtr secdef;
virSecurityDeviceLabelDefPtr disk_seclabel;
virSecurityDeviceLabelDefPtr parent_seclabel = NULL;
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
bool remember;
- bool is_toplevel = parent == src || parent->externalDataStore == src;
uid_t user;
gid_t group;
@@ -954,7 +954,7 @@ virSecurityDACSetImageLabelInternal(virSecurityManagerPtr mgr,
* but the top layer, or read only image, or disk explicitly
* marked as shared.
*/
- remember = is_toplevel && !src->readonly && !src->shared;
+ remember = is_topparent && !src->readonly && !src->shared;
return virSecurityDACSetOwnership(mgr, src, NULL, user, group, remember);
}
@@ -967,10 +967,13 @@ virSecurityDACSetImageLabelRelative(virSecurityManagerPtr mgr,
virStorageSourcePtr parent,
virSecurityDomainImageLabelFlags flags)
{
+ bool is_topparent = flags & VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT;
virStorageSourcePtr n;
+ flags &= ~VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT;
Clearing this here ...
+
for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
- if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent) < 0)
+ if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent, is_topparent) <
0)
return -1;
if (n->externalDataStore &&
... would skip the remembering for the top level image's external data
store file imagelabel. Since the data store is equivalent to the top
level image in terms of labelling we should restore the label there as
well.
@@ -983,6 +986,8 @@
virSecurityDACSetImageLabelRelative(virSecurityManagerPtr mgr,
[...]
diff --git a/src/security/security_manager.h
b/src/security/security_manager.h
index b92ea5dc87..11904fda89 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -151,6 +151,7 @@ virSecurityManagerPtr*
virSecurityManagerGetNested(virSecurityManagerPtr mgr);
typedef enum {
VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN = 1 << 0,
+ VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT = 1 << 1,
Please add a comment stating what that flag means in addition to the
name change.
} virSecurityDomainImageLabelFlags;
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 2241a35e6e..0aa0c2bb71 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
[...]
@@ -1873,7 +1873,7 @@
virSecuritySELinuxSetImageLabelInternal(virSecurityManagerPtr mgr,
return 0;
use_label = parent_seclabel->label;
- } else if (is_toplevel) {
+ } else if (parent == src || parent->externalDataStore == src) {
if (src->shared) {
use_label = data->file_context;
} else if (src->readonly) {
@@ -1927,10 +1927,13 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityManagerPtr
mgr,
virStorageSourcePtr parent,
virSecurityDomainImageLabelFlags flags)
{
+ bool is_topparent = flags & VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT;
virStorageSourcePtr n;
+ flags &= ~VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT;
+
for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
- if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent) < 0)
+ if (virSecuritySELinuxSetImageLabelInternal(mgr, def, n, parent, is_topparent)
< 0)
return -1;
if (n->externalDataStore &&
Same as in the DAC driver.
@@ -1943,6 +1946,8 @@
virSecuritySELinuxSetImageLabelRelative(virSecurityManagerPtr mgr,
if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
break;
+
+ is_topparent = false;
}
return 0;
6:07 a.m.
New subject: [PATCH 2/2] qemu: Tell secdrivers which images are top parent
When preparing images for block jobs we modify their seclabels so
that QEMU can open them. However, as mentioned in the previous
commit, secdrivers base some it their decisions whether the image
they are working on is top parent or not. Fortunately, in places
where we call secdrivers we know this and the information can be
passed to secdrivers.
This fixes the problem described in the linked bugzilla. The
problem is the following: after the first blockcommit from the
base to one of the parents the XATTRs on the base image are not
cleared and therefore the second attempt to do another
blockcommit fails. This is caused by blockcommit code calling
qemuSecuritySetImageLabel() over the base image and never calling
the corresponding qemuSecurityRestoreImageLabel(). A naive fix
would be to call the restore function. But this is not possible,
because that would deny QEMU the access to the base image.
Fortunately, we can use the fact that seclabels are remembered
only for the top parent and not for the rest of the backing
chain. And thanks to the previous commit we can tell secdrivers
which images are top parents.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1803551
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_backup.c | 4 ++--
src/qemu/qemu_blockjob.c | 6 ++++--
src/qemu/qemu_checkpoint.c | 6 ++++--
src/qemu/qemu_domain.c | 15 +++++++++++++--
src/qemu/qemu_domain.h | 3 ++-
src/qemu/qemu_driver.c | 15 ++++++++++-----
src/qemu/qemu_process.c | 2 +-
src/qemu/qemu_security.c | 6 +++++-
src/qemu/qemu_security.h | 3 ++-
9 files changed, 43 insertions(+), 17 deletions(-)
diff --git a/src/qemu/qemu_backup.c b/src/qemu/qemu_backup.c
index 2cc6ff7a42..8b66ee8d1f 100644
--- a/src/qemu/qemu_backup.c
+++ b/src/qemu/qemu_backup.c
@@ -469,8 +469,8 @@ qemuBackupDiskPrepareOneStorage(virDomainObjPtr vm,
dd->created = true;
}
- if (qemuDomainStorageSourceAccessAllow(priv->driver, vm, dd->store, false,
- true) < 0)
+ if (qemuDomainStorageSourceAccessAllow(priv->driver, vm, dd->store,
+ false, true, true) < 0)
return -1;
dd->labelled = true;
diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
index 71df0d1ab2..9db1b71a3e 100644
--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
@@ -1105,9 +1105,11 @@ qemuBlockJobProcessEventCompletedCommit(virQEMUDriverPtr driver,
return;
/* revert access to images */
- qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.base, true,
false);
+ qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.base,
+ true, false, false);
if (job->data.commit.topparent != job->disk->src)
- qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.topparent,
true, false);
+ qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.topparent,
+ true, false, false);
baseparent->backingStore = NULL;
job->data.commit.topparent->backingStore = job->data.commit.base;
diff --git a/src/qemu/qemu_checkpoint.c b/src/qemu/qemu_checkpoint.c
index c06bfe6a21..fe54af74ec 100644
--- a/src/qemu/qemu_checkpoint.c
+++ b/src/qemu/qemu_checkpoint.c
@@ -298,7 +298,8 @@ qemuCheckpointDiscardBitmaps(virDomainObjPtr vm,
for (next = reopenimages; next; next = next->next) {
virStorageSourcePtr src = next->data;
- if (qemuDomainStorageSourceAccessAllow(driver, vm, src, false, false) < 0)
+ if (qemuDomainStorageSourceAccessAllow(driver, vm, src,
+ false, false, false) < 0)
goto relabel;
relabelimages = g_slist_prepend(relabelimages, src);
@@ -313,7 +314,8 @@ qemuCheckpointDiscardBitmaps(virDomainObjPtr vm,
for (next = relabelimages; next; next = next->next) {
virStorageSourcePtr src = next->data;
- ignore_value(qemuDomainStorageSourceAccessAllow(driver, vm, src, true, false));
+ ignore_value(qemuDomainStorageSourceAccessAllow(driver, vm, src,
+ true, false, false));
}
return rc;
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 3dfa71650d..32e8220d98 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -11589,6 +11589,8 @@ typedef enum {
QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_SKIP_REVOKE = 1 << 4,
/* VM already has access to the source and we are just modifying it */
QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_MODIFY_ACCESS = 1 << 5,
+ /* whether the image is top parent of backing chain */
+ QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_TOP_PARENT = 1 << 6,
} qemuDomainStorageSourceAccessFlags;
@@ -11666,6 +11668,7 @@ qemuDomainStorageSourceAccessModify(virQEMUDriverPtr driver,
bool force_ro = flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_FORCE_READ_ONLY;
bool force_rw = flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_FORCE_READ_WRITE;
bool revoke = flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_REVOKE;
+ bool topparent = flags & QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_TOP_PARENT;
int rc;
bool was_readonly = src->readonly;
bool revoke_cgroup = false;
@@ -11712,7 +11715,7 @@ qemuDomainStorageSourceAccessModify(virQEMUDriverPtr driver,
revoke_namespace = true;
}
- if (qemuSecuritySetImageLabel(driver, vm, src, chain) < 0)
+ if (qemuSecuritySetImageLabel(driver, vm, src, chain, topparent) < 0)
goto revoke;
revoke_label = true;
@@ -11817,6 +11820,7 @@ qemuDomainStorageSourceAccessRevoke(virQEMUDriverPtr driver,
* @elem: source structure to set access for
* @readonly: setup read-only access if true
* @newSource: @elem describes a storage source which @vm can't access yet
+ * @topparent: @elem is top parent of backing chain
*
* Allow a VM access to a single element of a disk backing chain; this helper
* ensures that the lock manager, cgroup device controller, and security manager
@@ -11824,13 +11828,17 @@ qemuDomainStorageSourceAccessRevoke(virQEMUDriverPtr driver,
*
* When modifying permissions of @elem which @vm can already access (is in the
* backing chain) @newSource needs to be set to false.
+ *
+ * When the @elem is top parent of a backing chain, then @topparent must be
+ * true, otherwise it must be false.
*/
int
qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virStorageSourcePtr elem,
bool readonly,
- bool newSource)
+ bool newSource,
+ bool topparent)
{
qemuDomainStorageSourceAccessFlags flags =
QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_SKIP_REVOKE;
@@ -11842,6 +11850,9 @@ qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr driver,
if (!newSource)
flags |= QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_MODIFY_ACCESS;
+ if (topparent)
+ flags |= QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_TOP_PARENT;
+
return qemuDomainStorageSourceAccessModify(driver, vm, elem, flags);
}
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index f8fb48f2ff..f679cdbf09 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -896,7 +896,8 @@ int qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virStorageSourcePtr elem,
bool readonly,
- bool newSource);
+ bool newSource,
+ bool topparent);
int qemuDomainPrepareStorageSourceBlockdev(virDomainDiskDefPtr disk,
virStorageSourcePtr src,
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 35ade1ef37..39c29a0d47 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -15141,7 +15141,8 @@ qemuDomainSnapshotDiskPrepareOne(virQEMUDriverPtr driver,
}
/* set correct security, cgroup and locking options on the new image */
- if (qemuDomainStorageSourceAccessAllow(driver, vm, dd->src, false, true) < 0)
+ if (qemuDomainStorageSourceAccessAllow(driver, vm, dd->src,
+ false, true, true) < 0)
return -1;
dd->prepared = true;
@@ -18489,9 +18490,11 @@ qemuDomainBlockCommit(virDomainPtr dom,
* operation succeeds, but doing that requires tracking the
* operation in XML across libvirtd restarts. */
clean_access = true;
- if (qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, false, false) < 0
||
+ if (qemuDomainStorageSourceAccessAllow(driver, vm, baseSource,
+ false, false, false) < 0 ||
(top_parent && top_parent != disk->src &&
- qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, false, false) <
0))
+ qemuDomainStorageSourceAccessAllow(driver, vm, top_parent,
+ false, false, false) < 0))
goto endjob;
if (!(job = qemuBlockJobDiskNewCommit(vm, disk, top_parent, topSource,
@@ -18551,9 +18554,11 @@ qemuDomainBlockCommit(virDomainPtr dom,
virErrorPtr orig_err;
virErrorPreserveLast(&orig_err);
/* Revert access to read-only, if possible. */
- qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, true, false);
+ qemuDomainStorageSourceAccessAllow(driver, vm, baseSource,
+ true, false, false);
if (top_parent && top_parent != disk->src)
- qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, true, false);
+ qemuDomainStorageSourceAccessAllow(driver, vm, top_parent,
+ true, false, false);
virErrorRestore(&orig_err);
}
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index d9035055e8..425a21d77e 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -7851,7 +7851,7 @@ qemuProcessRefreshLegacyBlockjob(void *payload,
(qemuDomainNamespaceSetupDisk(vm, disk->mirror) < 0 ||
qemuSetupImageChainCgroup(vm, disk->mirror) < 0 ||
qemuSecuritySetImageLabel(priv->driver, vm, disk->mirror,
- true) < 0))
+ true, false) < 0))
goto cleanup;
}
}
diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
index 2aa2b5b9c6..ad9d0b8012 100644
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@@ -98,7 +98,8 @@ int
qemuSecuritySetImageLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virStorageSourcePtr src,
- bool backingChain)
+ bool backingChain,
+ bool topparent)
{
qemuDomainObjPrivatePtr priv = vm->privateData;
pid_t pid = -1;
@@ -108,6 +109,9 @@ qemuSecuritySetImageLabel(virQEMUDriverPtr driver,
if (backingChain)
labelFlags |= VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN;
+ if (topparent)
+ labelFlags |= VIR_SECURITY_DOMAIN_IMAGE_TOP_PARENT;
+
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
pid = vm->pid;
diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h
index a8c648ece1..90ff660257 100644
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@@ -36,7 +36,8 @@ void qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver,
int qemuSecuritySetImageLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virStorageSourcePtr src,
- bool backingChain);
+ bool backingChain,
+ bool topparent);
int qemuSecurityRestoreImageLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
--
2.24.1
2:24 a.m.
New subject: [PATCH 2/2] qemu: Tell secdrivers which images are top parent
On Thu, Feb 27, 2020 at 13:07:36 +0100, Michal Privoznik wrote:
When preparing images for block jobs we modify their seclabels so
that QEMU can open them. However, as mentioned in the previous
commit, secdrivers base some it their decisions whether the image
they are working on is top parent or not. Fortunately, in places
top of the backing chain
where we call secdrivers we know this and the information can be
passed to secdrivers.
This fixes the problem described in the linked bugzilla. The
That's what patches usually do. Either state the problem or omit this
sentece.
problem is the following: after the first blockcommit from the
base to one of the parents the XATTRs on the base image are not
cleared and therefore the second attempt to do another
Oh you do state the problem. So just omit that sentence.
blockcommit fails. This is caused by blockcommit code calling
qemuSecuritySetImageLabel() over the base image and never calling
the corresponding qemuSecurityRestoreImageLabel(). A naive fix
would be to call the restore function. But this is not possible,
because that would deny QEMU the access to the base image.
Well this kind of misleads. We want to modify the security label so that
the VM has read-write or read-only access. The security label is then
corrected by the call to another qemuSecuritySetImageLabel. You then
correctly mention that using qemuSecurityRestoreImageLabel would cut the
access to the image.
Fortunately, we can use the fact that seclabels are remembered
only for the top parent and not for the rest of the backing
'top of backing chain'
chain. And thanks to the previous commit we can tell secdrivers
which images are top parents.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1803551
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_backup.c | 4 ++--
src/qemu/qemu_blockjob.c | 6 ++++--
src/qemu/qemu_checkpoint.c | 6 ++++--
src/qemu/qemu_domain.c | 15 +++++++++++++--
src/qemu/qemu_domain.h | 3 ++-
src/qemu/qemu_driver.c | 15 ++++++++++-----
src/qemu/qemu_process.c | 2 +-
src/qemu/qemu_security.c | 6 +++++-
src/qemu/qemu_security.h | 3 ++-
9 files changed, 43 insertions(+), 17 deletions(-)
[...]
diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
index 71df0d1ab2..9db1b71a3e 100644
--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
@@ -1105,9 +1105,11 @@ qemuBlockJobProcessEventCompletedCommit(virQEMUDriverPtr driver,
return;
/* revert access to images */
- qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.base, true,
false);
+ qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.base,
+ true, false, false);
if (job->data.commit.topparent != job->disk->src)
- qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.topparent,
true, false);
+ qemuDomainStorageSourceAccessAllow(driver, vm, job->data.commit.topparent,
+ true, false, false);
Here you see the misleading name. This is called to relabel an image
called 'topparent' but yet set the 'topparent' flag to false.
baseparent->backingStore = NULL;
job->data.commit.topparent->backingStore = job->data.commit.base;
[...]
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 3dfa71650d..32e8220d98 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -11589,6 +11589,8 @@ typedef enum {
QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_SKIP_REVOKE = 1 << 4,
/* VM already has access to the source and we are just modifying it */
QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_MODIFY_ACCESS = 1 << 5,
+ /* whether the image is top parent of backing chain */
+ QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_TOP_PARENT = 1 << 6,
whether the image is the top image of the backing chain (e.g. disk source)
QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_CHAIN_TOP
} qemuDomainStorageSourceAccessFlags;
@@ -11817,6 +11820,7 @@ qemuDomainStorageSourceAccessRevoke(virQEMUDriverPtr driver,
* @elem: source structure to set access for
* @readonly: setup read-only access if true
* @newSource: @elem describes a storage source which @vm can't access yet
+ * @topparent: @elem is top parent of backing chain
*
* Allow a VM access to a single element of a disk backing chain; this helper
* ensures that the lock manager, cgroup device controller, and security manager
@@ -11824,13 +11828,17 @@ qemuDomainStorageSourceAccessRevoke(virQEMUDriverPtr driver,
*
* When modifying permissions of @elem which @vm can already access (is in the
* backing chain) @newSource needs to be set to false.
+ *
+ * When the @elem is top parent of a backing chain, then @topparent must be
+ * true, otherwise it must be false.
You want to specify this better. The flag must be set if the image is
the topmost image of a given backing chain or meant to become the
topmost image (for e.g. snapshots, or blockcopy or even in the end for
active layer block commit, where we discard the top of the backing chain
so one of the intermediates (the base) becomes the top of the chain.
*/
int
qemuDomainStorageSourceAccessAllow(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virStorageSourcePtr elem,
bool readonly,
- bool newSource)
+ bool newSource,
+ bool topparent)
{
qemuDomainStorageSourceAccessFlags flags =
QEMU_DOMAIN_STORAGE_SOURCE_ACCESS_SKIP_REVOKE;
[...]
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 35ade1ef37..39c29a0d47 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -15141,7 +15141,8 @@ qemuDomainSnapshotDiskPrepareOne(virQEMUDriverPtr driver,
}
/* set correct security, cgroup and locking options on the new image */
- if (qemuDomainStorageSourceAccessAllow(driver, vm, dd->src, false, true) < 0)
+ if (qemuDomainStorageSourceAccessAllow(driver, vm, dd->src,
+ false, true, true) < 0)
return -1;
dd->prepared = true;
@@ -18489,9 +18490,11 @@ qemuDomainBlockCommit(virDomainPtr dom,
* operation succeeds, but doing that requires tracking the
* operation in XML across libvirtd restarts. */
clean_access = true;
- if (qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, false, false) < 0
||
+ if (qemuDomainStorageSourceAccessAllow(driver, vm, baseSource,
+ false, false, false) < 0 ||
base may become the top layer of the chain after finishing the blockjob
if we are doing an active commit. The finalizing code AFAIK does not
relabel that image any more.
(top_parent && top_parent != disk->src
&&
- qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, false, false) <
0))
+ qemuDomainStorageSourceAccessAllow(driver, vm, top_parent,
+ false, false, false) < 0))
goto endjob;
if (!(job = qemuBlockJobDiskNewCommit(vm, disk, top_parent, topSource,
@@ -18551,9 +18554,11 @@ qemuDomainBlockCommit(virDomainPtr dom,
virErrorPtr orig_err;
virErrorPreserveLast(&orig_err);
/* Revert access to read-only, if possible. */
- qemuDomainStorageSourceAccessAllow(driver, vm, baseSource, true, false);
+ qemuDomainStorageSourceAccessAllow(driver, vm, baseSource,
+ true, false, false);
Now this is fun. If this were an active block commit, the 'base' will no
longer want to become the top image, so this might require some more
trickery.
if (top_parent && top_parent != disk->src)
- qemuDomainStorageSourceAccessAllow(driver, vm, top_parent, true, false);
+ qemuDomainStorageSourceAccessAllow(driver, vm, top_parent,
+ true, false, false);
virErrorRestore(&orig_err);
}
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index d9035055e8..425a21d77e 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -7851,7 +7851,7 @@ qemuProcessRefreshLegacyBlockjob(void *payload,
(qemuDomainNamespaceSetupDisk(vm, disk->mirror) < 0 ||
qemuSetupImageChainCgroup(vm, disk->mirror) < 0 ||
qemuSecuritySetImageLabel(priv->driver, vm, disk->mirror,
- true) < 0))
+ true, false) < 0))
disk->mirror is the top of the chain. It may eventually even become the
source of the disk
goto cleanup;
}
}
This patch is not fixing qemuDomainStorageSourceChainAccessAllow which
is also introducing new images (with backing chain) and neither the
revoke functions used in hot-unplug where we remove the top image or in
block copy finalizing where we unplug the whole old disk chain.
1728
days inactive
1729
days old
4 comments
2 participants
participants (2)
-
Michal Privoznik -
Peter Krempa