[libvirt] [PATCH v3] selinux: relabel tapfd in qemuPhysIfaceConnect

Relabeling tapfd right after the tap device is created. qemuPhysIfaceConnect is common function called both for static netdevs and for hotplug netdevs.
---
 src/qemu/qemu_command.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 0c0c400..81bed38 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -170,12 +170,21 @@ qemuPhysIfaceConnect(virDomainDefPtr def,
 vmop, driver->stateDir,
 virDomainNetGetActualBandwidth(net));
 if (rc >= 0) {
+ if (virSecurityManagerSetTapFDLabel(driver->securityManager,
+ def, rc) < 0)
+ goto error;
+
 virDomainAuditNetDevice(def, net, res_ifname, true);
 VIR_FREE(net->ifname);
 net->ifname = res_ifname;
 }
 return rc;
+
+error:
+ VIR_FREE(res_ifname);
+ VIR_FORCE_CLOSE(rc);
+ return -1;
 }
@@ -5425,10 +5434,6 @@ qemuBuildCommandLine(virConnectPtr conn,
 if (tapfd < 0)
 goto error;
- if (virSecurityManagerSetTapFDLabel(driver->securityManager,
- def, tapfd) < 0)
- goto error;
-
 last_good_net = i;
 virCommandTransferFD(cmd, tapfd);
--
1.7.11.4
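Review bot: A relabel failure in the new `goto error` path returns without any audit record, although the macvtap device has already been created at that point and the success path one line below records it with virDomainAuditNetDevice(..., true). If the audit log is relied on to account for every tap device this function creates, the failure branch should emit `virDomainAuditNetDevice(def, net, res_ifname, false);` before `goto error;`. The same gap is present in the v4 version of this hunk further down the thread. qemuPhysIfaceConnect's body begins outside the hunk.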

On 10/18/2012 12:56 PM, Guannan Ren wrote:
Relabeling tapfd right after the tap device is created. qemuPhysIfaceConnect is common function called both for static netdevs and for hotplug netdevs.
---
 src/qemu/qemu_command.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 0c0c400..81bed38 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -170,12 +170,21 @@ qemuPhysIfaceConnect(virDomainDefPtr def,
 vmop, driver->stateDir,
 virDomainNetGetActualBandwidth(net));
 if (rc >= 0) {
+ if (virSecurityManagerSetTapFDLabel(driver->securityManager,
+ def, rc) < 0)
+ goto error;
+
 virDomainAuditNetDevice(def, net, res_ifname, true);
 VIR_FREE(net->ifname);
 net->ifname = res_ifname;
 }
 return rc;
+
+error:
+ VIR_FREE(res_ifname);
+ VIR_FORCE_CLOSE(rc);
Sorry for dragging this on so much, but... If you just close the tapfd here, the macvtap device itself will still exist, and if it's in passthrough mode, the physdev will still have its mac address set to the guest's mac address, *and* if it was associated with an 802.1QbX switch, that association will still be live and there will still be a callback for it registered. Instead of directly closing the tapfd, you need to do the opposite of virNetDevMacVLanCreateWithVPortProfile, which is error: ignore_value(virNetDevMacVLanDeleteWithVPortProfile( res_ifname, &net->mac, virDomainNetGetActualDirectDev(net), virDomainNetGetActualDirectMode(net), virDomainNetGetActualVirtPortProfile(net), driver->stateDir)); VIR_FREE(res_ifname); return -1; (I *think* I got all those args correct, but you should check them to be sure)
+ return -1;
 }
@@ -5425,10 +5434,6 @@ qemuBuildCommandLine(virConnectPtr conn,
 if (tapfd < 0)
 goto error;
- if (virSecurityManagerSetTapFDLabel(driver->securityManager,
- def, tapfd) < 0)
- goto error;
-
 last_good_net = i;
 virCommandTransferFD(cmd, tapfd);

Relabeling tapfd right after the tap device is created. qemuPhysIfaceConnect is common function called both for static netdevs and for hotplug netdevs.
---
 src/qemu/qemu_command.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 9096b3c..0623c58 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -170,12 +170,26 @@ qemuPhysIfaceConnect(virDomainDefPtr def,
 vmop, driver->stateDir,
 virDomainNetGetActualBandwidth(net));
 if (rc >= 0) {
+ if (virSecurityManagerSetTapFDLabel(driver->securityManager,
+ def, rc) < 0)
+ goto error;
+
 virDomainAuditNetDevice(def, net, res_ifname, true);
 VIR_FREE(net->ifname);
 net->ifname = res_ifname;
 }
 return rc;
+
+error:
+ ignore_value(virNetDevMacVLanDeleteWithVPortProfile(
+ res_ifname, &net->mac,
+ virDomainNetGetActualDirectDev(net),
+ virDomainNetGetActualDirectMode(net),
+ virDomainNetGetActualVirtPortProfile(net),
+ driver->stateDir));
+ VIR_FREE(res_ifname);
+ return -1;
 }
@@ -5446,10 +5460,6 @@ qemuBuildCommandLine(virConnectPtr conn,
 if (tapfd < 0)
 goto error;
- if (virSecurityManagerSetTapFDLabel(driver->securityManager,
- def, tapfd) < 0)
- goto error;
-
 last_good_net = i;
 virCommandTransferFD(cmd, tapfd);
--
1.7.11.4
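Review bot: The `error:` path in this revision never closes the tap descriptor held in `rc`: v3 had `VIR_FORCE_CLOSE(rc);` there and v4 drops it while adding virNetDevMacVLanDeleteWithVPortProfile, which as far as the hunk shows removes the interface but does not close the fd this process opened on it. A failed virSecurityManagerSetTapFDLabel therefore leaves an open macvtap fd behind in libvirtd on every such failure, a point the ACK below does not cover. Keep `VIR_FORCE_CLOSE(rc);` next to the delete call, before `VIR_FREE(res_ifname);`. qemuPhysIfaceConnect's body begins outside the hunk.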

On 10/19/2012 04:44 AM, Guannan Ren wrote:
Relabeling tapfd right after the tap device is created. qemuPhysIfaceConnect is common function called both for static netdevs and for hotplug netdevs.
---
 src/qemu/qemu_command.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 9096b3c..0623c58 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -170,12 +170,26 @@ qemuPhysIfaceConnect(virDomainDefPtr def,
 vmop, driver->stateDir,
 virDomainNetGetActualBandwidth(net));
 if (rc >= 0) {
+ if (virSecurityManagerSetTapFDLabel(driver->securityManager,
+ def, rc) < 0)
+ goto error;
+
 virDomainAuditNetDevice(def, net, res_ifname, true);
 VIR_FREE(net->ifname);
 net->ifname = res_ifname;
 }
 return rc;
+
+error:
+ ignore_value(virNetDevMacVLanDeleteWithVPortProfile(
+ res_ifname, &net->mac,
+ virDomainNetGetActualDirectDev(net),
+ virDomainNetGetActualDirectMode(net),
+ virDomainNetGetActualVirtPortProfile(net),
+ driver->stateDir));
+ VIR_FREE(res_ifname);
+ return -1;
 }
@@ -5446,10 +5460,6 @@ qemuBuildCommandLine(virConnectPtr conn,
 if (tapfd < 0)
 goto error;
- if (virSecurityManagerSetTapFDLabel(driver->securityManager,
- def, tapfd) < 0)
- goto error;
-
 last_good_net = i;
 virCommandTransferFD(cmd, tapfd);
ACK.

On 10/19/2012 11:55 PM, Laine Stump wrote:
On 10/19/2012 04:44 AM, Guannan Ren wrote:
Relabeling tapfd right after the tap device is created. qemuPhysIfaceConnect is common function called both for static netdevs and for hotplug netdevs.
---
 src/qemu/qemu_command.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 9096b3c..0623c58 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -170,12 +170,26 @@ qemuPhysIfaceConnect(virDomainDefPtr def,
 vmop, driver->stateDir,
 virDomainNetGetActualBandwidth(net));
 if (rc >= 0) {
+ if (virSecurityManagerSetTapFDLabel(driver->securityManager,
+ def, rc) < 0)
+ goto error;
+
 virDomainAuditNetDevice(def, net, res_ifname, true);
 VIR_FREE(net->ifname);
 net->ifname = res_ifname;
 }
 return rc;
+
+error:
+ ignore_value(virNetDevMacVLanDeleteWithVPortProfile(
+ res_ifname, &net->mac,
+ virDomainNetGetActualDirectDev(net),
+ virDomainNetGetActualDirectMode(net),
+ virDomainNetGetActualVirtPortProfile(net),
+ driver->stateDir));
+ VIR_FREE(res_ifname);
+ return -1;
 }
@@ -5446,10 +5460,6 @@ qemuBuildCommandLine(virConnectPtr conn,
 if (tapfd < 0)
 goto error;
- if (virSecurityManagerSetTapFDLabel(driver->securityManager,
- def, tapfd) < 0)
- goto error;
-
 last_good_net = i;
 virCommandTransferFD(cmd, tapfd);
ACK.
Thanks and pushed. Guannan