11:56 a.m.
Relabeling tapfd right after the tap device is created.
qemuPhysIfaceConnect is common function called both for static
netdevs and for hotplug netdevs.
---
src/qemu/qemu_command.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 0c0c400..81bed38 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -170,12 +170,21 @@ qemuPhysIfaceConnect(virDomainDefPtr def,
vmop, driver->stateDir,
virDomainNetGetActualBandwidth(net));
if (rc >= 0) {
+ if (virSecurityManagerSetTapFDLabel(driver->securityManager,
+ def, rc) < 0)
+ goto error;
+
virDomainAuditNetDevice(def, net, res_ifname, true);
VIR_FREE(net->ifname);
net->ifname = res_ifname;
}
return rc;
+
+error:
+ VIR_FREE(res_ifname);
+ VIR_FORCE_CLOSE(rc);
+ return -1;
}
@@ -5425,10 +5434,6 @@ qemuBuildCommandLine(virConnectPtr conn,
if (tapfd < 0)
goto error;
- if (virSecurityManagerSetTapFDLabel(driver->securityManager,
- def, tapfd) < 0)
- goto error;
-
last_good_net = i;
virCommandTransferFD(cmd, tapfd);
--
1.7.11.4
12:36 p.m.
On 10/18/2012 12:56 PM, Guannan Ren wrote:
Relabeling tapfd right after the tap device is created.
qemuPhysIfaceConnect is common function called both for static
netdevs and for hotplug netdevs.
---
src/qemu/qemu_command.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 0c0c400..81bed38 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -170,12 +170,21 @@ qemuPhysIfaceConnect(virDomainDefPtr def,
vmop, driver->stateDir,
virDomainNetGetActualBandwidth(net));
if (rc >= 0) {
+ if (virSecurityManagerSetTapFDLabel(driver->securityManager,
+ def, rc) < 0)
+ goto error;
+
virDomainAuditNetDevice(def, net, res_ifname, true);
VIR_FREE(net->ifname);
net->ifname = res_ifname;
}
return rc;
+
+error:
+ VIR_FREE(res_ifname);
+ VIR_FORCE_CLOSE(rc);
Sorry for dragging this on so much, but...
If you just close the tapfd here, the macvtap device itself will still
exist, and if it's in passthrough mode, the physdev will still have its
mac address set to the guest's mac address, *and* if it was associated
with an 802.1QbX switch, that association will still be live and there
will still be a callback for it registered.
Instead of directly closing the tapfd, you need to do the opposite of
virNetDevMacVLanCreateWithVPortProfile, which is
error:
ignore_value(virNetDevMacVLanDeleteWithVPortProfile(
res_ifname, &net->mac,
virDomainNetGetActualDirectDev(net),
virDomainNetGetActualDirectMode(net),
virDomainNetGetActualVirtPortProfile(net),
driver->stateDir));
VIR_FREE(res_ifname);
return -1;
(I *think* I got all those args correct, but you should check them to be
sure)
+ return -1;
}
@@ -5425,10 +5434,6 @@ qemuBuildCommandLine(virConnectPtr conn,
if (tapfd < 0)
goto error;
- if (virSecurityManagerSetTapFDLabel(driver->securityManager,
- def, tapfd) < 0)
- goto error;
-
last_good_net = i;
virCommandTransferFD(cmd, tapfd);
3:44 a.m.
New subject: [libvirt] [PATCH v4] selinux: relabel tapfd in qemuPhysIfaceConnect
Relabeling tapfd right after the tap device is created.
qemuPhysIfaceConnect is common function called both for static
netdevs and for hotplug netdevs.
---
src/qemu/qemu_command.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 9096b3c..0623c58 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -170,12 +170,26 @@ qemuPhysIfaceConnect(virDomainDefPtr def,
vmop, driver->stateDir,
virDomainNetGetActualBandwidth(net));
if (rc >= 0) {
+ if (virSecurityManagerSetTapFDLabel(driver->securityManager,
+ def, rc) < 0)
+ goto error;
+
virDomainAuditNetDevice(def, net, res_ifname, true);
VIR_FREE(net->ifname);
net->ifname = res_ifname;
}
return rc;
+
+error:
+ ignore_value(virNetDevMacVLanDeleteWithVPortProfile(
+ res_ifname, &net->mac,
+ virDomainNetGetActualDirectDev(net),
+ virDomainNetGetActualDirectMode(net),
+ virDomainNetGetActualVirtPortProfile(net),
+ driver->stateDir));
+ VIR_FREE(res_ifname);
+ return -1;
}
@@ -5446,10 +5460,6 @@ qemuBuildCommandLine(virConnectPtr conn,
if (tapfd < 0)
goto error;
- if (virSecurityManagerSetTapFDLabel(driver->securityManager,
- def, tapfd) < 0)
- goto error;
-
last_good_net = i;
virCommandTransferFD(cmd, tapfd);
--
1.7.11.4
10:55 a.m.
New subject: [libvirt] [PATCH v4] selinux: relabel tapfd in qemuPhysIfaceConnect
On 10/19/2012 04:44 AM, Guannan Ren wrote:
Relabeling tapfd right after the tap device is created.
qemuPhysIfaceConnect is common function called both for static
netdevs and for hotplug netdevs.
---
src/qemu/qemu_command.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 9096b3c..0623c58 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -170,12 +170,26 @@ qemuPhysIfaceConnect(virDomainDefPtr def,
vmop, driver->stateDir,
virDomainNetGetActualBandwidth(net));
if (rc >= 0) {
+ if (virSecurityManagerSetTapFDLabel(driver->securityManager,
+ def, rc) < 0)
+ goto error;
+
virDomainAuditNetDevice(def, net, res_ifname, true);
VIR_FREE(net->ifname);
net->ifname = res_ifname;
}
return rc;
+
+error:
+ ignore_value(virNetDevMacVLanDeleteWithVPortProfile(
+ res_ifname, &net->mac,
+ virDomainNetGetActualDirectDev(net),
+ virDomainNetGetActualDirectMode(net),
+ virDomainNetGetActualVirtPortProfile(net),
+ driver->stateDir));
+ VIR_FREE(res_ifname);
+ return -1;
}
@@ -5446,10 +5460,6 @@ qemuBuildCommandLine(virConnectPtr conn,
if (tapfd < 0)
goto error;
- if (virSecurityManagerSetTapFDLabel(driver->securityManager,
- def, tapfd) < 0)
- goto error;
-
last_good_net = i;
virCommandTransferFD(cmd, tapfd);
ACK.
11:05 a.m.
New subject: [libvirt] [PATCH v4] selinux: relabel tapfd in qemuPhysIfaceConnect
On 10/19/2012 11:55 PM, Laine Stump wrote:
On 10/19/2012 04:44 AM, Guannan Ren wrote:
> Relabeling tapfd right after the tap device is created.
> qemuPhysIfaceConnect is common function called both for static
> netdevs and for hotplug netdevs.
> ---
> src/qemu/qemu_command.c | 18 ++++++++++++++----
> 1 file changed, 14 insertions(+), 4 deletions(-)
>
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index 9096b3c..0623c58 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -170,12 +170,26 @@ qemuPhysIfaceConnect(virDomainDefPtr def,
> vmop, driver->stateDir,
> virDomainNetGetActualBandwidth(net));
> if (rc >= 0) {
> + if (virSecurityManagerSetTapFDLabel(driver->securityManager,
> + def, rc) < 0)
> + goto error;
> +
> virDomainAuditNetDevice(def, net, res_ifname, true);
> VIR_FREE(net->ifname);
> net->ifname = res_ifname;
> }
>
> return rc;
> +
> +error:
> + ignore_value(virNetDevMacVLanDeleteWithVPortProfile(
> + res_ifname, &net->mac,
> + virDomainNetGetActualDirectDev(net),
> + virDomainNetGetActualDirectMode(net),
> + virDomainNetGetActualVirtPortProfile(net),
> + driver->stateDir));
> + VIR_FREE(res_ifname);
> + return -1;
> }
>
>
> @@ -5446,10 +5460,6 @@ qemuBuildCommandLine(virConnectPtr conn,
> if (tapfd < 0)
> goto error;
>
> - if (virSecurityManagerSetTapFDLabel(driver->securityManager,
> - def, tapfd) < 0)
> - goto error;
> -
> last_good_net = i;
> virCommandTransferFD(cmd, tapfd);
>
ACK.
Thanks and pushed.
Guannan
4418
days inactive
4419
days old
4 comments
2 participants
participants (2)
-
Guannan Ren -
Laine Stump