[libvirt] [PATCH] Fix sec label setup when attaching to QEMU processes

When attaching to a QEMU process, the def->seclabels array is going to be empty. The qemuProcessAttach method must thus populate it with data for the security drivers. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/qemu/qemu_process.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 1f00840..7d41c93 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -4479,6 +4479,7 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED, virDomainPausedReason reason; virSecurityLabelPtr seclabel = NULL; virSecurityLabelDefPtr seclabeldef = NULL; + bool seclabelgen = false; virSecurityManagerPtr* sec_managers = NULL; const char *model; virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver); @@ -4529,10 +4530,16 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED, goto error; for (i = 0; sec_managers[i]; i++) { + seclabelgen = false; + VIR_ERROR("Iter %zu", i); model = virSecurityManagerGetModel(sec_managers[i]); seclabeldef = virDomainDefGetSecurityLabelDef(vm->def, model); - if (seclabeldef == NULL) - goto error; + VIR_ERROR("model %s def %p", model, seclabeldef); + if (seclabeldef == NULL) { + if (!(seclabeldef = virDomainDefGenSecurityLabelDef(model))) + goto error; + seclabelgen = true; + } seclabeldef->type = VIR_DOMAIN_SECLABEL_STATIC; if (VIR_ALLOC(seclabel) < 0) goto error; @@ -4546,6 +4553,12 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED, if (VIR_STRDUP(seclabeldef->label, seclabel->label) < 0) goto error; VIR_FREE(seclabel); + + if (seclabelgen) { + if (VIR_APPEND_ELEMENT(vm->def->seclabels, vm->def->nseclabels, seclabeldef) < 0) + goto error; + seclabelgen = false; + } } VIR_DEBUG("Creating domain log file"); 
@@ -4692,6 +4705,8 @@ error: VIR_FORCE_CLOSE(logfile); VIR_FREE(seclabel); VIR_FREE(sec_managers); + if (seclabelgen) + virSecurityLabelDefFree(seclabeldef); virDomainChrSourceDefFree(monConfig); virObjectUnref(cfg); virObjectUnref(caps); -- 1.8.5.3
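
Review bot: In the hunk at @@ -4529,10 +4530,16 @@, the two added VIR_ERROR() calls ("Iter %zu" and "model %s def %p") report ordinary loop state at error level on every attach, including the raw seclabeldef pointer value. They read as debugging output and should be dropped, or turned into VIR_DEBUG(), before this is pushed. The new fallback from virDomainDefGetSecurityLabelDef() to virDomainDefGenSecurityLabelDef(model) would also benefit from a short comment saying that an empty def->seclabels is expected when attaching, since the removed lines treated the same NULL result as an error.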
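
Review bot: seclabelgen in the hunk at @@ -4546,6 +4553,12 @@ is an ownership flag, and nothing in the patch says so. It is set when virDomainDefGenSecurityLabelDef() allocates seclabeldef, cleared once VIR_APPEND_ELEMENT() has stored it in vm->def->seclabels, and is the sole condition for virSecurityLabelDefFree(seclabeldef) under error: in the hunk at @@ -4692,6 +4705,8 @@. A one-line comment at the declaration would make that contract explicit for anyone adding a goto error inside the loop later. Because the flag is already cleared right after the append, the extra "seclabelgen = false;" at the top of the loop body is redundant and could be dropped.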

On 03/11/2014 09:17 AM, Daniel P. Berrange wrote:
When attaching to a QEMU process, the def->seclabels array is going to be empty. The qemuProcessAttach method must thus populate it with data for the security drivers.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/qemu/qemu_process.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-)
@@ -4529,10 +4530,16 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED, goto error;
for (i = 0; sec_managers[i]; i++) { + seclabelgen = false; + VIR_ERROR("Iter %zu", i); model = virSecurityManagerGetModel(sec_managers[i]); seclabeldef = virDomainDefGetSecurityLabelDef(vm->def, model); - if (seclabeldef == NULL) - goto error; + VIR_ERROR("model %s def %p", model, seclabeldef);
Do you really want VIR_ERROR() in here, or was this debug printf?

Everything else makes sense; ACK.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On Tue, Mar 11, 2014 at 10:06:37AM -0600, Eric Blake wrote:
On 03/11/2014 09:17 AM, Daniel P. Berrange wrote:
When attaching to a QEMU process, the def->seclabels array is going to be empty. The qemuProcessAttach method must thus populate it with data for the security drivers.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/qemu/qemu_process.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-)
@@ -4529,10 +4530,16 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED, goto error;
for (i = 0; sec_managers[i]; i++) { + seclabelgen = false; + VIR_ERROR("Iter %zu", i); model = virSecurityManagerGetModel(sec_managers[i]); seclabeldef = virDomainDefGetSecurityLabelDef(vm->def, model); - if (seclabeldef == NULL) - goto error; + VIR_ERROR("model %s def %p", model, seclabeldef);
Do you really want VIR_ERROR() in here, or was this debug printf?
Everything else makes sense; ACK.
Lol, no, this was leftover debug cruft.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|