7:14 a.m.
When starting a domain, if we find out domain requests security drivers
we do not have loaded, we fail. However we don't check for this during
reconnect, so any operation relying on security driver functionality would fail.
If someone e.g. starts a domain with selinux driver loaded, then they turn off
the security driver in config, restart the daemon and call dump/save/..,
QEMU returns an error.
As we shouldn't kill the domain, we should at least log an error to let the
user know that domain reconnect wasn't completely clean.
https://bugzilla.redhat.com/show_bug.cgi?id=1183893
---
src/qemu/qemu_process.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 56719eb..8da79e5 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -3747,6 +3747,12 @@ qemuProcessReconnect(void *opaque)
if ((qemuDomainAssignAddresses(obj->def, priv->qemuCaps, obj)) < 0)
goto error;
+ /* if domain requests security driver we haven't loaded, report error, but
+ * do not kill the domain
+ */
+ ignore_value(virSecurityManagerCheckAllLabel(driver->securityManager,
+ obj->def));
+
if (virSecurityManagerReserveLabel(driver->securityManager, obj->def,
obj->pid) < 0)
goto error;
--
1.9.3
8:09 a.m.
On Tue, May 05, 2015 at 02:14:24PM +0200, Erik Skultety wrote:
When starting a domain, if we find out domain requests security
drivers
we do not have loaded, we fail. However we don't check for this during
reconnect, so any operation relying on security driver functionality would fail.
If someone e.g. starts a domain with selinux driver loaded, then they turn off
the security driver in config, restart the daemon and call dump/save/..,
QEMU returns an error.
As we shouldn't kill the domain, we should at least log an error to let the
user know that domain reconnect wasn't completely clean.
https://bugzilla.redhat.com/show_bug.cgi?id=1183893
---
src/qemu/qemu_process.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 56719eb..8da79e5 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -3747,6 +3747,12 @@ qemuProcessReconnect(void *opaque)
if ((qemuDomainAssignAddresses(obj->def, priv->qemuCaps, obj)) < 0)
goto error;
+ /* if domain requests security driver we haven't loaded, report error, but
+ * do not kill the domain
+ */
+ ignore_value(virSecurityManagerCheckAllLabel(driver->securityManager,
+ obj->def));
+
Shouldn't you reset any possible error after that?
if (virSecurityManagerReserveLabel(driver->securityManager,
obj->def, obj->pid) < 0)
goto error;
--
1.9.3
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
5:21 a.m.
On Tue, May 05, 2015 at 03:09:12PM +0200, Martin Kletzander wrote:
On Tue, May 05, 2015 at 02:14:24PM +0200, Erik Skultety wrote:
>When starting a domain, if we find out domain requests security drivers
>we do not have loaded, we fail. However we don't check for this during
>reconnect, so any operation relying on security driver functionality would fail.
>If someone e.g. starts a domain with selinux driver loaded, then they turn off
>the security driver in config, restart the daemon and call dump/save/..,
>QEMU returns an error.
>As we shouldn't kill the domain, we should at least log an error to let the
>user know that domain reconnect wasn't completely clean.
>
>https://bugzilla.redhat.com/show_bug.cgi?id=1183893
>---
> src/qemu/qemu_process.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
ACK
>diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
>index 56719eb..8da79e5 100644
>--- a/src/qemu/qemu_process.c
>+++ b/src/qemu/qemu_process.c
>@@ -3747,6 +3747,12 @@ qemuProcessReconnect(void *opaque)
> if ((qemuDomainAssignAddresses(obj->def, priv->qemuCaps, obj)) <
0)
> goto error;
>
>+ /* if domain requests security driver we haven't loaded, report error, but
>+ * do not kill the domain
>+ */
>+ ignore_value(virSecurityManagerCheckAllLabel(driver->securityManager,
>+ obj->def));
>+
Shouldn't you reset any possible error after that?
Why? It's already logged and nobody will ever look at it after this
function (called in a separate thread) ends.
Jan
3474
days inactive
3490
days old
2 comments
3 participants
participants (3)
-
Erik Skultety -
Ján Tomko -
Martin Kletzander