security_selinux: Track if transaction is restore

It is going to be important to know if the current transaction we are running is a restore operation or set label operation so that we know whether to call virSecurityGetRememberedLabel() or virSecuritySetRememberedLabel(). That is, whether we are in a restore and therefore have to fetch the remembered label, or we are in set operation and therefore have to store the original label. Signed-off-by: N Michal Privoznik <mprivozn@redhat.com> Reviewed-by: N Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: N Ján Tomko <jtomko@redhat.com>

security_selinux: Track if transaction is restore
It is going to be important to know if the current transaction we are running is a restore operation or set label operation so that we know whether to call virSecurityGetRememberedLabel() or virSecuritySetRememberedLabel(). That is, whether we are in a restore and therefore have to fetch the remembered label, or we are in set operation and therefore have to store the original label. Signed-off-by: N Michal Privoznik <mprivozn@redhat.com> Reviewed-by: N Daniel P. Berrangé <berrange@redhat.com> Reviewed-by: N Ján Tomko <jtomko@redhat.com>
1e9c4724 · Michal Privoznik · d7420430 · 1e9c4724
显示空白变更内容
内联并排

Showing with 25 addition and 11 deletion

src/security/security_selinux.c src/security/security_selinux.c +25 -11

未找到文件。
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -81,6 +81,7 @@ struct _virSecuritySELinuxContextItem {
    char *path;
    char *tcon;
    bool optional;
+    bool restore;
 };

 typedef struct _virSecuritySELinuxContextList virSecuritySELinuxContextList;
@@ -119,7 +120,8 @@ static int
 virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
                                    const char *path,
                                    const char *tcon,
-                                    bool optional)
+                                    bool optional,
+                                    bool restore)
 {
    int ret = -1;
    virSecuritySELinuxContextItemPtr item = NULL;
@@ -131,6 +133,7 @@ virSecuritySELinuxContextListAppend(virSecuritySELinuxContextListPtr list,
        goto cleanup;

    item->optional = optional;
+    item->restore = restore;

    if (VIR_APPEND_ELEMENT(list->items, list->nItems, item) < 0)
        goto cleanup;
@@ -174,7 +177,8 @@ virSecuritySELinuxContextListFree(void *opaque)
 static int
 virSecuritySELinuxTransactionAppend(const char *path,
                                    const char *tcon,
-                                    bool optional)
+                                    bool optional,
+                                    bool restore)
 {
    virSecuritySELinuxContextListPtr list;

@@ -182,7 +186,7 @@ virSecuritySELinuxTransactionAppend(const char *path,
    if (!list)
        return 0;

-    if (virSecuritySELinuxContextListAppend(list, path, tcon, optional) < 0)
+    if (virSecuritySELinuxContextListAppend(list, path, tcon, optional, restore) < 0)
        return -1;

    return 1;
@@ -194,6 +198,11 @@ static int virSecuritySELinuxSetFileconHelper(const char *path,
                                              bool optional,
                                              bool privileged);

+
+static int virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
+                                              const char *path);
+
+
 /**
 * virSecuritySELinuxTransactionRun:
 * @pid: process pid
@@ -238,13 +247,18 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
        virSecuritySELinuxContextItemPtr item = list->items[i];

        /* TODO Implement rollback */
-        if (virSecuritySELinuxSetFileconHelper(item->path,
+        if (!item->restore) {
+            rv = virSecuritySELinuxSetFileconHelper(item->path,
                                                    item->tcon,
                                                    item->optional,
-                                               privileged) < 0) {
-            rv = -1;
-            break;
+                                                    privileged);
+        } else {
+            rv = virSecuritySELinuxRestoreFileLabel(list->manager,
+                                                    item->path);
        }
+
+        if (rv < 0)
+            break;
    }

    if (list->lock)
@@ -1261,7 +1275,7 @@ virSecuritySELinuxSetFileconHelper(const char *path, const char *tcon,
 {
    int rc;

-    if ((rc = virSecuritySELinuxTransactionAppend(path, tcon, optional)) < 0)
+    if ((rc = virSecuritySELinuxTransactionAppend(path, tcon, optional, false)) < 0)
        return -1;
    else if (rc > 0)
        return 0;
@@ -1383,7 +1397,7 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
        goto cleanup;
    }

-    if ((rc = virSecuritySELinuxTransactionAppend(path, fcon, false)) < 0)
+    if ((rc = virSecuritySELinuxTransactionAppend(path, fcon, false, true)) < 0)
        return -1;
    else if (rc > 0)
        return 0;