提交 78612aa5 编写于 作者: M Michal Privoznik

qemu_hotplug: Relabel memdev

Now that we have APIs for relabel memdevs on hotplug, fill in the
missing implementation in qemu hotplug code.

The qemuSecurity wrappers might look like overkill for now,
because qemu namespace code does not deal with the nvdimms yet.
Nor does our cgroup code.  But hey, there's cgroup_device_acl
variable in qemu.conf. If users add their /dev/pmem* device in
there, the device is allowed in cgroups and created in the
namespace so they can successfully passthrough it to the domain.
It doesn't look like overkill after all, does it?
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
上级 679bf501
...@@ -2215,6 +2215,7 @@ qemuDomainAttachMemory(virQEMUDriverPtr driver, ...@@ -2215,6 +2215,7 @@ qemuDomainAttachMemory(virQEMUDriverPtr driver,
char *objalias = NULL; char *objalias = NULL;
const char *backendType; const char *backendType;
bool objAdded = false; bool objAdded = false;
bool teardownlabel = false;
virJSONValuePtr props = NULL; virJSONValuePtr props = NULL;
virObjectEventPtr event; virObjectEventPtr event;
int id; int id;
...@@ -2244,15 +2245,15 @@ qemuDomainAttachMemory(virQEMUDriverPtr driver, ...@@ -2244,15 +2245,15 @@ qemuDomainAttachMemory(virQEMUDriverPtr driver,
priv->qemuCaps, vm->def, mem, NULL, true) < 0) priv->qemuCaps, vm->def, mem, NULL, true) < 0)
goto cleanup; goto cleanup;
if (virDomainMemoryInsert(vm->def, mem) < 0) { if (qemuSecuritySetMemoryLabel(driver, vm, mem) < 0)
virJSONValueFree(props);
goto cleanup; goto cleanup;
} teardownlabel = true;
if (qemuDomainAdjustMaxMemLock(vm) < 0) { if (virDomainMemoryInsert(vm->def, mem) < 0)
virJSONValueFree(props); goto cleanup;
if (qemuDomainAdjustMaxMemLock(vm) < 0)
goto removedef; goto removedef;
}
qemuDomainObjEnterMonitor(driver, vm); qemuDomainObjEnterMonitor(driver, vm);
rv = qemuMonitorAddObject(priv->mon, backendType, objalias, props); rv = qemuMonitorAddObject(priv->mon, backendType, objalias, props);
...@@ -2288,6 +2289,12 @@ qemuDomainAttachMemory(virQEMUDriverPtr driver, ...@@ -2288,6 +2289,12 @@ qemuDomainAttachMemory(virQEMUDriverPtr driver,
audit: audit:
virDomainAuditMemory(vm, oldmem, newmem, "update", ret == 0); virDomainAuditMemory(vm, oldmem, newmem, "update", ret == 0);
cleanup: cleanup:
if (mem && ret < 0) {
if (teardownlabel && qemuSecurityRestoreMemoryLabel(driver, vm, mem) < 0)
VIR_WARN("Unable to restore security label on memdev");
}
virJSONValueFree(props);
virObjectUnref(cfg); virObjectUnref(cfg);
VIR_FREE(devstr); VIR_FREE(devstr);
VIR_FREE(objalias); VIR_FREE(objalias);
...@@ -3748,6 +3755,9 @@ qemuDomainRemoveMemoryDevice(virQEMUDriverPtr driver, ...@@ -3748,6 +3755,9 @@ qemuDomainRemoveMemoryDevice(virQEMUDriverPtr driver,
if ((idx = virDomainMemoryFindByDef(vm->def, mem)) >= 0) if ((idx = virDomainMemoryFindByDef(vm->def, mem)) >= 0)
virDomainMemoryRemove(vm->def, idx); virDomainMemoryRemove(vm->def, idx);
if (qemuSecurityRestoreMemoryLabel(driver, vm, mem) < 0)
VIR_WARN("Unable to restore security label on memdev");
virDomainMemoryDefFree(mem); virDomainMemoryDefFree(mem);
/* fix the balloon size */ /* fix the balloon size */
......
...@@ -245,3 +245,59 @@ qemuSecurityRestoreHostdevLabel(virQEMUDriverPtr driver, ...@@ -245,3 +245,59 @@ qemuSecurityRestoreHostdevLabel(virQEMUDriverPtr driver,
virSecurityManagerTransactionAbort(driver->securityManager); virSecurityManagerTransactionAbort(driver->securityManager);
return ret; return ret;
} }
int
qemuSecuritySetMemoryLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainMemoryDefPtr mem)
{
int ret = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionStart(driver->securityManager) < 0)
goto cleanup;
if (virSecurityManagerSetMemoryLabel(driver->securityManager,
vm->def,
mem) < 0)
goto cleanup;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionCommit(driver->securityManager,
vm->pid) < 0)
goto cleanup;
ret = 0;
cleanup:
virSecurityManagerTransactionAbort(driver->securityManager);
return ret;
}
int
qemuSecurityRestoreMemoryLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainMemoryDefPtr mem)
{
int ret = -1;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionStart(driver->securityManager) < 0)
goto cleanup;
if (virSecurityManagerRestoreMemoryLabel(driver->securityManager,
vm->def,
mem) < 0)
goto cleanup;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionCommit(driver->securityManager,
vm->pid) < 0)
goto cleanup;
ret = 0;
cleanup:
virSecurityManagerTransactionAbort(driver->securityManager);
return ret;
}
...@@ -62,6 +62,14 @@ int qemuSecurityRestoreHostdevLabel(virQEMUDriverPtr driver, ...@@ -62,6 +62,14 @@ int qemuSecurityRestoreHostdevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm, virDomainObjPtr vm,
virDomainHostdevDefPtr hostdev); virDomainHostdevDefPtr hostdev);
int qemuSecuritySetMemoryLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainMemoryDefPtr mem);
int qemuSecurityRestoreMemoryLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainMemoryDefPtr mem);
/* Please note that for these APIs there is no wrapper yet. Do NOT blindly add /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
* new APIs here. If an API can touch a /dev file add a proper wrapper instead. * new APIs here. If an API can touch a /dev file add a proper wrapper instead.
*/ */
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册