security_dac: Lock metadata when running transaction

Lock all the paths we want to relabel to mutually exclude other libvirt daemons. The only hitch here is that directories can't be locked. Therefore, when relabeling a directory do not lock it (this happens only when setting up some domain private paths anyway, e.g. huge pages directory). Signed-off-by: N Michal Privoznik <mprivozn@redhat.com> Reviewed-by: N John Ferlan <jferlan@redhat.com>

security_dac: Lock metadata when running transaction
Lock all the paths we want to relabel to mutually exclude other libvirt daemons. The only hitch here is that directories can't be locked. Therefore, when relabeling a directory do not lock it (this happens only when setting up some domain private paths anyway, e.g. huge pages directory). Signed-off-by: N Michal Privoznik <mprivozn@redhat.com> Reviewed-by: N John Ferlan <jferlan@redhat.com>
7a9ca0fa · Michal Privoznik · 6e22ab27 · 7a9ca0fa
隐藏空白更改
内联并排

Showing with 31 addition and 3 deletion

src/security/security_dac.c src/security/security_dac.c +31 -3

未找到文件。
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -192,7 +192,8 @@ static int virSecurityDACRestoreFileLabelInternal(virSecurityManagerPtr mgr,
 *
 * This is the callback that runs in the same namespace as the domain we are
 * relabelling. For given transaction (@opaque) it relabels all the paths on
- * the list.
+ * the list. Depending on security manager configuration it might lock paths
+ * we will relabel.
 *
 * Returns: 0 on success
 *         -1 otherwise.
@@ -202,8 +203,26 @@ virSecurityDACTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
                             void *opaque)
 {
    virSecurityDACChownListPtr list = opaque;
+    const char **paths = NULL;
+    size_t npaths = 0;
    size_t i;
    int rv = 0;
+    int ret = -1;
+
+    if (VIR_ALLOC_N(paths, list->nItems) < 0)
+        return -1;
+
+    for (i = 0; i < list->nItems; i++) {
+        const char *p = list->items[i]->path;
+
+        if (virFileIsDir(p))
+            continue;
+
+        VIR_APPEND_ELEMENT_COPY_INPLACE(paths, npaths, p);
+    }
+
+    if (virSecurityManagerMetadataLock(list->manager, paths, npaths) < 0)
+        goto cleanup;

    for (i = 0; i < list->nItems; i++) {
        virSecurityDACChownItemPtr item = list->items[i];
@@ -222,10 +241,19 @@ virSecurityDACTransactionRun(pid_t pid ATTRIBUTE_UNUSED,
        }

        if (rv < 0)
-            return -1;
+            break;
    }

-    return 0;
+    if (virSecurityManagerMetadataUnlock(list->manager, paths, npaths) < 0)
+        goto cleanup;
+
+    if (rv < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    VIR_FREE(paths);
+    return ret;
 }