提交 8f0a1572 编写于 作者: J Jiri Denemark

security: Do not restore labels on device tree binary

A device tree binary file specified by /domain/os/dtb element is a
read-only resource similar to kernel and initrd files. We shouldn't
restore its label when destroying a domain to avoid breaking other
domains configure with the same device tree.
Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
上级 68acc701
...@@ -1128,10 +1128,6 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, ...@@ -1128,10 +1128,6 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
virSecurityDACRestoreFileLabel(priv, def->os.loader->nvram) < 0) virSecurityDACRestoreFileLabel(priv, def->os.loader->nvram) < 0)
rc = -1; rc = -1;
if (def->os.dtb &&
virSecurityDACRestoreFileLabel(priv, def->os.dtb) < 0)
rc = -1;
return rc; return rc;
} }
......
...@@ -2034,10 +2034,6 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr, ...@@ -2034,10 +2034,6 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram) < 0) virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
rc = -1; rc = -1;
if (def->os.dtb &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb) < 0)
rc = -1;
return rc; return rc;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册