qemu_security: Fully implement qemuSecurity{Set,Restore}SavedStateLabel

Even though the current use of the functions does not require full implementation with transactions (none of the callers passes a path somewhere under /dev), it doesn't hurt either. Moreover, in future patches the paradigm is going to shift so that any API that touches a file is required to use transactions. Signed-off-by: N Michal Privoznik <mprivozn@redhat.com> Reviewed-by: N John Ferlan <jferlan@redhat.com>

qemu_security: Fully implement qemuSecurity{Set,Restore}SavedStateLabel
Even though the current use of the functions does not require full implementation with transactions (none of the callers passes a path somewhere under /dev), it doesn't hurt either. Moreover, in future patches the paradigm is going to shift so that any API that touches a file is required to use transactions. Signed-off-by: N Michal Privoznik <mprivozn@redhat.com> Reviewed-by: N John Ferlan <jferlan@redhat.com>
e2c23982 · Michal Privoznik · da24db2d · e2c23982 · e2c23982 · e2c23982
隐藏空白更改
内联并排

Showing with 67 addition and 6 deletion

src/qemu/qemu_driver.c src/qemu/qemu_driver.c +3 -4

src/qemu/qemu_security.c src/qemu/qemu_security.c +56 -0

src/qemu/qemu_security.h src/qemu/qemu_security.h +8 -2

未找到文件。
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -4043,7 +4043,7 @@ qemuDomainScreenshot(virDomainPtr dom,
    }
    unlink_tmp = true;
-    qemuSecuritySetSavedStateLabel(driver->securityManager, vm->def, tmp);
+    qemuSecuritySetSavedStateLabel(driver, vm, tmp);
    qemuDomainObjEnterMonitor(driver, vm);
    if (qemuMonitorScreendump(priv->mon, videoAlias, screen, tmp) < 0) {
@@ -6662,8 +6662,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
    virObjectUnref(cookie);
    virCommandFree(cmd);
    VIR_FREE(errbuf);
-    if (qemuSecurityRestoreSavedStateLabel(driver->securityManager,
+    if (qemuSecurityRestoreSavedStateLabel(driver, vm, path) < 0)
-                                           vm->def, path) < 0)
        VIR_WARN("failed to restore save state label on %s", path);
    virObjectUnref(cfg);
    return ret;
@@ -11828,7 +11827,7 @@ qemuDomainMemoryPeek(virDomainPtr dom,
        goto endjob;
    }
-    qemuSecuritySetSavedStateLabel(driver->securityManager, vm->def, tmp);
+    qemuSecuritySetSavedStateLabel(driver, vm, tmp);
    priv = vm->privateData;
    qemuDomainObjEnterMonitor(driver, vm);

--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@@ -523,3 +523,59 @@ qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
    virSecurityManagerTransactionAbort(driver->securityManager);
    return ret;
 }
+int
+qemuSecuritySetSavedStateLabel(virQEMUDriverPtr driver,
+                                   virDomainObjPtr vm,
+                                   const char *savefile)
+{
+    int ret = -1;
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionStart(driver->securityManager) < 0)
+        goto cleanup;
+    if (virSecurityManagerSetSavedStateLabel(driver->securityManager,
+                                             vm->def,
+                                             savefile) < 0)
+        goto cleanup;
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionCommit(driver->securityManager,
+                                            vm->pid) < 0)
+        goto cleanup;
+    ret = 0;
+ cleanup:
+    virSecurityManagerTransactionAbort(driver->securityManager);
+    return ret;
+}
+int
+qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver,
+                                       virDomainObjPtr vm,
+                                       const char *savefile)
+{
+    int ret = -1;
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionStart(driver->securityManager) < 0)
+        goto cleanup;
+    if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager,
+                                                 vm->def,
+                                                 savefile) < 0)
+        goto cleanup;
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionCommit(driver->securityManager,
+                                            vm->pid) < 0)
+        goto cleanup;
+    ret = 0;
+ cleanup:
+    virSecurityManagerTransactionAbort(driver->securityManager);
+    return ret;
+}
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@@ -100,6 +100,14 @@ int qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
                                   const char *path,
                                   bool allowSubtree);
+int qemuSecuritySetSavedStateLabel(virQEMUDriverPtr driver,
+                                   virDomainObjPtr vm,
+                                   const char *savefile);
+int qemuSecurityRestoreSavedStateLabel(virQEMUDriverPtr driver,
+                                       virDomainObjPtr vm,
+                                       const char *savefile);
 /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
 * new APIs here. If an API can touch a /dev file add a proper wrapper instead.
 */
@@ -119,11 +127,9 @@ int qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
 # define qemuSecurityPreFork virSecurityManagerPreFork
 # define qemuSecurityReleaseLabel virSecurityManagerReleaseLabel
 # define qemuSecurityReserveLabel virSecurityManagerReserveLabel
-# define qemuSecurityRestoreSavedStateLabel virSecurityManagerRestoreSavedStateLabel
 # define qemuSecuritySetChildProcessLabel virSecurityManagerSetChildProcessLabel
 # define qemuSecuritySetDaemonSocketLabel virSecurityManagerSetDaemonSocketLabel
 # define qemuSecuritySetImageFDLabel virSecurityManagerSetImageFDLabel
-# define qemuSecuritySetSavedStateLabel virSecurityManagerSetSavedStateLabel
 # define qemuSecuritySetSocketLabel virSecurityManagerSetSocketLabel
 # define qemuSecuritySetTapFDLabel virSecurityManagerSetTapFDLabel
 # define qemuSecurityStackAddNested virSecurityManagerStackAddNested