qemu: properly label outgoing pipe for tunneled migration

Commit 32617617 made it possible to use pipes instead of sockets for outgoing tunneled migration; however, it caused a regression because the pipe was never given a SELinux label. * src/qemu/qemu_migration.c (doTunnelMigrate): Label outgoing pipe.

qemu: properly label outgoing pipe for tunneled migration
Commit 32617617 made it possible to use pipes instead of sockets for outgoing tunneled migration; however, it caused a regression because the pipe was never given a SELinux label. * src/qemu/qemu_migration.c (doTunnelMigrate): Label outgoing pipe.
e6b8bc81 · Eric Blake · bae460fc · e6b8bc81
隐藏空白更改
内联并排

Showing with 4 addition and 3 deletion

src/qemu/qemu_migration.c src/qemu/qemu_migration.c +4 -3

未找到文件。
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -24,6 +24,7 @@
 #include <sys/time.h>
 #include <gnutls/gnutls.h>
 #include <gnutls/x509.h>
+#include <fcntl.h>
 #include "qemu_migration.h"
 #include "qemu_monitor.h"
@@ -1691,13 +1692,13 @@ static int doTunnelMigrate(struct qemud_driver *driver,
        spec.dest.fd.qemu = -1;
        spec.dest.fd.local = -1;
-        if (pipe(fds) == 0) {
+        if (pipe2(fds, O_CLOEXEC) == 0) {
            spec.dest.fd.qemu = fds[1];
            spec.dest.fd.local = fds[0];
        }
        if (spec.dest.fd.qemu == -1 ||
-            virSetCloseExec(spec.dest.fd.qemu) < 0 ||
+            virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
-            virSetCloseExec(spec.dest.fd.local) < 0) {
+                                              spec.dest.fd.qemu) < 0) {
            virReportSystemError(errno, "%s",
                        _("cannot create pipe for tunnelled migration"));
            goto cleanup;