qemuSecurityDomainRestorePathLabel: Introduce @ignoreNS argument

In a few cases we might set seclabels on a path outside of namespaces. For instance, when restoring a domain from a file, the file is opened, relabelled and only then the namespace is created and the FD is passed to QEMU (see v6.3.0-rc1~108 for more info). Therefore, when restoring the label on the restore file, we must ignore domain namespaces and restore the label directly in the host. This bug demonstrates itself when restoring a domain from a block device. We don't create the block device inside the domain namespace and thus the following error is reported at the end of (otherwise successful) restore: error : virProcessRunInFork:1236 : internal error: child reported (status=125): unable to stat: /dev/sda: No such file or directory error : virProcessRunInFork:1240 : unable to stat: /dev/sda: No such file or directory Signed-off-by: N Michal Privoznik <mprivozn@redhat.com> Reviewed-by: N Erik Skultety <eskultet@redhat.com>

qemuSecurityDomainRestorePathLabel: Introduce @ignoreNS argument
In a few cases we might set seclabels on a path outside of namespaces. For instance, when restoring a domain from a file, the file is opened, relabelled and only then the namespace is created and the FD is passed to QEMU (see v6.3.0-rc1~108 for more info). Therefore, when restoring the label on the restore file, we must ignore domain namespaces and restore the label directly in the host. This bug demonstrates itself when restoring a domain from a block device. We don't create the block device inside the domain namespace and thus the following error is reported at the end of (otherwise successful) restore: error : virProcessRunInFork:1236 : internal error: child reported (status=125): unable to stat: /dev/sda: No such file or directory error : virProcessRunInFork:1240 : unable to stat: /dev/sda: No such file or directory Signed-off-by: N Michal Privoznik <mprivozn@redhat.com> Reviewed-by: N Erik Skultety <eskultet@redhat.com>
f03a38bd · Michal Privoznik · 6a0eaeba · f03a38bd · f03a38bd · f03a38bd
隐藏空白更改
内联并排

Showing with 7 addition and 4 deletion

src/qemu/qemu_driver.c src/qemu/qemu_driver.c +1 -1

src/qemu/qemu_security.c src/qemu/qemu_security.c +4 -2

src/qemu/qemu_security.h src/qemu/qemu_security.h +2 -1

未找到文件。
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6958,7 +6958,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
        qemuProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_FAILED,
                        asyncJob, VIR_QEMU_PROCESS_STOP_MIGRATED);
    }
-    if (qemuSecurityDomainRestorePathLabel(driver, vm, path) < 0)
+    if (qemuSecurityDomainRestorePathLabel(driver, vm, path, true) < 0)
        VIR_WARN("failed to restore save state label on %s", path);
    return ret;
 }

--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@@ -617,13 +617,15 @@ qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
 int
 qemuSecurityDomainRestorePathLabel(virQEMUDriverPtr driver,
                                   virDomainObjPtr vm,
-                                   const char *path)
+                                   const char *path,
+                                   bool ignoreNS)
 {
    qemuDomainObjPrivatePtr priv = vm->privateData;
    pid_t pid = -1;
    int ret = -1;
-    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
+    if (!ignoreNS &&
+        qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT))
        pid = vm->pid;
    if (virSecurityManagerTransactionStart(driver->securityManager) < 0)

--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@@ -103,7 +103,8 @@ int qemuSecurityDomainSetPathLabel(virQEMUDriverPtr driver,
 int qemuSecurityDomainRestorePathLabel(virQEMUDriverPtr driver,
                                       virDomainObjPtr vm,
-                                       const char *path);
+                                       const char *path,
+                                       bool ignoreNS);
 int qemuSecurityCommandRun(virQEMUDriverPtr driver,
                           virDomainObjPtr vm,