Re: [PATCH] Follow up fix of commit a58e1cb4

Cedric Bosdonnat <cbosdonnat@xxxxxxxx> · Mon, 09 Feb 2015 10:56:52 +0100

Hi Jan,

On Mon, 2015-02-09 at 10:04 +0100, Ján Tomko wrote:
> On Fri, Feb 06, 2015 at 02:28:15PM +0100, Cédric Bosdonnat wrote:
> > commit a58e1cb4 didn't fix the bug if the security_default_confined is
> > not set to 1. We now clean up even if there is no seclabel defined or
> > the default one.
> > ---
> >  src/lxc/lxc_process.c | 8 +++++++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> > 
> 
> The commit summary is too vague, it would look better to me
> describing what the commit does, e.g.:
> Clear dynamic seclabels on LXCProcessStart failure
> 
> ACK if you use a more specific commit summary.

Pushed with your summary. Thanks for the review.

--
Cedric

> Jan
> 
> > diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
> > index b385423..19ea7f3 100644
> > --- a/src/lxc/lxc_process.c
> > +++ b/src/lxc/lxc_process.c
> > @@ -1022,6 +1022,7 @@ int virLXCProcessStart(virConnectPtr conn,
> >      virCgroupPtr selfcgroup;
> >      int status;
> >      char *pidfile = NULL;
> > +    bool clearSeclabel = false;
> >  
> >      if (virCgroupNewSelf(&selfcgroup) < 0)
> >          return -1;
> > @@ -1126,6 +1127,10 @@ int virLXCProcessStart(virConnectPtr conn,
> >      /* If you are using a SecurityDriver with dynamic labelling,
> >         then generate a security label for isolation */
> >      VIR_DEBUG("Generating domain security label (if required)");
> > +
> > +    clearSeclabel = vm->def->nseclabels == 0 ||
> > +                    vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT;
> > +
> >      if (vm->def->nseclabels &&
> >          vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DEFAULT)
> >          vm->def->seclabels[0]->type = VIR_DOMAIN_SECLABEL_NONE;
> > @@ -1387,7 +1392,8 @@ int virLXCProcessStart(virConnectPtr conn,
> >          virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
> >          /* Clear out dynamically assigned labels */
> >          if (vm->def->nseclabels &&
> > -            vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
> > +            (vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC ||
> > +            clearSeclabel)) {
> >              VIR_FREE(vm->def->seclabels[0]->model);
> >              VIR_FREE(vm->def->seclabels[0]->label);
> >              VIR_FREE(vm->def->seclabels[0]->imagelabel);
> > -- 
> > 2.1.4
> > 
> > --
> > libvir-list mailing list
> > libvir-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/libvir-list

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list