When domain is being started up, we ought to relabel the host side of NVDIMM so qemu has access to it.

Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
 src/security/security_dac.c | 73 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 442ce70..253cbbf 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1073,6 +1073,30 @@ virSecurityDACRestoreInputLabel(virSecurityManagerPtr mgr,
 
 
 static int
+virSecurityDACRestoreMemoryLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainMemoryDefPtr mem)
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ int ret = -1;
+
+ switch ((virDomainMemoryModel) mem->model) {
+ case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+ ret = virSecurityDACRestoreFileLabel(priv, mem->path);
+ break;
+
+ case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+ case VIR_DOMAIN_MEMORY_MODEL_LAST:
+ case VIR_DOMAIN_MEMORY_MODEL_NONE:
+ ret = 0;
+ break;
+ }
+
+ return ret;
+}
+
+
+static int
 virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr def,
 bool migrated)
@@ -1111,6 +1135,13 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
 rc = -1;
 }
 
+ for (i = 0; i < def->nmems; i++) {
+ if (virSecurityDACRestoreMemoryLabel(mgr,
+ def,
+ def->mems[i]) < 0)
+ rc = -1;
+ }
+
 if (virDomainChrDefForeach(def,
 false,
 virSecurityDACRestoreChardevCallback,
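Review bot: virSecurityDACRestoreMemoryLabel restores ownership of `mem->path` for every NVDIMM without the `relabel` check that virSecurityDACSetMemoryLabel (third hunk) performs, so the two helpers are not symmetric. If the callers outside this hunk do not already return early for a domain with relabelling disabled, the restore would change ownership of a host file that libvirt never labelled. Mirroring the Set side keeps the helper safe to call on its own: fetch the label with `virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME)` and add `if (seclabel && !seclabel->relabel) return 0;` before the switch, dropping `ATTRIBUTE_UNUSED` from `def`.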
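Review bot: The `if` inside the new loop spreads its condition over three lines and leaves the one-statement body unbraced, which is easy to break when a second statement is added; the same shape appears in the loop added to virSecurityDACSetAllLabel (fourth hunk). Either keep the call on one line, `if (virSecurityDACRestoreMemoryLabel(mgr, def, def->mems[i]) < 0)`, or put braces around `rc = -1;`. virSecurityDACRestoreAllLabel starts and ends outside this hunk, so how `rc` is finally returned is not visible here.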
@@ -1144,6 +1175,41 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def,
 
 
 static int
+virSecurityDACSetMemoryLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainMemoryDefPtr mem)
+
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityLabelDefPtr seclabel;
+ int ret = -1;
+ uid_t user;
+ gid_t group;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+ if (seclabel && !seclabel->relabel)
+ return 0;
+
+ switch ((virDomainMemoryModel) mem->model) {
+ case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
+ if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+ return -1;
+
+ ret = virSecurityDACSetOwnership(priv, NULL, mem->path, user, group);
+ break;
+
+ case VIR_DOMAIN_MEMORY_MODEL_DIMM:
+ case VIR_DOMAIN_MEMORY_MODEL_LAST:
+ case VIR_DOMAIN_MEMORY_MODEL_NONE:
+ ret = 0;
+ break;
+ }
+
+ return ret;
+}
+
+
+static int
 virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr def,
 const char *stdin_path ATTRIBUTE_UNUSED)
@@ -1182,6 +1248,13 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
 return -1;
 }
 
+ for (i = 0; i < def->nmems; i++) {
+ if (virSecurityDACSetMemoryLabel(mgr,
+ def,
+ def->mems[i]) < 0)
+ return -1;
+ }
+
 if (virDomainChrDefForeach(def,
 true,
 virSecurityDACSetChardevCallback,
-- 
2.8.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
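Review bot: virSecurityDACSetMemoryLabel has no comment stating its effect on the host: for an NVDIMM it changes the owner of `mem->path` to the uid/gid resolved by virSecurityDACGetIds, and that file outlives the guest. Nothing in the hunk covers a backing file that a second running domain also uses, where the restore added in the first hunk would presumably take access away from the other guest when this one stops; if that is out of scope, the comment should say so. Suggested header: `/* Chown the NVDIMM backing file to the domain's DAC user:group; other memory models need no label. Shared backing files are not tracked. */`. The stray blank line between the parameter list and `{` can be dropped as well.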