[PATCH for v5.3.0 16/17] qemu: Move image security metadata on snapshot activity

Michal Privoznik <mprivozn@xxxxxxxxxx> · Thu, 28 Mar 2019 16:04:28 +0100

Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
 src/qemu/qemu_blockjob.c |  6 ++++++
 src/qemu/qemu_driver.c   | 17 ++++++++++++++---
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
index fa7e4c8625..1b4e30ba01 100644
--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
@@ -37,6 +37,7 @@
 #include "locking/domain_lock.h"
 #include "viralloc.h"
 #include "virstring.h"
+#include "qemu_security.h"
 
 #define VIR_FROM_THIS VIR_FROM_QEMU
 
@@ -275,6 +276,11 @@ qemuBlockJobEventProcessLegacyCompleted(virQEMUDriverPtr driver,
          * want to only revoke the non-shared portion of the chain); so for
          * now, we leak the access to the original.  */
         virDomainLockImageDetach(driver->lockManager, vm, disk->src);
+
+        /* Move secret driver metadata */
+        if (qemuSecurityMoveImageMetadata(driver, vm, disk->src, disk->mirror) < 0)
+            VIR_WARN("Unable to move disk metadata on vm %s", vm->def->name);
+
         virObjectUnref(disk->src);
         disk->src = disk->mirror;
     } else {
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 62d8d977c5..1af6272c71 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -15173,22 +15173,33 @@ qemuDomainSnapshotUpdateDiskSourcesRenumber(virStorageSourcePtr src)
 
 /**
  * qemuDomainSnapshotUpdateDiskSources:
+ * @driver: QEMU driver
+ * @vm: domain object
  * @dd: snapshot disk data object
  * @persist: set to true if persistent config of the VM was changed
  *
  * Updates disk definition after a successful snapshot.
  */
 static void
-qemuDomainSnapshotUpdateDiskSources(qemuDomainSnapshotDiskDataPtr dd,
+qemuDomainSnapshotUpdateDiskSources(virQEMUDriverPtr driver,
+                                    virDomainObjPtr vm,
+                                    qemuDomainSnapshotDiskDataPtr dd,
                                     bool *persist)
 {
-    if (!dd->src)
+    if (!dd->src) {
+        /* Remove old metadata */
+        if (qemuSecurityMoveImageMetadata(driver, vm, dd->disk->src, NULL) < 0)
+            VIR_WARN("Unable to remove disk metadata on vm %s", vm->def->name);
         return;
+    }
 
     /* storage driver access won'd be needed */
     if (dd->initialized)
         virStorageFileDeinit(dd->src);
 
+    if (qemuSecurityMoveImageMetadata(driver, vm, dd->disk->src, dd->src) < 0)
+        VIR_WARN("Unable to move disk metadata on vm %s", vm->def->name);
+
     /* the old disk image is now readonly */
     dd->disk->src->readonly = true;
 
@@ -15313,7 +15324,7 @@ qemuDomainSnapshotCreateDiskActive(virQEMUDriverPtr driver,
             virDomainAuditDisk(vm, dd->disk->src, dd->src, "snapshot", ret >= 0);
 
             if (ret == 0)
-                qemuDomainSnapshotUpdateDiskSources(dd, &persist);
+                qemuDomainSnapshotUpdateDiskSources(driver, vm, dd, &persist);
         }
 
         if (ret < 0)
-- 
2.19.2

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list






