Re: [PATCH 2/9] security: add virSecurityManagerUpdateImageLabel

Michal Prívozník <mprivozn@xxxxxxxxxx> · Thu, 9 Sep 2021 16:47:42 +0200

On 9/9/21 1:45 PM, Peng Liang wrote:
> On 9/9/2021 7:01 PM, Michal Prívozník wrote:
>> On 8/23/21 4:41 AM, Peng Liang wrote:
>>> Signed-off-by: Peng Liang <liangpeng10@xxxxxxxxxx>
>>> ---
>>>  src/libvirt_private.syms        |  1 +
>>>  src/security/security_driver.h  |  5 +++++
>>>  src/security/security_manager.c | 29 +++++++++++++++++++++++++++++
>>>  src/security/security_manager.h |  5 +++++
>>>  4 files changed, 40 insertions(+)
>>>
>>
>>
>>> diff --git a/src/security/security_manager.c b/src/security/security_manager.c
>>> index 9906c1691d0f..b580704d3abf 100644
>>> --- a/src/security/security_manager.c
>>> +++ b/src/security/security_manager.c
>>> @@ -476,6 +476,35 @@ virSecurityManagerMoveImageMetadata(virSecurityManager *mgr,
>>>  }
>>>  
>>>  
>>> +/**
>>> + * virSecurityManagerUpdateImageLabel:
>>> + * @mgr: security manager object
>>> + * @vm: domain definition object
>>> + * @src: disk source definition to operate on
>>> + * @flags: bitwise or of 'virSecurityDomainImageLabelFlags'
>>> + *
>>> + * Update security label from @src according to @flags.
>>> + *
>>> + * Returns: 0 on success, -1 on error.
>>> + */
>>> +int
>>> +virSecurityManagerUpdateImageLabel(virSecurityManager *mgr,
>>> +                                   virDomainDef *vm,
>>> +                                   virStorageSource *src,
>>> +                                   virSecurityDomainImageLabelFlags flags)
>>> +{
>>> +    if (mgr->drv->domainUpdateSecurityImageLabel) {
>>> +        int ret;
>>> +        virObjectLock(mgr);
>>> +        ret = mgr->drv->domainUpdateSecurityImageLabel(mgr, vm, src, flags);
>>> +        virObjectUnlock(mgr);
>>> +        return ret;
>>> +    }
>>> +
>>> +    return 0;
>>> +}
>>> +
>>> +
>>
>> Is there a reason why this needs to be inside virSecurityManager? We
>> already have virSecurityMoveRememberedLabel() that lives outside of it,
>> in security_util.c and conceptually this function belongs there.
>>
>> Michal
>>
>> .
>>
> Maybe all security managers' labels need to be updated during migration,
> so I add it here.

Ah, you are correct. The timestamp XATTR is specific to secdriver so DAC
and SELinux have their own timestamps. So your approach is in fact
correct. For your v2 can you please also implement SELinux? I think it's
going to be 1:1 copy of DAC code.

Michal