Re: [PATCH 2/9] security: add virSecurityManagerUpdateImageLabel

Peng Liang <liangpeng10@xxxxxxxxxx> · Fri, 10 Sep 2021 09:42:49 +0800

On 9/9/2021 10:47 PM, Michal Prívozník wrote:
> On 9/9/21 1:45 PM, Peng Liang wrote:
>> On 9/9/2021 7:01 PM, Michal Prívozník wrote:
>>> On 8/23/21 4:41 AM, Peng Liang wrote:
>>>> Signed-off-by: Peng Liang <liangpeng10@xxxxxxxxxx>
>>>> ---
>>>>  src/libvirt_private.syms        |  1 +
>>>>  src/security/security_driver.h  |  5 +++++
>>>>  src/security/security_manager.c | 29 +++++++++++++++++++++++++++++
>>>>  src/security/security_manager.h |  5 +++++
>>>>  4 files changed, 40 insertions(+)
>>>>
>>>
>>>
>>>> diff --git a/src/security/security_manager.c b/src/security/security_manager.c
>>>> index 9906c1691d0f..b580704d3abf 100644
>>>> --- a/src/security/security_manager.c
>>>> +++ b/src/security/security_manager.c
>>>> @@ -476,6 +476,35 @@ virSecurityManagerMoveImageMetadata(virSecurityManager *mgr,
>>>>  }
>>>>  
>>>>  
>>>> +/**
>>>> + * virSecurityManagerUpdateImageLabel:
>>>> + * @mgr: security manager object
>>>> + * @vm: domain definition object
>>>> + * @src: disk source definition to operate on
>>>> + * @flags: bitwise or of 'virSecurityDomainImageLabelFlags'
>>>> + *
>>>> + * Update security label from @src according to @flags.
>>>> + *
>>>> + * Returns: 0 on success, -1 on error.
>>>> + */
>>>> +int
>>>> +virSecurityManagerUpdateImageLabel(virSecurityManager *mgr,
>>>> +                                   virDomainDef *vm,
>>>> +                                   virStorageSource *src,
>>>> +                                   virSecurityDomainImageLabelFlags flags)
>>>> +{
>>>> +    if (mgr->drv->domainUpdateSecurityImageLabel) {
>>>> +        int ret;
>>>> +        virObjectLock(mgr);
>>>> +        ret = mgr->drv->domainUpdateSecurityImageLabel(mgr, vm, src, flags);
>>>> +        virObjectUnlock(mgr);
>>>> +        return ret;
>>>> +    }
>>>> +
>>>> +    return 0;
>>>> +}
>>>> +
>>>> +
>>>
>>> Is there a reason why this needs to be inside virSecurityManager? We
>>> already have virSecurityMoveRememberedLabel() that lives outside of it,
>>> in security_util.c and conceptually this function belongs there.
>>>
>>> Michal
>>>
>>> .
>>>
>> Maybe all security managers' labels need to be updated during migration,
>> so I add it here.
> 
> Ah, you are correct. The timestamp XATTR is specific to secdriver so DAC
> and SELinux have their own timestamps. So your approach is in fact
> correct. For your v2 can you please also implement SELinux? I think it's
> going to be 1:1 copy of DAC code.
> 
> Michal
> 
> .
> 

OK，I'll add and test it in v2.
Thanks for your reviewing!

Peng