[PATCH v2 08/10] security: don't remember image labels when migrating with shared fs


 



When migrating with a shared fs, the image labels have already been remembered on
the src host.  If the dst host tries to remember the image labels again, then
the original labels remembered on the src host will be lost.

Signed-off-by: Peng Liang <liangpeng10@xxxxxxxxxx>
---
 src/security/security_dac.c     | 32 +++++++++++++++++++++++---------
 src/security/security_selinux.c | 33 ++++++++++++++++++++++++---------
 2 files changed, 47 insertions(+), 18 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 2c0e12a6f810..65cdf348e4c1 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -867,7 +867,8 @@ virSecurityDACSetImageLabelSingle(virSecurityManager *mgr,
                                   virDomainDef *def,
                                   virStorageSource *src,
                                   virStorageSource *parent,
-                                  bool isChainTop)
+                                  bool isChainTop,
+                                  bool migrated)
 {
     virSecurityLabelDef *secdef;
     virSecurityDeviceLabelDef *disk_seclabel;
@@ -931,7 +932,8 @@ virSecurityDACSetImageLabelSingle(virSecurityManager *mgr,
      * but the top layer, or read only image, or disk explicitly
      * marked as shared.
      */
-    remember = isChainTop && !src->readonly && !src->shared;
+    remember = isChainTop && !src->readonly && !src->shared &&
+               !(migrated && virFileIsSharedFS(src->path) > 0);
 
     return virSecurityDACSetOwnership(mgr, src, NULL, user, group, remember);
 }
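Review bot: The new `remember` term at the end of the hunk treats a failure of virFileIsSharedFS() the same as a non-shared filesystem: a negative return does not satisfy `> 0`, so the label is remembered anyway, which is precisely the case the patch sets out to avoid, and any error virFileIsSharedFS() reports on that path (I cannot see its body here) is left behind while this function goes on to return success. Consider splitting the probe out so a failure is propagated, e.g. `int shared = 0;`, `if (migrated && (shared = virFileIsSharedFS(src->path)) < 0) return -1;`, then `remember = isChainTop && !src->readonly && !src->shared && !(migrated && shared > 0);`. The probe also dereferences `src->path` for every chain member regardless of its type, so if non-local sources can reach this function (I cannot tell from the hunk how callers constrain `src`), a guard such as `virStorageSourceIsLocalStorage(src)` ahead of the statfs call would be safer. The same expression appears in the security_selinux.c hunk at the matching `remember =` line and needs the same treatment; virSecurityDACSetImageLabelSingle begins outside this hunk.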
@@ -942,14 +944,15 @@ virSecurityDACSetImageLabelRelative(virSecurityManager *mgr,
                                     virDomainDef *def,
                                     virStorageSource *src,
                                     virStorageSource *parent,
-                                    virSecurityDomainImageLabelFlags flags)
+                                    virSecurityDomainImageLabelFlags flags,
+                                    bool migrated)
 {
     virStorageSource *n;
 
     for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
         const bool isChainTop = flags & VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP;
 
-        if (virSecurityDACSetImageLabelSingle(mgr, def, n, parent, isChainTop) < 0)
+        if (virSecurityDACSetImageLabelSingle(mgr, def, n, parent, isChainTop, migrated) < 0)
             return -1;
 
         if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
@@ -961,13 +964,23 @@ virSecurityDACSetImageLabelRelative(virSecurityManager *mgr,
     return 0;
 }
 
+static int
+virSecurityDACSetImageLabelInt(virSecurityManager *mgr,
+                               virDomainDef *def,
+                               virStorageSource *src,
+                               virSecurityDomainImageLabelFlags flags,
+                               bool migrated)
+{
+    return virSecurityDACSetImageLabelRelative(mgr, def, src, src, flags, migrated);
+}
+
 static int
 virSecurityDACSetImageLabel(virSecurityManager *mgr,
                             virDomainDef *def,
                             virStorageSource *src,
                             virSecurityDomainImageLabelFlags flags)
 {
-    return virSecurityDACSetImageLabelRelative(mgr, def, src, src, flags);
+    return virSecurityDACSetImageLabelInt(mgr, def, src, flags, false);
 }
 
 static int
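Review bot: The new virSecurityDACSetImageLabelInt wrapper and the unchanged public virSecurityDACSetImageLabel carry no comment on what `migrated` means, so a reader has to trace back to virSecurityDACSetAllLabel to learn that the public entry point deliberately hard-codes `false` while only SetAllLabel forwards the driver's flag. A short comment above the Int variant, such as `/* @migrated: true when labelling the destination side of a migration; images on a shared filesystem then keep the labels the source host already remembered (see virSecurityDACSetImageLabelSingle). */`, and a one-liner on the public function, `/* Non-migration entry point: images are never treated as migrated here. */`, would make that contract explicit. The same applies to the virSecuritySELinuxSetImageLabelInt hunk in security_selinux.c.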
@@ -2118,7 +2131,7 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr,
                           virDomainDef *def,
                           const char *incomingPath G_GNUC_UNUSED,
                           bool chardevStdioLogd,
-                          bool migrated G_GNUC_UNUSED)
+                          bool migrated)
 {
     virSecurityDACData *priv = virSecurityManagerGetPrivateData(mgr);
     virSecurityLabelDef *secdef;
@@ -2140,9 +2153,10 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr,
         /* XXX fixme - we need to recursively label the entire tree :-( */
         if (virDomainDiskGetType(def->disks[i]) == VIR_STORAGE_TYPE_DIR)
             continue;
-        if (virSecurityDACSetImageLabel(mgr, def, def->disks[i]->src,
-                                        VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN |
-                                        VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP) < 0)
+        if (virSecurityDACSetImageLabelInt(mgr, def, def->disks[i]->src,
+                                           VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN |
+                                           VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP,
+                                           migrated) < 0)
             return -1;
     }
 
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index f6fa412de89a..78d0e610f68c 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1809,7 +1809,8 @@ virSecuritySELinuxSetImageLabelSingle(virSecurityManager *mgr,
                                       virDomainDef *def,
                                       virStorageSource *src,
                                       virStorageSource *parent,
-                                      bool isChainTop)
+                                      bool isChainTop,
+                                      bool migrated)
 {
     virSecuritySELinuxData *data = virSecurityManagerGetPrivateData(mgr);
     virSecurityLabelDef *secdef;
@@ -1840,7 +1841,8 @@ virSecuritySELinuxSetImageLabelSingle(virSecurityManager *mgr,
      * but the top layer, or read only image, or disk explicitly
      * marked as shared.
      */
-    remember = isChainTop && !src->readonly && !src->shared;
+    remember = isChainTop && !src->readonly && !src->shared &&
+               !(migrated && virFileIsSharedFS(src->path) > 0);
 
     disk_seclabel = virStorageSourceGetSecurityLabelDef(src,
                                                         SECURITY_SELINUX_NAME);
@@ -1905,14 +1907,15 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityManager *mgr,
                                         virDomainDef *def,
                                         virStorageSource *src,
                                         virStorageSource *parent,
-                                        virSecurityDomainImageLabelFlags flags)
+                                        virSecurityDomainImageLabelFlags flags,
+                                        bool migrated)
 {
     virStorageSource *n;
 
     for (n = src; virStorageSourceIsBacking(n); n = n->backingStore) {
         const bool isChainTop = flags & VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP;
 
-        if (virSecuritySELinuxSetImageLabelSingle(mgr, def, n, parent, isChainTop) < 0)
+        if (virSecuritySELinuxSetImageLabelSingle(mgr, def, n, parent, isChainTop, migrated) < 0)
             return -1;
 
         if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
@@ -1925,13 +1928,24 @@ virSecuritySELinuxSetImageLabelRelative(virSecurityManager *mgr,
 }
 
 
+static int
+virSecuritySELinuxSetImageLabelInt(virSecurityManager *mgr,
+                                   virDomainDef *def,
+                                   virStorageSource *src,
+                                   virSecurityDomainImageLabelFlags flags,
+                                   bool migrated)
+{
+    return virSecuritySELinuxSetImageLabelRelative(mgr, def, src, src, flags, migrated);
+}
+
+
 static int
 virSecuritySELinuxSetImageLabel(virSecurityManager *mgr,
                                 virDomainDef *def,
                                 virStorageSource *src,
                                 virSecurityDomainImageLabelFlags flags)
 {
-    return virSecuritySELinuxSetImageLabelRelative(mgr, def, src, src, flags);
+    return virSecuritySELinuxSetImageLabelInt(mgr, def, src, flags, false);
 }
 
 struct virSecuritySELinuxMoveImageMetadataData {
@@ -3156,7 +3170,7 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr,
                               virDomainDef *def,
                               const char *incomingPath G_GNUC_UNUSED,
                               bool chardevStdioLogd,
-                              bool migrated G_GNUC_UNUSED)
+                              bool migrated)
 {
     size_t i;
     virSecuritySELinuxData *data = virSecurityManagerGetPrivateData(mgr);
@@ -3180,9 +3194,10 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr,
                      def->disks[i]->dst);
             continue;
         }
-        if (virSecuritySELinuxSetImageLabel(mgr, def, def->disks[i]->src,
-                                            VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN |
-                                            VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP) < 0)
+        if (virSecuritySELinuxSetImageLabelInt(mgr, def, def->disks[i]->src,
+                                               VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN |
+                                               VIR_SECURITY_DOMAIN_IMAGE_PARENT_CHAIN_TOP,
+                                               migrated) < 0)
             return -1;
     }
     /* XXX fixme process  def->fss if relabel == true */
-- 
2.31.1





