The virSecurityDomainSetTPMLabels() and virSecurityDomainRestoreTPMLabels() APIs set/restore label on two files/directories: 1) the TPM state (tpm->data.emulator.storagepath), and 2) the TPM log file (tpm->data.emulator.logfile). Soon there will be a need to set the label on the log file but not on the state. Therefore, extend these APIs for a boolean flag that when set does both, but when unset does only 2). Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
--- src/qemu/qemu_security.c | 6 ++--- src/security/security_driver.h | 6 +++-- src/security/security_manager.c | 10 +++++---- src/security/security_manager.h | 6 +++-- src/security/security_selinux.c | 40 +++++++++++++++++++++------------ src/security/security_stack.c | 12 +++++----- 6 files changed, 50 insertions(+), 30 deletions(-)
diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
index 5b7d5f30c2..d9a1ee5f56 100644
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@@ -535,7 +535,7 @@ qemuSecurityStartTPMEmulator(virQEMUDriver *driver, transactionStarted = true; if (virSecurityManagerSetTPMLabels(driver->securityManager, - vm->def) < 0) { + vm->def, true) < 0) { virSecurityManagerTransactionAbort(driver->securityManager); return -1; }
@@ -560,7 +560,7 @@ qemuSecurityStartTPMEmulator(virQEMUDriver *driver, virSecurityManagerTransactionStart(driver->securityManager) >= 0) transactionStarted = true; - virSecurityManagerRestoreTPMLabels(driver->securityManager, vm->def); + virSecurityManagerRestoreTPMLabels(driver->securityManager, vm->def, true); if (transactionStarted && virSecurityManagerTransactionCommit(driver->securityManager,
@@ -583,7 +583,7 @@ qemuSecurityCleanupTPMEmulator(virQEMUDriver *driver, if (virSecurityManagerTransactionStart(driver->securityManager) >= 0) transactionStarted = true; - virSecurityManagerRestoreTPMLabels(driver->securityManager, vm->def); + virSecurityManagerRestoreTPMLabels(driver->securityManager, vm->def, true); if (transactionStarted && virSecurityManagerTransactionCommit(driver->securityManager,
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index a1fc23be38..fe6982ceca 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -154,9 +154,11 @@ typedef int (*virSecurityDomainRestoreChardevLabel) (virSecurityManager *mgr, virDomainChrSourceDef *dev_source, bool chardevStdioLogd); typedef int (*virSecurityDomainSetTPMLabels) (virSecurityManager *mgr, - virDomainDef *def); + virDomainDef *def, + bool setTPMStateLabel); typedef int (*virSecurityDomainRestoreTPMLabels) (virSecurityManager *mgr, - virDomainDef *def); + virDomainDef *def, + bool restoreTPMStateLabel); typedef int (*virSecurityDomainSetNetdevLabel) (virSecurityManager *mgr, virDomainDef *def, virDomainNetDef *net);
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 572e400a48..2f8e89cb04 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
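Review bot: The new `setTPMStateLabel` / `restoreTPMStateLabel` parameters in these two typedefs, and the matching prototypes in the security_manager.h hunk at @@ -214, carry the whole behavioural change but are described only in the commit message, so a reader of the header cannot tell that `false` still labels the log file. A one-line comment above each prototype would close that gap, e.g. `/* setTPMStateLabel: also (re)label tpm->data.emulator.storagepath; the emulator log file is always handled */`. The diffstat shows only the SELinux and stack drivers being adapted to the new callback signature; if any other security driver installs these callbacks it would now mismatch the typedef — presumably none does, but that is worth confirming since an incompatible function-pointer initializer may only produce a warning on older compilers.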
@@ -1188,27 +1188,29 @@ virSecurityManagerRestoreChardevLabel(virSecurityManager *mgr, int virSecurityManagerSetTPMLabels(virSecurityManager *mgr, - virDomainDef *vm) + virDomainDef *vm, + bool setTPMStateLabel) { VIR_LOCK_GUARD lock = virObjectLockGuard(mgr); if (!mgr->drv->domainSetSecurityTPMLabels) return 0; - return mgr->drv->domainSetSecurityTPMLabels(mgr, vm); + return mgr->drv->domainSetSecurityTPMLabels(mgr, vm, setTPMStateLabel); } int virSecurityManagerRestoreTPMLabels(virSecurityManager *mgr, - virDomainDef *vm) + virDomainDef *vm, + bool restoreTPMStateLabel) { VIR_LOCK_GUARD lock = virObjectLockGuard(mgr); if (!mgr->drv->domainRestoreSecurityTPMLabels) return 0; - return mgr->drv->domainRestoreSecurityTPMLabels(mgr, vm); + return mgr->drv->domainRestoreSecurityTPMLabels(mgr, vm, restoreTPMStateLabel); }
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index bb3855efef..60597ffc0a 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -214,10 +214,12 @@ int virSecurityManagerRestoreChardevLabel(virSecurityManager *mgr, bool chardevStdioLogd); int virSecurityManagerSetTPMLabels(virSecurityManager *mgr, - virDomainDef *vm); + virDomainDef *vm, + bool setTPMStateLabel); int virSecurityManagerRestoreTPMLabels(virSecurityManager *mgr, - virDomainDef *vm); + virDomainDef *vm, + bool restoreTPMStateLabel); int virSecurityManagerSetNetdevLabel(virSecurityManager *mgr, virDomainDef *vm,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 92e85c92e0..415a26a386 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3526,7 +3526,8 @@ virSecuritySELinuxRestoreFileLabels(virSecurityManager *mgr, static int virSecuritySELinuxSetTPMLabels(virSecurityManager *mgr, - virDomainDef *def) + virDomainDef *def, + bool setTPMStateLabel) { int ret = 0; size_t i;
@@ -3540,13 +3541,18 @@ virSecuritySELinuxSetTPMLabels(virSecurityManager *mgr, if (def->tpms[i]->type != VIR_DOMAIN_TPM_TYPE_EMULATOR) continue; - ret = virSecuritySELinuxSetFileLabels( - mgr, def->tpms[i]->data.emulator.storagepath, - seclabel); - if (ret == 0 && def->tpms[i]->data.emulator.logfile) - ret = virSecuritySELinuxSetFileLabels( - mgr, def->tpms[i]->data.emulator.logfile, - seclabel); + if (setTPMStateLabel) { + ret = virSecuritySELinuxSetFileLabels(mgr, + def->tpms[i]->data.emulator.storagepath, + seclabel); + } + + if (ret == 0 && + def->tpms[i]->data.emulator.logfile) { + ret = virSecuritySELinuxSetFileLabels(mgr, + def->tpms[i]->data.emulator.logfile, + seclabel); + } } return ret;
@@ -3555,7 +3561,8 @@ virSecuritySELinuxSetTPMLabels(virSecurityManager *mgr, static int virSecuritySELinuxRestoreTPMLabels(virSecurityManager *mgr, - virDomainDef *def) + virDomainDef *def, + bool restoreTPMStateLabel) { int ret = 0; size_t i;
@@ -3564,11 +3571,16 @@ virSecuritySELinuxRestoreTPMLabels(virSecurityManager *mgr, if (def->tpms[i]->type != VIR_DOMAIN_TPM_TYPE_EMULATOR) continue; - ret = virSecuritySELinuxRestoreFileLabels( - mgr, def->tpms[i]->data.emulator.storagepath); - if (ret == 0 && def->tpms[i]->data.emulator.logfile) - ret = virSecuritySELinuxRestoreFileLabels( - mgr, def->tpms[i]->data.emulator.logfile); + if (restoreTPMStateLabel) { + ret = virSecuritySELinuxRestoreFileLabels(mgr, + def->tpms[i]->data.emulator.storagepath); + } + + if (ret == 0 && + def->tpms[i]->data.emulator.logfile) { + ret = virSecuritySELinuxRestoreFileLabels(mgr, + def->tpms[i]->data.emulator.logfile); + } } return ret;
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 0c72f93a20..560f797030 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
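Review bot: In the rewritten loop body of virSecuritySELinuxSetTPMLabels() a failure is not terminal: the loop moves on to the next TPM, and when `setTPMStateLabel` is true the next iteration's `ret = virSecuritySELinuxSetFileLabels(mgr, ...storagepath, seclabel)` overwrites the earlier -1, so a domain with more than one emulator TPM can get a 0 return although one TPM's files were left unlabelled (with the flag false the `ret == 0` guard instead silently skips the remaining log files). This is inherited from the replaced lines, but since they are being restructured anyway, adding `if (ret < 0) break;` as the last statement of the loop body makes the first failure the function's result in both modes. The restore hunk at @@ -3564 has the same shape; there, where continuing to restore the remaining TPMs is probably the better policy, recording the failure (`if (virSecuritySELinuxRestoreFileLabels(...) < 0) ret = -1;`) instead of reassigning `ret`, and dropping the `ret == 0 &&` guard, would keep the error without stopping early. Both functions start in the preceding hunks (the `int ret = 0;` declaration is there) and the `seclabel` lookup is outside the visible lines.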
@@ -916,14 +916,15 @@ virSecurityStackDomainRestoreChardevLabel(virSecurityManager *mgr, static int virSecurityStackSetTPMLabels(virSecurityManager *mgr, - virDomainDef *vm) + virDomainDef *vm, + bool setTPMStateLabel) { virSecurityStackData *priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackItem *item = priv->itemsHead; for (; item; item = item->next) { if (virSecurityManagerSetTPMLabels(item->securityManager, - vm) < 0) + vm, setTPMStateLabel) < 0) goto rollback; }
@@ -932,7 +933,7 @@ virSecurityStackSetTPMLabels(virSecurityManager *mgr, rollback: for (item = item->prev; item; item = item->prev) { if (virSecurityManagerRestoreTPMLabels(item->securityManager, - vm) < 0) { + vm, setTPMStateLabel) < 0) { VIR_WARN("Unable to restore TPM label after failed set label " "call virDriver=%s driver=%s domain=%s", virSecurityManagerGetVirtDriver(mgr),
@@ -946,7 +947,8 @@ virSecurityStackSetTPMLabels(virSecurityManager *mgr, static int virSecurityStackRestoreTPMLabels(virSecurityManager *mgr, - virDomainDef *vm) + virDomainDef *vm, + bool restoreTPMStateLabel) { virSecurityStackData *priv = virSecurityManagerGetPrivateData(mgr); virSecurityStackItem *item = priv->itemsHead;
@@ -954,7 +956,7 @@ virSecurityStackRestoreTPMLabels(virSecurityManager *mgr, for (; item; item = item->next) { if (virSecurityManagerRestoreTPMLabels(item->securityManager, - vm) < 0) + vm, restoreTPMStateLabel) < 0) rc = -1; } -- 2.37.4