Re: [PATCH 07/10] qemu: Propagate shared_filesystems

On Wed, Mar 20, 2024 at 10:19:12 +0100, Andrea Bolognani wrote:
> virFileIsSharedFS() is the function that ultimately decides
> whether a filesystem should be considered shared, but the list
> of manually configured shared filesystems is part of the QEMU
> driver's configuration, so we need to pass the information
> through several layers in order to make use of it.
> 
> Note that with this change the list is propagated all the way
> through, but its contents are still ignored, so the behavior
> remains the same for now.
> 
> Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
> ---
>  src/lxc/lxc_controller.c         |  2 +-
>  src/lxc/lxc_driver.c             |  2 +-
>  src/lxc/lxc_process.c            |  4 ++--
>  src/qemu/qemu_domain.c           |  2 +-
>  src/qemu/qemu_extdevice.c        |  2 +-
>  src/qemu/qemu_migration.c        | 12 ++++++++----
>  src/qemu/qemu_security.c         | 14 ++++++++++++--
>  src/qemu/qemu_tpm.c              | 27 ++++++++++++++++++---------
>  src/qemu/qemu_tpm.h              |  8 +++++---
>  src/security/security_apparmor.c |  2 ++
>  src/security/security_dac.c      | 17 +++++++++++++----
>  src/security/security_driver.h   |  4 ++++
>  src/security/security_manager.c  | 20 ++++++++++++++------
>  src/security/security_manager.h  |  4 ++++
>  src/security/security_nop.c      |  4 ++++
>  src/security/security_selinux.c  | 18 +++++++++++++++---
>  src/security/security_stack.c    | 16 ++++++++++++----
>  src/util/virfile.c               |  5 +++--
>  src/util/virfile.h               |  3 ++-
>  tests/securityselinuxlabeltest.c |  2 +-
>  tests/virfiletest.c              |  2 +-
>  21 files changed, 124 insertions(+), 46 deletions(-)


[...]


> @@ -1355,7 +1363,7 @@ virSecurityManagerMetadataLock(virSecurityManager *mgr G_GNUC_UNUSED,
>              }
>  #endif /* !WIN32 */
>  
> -            if (virFileIsSharedFS(p)) {
> +            if (virFileIsSharedFS(p, NULL)) {

As virSecurityManagerMetadataLock is passed all of the functions that
security labelling is happening on, it feels weird to have one instance
where it's not. Any reason you didn't pass it in? It should not matter,
as locally the files shouldn't return an error.

If you have a reason, explain it in a comment please.

>                  /* Probably a root squashed NFS. */
>                  continue;
>              }
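
Review bot: the `virFileIsSharedFS(p, NULL)` call in virSecurityManagerMetadataLock() hard-codes NULL for the new argument, so this is the one path where the configured shared_filesystems list can never take effect. Once the list contents are honoured, a path that is shared only by manual configuration would not hit the `continue` here and would proceed past the "root squashed NFS" skip, unlike the other callers. Either pass the list in (the `mgr` parameter is currently marked G_GNUC_UNUSED, so that annotation would need to go if the list is taken from the manager), or add a comment above the call stating why NULL is correct for metadata locking.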

Rest looks good