From: Peter Krempa <pkrempa@xxxxxxxxxx> In case of incoming migration where a local directory is shared to other hosts we'll need to avoid seclabel remembering as the code would remember the seclabel already allowing access to the image. As the decision requires a lot of information not available in the security driver it would either require plumbing in unpleasant callbacks able to pass in the data or alternatively we can mark this in the 'virStorageSource' struct. This patch chose to do the latter approach by adding a field called 'seclabelSkipRemember' which will be filled before starting the process in cases when it will be required. Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx> Reviewed-by: Andrea Bolognani <abologna@xxxxxxxxxx> Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx> --- src/conf/storage_source_conf.c | 3 +++ src/conf/storage_source_conf.h | 9 +++++++++ src/security/security_dac.c | 3 +++ src/security/security_selinux.c | 3 +++ 4 files changed, 18 insertions(+) diff --git a/src/conf/storage_source_conf.c b/src/conf/storage_source_conf.c index 908bc5fab2..5b9a80f100 100644 --- a/src/conf/storage_source_conf.c +++ b/src/conf/storage_source_conf.c @@ -820,6 +820,9 @@ virStorageSourceCopy(const virStorageSource *src, /* storage driver metadata are not copied */ def->drv = NULL; + /* flag to avoid seclabel remember is not copied */ + def->seclabelSkipRemember = false; + def->path = g_strdup(src->path); def->fdgroup = g_strdup(src->fdgroup); def->volume = g_strdup(src->volume); diff --git a/src/conf/storage_source_conf.h b/src/conf/storage_source_conf.h index 05b4bda16c..a507116007 100644 --- a/src/conf/storage_source_conf.h +++ b/src/conf/storage_source_conf.h @@ -431,6 +431,15 @@ struct _virStorageSource { bool thresholdEventWithIndex; virStorageSourceFDTuple *fdtuple; + + /* Setting 'seclabelSkipRemember' to true will cause the security driver to + * not remember the security label even if it otherwise were to be + * remembered. This is needed in cases such as incoming migration for + * shared images where the existing security label may no longer be the + * correct. The security driver otherwise doesn't have enough information + * to do this decision. + */ + bool seclabelSkipRemember; }; G_DEFINE_AUTOPTR_CLEANUP_FUNC(virStorageSource, virObjectUnref); diff --git a/src/security/security_dac.c b/src/security/security_dac.c index c327e4c9e0..fdc11876c9 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -940,6 +940,9 @@ virSecurityDACSetImageLabelInternal(virSecurityManager *mgr, */ remember = isChainTop && !src->readonly && !src->shared; + if (src->seclabelSkipRemember) + remember = false; + return virSecurityDACSetOwnership(mgr, src, NULL, user, group, remember); } diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 779a52ac11..3e213a553b 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1992,6 +1992,9 @@ virSecuritySELinuxSetImageLabelInternal(virSecurityManager *mgr, ret = virSecuritySELinuxFSetFilecon(src->fdtuple->fds[0], use_label); } else { + if (src->seclabelSkipRemember) + remember = false; + ret = virSecuritySELinuxSetFilecon(mgr, path, use_label, remember); } -- 2.46.0