Signed-off-by: Nikolai Barybin <nikolai.barybin@xxxxxxxxxxxxx>
---
 src/security/security_dac.c | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index a179378a78..0505f4e4a3 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -969,6 +969,13 @@ virSecurityDACSetImageLabel(virSecurityManager *mgr,
 def, n, parent, isChainTop) < 0)
 return -1;
 
+ /* Unlike backing images, data files are not designed to be shared by
+ * anyone. Thus, we always consider them as chain top. */
+ if (n->dataFileStore &&
+ virSecurityDACSetImageLabelInternal(mgr, sharedFilesystems, def,
+ n->dataFileStore, n, true) < 0)
+ return -1;
+
 if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
 break;
 
@@ -1065,8 +1072,16 @@ virSecurityDACRestoreImageLabel(virSecurityManager *mgr,
 virStorageSource *src,
 virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
 {
- return virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems,
- def, src, false);
+ if (virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems,
+ def, src, false) < 0)
+ return -1;
+
+ if (src->dataFileStore &&
+ virSecurityDACRestoreImageLabelInt(mgr, sharedFilesystems,
+ def, src->dataFileStore, false) < 0)
+ return -1;
+
+ return 0;
 }
 
 
@@ -1946,6 +1961,14 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr,
 def->disks[i]->src,
 migrated) < 0)
 rc = -1;
+
+ if (def->disks[i]->src->dataFileStore &&
+ virSecurityDACRestoreImageLabelInt(mgr,
+ sharedFilesystems,
+ def,
+ def->disks[i]->src->dataFileStore,
+ migrated) < 0)
+ rc = -1;
 }
 
 for (i = 0; i < def->ngraphics; i++) {
-- 
2.43.5
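Review bot: The added call in virSecurityDACSetImageLabel labels `n->dataFileStore` with `isChainTop` hard-coded to `true` on every pass, so when `VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN` is set, each backing image's data file is treated as a chain top too. The restore paths in the other two hunks only handle the top image's `src->dataFileStore` and `def->disks[i]->src->dataFileStore`. If chain-top status is what makes the internal helper record the original owner (its body is not visible here), data files of backing layers would be relabelled and recorded but never restored, and a data file under a shared backing image is itself shared between domains. Consider passing the caller's value through, `n->dataFileStore, n, isChainTop) < 0)`, or extending the comment to say why backing-layer data files can safely be treated as unshared. The enclosing loop starts and ends outside the hunk.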
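Review bot: In virSecurityDACRestoreImageLabel the early `return -1;` after the first virSecurityDACRestoreImageLabelInt() call skips `src->dataFileStore` whenever restoring the main image fails, so the data file keeps the label that was set for the domain. virSecurityDACRestoreAllLabel in the last hunk continues and accumulates `rc = -1` instead, which suits a cleanup path better. The same pattern here would be `int rc = 0;` at the top, `rc = -1;` in place of both early returns, and `return rc;` at the end, so both files are always attempted.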
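Review bot: The "restore image, then restore its data file" pair is now open-coded both in this loop of virSecurityDACRestoreAllLabel and in virSecurityDACRestoreImageLabel, so any other caller of virSecurityDACRestoreImageLabelInt() (none is visible in this patch) would silently leave the data file labelled. Handling `src->dataFileStore` inside virSecurityDACRestoreImageLabelInt, or in one small static helper taking `src` and `migrated`, would keep the restore side paired with the set side in a single place and avoid repeating `def->disks[i]->src->dataFileStore`. The loop body starts outside the hunk.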