[PATCH] Change security driver APIs to use virDomainDefPtr instead of virDomainObjPtr


 



From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

When sVirt is integrated with the LXC driver, it will be necessary
to invoke the security driver APIs using only a virDomainDefPtr
since the lxc_container.c code has no virDomainObjPtr available.
Aside from two functions which want obj->pid, every bit of the
security driver code only touches obj->def. So we don't need to
pass a virDomainObjPtr into the security drivers, a virDomainDefPtr
is sufficient. Two functions also gain a 'pid_t pid' argument.

* src/qemu/qemu_driver.c, src/qemu/qemu_hotplug.c,
  src/qemu/qemu_migration.c, src/qemu/qemu_process.c,
  src/security/security_apparmor.c,
  src/security/security_dac.c,
  src/security/security_driver.h,
  src/security/security_manager.c,
  src/security/security_manager.h,
  src/security/security_nop.c,
  src/security/security_selinux.c,
  src/security/security_stack.c: Change all security APIs to use a
  virDomainDefPtr instead of virDomainObjPtr
---
 src/qemu/qemu_driver.c           |   10 +-
 src/qemu/qemu_hotplug.c          |   28 ++--
 src/qemu/qemu_migration.c        |   12 +-
 src/qemu/qemu_process.c          |   24 ++--
 src/security/security_apparmor.c |  136 ++++++++++----------
 src/security/security_dac.c      |   91 +++++++-------
 src/security/security_driver.h   |   36 +++---
 src/security/security_manager.c  |   40 +++---
 src/security/security_manager.h  |   36 +++---
 src/security/security_nop.c      |   36 +++---
 src/security/security_selinux.c  |  260 +++++++++++++++++++-------------------
 src/security/security_stack.c    |   44 ++++---
 12 files changed, 381 insertions(+), 372 deletions(-)

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 6cfdd1d..6e001ce 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -3096,7 +3096,7 @@ qemuDomainScreenshot(virDomainPtr dom,
     }
     unlink_tmp = true;
 
-    virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp);
+    virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp);
 
     qemuDomainObjEnterMonitor(driver, vm);
     if (qemuMonitorScreendump(priv->mon, tmp) < 0) {
@@ -3868,7 +3868,7 @@ static int qemudDomainGetSecurityLabel(virDomainPtr dom, virSecurityLabelPtr sec
      */
     if (virDomainObjIsActive(vm)) {
         if (virSecurityManagerGetProcessLabel(driver->securityManager,
-                                              vm, seclabel) < 0) {
+                                              vm->def, vm->pid, seclabel) < 0) {
             qemuReportError(VIR_ERR_INTERNAL_ERROR,
                             "%s", _("Failed to get security label"));
             goto cleanup;
@@ -4167,7 +4167,7 @@ qemuDomainSaveImageStartVM(virConnectPtr conn,
 out:
     virCommandFree(cmd);
     if (virSecurityManagerRestoreSavedStateLabel(driver->securityManager,
-                                                 vm, path) < 0)
+                                                 vm->def, path) < 0)
         VIR_WARN("failed to restore save state label on %s", path);
 
     return ret;
@@ -7584,7 +7584,7 @@ qemudDomainMemoryPeek (virDomainPtr dom,
         goto endjob;
     }
 
-    virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm, tmp);
+    virSecurityManagerSetSavedStateLabel(qemu_driver->securityManager, vm->def, tmp);
 
     priv = vm->privateData;
     qemuDomainObjEnterMonitor(driver, vm);
@@ -9064,7 +9064,7 @@ qemuDomainSnapshotCreateSingleDiskActive(struct qemud_driver *driver,
 
     if (virDomainLockDiskAttach(driver->lockManager, vm, disk) < 0)
         goto cleanup;
-    if (virSecurityManagerSetImageLabel(driver->securityManager, vm,
+    if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def,
                                         disk) < 0) {
         if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
             VIR_WARN("Unable to release lock on %s", source);
diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index 96c0070..684fede 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -88,7 +88,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver,
         return -1;
 
     if (virSecurityManagerSetImageLabel(driver->securityManager,
-                                        vm, disk) < 0) {
+                                        vm->def, disk) < 0) {
         if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
             VIR_WARN("Unable to release lock on %s", disk->src);
         return -1;
@@ -120,7 +120,7 @@ int qemuDomainChangeEjectableMedia(struct qemud_driver *driver,
         goto error;
 
     if (virSecurityManagerRestoreImageLabel(driver->securityManager,
-                                            vm, origdisk) < 0)
+                                            vm->def, origdisk) < 0)
         VIR_WARN("Unable to restore security label on ejected image %s", origdisk->src);
 
     if (virDomainLockDiskDetach(driver->lockManager, vm, origdisk) < 0)
@@ -141,7 +141,7 @@ error:
     VIR_FREE(driveAlias);
 
     if (virSecurityManagerRestoreImageLabel(driver->securityManager,
-                                            vm, disk) < 0)
+                                            vm->def, disk) < 0)
         VIR_WARN("Unable to restore security label on new media %s", disk->src);
 
     if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@@ -209,7 +209,7 @@ int qemuDomainAttachPciDiskDevice(virConnectPtr conn,
         return -1;
 
     if (virSecurityManagerSetImageLabel(driver->securityManager,
-                                        vm, disk) < 0) {
+                                        vm->def, disk) < 0) {
         if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
             VIR_WARN("Unable to release lock on %s", disk->src);
         return -1;
@@ -283,7 +283,7 @@ error:
         VIR_WARN("Unable to release PCI address on %s", disk->src);
 
     if (virSecurityManagerRestoreImageLabel(driver->securityManager,
-                                            vm, disk) < 0)
+                                            vm->def, disk) < 0)
         VIR_WARN("Unable to restore security label on %s", disk->src);
 
     if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@@ -439,7 +439,7 @@ int qemuDomainAttachSCSIDisk(virConnectPtr conn,
         return -1;
 
     if (virSecurityManagerSetImageLabel(driver->securityManager,
-                                        vm, disk) < 0) {
+                                        vm->def, disk) < 0) {
         if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
             VIR_WARN("Unable to release lock on %s", disk->src);
         return -1;
@@ -530,7 +530,7 @@ error:
     VIR_FREE(drivestr);
 
     if (virSecurityManagerRestoreImageLabel(driver->securityManager,
-                                            vm, disk) < 0)
+                                            vm->def, disk) < 0)
         VIR_WARN("Unable to restore security label on %s", disk->src);
 
     if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@@ -562,7 +562,7 @@ int qemuDomainAttachUsbMassstorageDevice(virConnectPtr conn,
         return -1;
 
     if (virSecurityManagerSetImageLabel(driver->securityManager,
-                                        vm, disk) < 0) {
+                                        vm->def, disk) < 0) {
         if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
             VIR_WARN("Unable to release lock on %s", disk->src);
         return -1;
@@ -623,7 +623,7 @@ error:
     VIR_FREE(drivestr);
 
     if (virSecurityManagerRestoreImageLabel(driver->securityManager,
-                                            vm, disk) < 0)
+                                            vm->def, disk) < 0)
         VIR_WARN("Unable to restore security label on %s", disk->src);
 
     if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
@@ -1112,7 +1112,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver,
 
 
     if (virSecurityManagerSetHostdevLabel(driver->securityManager,
-                                          vm, hostdev) < 0)
+                                          vm->def, hostdev) < 0)
         return -1;
 
     switch (hostdev->source.subsys.type) {
@@ -1139,7 +1139,7 @@ int qemuDomainAttachHostDevice(struct qemud_driver *driver,
 
 error:
     if (virSecurityManagerRestoreHostdevLabel(driver->securityManager,
-                                              vm, hostdev) < 0)
+                                              vm->def, hostdev) < 0)
         VIR_WARN("Unable to restore host device labelling on hotplug fail");
 
     return -1;
@@ -1572,7 +1572,7 @@ int qemuDomainDetachPciDiskDevice(struct qemud_driver *driver,
     virDomainDiskDefFree(detach);
 
     if (virSecurityManagerRestoreImageLabel(driver->securityManager,
-                                            vm, dev->data.disk) < 0)
+                                            vm->def, dev->data.disk) < 0)
         VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
 
     if (cgroup != NULL) {
@@ -1654,7 +1654,7 @@ int qemuDomainDetachDiskDevice(struct qemud_driver *driver,
     virDomainDiskDefFree(detach);
 
     if (virSecurityManagerRestoreImageLabel(driver->securityManager,
-                                            vm, dev->data.disk) < 0)
+                                            vm->def, dev->data.disk) < 0)
         VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
 
     if (cgroup != NULL) {
@@ -2162,7 +2162,7 @@ int qemuDomainDetachHostDevice(struct qemud_driver *driver,
     }
 
     if (virSecurityManagerRestoreHostdevLabel(driver->securityManager,
-                                              vm, dev->data.hostdev) < 0)
+                                              vm->def, dev->data.hostdev) < 0)
         VIR_WARN("Failed to restore host device labelling");
 
     return ret;
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 8ae989a..b3ef894 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1749,13 +1749,13 @@ static int doNativeMigrate(struct qemud_driver *driver,
             virReportOOMError();
             goto cleanup;
         }
-        if (virSecurityManagerSetSocketLabel(driver->securityManager, vm) < 0)
+        if (virSecurityManagerSetSocketLabel(driver->securityManager, vm->def) < 0)
             goto cleanup;
         if (virNetSocketNewConnectTCP(uribits->server, tmp, &sock) == 0) {
             spec.dest.fd.qemu = virNetSocketDupFD(sock, true);
             virNetSocketFree(sock);
         }
-        if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0 ||
+        if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0 ||
             spec.dest.fd.qemu == -1)
             goto cleanup;
     } else {
@@ -1822,7 +1822,7 @@ static int doTunnelMigrate(struct qemud_driver *driver,
             spec.dest.fd.local = fds[0];
         }
         if (spec.dest.fd.qemu == -1 ||
-            virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
+            virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
                                               spec.dest.fd.qemu) < 0) {
             virReportSystemError(errno, "%s",
                         _("cannot create pipe for tunnelled migration"));
@@ -2842,7 +2842,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
          * doesn't have to open() the file, so while we still have to
          * grant SELinux access, we can do it on fd and avoid cleanup
          * later, as well as skip futzing with cgroup.  */
-        if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm,
+        if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def,
                                               compressor ? pipeFD[1] : fd) < 0)
             goto cleanup;
         bypassSecurityDriver = true;
@@ -2876,7 +2876,7 @@ qemuMigrationToFile(struct qemud_driver *driver, virDomainObjPtr vm,
         }
         if ((!bypassSecurityDriver) &&
             virSecurityManagerSetSavedStateLabel(driver->securityManager,
-                                                 vm, path) < 0)
+                                                 vm->def, path) < 0)
             goto cleanup;
         restoreLabel = true;
     }
@@ -2951,7 +2951,7 @@ cleanup:
     virCommandFree(cmd);
     if (restoreLabel && (!bypassSecurityDriver) &&
         virSecurityManagerRestoreSavedStateLabel(driver->securityManager,
-                                                 vm, path) < 0)
+                                                 vm->def, path) < 0)
         VIR_WARN("failed to restore save state label on %s", path);
 
     if (cgroup != NULL) {
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 2563f97..58ce333 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -839,7 +839,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm)
     qemuMonitorPtr mon = NULL;
 
     if (virSecurityManagerSetDaemonSocketLabel(driver->securityManager,
-                                               vm) < 0) {
+                                               vm->def) < 0) {
         VIR_ERROR(_("Failed to set security context for monitor for %s"),
                   vm->def->name);
         goto error;
@@ -872,7 +872,7 @@ qemuConnectMonitor(struct qemud_driver *driver, virDomainObjPtr vm)
     }
     priv->mon = mon;
 
-    if (virSecurityManagerClearSocketLabel(driver->securityManager, vm) < 0) {
+    if (virSecurityManagerClearSocketLabel(driver->securityManager, vm->def) < 0) {
         VIR_ERROR(_("Failed to clear security context for monitor for %s"),
                   vm->def->name);
         goto error;
@@ -2163,7 +2163,7 @@ static int qemuProcessHook(void *data)
      * sockets the lock driver opens that we don't want
      * labelled. So far we're ok though.
      */
-    if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm) < 0)
+    if (virSecurityManagerSetSocketLabel(h->driver->securityManager, h->vm->def) < 0)
         goto cleanup;
     if (virDomainLockProcessStart(h->driver->lockManager,
                                   h->vm,
@@ -2171,7 +2171,7 @@ static int qemuProcessHook(void *data)
                                   true,
                                   &fd) < 0)
         goto cleanup;
-    if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm) < 0)
+    if (virSecurityManagerClearSocketLabel(h->driver->securityManager, h->vm->def) < 0)
         goto cleanup;
 
     if (qemuProcessLimits(h->driver) < 0)
@@ -2194,7 +2194,7 @@ static int qemuProcessHook(void *data)
         return -1;
 
     VIR_DEBUG("Setting up security labelling");
-    if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm) < 0)
+    if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm->def) < 0)
         goto cleanup;
 
     ret = 0;
@@ -2656,7 +2656,7 @@ qemuProcessReconnect(void *opaque)
             goto error;
     }
 
-    if (virSecurityManagerReserveLabel(driver->securityManager, obj) < 0)
+    if (virSecurityManagerReserveLabel(driver->securityManager, obj->def, obj->pid) < 0)
         goto error;
 
     if (qemuProcessNotifyNets(obj->def) < 0)
@@ -2894,7 +2894,7 @@ int qemuProcessStart(virConnectPtr conn,
     /* If you are using a SecurityDriver with dynamic labelling,
        then generate a security label for isolation */
     VIR_DEBUG("Generating domain security label (if required)");
-    if (virSecurityManagerGenLabel(driver->securityManager, vm) < 0) {
+    if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) {
         virDomainAuditSecurityLabel(vm, false);
         goto cleanup;
     }
@@ -3128,7 +3128,7 @@ int qemuProcessStart(virConnectPtr conn,
 
     VIR_DEBUG("Setting domain security labels");
     if (virSecurityManagerSetAllLabel(driver->securityManager,
-                                      vm, stdin_path) < 0)
+                                      vm->def, stdin_path) < 0)
         goto cleanup;
 
     if (stdin_fd != -1) {
@@ -3145,7 +3145,7 @@ int qemuProcessStart(virConnectPtr conn,
             goto cleanup;
         }
         if (S_ISFIFO(stdin_sb.st_mode) &&
-            virSecurityManagerSetImageFDLabel(driver->securityManager, vm, stdin_fd) < 0)
+            virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, stdin_fd) < 0)
             goto cleanup;
     }
 
@@ -3398,8 +3398,8 @@ void qemuProcessStop(struct qemud_driver *driver,
 
     /* Reset Security Labels */
     virSecurityManagerRestoreAllLabel(driver->securityManager,
-                                      vm, migrated);
-    virSecurityManagerReleaseLabel(driver->securityManager, vm);
+                                      vm->def, migrated);
+    virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
 
     /* Clear out dynamically assigned labels */
     if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
@@ -3548,7 +3548,7 @@ int qemuProcessAttach(virConnectPtr conn ATTRIBUTE_UNUSED,
     if (VIR_ALLOC(seclabel) < 0)
         goto no_memory;
     if (virSecurityManagerGetProcessLabel(driver->securityManager,
-                                          vm, seclabel) < 0)
+                                          vm->def, vm->pid, seclabel) < 0)
         goto cleanup;
     if (!(vm->def->seclabel.model = strdup(driver->caps->host.secModel.model)))
         goto no_memory;
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 299dcc6..4848d85 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -47,7 +47,7 @@
 /* Data structure to pass to *FileIterate so we have everything we need */
 struct SDPDOP {
     virSecurityManagerPtr mgr;
-    virDomainObjPtr vm;
+    virDomainDefPtr def;
 };
 
 /*
@@ -159,7 +159,7 @@ profile_status_file(const char *str)
 static int
 load_profile(virSecurityManagerPtr mgr,
              const char *profile,
-             virDomainObjPtr vm,
+             virDomainDefPtr def,
              const char *fn,
              bool append)
 {
@@ -170,7 +170,7 @@ load_profile(virSecurityManagerPtr mgr,
     const char *probe = virSecurityManagerGetAllowDiskFormatProbing(mgr)
         ? "1" : "0";
 
-    xml = virDomainDefFormat(vm->def, VIR_DOMAIN_XML_SECURE);
+    xml = virDomainDefFormat(def, VIR_DOMAIN_XML_SECURE);
     if (!xml)
         goto clean;
 
@@ -212,12 +212,12 @@ remove_profile(const char *profile)
 }
 
 static char *
-get_profile_name(virDomainObjPtr vm)
+get_profile_name(virDomainDefPtr def)
 {
     char uuidstr[VIR_UUID_STRING_BUFLEN];
     char *name = NULL;
 
-    virUUIDFormat(vm->def->uuid, uuidstr);
+    virUUIDFormat(def->uuid, uuidstr);
     if (virAsprintf(&name, "%s%s", AA_PREFIX, uuidstr) < 0) {
         virReportOOMError();
         return NULL;
@@ -257,23 +257,23 @@ cleanup:
  */
 static int
 reload_profile(virSecurityManagerPtr mgr,
-               virDomainObjPtr vm,
+               virDomainDefPtr def,
                const char *fn,
                bool append)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     int rc = -1;
     char *profile_name = NULL;
 
     if (secdef->norelabel)
         return 0;
 
-    if ((profile_name = get_profile_name(vm)) == NULL)
+    if ((profile_name = get_profile_name(def)) == NULL)
         return rc;
 
     /* Update the profile only if it is loaded */
     if (profile_loaded(secdef->imagelabel) >= 0) {
-        if (load_profile(mgr, secdef->imagelabel, vm, fn, append) < 0) {
+        if (load_profile(mgr, secdef->imagelabel, def, fn, append) < 0) {
             virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                    _("cannot update AppArmor profile "
                                      "\'%s\'"),
@@ -294,10 +294,10 @@ AppArmorSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
                            const char *file, void *opaque)
 {
     struct SDPDOP *ptr = opaque;
-    virDomainObjPtr vm = ptr->vm;
+    virDomainDefPtr def = ptr->def;
 
-    if (reload_profile(ptr->mgr, vm, file, true) < 0) {
-        const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    if (reload_profile(ptr->mgr, def, file, true) < 0) {
+        const virSecurityLabelDefPtr secdef = &def->seclabel;
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                _("cannot update AppArmor profile "
                                  "\'%s\'"),
@@ -312,10 +312,10 @@ AppArmorSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
                            const char *file, void *opaque)
 {
     struct SDPDOP *ptr = opaque;
-    virDomainObjPtr vm = ptr->vm;
+    virDomainDefPtr def = ptr->def;
 
-    if (reload_profile(ptr->mgr, vm, file, true) < 0) {
-        const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    if (reload_profile(ptr->mgr, def, file, true) < 0) {
+        const virSecurityLabelDefPtr secdef = &def->seclabel;
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                _("cannot update AppArmor profile "
                                  "\'%s\'"),
@@ -390,56 +390,56 @@ AppArmorSecurityManagerGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
 */
 static int
 AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                         virDomainObjPtr vm)
+                         virDomainDefPtr def)
 {
     int rc = -1;
     char *profile_name = NULL;
 
-    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
+    if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
         return 0;
 
-    if (vm->def->seclabel.baselabel) {
+    if (def->seclabel.baselabel) {
         virSecurityReportError(VIR_ERR_CONFIG_UNSUPPORTED,
                                "%s", _("Cannot set a base label with AppArmour"));
         return rc;
     }
 
-    if ((vm->def->seclabel.label) ||
-        (vm->def->seclabel.model) || (vm->def->seclabel.imagelabel)) {
+    if ((def->seclabel.label) ||
+        (def->seclabel.model) || (def->seclabel.imagelabel)) {
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                "%s",
                                _("security label already defined for VM"));
         return rc;
     }
 
-    if ((profile_name = get_profile_name(vm)) == NULL)
+    if ((profile_name = get_profile_name(def)) == NULL)
         return rc;
 
-    vm->def->seclabel.label = strndup(profile_name, strlen(profile_name));
-    if (!vm->def->seclabel.label) {
+    def->seclabel.label = strndup(profile_name, strlen(profile_name));
+    if (!def->seclabel.label) {
         virReportOOMError();
         goto clean;
     }
 
     /* set imagelabel the same as label (but we won't use it) */
-    vm->def->seclabel.imagelabel = strndup(profile_name,
+    def->seclabel.imagelabel = strndup(profile_name,
                                            strlen(profile_name));
-    if (!vm->def->seclabel.imagelabel) {
+    if (!def->seclabel.imagelabel) {
         virReportOOMError();
         goto err;
     }
 
-    vm->def->seclabel.model = strdup(SECURITY_APPARMOR_NAME);
-    if (!vm->def->seclabel.model) {
+    def->seclabel.model = strdup(SECURITY_APPARMOR_NAME);
+    if (!def->seclabel.model) {
         virReportOOMError();
         goto err;
     }
 
     /* Now that we have a label, load the profile into the kernel. */
-    if (load_profile(mgr, vm->def->seclabel.label, vm, NULL, false) < 0) {
+    if (load_profile(mgr, def->seclabel.label, def, NULL, false) < 0) {
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                _("cannot load AppArmor profile "
-                               "\'%s\'"), vm->def->seclabel.label);
+                               "\'%s\'"), def->seclabel.label);
         goto err;
     }
 
@@ -447,9 +447,9 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     goto clean;
 
   err:
-    VIR_FREE(vm->def->seclabel.label);
-    VIR_FREE(vm->def->seclabel.imagelabel);
-    VIR_FREE(vm->def->seclabel.model);
+    VIR_FREE(def->seclabel.label);
+    VIR_FREE(def->seclabel.imagelabel);
+    VIR_FREE(def->seclabel.model);
 
   clean:
     VIR_FREE(profile_name);
@@ -459,15 +459,15 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 static int
 AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
-                            virDomainObjPtr vm, const char *stdin_path)
+                            virDomainDefPtr def, const char *stdin_path)
 {
-    if (vm->def->seclabel.norelabel)
+    if (def->seclabel.norelabel)
         return 0;
 
     /* Reload the profile if stdin_path is specified. Note that
        GenSecurityLabel() will have already been run. */
     if (stdin_path)
-        return reload_profile(mgr, vm, stdin_path, true);
+        return reload_profile(mgr, def, stdin_path, true);
 
     return 0;
 }
@@ -477,13 +477,14 @@ AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr,
  */
 static int
 AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                virDomainObjPtr vm,
+                                virDomainDefPtr def,
+                                pid_t pid,
                                 virSecurityLabelPtr sec)
 {
     int rc = -1;
     char *profile_name = NULL;
 
-    if ((profile_name = get_profile_name(vm)) == NULL)
+    if ((profile_name = get_profile_name(def)) == NULL)
         return rc;
 
     if (virStrcpy(sec->label, profile_name,
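Review bot: The new `pid_t pid` parameter of AppArmorGetSecurityProcessLabel is not referenced in the visible lines and, unlike the same addition to AppArmorReserveSecurityLabel later in this patch, is not marked with the file's `ATTRIBUTE_UNUSED` convention; if the remainder of the body (outside this hunk) does not use it either, change it to `pid_t pid ATTRIBUTE_UNUSED,` to match. It is also worth stating that the label returned here comes from get_profile_name(def), i.e. from the domain definition's UUID, and is not read from the running process, e.g. `/* Label is derived from the def's UUID, not queried from the process */`. The function's body continues past the end of the hunk.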
@@ -511,9 +512,9 @@ AppArmorGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
  */
 static int
 AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                             virDomainObjPtr vm)
+                             virDomainDefPtr def)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
 
     VIR_FREE(secdef->model);
     VIR_FREE(secdef->label);
@@ -525,10 +526,10 @@ AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 static int
 AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                virDomainObjPtr vm,
+                                virDomainDefPtr def,
                                 int migrated ATTRIBUTE_UNUSED)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     int rc = 0;
 
     if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
@@ -545,13 +546,13 @@ AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
  * LOCALSTATEDIR/log/libvirt/qemu/<vm name>.log
  */
 static int
-AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm)
+AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainDefPtr def)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     int rc = -1;
     char *profile_name = NULL;
 
-    if ((profile_name = get_profile_name(vm)) == NULL)
+    if ((profile_name = get_profile_name(def)) == NULL)
         return rc;
 
     if (STRNEQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@@ -579,21 +580,21 @@ AppArmorSetSecurityProcessLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm)
 
 static int
 AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                     virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                                     virDomainDefPtr vm ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int
 AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                               virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                               virDomainDefPtr def ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int
 AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                 virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                                 virDomainDefPtr def ATTRIBUTE_UNUSED)
 {
     return 0;
 }
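Review bot: In AppArmorSetSecurityDaemonSocketLabel the converted parameter keeps the name `vm` (`virDomainDefPtr vm ATTRIBUTE_UNUSED`), while every other function in this file, including the two sibling no-ops in the same hunk, names its virDomainDefPtr `def`; rename it to `virDomainDefPtr def ATTRIBUTE_UNUSED)` so the name no longer suggests a virDomainObjPtr.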
@@ -602,18 +603,18 @@ AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 /* Called when hotplugging */
 static int
 AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
-                                  virDomainObjPtr vm,
+                                  virDomainDefPtr def,
                                   virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
 {
-    return reload_profile(mgr, vm, NULL, false);
+    return reload_profile(mgr, def, NULL, false);
 }
 
 /* Called when hotplugging */
 static int
 AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
-                              virDomainObjPtr vm, virDomainDiskDefPtr disk)
+                              virDomainDefPtr def, virDomainDiskDefPtr disk)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     int rc = -1;
     char *profile_name;
 
@@ -631,12 +632,12 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
             return rc;
         }
 
-        if ((profile_name = get_profile_name(vm)) == NULL)
+        if ((profile_name = get_profile_name(def)) == NULL)
             return rc;
 
         /* update the profile only if it is loaded */
         if (profile_loaded(secdef->imagelabel) >= 0) {
-            if (load_profile(mgr, secdef->imagelabel, vm, disk->src,
+            if (load_profile(mgr, secdef->imagelabel, def, disk->src,
                              false) < 0) {
                 virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                      _("cannot update AppArmor profile "
@@ -673,7 +674,8 @@ AppArmorSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 static int
 AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                             virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                             virDomainDefPtr def ATTRIBUTE_UNUSED,
+                             pid_t pid ATTRIBUTE_UNUSED)
 {
     /* NOOP. Nothing to reserve with AppArmor */
     return 0;
@@ -681,11 +683,11 @@ AppArmorReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 static int
 AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
-                                virDomainObjPtr vm,
+                                virDomainDefPtr def,
                                 virDomainHostdevDefPtr dev)
 
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     struct SDPDOP *ptr;
     int ret = -1;
 
@@ -701,7 +703,7 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
     if (VIR_ALLOC(ptr) < 0)
         return -1;
     ptr->mgr = mgr;
-    ptr->vm = vm;
+    ptr->def = def;
 
     switch (dev->source.subsys.type) {
     case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
@@ -743,44 +745,44 @@ done:
 
 static int
 AppArmorRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
-                                    virDomainObjPtr vm,
+                                    virDomainDefPtr def,
                                     virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
 
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     if (secdef->norelabel)
         return 0;
 
-    return reload_profile(mgr, vm, NULL, false);
+    return reload_profile(mgr, def, NULL, false);
 }
 
 static int
 AppArmorSetSavedStateLabel(virSecurityManagerPtr mgr,
-                           virDomainObjPtr vm,
+                           virDomainDefPtr def,
                            const char *savefile)
 {
-    return reload_profile(mgr, vm, savefile, true);
+    return reload_profile(mgr, def, savefile, true);
 }
 
 
 static int
 AppArmorRestoreSavedStateLabel(virSecurityManagerPtr mgr,
-                               virDomainObjPtr vm,
+                               virDomainDefPtr def,
                                const char *savefile ATTRIBUTE_UNUSED)
 {
-    return reload_profile(mgr, vm, NULL, false);
+    return reload_profile(mgr, def, NULL, false);
 }
 
 static int
 AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
-                        virDomainObjPtr vm,
+                        virDomainDefPtr def,
                         int fd)
 {
     int rc = -1;
     char *proc = NULL;
     char *fd_path = NULL;
 
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
 
     if (secdef->imagelabel == NULL)
         return 0;
@@ -796,7 +798,7 @@ AppArmorSetImageFDLabel(virSecurityManagerPtr mgr,
         return rc;
     }
 
-    return reload_profile(mgr, vm, fd_path, true);
+    return reload_profile(mgr, def, fd_path, true);
 }
 
 virSecurityDriver virAppArmorSecurityDriver = {
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 0e75319..9c0017b 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -171,7 +171,7 @@ virSecurityDACSetSecurityFileLabel(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
 
 static int
 virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
-                                    virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                    virDomainDefPtr def ATTRIBUTE_UNUSED,
                                     virDomainDiskDefPtr disk)
 
 {
@@ -190,7 +190,7 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
-                                           virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                           virDomainDefPtr def ATTRIBUTE_UNUSED,
                                            virDomainDiskDefPtr disk,
                                            int migrated)
 {
@@ -235,10 +235,10 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
 
 static int
 virSecurityDACRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
-                                        virDomainObjPtr vm,
+                                        virDomainDefPtr def,
                                         virDomainDiskDefPtr disk)
 {
-    return virSecurityDACRestoreSecurityImageLabelInt(mgr, vm, disk, 0);
+    return virSecurityDACRestoreSecurityImageLabelInt(mgr, def, disk, 0);
 }
 
 
@@ -268,7 +268,7 @@ virSecurityDACSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
 
 static int
 virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
-                                      virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                      virDomainDefPtr def ATTRIBUTE_UNUSED,
                                       virDomainHostdevDefPtr dev)
 {
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -338,7 +338,7 @@ virSecurityDACRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
 
 static int
 virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
-                                           virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                           virDomainDefPtr def ATTRIBUTE_UNUSED,
                                            virDomainHostdevDefPtr dev)
 
 {
@@ -489,7 +489,7 @@ virSecurityDACRestoreChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
 
 static int
 virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
-                                      virDomainObjPtr vm,
+                                      virDomainDefPtr def,
                                       int migrated)
 {
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -501,34 +501,34 @@ virSecurityDACRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
 
 
     VIR_DEBUG("Restoring security label on %s migrated=%d",
-              vm->def->name, migrated);
+              def->name, migrated);
 
-    for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+    for (i = 0 ; i < def->nhostdevs ; i++) {
         if (virSecurityDACRestoreSecurityHostdevLabel(mgr,
-                                                      vm,
-                                                      vm->def->hostdevs[i]) < 0)
+                                                      def,
+                                                      def->hostdevs[i]) < 0)
             rc = -1;
     }
-    for (i = 0 ; i < vm->def->ndisks ; i++) {
+    for (i = 0 ; i < def->ndisks ; i++) {
         if (virSecurityDACRestoreSecurityImageLabelInt(mgr,
-                                                       vm,
-                                                       vm->def->disks[i],
+                                                       def,
+                                                       def->disks[i],
                                                        migrated) < 0)
             rc = -1;
     }
 
-    if (virDomainChrDefForeach(vm->def,
+    if (virDomainChrDefForeach(def,
                                false,
                                virSecurityDACRestoreChardevCallback,
                                mgr) < 0)
         rc = -1;
 
-    if (vm->def->os.kernel &&
-        virSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
+    if (def->os.kernel &&
+        virSecurityDACRestoreSecurityFileLabel(def->os.kernel) < 0)
         rc = -1;
 
-    if (vm->def->os.initrd &&
-        virSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
+    if (def->os.initrd &&
+        virSecurityDACRestoreSecurityFileLabel(def->os.initrd) < 0)
         rc = -1;
 
     return rc;
@@ -548,7 +548,7 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
 
 static int
 virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
-                                  virDomainObjPtr vm,
+                                  virDomainDefPtr def,
                                   const char *stdin_path ATTRIBUTE_UNUSED)
 {
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -557,36 +557,36 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
     if (!priv->dynamicOwnership)
         return 0;
 
-    for (i = 0 ; i < vm->def->ndisks ; i++) {
+    for (i = 0 ; i < def->ndisks ; i++) {
         /* XXX fixme - we need to recursively label the entire tree :-( */
-        if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR)
+        if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR)
             continue;
         if (virSecurityDACSetSecurityImageLabel(mgr,
-                                                vm,
-                                                vm->def->disks[i]) < 0)
+                                                def,
+                                                def->disks[i]) < 0)
             return -1;
     }
-    for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+    for (i = 0 ; i < def->nhostdevs ; i++) {
         if (virSecurityDACSetSecurityHostdevLabel(mgr,
-                                                  vm,
-                                                  vm->def->hostdevs[i]) < 0)
+                                                  def,
+                                                  def->hostdevs[i]) < 0)
             return -1;
     }
 
-    if (virDomainChrDefForeach(vm->def,
+    if (virDomainChrDefForeach(def,
                                true,
                                virSecurityDACSetChardevCallback,
                                mgr) < 0)
         return -1;
 
-    if (vm->def->os.kernel &&
-        virSecurityDACSetOwnership(vm->def->os.kernel,
+    if (def->os.kernel &&
+        virSecurityDACSetOwnership(def->os.kernel,
                                     priv->user,
                                     priv->group) < 0)
         return -1;
 
-    if (vm->def->os.initrd &&
-        virSecurityDACSetOwnership(vm->def->os.initrd,
+    if (def->os.initrd &&
+        virSecurityDACSetOwnership(def->os.initrd,
                                     priv->user,
                                     priv->group) < 0)
         return -1;
@@ -597,7 +597,7 @@ virSecurityDACSetSecurityAllLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr,
-                                 virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                 virDomainDefPtr def ATTRIBUTE_UNUSED,
                                  const char *savefile)
 {
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -608,7 +608,7 @@ virSecurityDACSetSavedStateLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr,
-                                     virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                     virDomainDefPtr def ATTRIBUTE_UNUSED,
                                      const char *savefile)
 {
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -622,11 +622,11 @@ virSecurityDACRestoreSavedStateLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityDACSetProcessLabel(virSecurityManagerPtr mgr,
-                              virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                              virDomainDefPtr def ATTRIBUTE_UNUSED)
 {
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
 
-    VIR_DEBUG("Dropping privileges of VM to %u:%u",
+    VIR_DEBUG("Dropping privileges of DEF to %u:%u",
               (unsigned int) priv->user, (unsigned int) priv->group);
 
     if (virSetUIDGID(priv->user, priv->group) < 0)
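Review bot: The log text on the `VIR_DEBUG` line was caught by the vm→def search-and-replace: "Dropping privileges of DEF to %u:%u" reads as a variable name, not as a message, and "DEF" means nothing to someone reading the debug log. The old wording was correct since the privileges being dropped are still those of the domain's process; keep `VIR_DEBUG("Dropping privileges of VM to %u:%u",` or, if the renamed parameter should be reflected, log `def->name` instead. The body of virSecurityDACSetProcessLabel continues past the end of the hunk.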
@@ -645,28 +645,30 @@ virSecurityDACVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 static int
 virSecurityDACGenLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                       virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                       virDomainDefPtr def ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int
 virSecurityDACReleaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                           virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                           virDomainDefPtr def ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int
 virSecurityDACReserveLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                           virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                           virDomainDefPtr def ATTRIBUTE_UNUSED,
+                           pid_t pid ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int
 virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                              virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                              virDomainDefPtr def ATTRIBUTE_UNUSED,
+                              pid_t pid ATTRIBUTE_UNUSED,
                               virSecurityLabelPtr seclabel ATTRIBUTE_UNUSED)
 {
     return 0;
@@ -674,7 +676,7 @@ virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 static int
 virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                   virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                                   virDomainDefPtr vm ATTRIBUTE_UNUSED)
 {
     return 0;
 }
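Review bot: virSecurityDACSetDaemonSocketLabel keeps the parameter name `vm` while every sibling in this file was renamed to `def` in the same commit, so the DAC driver now reads `virDomainDefPtr vm` here and `virDomainDefPtr def` everywhere else. The same leftover appears in the virSecurityDomainSetDaemonSocketLabel typedef in security_driver.h and the virSecurityManagerSetDaemonSocketLabel prototype in security_manager.h; the nop driver at the end of this chunk also keeps `vm` throughout, which is at least consistent within that file. For this hunk the line should read `virDomainDefPtr def ATTRIBUTE_UNUSED)`.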
@@ -682,7 +684,7 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 static int
 virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                             virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                             virDomainDefPtr def ATTRIBUTE_UNUSED)
 {
     return 0;
 }
@@ -690,20 +692,19 @@ virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 static int
 virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                 virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                               virDomainDefPtr def ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int
 virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                              virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                              virDomainDefPtr def ATTRIBUTE_UNUSED,
                               int fd ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
-
 virSecurityDriver virSecurityDriverDAC = {
     sizeof(virSecurityDACData),
     "virDAC",
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index aea90b0..f0ace1c 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -39,50 +39,52 @@ typedef const char *(*virSecurityDriverGetModel) (virSecurityManagerPtr mgr);
 typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr);
 
 typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
-                                                   virDomainObjPtr vm,
+                                                   virDomainDefPtr def,
                                                    virDomainDiskDefPtr disk);
 typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
-                                                     virDomainObjPtr vm);
+                                                     virDomainDefPtr vm);
 typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
-                                                virDomainObjPtr vm);
+                                                virDomainDefPtr def);
 typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
-                                                virDomainObjPtr vm);
+                                                virDomainDefPtr def);
 typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
-                                               virDomainObjPtr vm,
+                                               virDomainDefPtr def,
                                                virDomainDiskDefPtr disk);
 typedef int (*virSecurityDomainRestoreHostdevLabel) (virSecurityManagerPtr mgr,
-                                                     virDomainObjPtr vm,
+                                                     virDomainDefPtr def,
                                                      virDomainHostdevDefPtr dev);
 typedef int (*virSecurityDomainSetHostdevLabel) (virSecurityManagerPtr mgr,
-                                                 virDomainObjPtr vm,
+                                                 virDomainDefPtr def,
                                                  virDomainHostdevDefPtr dev);
 typedef int (*virSecurityDomainSetSavedStateLabel) (virSecurityManagerPtr mgr,
-                                                    virDomainObjPtr vm,
+                                                    virDomainDefPtr def,
                                                     const char *savefile);
 typedef int (*virSecurityDomainRestoreSavedStateLabel) (virSecurityManagerPtr mgr,
-                                                        virDomainObjPtr vm,
+                                                        virDomainDefPtr def,
                                                         const char *savefile);
 typedef int (*virSecurityDomainGenLabel) (virSecurityManagerPtr mgr,
-                                          virDomainObjPtr sec);
+                                          virDomainDefPtr sec);
 typedef int (*virSecurityDomainReserveLabel) (virSecurityManagerPtr mgr,
-                                              virDomainObjPtr sec);
+                                              virDomainDefPtr sec,
+                                              pid_t pid);
 typedef int (*virSecurityDomainReleaseLabel) (virSecurityManagerPtr mgr,
-                                              virDomainObjPtr sec);
+                                              virDomainDefPtr sec);
 typedef int (*virSecurityDomainSetAllLabel) (virSecurityManagerPtr mgr,
-                                             virDomainObjPtr sec,
+                                             virDomainDefPtr sec,
                                              const char *stdin_path);
 typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManagerPtr mgr,
-                                                 virDomainObjPtr vm,
+                                                 virDomainDefPtr def,
                                                  int migrated);
 typedef int (*virSecurityDomainGetProcessLabel) (virSecurityManagerPtr mgr,
-                                                 virDomainObjPtr vm,
+                                                 virDomainDefPtr def,
+                                                 pid_t pid,
                                                  virSecurityLabelPtr sec);
 typedef int (*virSecurityDomainSetProcessLabel) (virSecurityManagerPtr mgr,
-                                                 virDomainObjPtr vm);
+                                                 virDomainDefPtr def);
 typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr,
                                                 virDomainDefPtr def);
 typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr,
-                                                 virDomainObjPtr vm,
+                                                 virDomainDefPtr def,
                                                  int fd);
 
 struct _virSecurityDriver {
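Review bot: The new `pid_t pid` parameter on virSecurityDomainReserveLabel and virSecurityDomainGetProcessLabel is undocumented, and these typedefs are the contract every security driver implements. The commit message says it replaces the former `obj->pid` lookup, so the caller is now responsible for supplying the right process; a one-line comment above each typedef, e.g. `/* pid: the domain's running process, used in place of the former vm->pid */`, would make that ownership explicit for driver authors and for the LXC caller this change is preparing for. The same note applies to the matching virSecurityManagerReserveLabel and virSecurityManagerGetProcessLabel prototypes in security_manager.h. If security_driver.h does not already pull in `<sys/types.h>` through its existing includes (not visible in this hunk), `pid_t` will need it.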
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index cae9b83..2e4956a 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -150,7 +150,7 @@ bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr)
 }
 
 int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
-                                        virDomainObjPtr vm,
+                                        virDomainDefPtr vm,
                                         virDomainDiskDefPtr disk)
 {
     if (mgr->drv->domainRestoreSecurityImageLabel)
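Review bot: The definitions in security_manager.c name the new virDomainDefPtr parameter `vm` while the prototypes in security_manager.h name it `def` (and in some cases `sec`), so the declaration and definition of the same function disagree on what the argument is called; this is legal C but it makes the manager layer look as if it still received a virDomainObjPtr. This applies to every hunk in security_manager.c in this chunk, from virSecurityManagerRestoreImageLabel through virSecurityManagerSetImageFDLabel. Renaming the parameter to `def` here, i.e. `virDomainDefPtr def,`, would bring the .c file in line with the header and with the driver implementations.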
@@ -161,7 +161,7 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
-                                           virDomainObjPtr vm)
+                                           virDomainDefPtr vm)
 {
     if (mgr->drv->domainSetSecurityDaemonSocketLabel)
         return mgr->drv->domainSetSecurityDaemonSocketLabel(mgr, vm);
@@ -171,7 +171,7 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
-                                     virDomainObjPtr vm)
+                                     virDomainDefPtr vm)
 {
     if (mgr->drv->domainSetSecuritySocketLabel)
         return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
@@ -181,7 +181,7 @@ int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
-                                       virDomainObjPtr vm)
+                                       virDomainDefPtr vm)
 {
     if (mgr->drv->domainClearSecuritySocketLabel)
         return mgr->drv->domainClearSecuritySocketLabel(mgr, vm);
@@ -191,7 +191,7 @@ int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
-                                    virDomainObjPtr vm,
+                                    virDomainDefPtr vm,
                                     virDomainDiskDefPtr disk)
 {
     if (mgr->drv->domainSetSecurityImageLabel)
@@ -202,7 +202,7 @@ int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
-                                          virDomainObjPtr vm,
+                                          virDomainDefPtr vm,
                                           virDomainHostdevDefPtr dev)
 {
     if (mgr->drv->domainRestoreSecurityHostdevLabel)
@@ -213,7 +213,7 @@ int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
-                                      virDomainObjPtr vm,
+                                      virDomainDefPtr vm,
                                       virDomainHostdevDefPtr dev)
 {
     if (mgr->drv->domainSetSecurityHostdevLabel)
@@ -224,7 +224,7 @@ int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
-                                         virDomainObjPtr vm,
+                                         virDomainDefPtr vm,
                                          const char *savefile)
 {
     if (mgr->drv->domainSetSavedStateLabel)
@@ -235,7 +235,7 @@ int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
-                                             virDomainObjPtr vm,
+                                             virDomainDefPtr vm,
                                              const char *savefile)
 {
     if (mgr->drv->domainRestoreSavedStateLabel)
@@ -246,7 +246,7 @@ int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
-                               virDomainObjPtr vm)
+                               virDomainDefPtr vm)
 {
     if (mgr->drv->domainGenSecurityLabel)
         return mgr->drv->domainGenSecurityLabel(mgr, vm);
@@ -256,17 +256,18 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
-                                   virDomainObjPtr vm)
+                                   virDomainDefPtr vm,
+                                   pid_t pid)
 {
     if (mgr->drv->domainReserveSecurityLabel)
-        return mgr->drv->domainReserveSecurityLabel(mgr, vm);
+        return mgr->drv->domainReserveSecurityLabel(mgr, vm, pid);
 
     virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
     return -1;
 }
 
 int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
-                                   virDomainObjPtr vm)
+                                   virDomainDefPtr vm)
 {
     if (mgr->drv->domainReleaseSecurityLabel)
         return mgr->drv->domainReleaseSecurityLabel(mgr, vm);
@@ -276,7 +277,7 @@ int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
-                                  virDomainObjPtr vm,
+                                  virDomainDefPtr vm,
                                   const char *stdin_path)
 {
     if (mgr->drv->domainSetSecurityAllLabel)
@@ -287,7 +288,7 @@ int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
-                                      virDomainObjPtr vm,
+                                      virDomainDefPtr vm,
                                       int migrated)
 {
     if (mgr->drv->domainRestoreSecurityAllLabel)
@@ -298,18 +299,19 @@ int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
-                                      virDomainObjPtr vm,
+                                      virDomainDefPtr vm,
+                                      pid_t pid,
                                       virSecurityLabelPtr sec)
 {
     if (mgr->drv->domainGetSecurityProcessLabel)
-        return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, sec);
+        return mgr->drv->domainGetSecurityProcessLabel(mgr, vm, pid, sec);
 
     virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
     return -1;
 }
 
 int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr,
-                                      virDomainObjPtr vm)
+                                      virDomainDefPtr vm)
 {
     if (mgr->drv->domainSetSecurityProcessLabel)
         return mgr->drv->domainSetSecurityProcessLabel(mgr, vm);
@@ -337,7 +339,7 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr,
 }
 
 int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
-                                      virDomainObjPtr vm,
+                                      virDomainDefPtr vm,
                                       int fd)
 {
     if (mgr->drv->domainSetSecurityImageFDLabel)
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 12cd498..6731d59 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -51,50 +51,52 @@ const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
 bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
 
 int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
-                                        virDomainObjPtr vm,
+                                        virDomainDefPtr def,
                                         virDomainDiskDefPtr disk);
 int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
-                                           virDomainObjPtr vm);
+                                           virDomainDefPtr vm);
 int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
-                                     virDomainObjPtr vm);
+                                     virDomainDefPtr def);
 int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
-                                       virDomainObjPtr vm);
+                                       virDomainDefPtr def);
 int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
-                                    virDomainObjPtr vm,
+                                    virDomainDefPtr def,
                                     virDomainDiskDefPtr disk);
 int virSecurityManagerRestoreHostdevLabel(virSecurityManagerPtr mgr,
-                                          virDomainObjPtr vm,
+                                          virDomainDefPtr def,
                                           virDomainHostdevDefPtr dev);
 int virSecurityManagerSetHostdevLabel(virSecurityManagerPtr mgr,
-                                      virDomainObjPtr vm,
+                                      virDomainDefPtr def,
                                       virDomainHostdevDefPtr dev);
 int virSecurityManagerSetSavedStateLabel(virSecurityManagerPtr mgr,
-                                         virDomainObjPtr vm,
+                                         virDomainDefPtr def,
                                          const char *savefile);
 int virSecurityManagerRestoreSavedStateLabel(virSecurityManagerPtr mgr,
-                                             virDomainObjPtr vm,
+                                             virDomainDefPtr def,
                                              const char *savefile);
 int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
-                               virDomainObjPtr sec);
+                               virDomainDefPtr sec);
 int virSecurityManagerReserveLabel(virSecurityManagerPtr mgr,
-                                   virDomainObjPtr sec);
+                                   virDomainDefPtr sec,
+                                   pid_t pid);
 int virSecurityManagerReleaseLabel(virSecurityManagerPtr mgr,
-                                   virDomainObjPtr sec);
+                                   virDomainDefPtr sec);
 int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr,
-                                  virDomainObjPtr sec,
+                                  virDomainDefPtr sec,
                                   const char *stdin_path);
 int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr,
-                                      virDomainObjPtr vm,
+                                      virDomainDefPtr def,
                                       int migrated);
 int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr,
-                                      virDomainObjPtr vm,
+                                      virDomainDefPtr def,
+                                      pid_t pid,
                                       virSecurityLabelPtr sec);
 int virSecurityManagerSetProcessLabel(virSecurityManagerPtr mgr,
-                                      virDomainObjPtr vm);
+                                      virDomainDefPtr def);
 int virSecurityManagerVerify(virSecurityManagerPtr mgr,
                              virDomainDefPtr def);
 int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
-                                      virDomainObjPtr vm,
+                                      virDomainDefPtr def,
                                       int fd);
 
 #endif /* VIR_SECURITY_MANAGER_H__ */
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index a68a6c0..c3bd426 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -47,104 +47,106 @@ static const char * virSecurityDriverGetDOINop(virSecurityManagerPtr mgr ATTRIBU
 }
 
 static int virSecurityDomainRestoreImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                                 virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                                 virDomainDefPtr vm ATTRIBUTE_UNUSED,
                                                  virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                                    virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                                                    virDomainDefPtr vm ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                              virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                                              virDomainDefPtr vm ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                                virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                                                virDomainDefPtr vm ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainSetImageLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                             virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                             virDomainDefPtr vm ATTRIBUTE_UNUSED,
                                              virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainRestoreHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                                   virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                                   virDomainDefPtr vm ATTRIBUTE_UNUSED,
                                                    virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainSetHostdevLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                               virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                               virDomainDefPtr vm ATTRIBUTE_UNUSED,
                                                virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainSetSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                                  virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                                  virDomainDefPtr vm ATTRIBUTE_UNUSED,
                                                   const char *savefile ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 static int virSecurityDomainRestoreSavedStateLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                                      virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                                      virDomainDefPtr vm ATTRIBUTE_UNUSED,
                                                       const char *savefile ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainGenLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                        virDomainObjPtr sec ATTRIBUTE_UNUSED)
+                                        virDomainDefPtr sec ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainReserveLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                            virDomainObjPtr sec ATTRIBUTE_UNUSED)
+                                            virDomainDefPtr sec ATTRIBUTE_UNUSED,
+                                            pid_t pid ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainReleaseLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                            virDomainObjPtr sec ATTRIBUTE_UNUSED)
+                                            virDomainDefPtr sec ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                           virDomainObjPtr sec ATTRIBUTE_UNUSED,
+                                           virDomainDefPtr sec ATTRIBUTE_UNUSED,
                                            const char *stdin_path ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainRestoreAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                               virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                               virDomainDefPtr vm ATTRIBUTE_UNUSED,
                                                int migrated ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 static int virSecurityDomainGetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                               virDomainObjPtr vm ATTRIBUTE_UNUSED,
+                                               virDomainDefPtr vm ATTRIBUTE_UNUSED,
+                                               pid_t pid ATTRIBUTE_UNUSED,
                                                virSecurityLabelPtr sec ATTRIBUTE_UNUSED)
 {
     return 0;
 }
 
 static int virSecurityDomainSetProcessLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                               virDomainObjPtr vm ATTRIBUTE_UNUSED)
+                                               virDomainDefPtr vm ATTRIBUTE_UNUSED)
 {
     return 0;
 }
@@ -156,7 +158,7 @@ static int virSecurityDomainVerifyNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED
 }
 
 static int virSecurityDomainSetFDLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                          virDomainObjPtr sec ATTRIBUTE_UNUSED,
+                                          virDomainDefPtr sec ATTRIBUTE_UNUSED,
                                           int fd ATTRIBUTE_UNUSED)
 {
     return 0;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 78c0d45..8b7c0ed 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -162,7 +162,7 @@ SELinuxInitialize(void)
 
 static int
 SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                        virDomainObjPtr vm)
+                        virDomainDefPtr def)
 {
     int rc = -1;
     char *mcs = NULL;
@@ -171,40 +171,40 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     int c2 = 0;
     context_t ctx = NULL;
 
-    if ((vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
-        !vm->def->seclabel.baselabel &&
-        vm->def->seclabel.model) {
+    if ((def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
+        !def->seclabel.baselabel &&
+        def->seclabel.model) {
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                "%s", _("security model already defined for VM"));
         return rc;
     }
 
-    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
-        vm->def->seclabel.label) {
+    if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+        def->seclabel.label) {
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                "%s", _("security label already defined for VM"));
         return rc;
     }
 
-    if (vm->def->seclabel.imagelabel) {
+    if (def->seclabel.imagelabel) {
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                "%s", _("security image label already defined for VM"));
         return rc;
     }
 
-    if (vm->def->seclabel.model &&
-        STRNEQ(vm->def->seclabel.model, SECURITY_SELINUX_NAME)) {
+    if (def->seclabel.model &&
+        STRNEQ(def->seclabel.model, SECURITY_SELINUX_NAME)) {
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                _("security label model %s is not supported with selinux"),
-                               vm->def->seclabel.model);
+                               def->seclabel.model);
         return rc;
     }
 
-    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) {
-        if (!(ctx = context_new(vm->def->seclabel.label)) ) {
+    if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) {
+        if (!(ctx = context_new(def->seclabel.label)) ) {
             virReportSystemError(errno,
                                  _("unable to allocate socket security context '%s'"),
-                                 vm->def->seclabel.label);
+                                 def->seclabel.label);
             return rc;
         }
 
@@ -237,25 +237,25 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
             }
         } while (mcsAdd(mcs) == -1);
 
-        vm->def->seclabel.label =
-            SELinuxGenNewContext(vm->def->seclabel.baselabel ?
-                                 vm->def->seclabel.baselabel :
+        def->seclabel.label =
+            SELinuxGenNewContext(def->seclabel.baselabel ?
+                                 def->seclabel.baselabel :
                                  default_domain_context, mcs);
-        if (! vm->def->seclabel.label)  {
+        if (! def->seclabel.label)  {
             virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                    _("cannot generate selinux context for %s"), mcs);
             goto cleanup;
         }
     }
-    vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
-    if (!vm->def->seclabel.imagelabel)  {
+    def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
+    if (!def->seclabel.imagelabel)  {
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
                                _("cannot generate selinux context for %s"), mcs);
         goto cleanup;
     }
 
-    if (!vm->def->seclabel.model &&
-        !(vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
+    if (!def->seclabel.model &&
+        !(def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
         virReportOOMError();
         goto cleanup;
     }
@@ -264,12 +264,12 @@ SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 cleanup:
     if (rc != 0) {
-        if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
-            VIR_FREE(vm->def->seclabel.label);
-        VIR_FREE(vm->def->seclabel.imagelabel);
-        if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
-            !vm->def->seclabel.baselabel)
-            VIR_FREE(vm->def->seclabel.model);
+        if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
+            VIR_FREE(def->seclabel.label);
+        VIR_FREE(def->seclabel.imagelabel);
+        if (def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
+            !def->seclabel.baselabel)
+            VIR_FREE(def->seclabel.model);
     }
 
     if (ctx)
@@ -278,28 +278,29 @@ cleanup:
     VIR_FREE(mcs);
 
     VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
-              NULLSTR(vm->def->seclabel.model),
-              NULLSTR(vm->def->seclabel.label),
-              NULLSTR(vm->def->seclabel.imagelabel),
-              NULLSTR(vm->def->seclabel.baselabel));
+              NULLSTR(def->seclabel.model),
+              NULLSTR(def->seclabel.label),
+              NULLSTR(def->seclabel.imagelabel),
+              NULLSTR(def->seclabel.baselabel));
 
     return rc;
 }
 
 static int
 SELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                            virDomainObjPtr vm)
+                            virDomainDefPtr def,
+                            pid_t pid)
 {
     security_context_t pctx;
     context_t ctx = NULL;
     const char *mcs;
 
-    if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
+    if (def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
         return 0;
 
-    if (getpidcon(vm->pid, &pctx) == -1) {
+    if (getpidcon(pid, &pctx) == -1) {
         virReportSystemError(errno,
-                             _("unable to get PID %d security context"), vm->pid);
+                             _("unable to get PID %d security context"), pid);
         return -1;
     }
 
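Review bot: The new `pid` argument to SELinuxReserveSecurityLabel is undocumented, yet it now decides whose context getpidcon() reads and therefore what is reserved (presumably the MCS range, since the reservation itself lies outside this hunk); a caller that passes a stale or wrong pid would reserve on behalf of an unrelated process, and nothing in the function can detect that. Add a comment above the signature along the lines of `/* pid: the domain's already-running process; its current SELinux context is read via getpidcon() and must be the live domain pid, not 0 or a cached value */`. The same documentation is missing for the `pid` argument in the SELinuxGetSecurityProcessLabel hunk. SELinuxReserveSecurityLabel's body continues outside the hunk.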
@@ -360,15 +361,16 @@ static const char *SELinuxSecurityGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNU
 
 static int
 SELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                               virDomainObjPtr vm,
+                               virDomainDefPtr def ATTRIBUTE_UNUSED,
+                               pid_t pid,
                                virSecurityLabelPtr sec)
 {
     security_context_t ctx;
 
-    if (getpidcon(vm->pid, &ctx) == -1) {
+    if (getpidcon(pid, &ctx) == -1) {
         virReportSystemError(errno,
                              _("unable to get PID %d security context"),
-                             vm->pid);
+                             pid);
         return -1;
     }
 
@@ -543,11 +545,11 @@ err:
 
 static int
 SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                    virDomainObjPtr vm,
+                                    virDomainDefPtr def,
                                     virDomainDiskDefPtr disk,
                                     int migrated)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
 
     if (secdef->norelabel)
         return 0;
@@ -588,10 +590,10 @@ SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 static int
 SELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
-                                 virDomainObjPtr vm,
+                                 virDomainDefPtr def,
                                  virDomainDiskDefPtr disk)
 {
-    return SELinuxRestoreSecurityImageLabelInt(mgr, vm, disk, 0);
+    return SELinuxRestoreSecurityImageLabelInt(mgr, def, disk, 0);
 }
 
 
@@ -626,11 +628,11 @@ SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
 
 static int
 SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
-                             virDomainObjPtr vm,
+                             virDomainDefPtr def,
                              virDomainDiskDefPtr disk)
 
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr);
 
     if (secdef->norelabel)
@@ -648,8 +650,8 @@ static int
 SELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
                            const char *file, void *opaque)
 {
-    virDomainObjPtr vm = opaque;
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    virDomainDefPtr def = opaque;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
 
     return SELinuxSetFilecon(file, secdef->imagelabel);
 }
@@ -658,19 +660,19 @@ static int
 SELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
                            const char *file, void *opaque)
 {
-    virDomainObjPtr vm = opaque;
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    virDomainDefPtr def = opaque;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
 
     return SELinuxSetFilecon(file, secdef->imagelabel);
 }
 
 static int
 SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                               virDomainObjPtr vm,
+                               virDomainDefPtr def,
                                virDomainHostdevDefPtr dev)
 
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     int ret = -1;
 
     if (secdef->norelabel)
@@ -687,7 +689,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
         if (!usb)
             goto done;
 
-        ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, vm);
+        ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, def);
         usbFreeDevice(usb);
         break;
     }
@@ -701,7 +703,7 @@ SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
         if (!pci)
             goto done;
 
-        ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, vm);
+        ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, def);
         pciFreeDevice(pci);
 
         break;
@@ -735,11 +737,11 @@ SELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
 
 static int
 SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                                   virDomainObjPtr vm,
+                                   virDomainDefPtr def,
                                    virDomainHostdevDefPtr dev)
 
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     int ret = -1;
 
     if (secdef->norelabel)
@@ -788,11 +790,11 @@ done:
 
 
 static int
-SELinuxSetSecurityChardevLabel(virDomainObjPtr vm,
+SELinuxSetSecurityChardevLabel(virDomainDefPtr def,
                                virDomainChrSourceDefPtr dev)
 
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     char *in = NULL, *out = NULL;
     int ret = -1;
 
@@ -834,11 +836,11 @@ done:
 }
 
 static int
-SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm,
+SELinuxRestoreSecurityChardevLabel(virDomainDefPtr def,
                                    virDomainChrSourceDefPtr dev)
 
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     char *in = NULL, *out = NULL;
     int ret = -1;
 
@@ -882,27 +884,24 @@ done:
 
 
 static int
-SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def,
                                       virDomainChrDefPtr dev,
-                                      void *opaque)
+                                      void *opaque ATTRIBUTE_UNUSED)
 {
-    virDomainObjPtr vm = opaque;
-
     /* This is taken care of by processing of def->serials */
     if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
         dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
         return 0;
 
-    return SELinuxRestoreSecurityChardevLabel(vm, &dev->source);
+    return SELinuxRestoreSecurityChardevLabel(def, &dev->source);
 }
 
 
 static int
-SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
                                         virDomainSmartcardDefPtr dev,
-                                        void *opaque)
+                                        void *opaque ATTRIBUTE_UNUSED)
 {
-    virDomainObjPtr vm = opaque;
     const char *database;
 
     switch (dev->type) {
@@ -916,7 +915,7 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
         return SELinuxRestoreSecurityFileLabel(database);
 
     case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
-        return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru);
+        return SELinuxRestoreSecurityChardevLabel(def, &dev->data.passthru);
 
     default:
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
@@ -931,50 +930,50 @@ SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
 
 static int
 SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                               virDomainObjPtr vm,
+                               virDomainDefPtr def,
                                int migrated ATTRIBUTE_UNUSED)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     int i;
     int rc = 0;
 
-    VIR_DEBUG("Restoring security label on %s", vm->def->name);
+    VIR_DEBUG("Restoring security label on %s", def->name);
 
     if (secdef->norelabel)
         return 0;
 
-    for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+    for (i = 0 ; i < def->nhostdevs ; i++) {
         if (SELinuxRestoreSecurityHostdevLabel(mgr,
-                                               vm,
-                                               vm->def->hostdevs[i]) < 0)
+                                               def,
+                                               def->hostdevs[i]) < 0)
             rc = -1;
     }
-    for (i = 0 ; i < vm->def->ndisks ; i++) {
+    for (i = 0 ; i < def->ndisks ; i++) {
         if (SELinuxRestoreSecurityImageLabelInt(mgr,
-                                                vm,
-                                                vm->def->disks[i],
+                                                def,
+                                                def->disks[i],
                                                 migrated) < 0)
             rc = -1;
     }
 
-    if (virDomainChrDefForeach(vm->def,
+    if (virDomainChrDefForeach(def,
                                false,
                                SELinuxRestoreSecurityChardevCallback,
-                               vm) < 0)
+                               NULL) < 0)
         rc = -1;
 
-    if (virDomainSmartcardDefForeach(vm->def,
+    if (virDomainSmartcardDefForeach(def,
                                      false,
                                      SELinuxRestoreSecuritySmartcardCallback,
-                                     vm) < 0)
+                                     NULL) < 0)
         rc = -1;
 
-    if (vm->def->os.kernel &&
-        SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
+    if (def->os.kernel &&
+        SELinuxRestoreSecurityFileLabel(def->os.kernel) < 0)
         rc = -1;
 
-    if (vm->def->os.initrd &&
-        SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
+    if (def->os.initrd &&
+        SELinuxRestoreSecurityFileLabel(def->os.initrd) < 0)
         rc = -1;
 
     return rc;
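Review bot: `int migrated ATTRIBUTE_UNUSED` on SELinuxRestoreSecurityAllLabel's signature is stale: `migrated` is forwarded to SELinuxRestoreSecurityImageLabelInt a few lines further down in the same hunk, so the annotation misdescribes the parameter. This predates the commit, but the signature is rewritten here, so change it to `int migrated)`. The nop driver's counterpart genuinely ignores the argument, so its annotation can stay.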
@@ -982,9 +981,9 @@ SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 static int
 SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                            virDomainObjPtr vm)
+                            virDomainDefPtr def)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
 
     if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
         if (secdef->label != NULL) {
@@ -1006,10 +1005,10 @@ SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 static int
 SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                          virDomainObjPtr vm,
+                          virDomainDefPtr def,
                           const char *savefile)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
 
     if (secdef->norelabel)
         return 0;
@@ -1020,10 +1019,10 @@ SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 static int
 SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                              virDomainObjPtr vm,
+                              virDomainDefPtr def,
                               const char *savefile)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
 
     if (secdef->norelabel)
         return 0;
@@ -1058,12 +1057,12 @@ SELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 static int
 SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
-                               virDomainObjPtr vm)
+                               virDomainDefPtr def)
 {
     /* TODO: verify DOI */
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
 
-    if (vm->def->seclabel.label == NULL)
+    if (def->seclabel.label == NULL)
         return 0;
 
     if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@@ -1089,16 +1088,16 @@ SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
 
 static int
 SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
-                                    virDomainObjPtr vm)
+                                    virDomainDefPtr def)
 {
     /* TODO: verify DOI */
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     context_t execcon = NULL;
     context_t proccon = NULL;
     security_context_t scon = NULL;
     int rc = -1;
 
-    if (vm->def->seclabel.label == NULL)
+    if (def->seclabel.label == NULL)
         return 0;
 
     if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@@ -1139,7 +1138,7 @@ SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
     }
 
     VIR_DEBUG("Setting VM %s socket context %s",
-              vm->def->name, context_str(proccon));
+              def->name, context_str(proccon));
     if (setsockcreatecon(context_str(proccon)) == -1) {
         virReportSystemError(errno,
                              _("unable to set socket security context '%s'"),
@@ -1160,9 +1159,9 @@ done:
 
 static int
 SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
-                              virDomainObjPtr vm)
+                              virDomainDefPtr vm)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &vm->seclabel;
     int rc = -1;
 
     if (secdef->label == NULL)
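Review bot: SELinuxSetSecuritySocketLabel keeps the parameter name `vm` for what is now a virDomainDefPtr, while every other function in this file is renamed to `def`; `vm->seclabel` here and `vm->name` in the next hunk then read as if a domain object were still in play. Change to `virDomainDefPtr def)`, `const virSecurityLabelDefPtr secdef = &def->seclabel;` and, in the following hunk, `def->name, secdef->label);`. The function body continues outside the hunk.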
@@ -1178,7 +1177,7 @@ SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
     }
 
     VIR_DEBUG("Setting VM %s socket context %s",
-              vm->def->name, secdef->label);
+              vm->name, secdef->label);
     if (setsockcreatecon(secdef->label) == -1) {
         virReportSystemError(errno,
                              _("unable to set socket security context '%s'"),
@@ -1197,12 +1196,12 @@ done:
 
 static int
 SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
-                                virDomainObjPtr vm)
+                                virDomainDefPtr def)
 {
     /* TODO: verify DOI */
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
 
-    if (vm->def->seclabel.label == NULL)
+    if (def->seclabel.label == NULL)
         return 0;
 
     if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
@@ -1227,27 +1226,24 @@ SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
 
 
 static int
-SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxSetSecurityChardevCallback(virDomainDefPtr def,
                                   virDomainChrDefPtr dev,
-                                  void *opaque)
+                                  void *opaque ATTRIBUTE_UNUSED)
 {
-    virDomainObjPtr vm = opaque;
-
     /* This is taken care of by processing of def->serials */
     if (dev->deviceType == VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE &&
         dev->targetType == VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL)
         return 0;
 
-    return SELinuxSetSecurityChardevLabel(vm, &dev->source);
+    return SELinuxSetSecurityChardevLabel(def, &dev->source);
 }
 
 
 static int
-SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
+SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def,
                                     virDomainSmartcardDefPtr dev,
-                                    void *opaque)
+                                    void *opaque ATTRIBUTE_UNUSED)
 {
-    virDomainObjPtr vm = opaque;
     const char *database;
 
     switch (dev->type) {
@@ -1261,7 +1257,7 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
         return SELinuxSetFilecon(database, default_content_context);
 
     case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
-        return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru);
+        return SELinuxSetSecurityChardevLabel(def, &dev->data.passthru);
 
     default:
         virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
@@ -1276,53 +1272,53 @@ SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
 
 static int
 SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
-                           virDomainObjPtr vm,
+                           virDomainDefPtr def,
                            const char *stdin_path)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
     int i;
 
     if (secdef->norelabel)
         return 0;
 
-    for (i = 0 ; i < vm->def->ndisks ; i++) {
+    for (i = 0 ; i < def->ndisks ; i++) {
         /* XXX fixme - we need to recursively label the entire tree :-( */
-        if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
+        if (def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
             VIR_WARN("Unable to relabel directory tree %s for disk %s",
-                     vm->def->disks[i]->src, vm->def->disks[i]->dst);
+                     def->disks[i]->src, def->disks[i]->dst);
             continue;
         }
         if (SELinuxSetSecurityImageLabel(mgr,
-                                         vm, vm->def->disks[i]) < 0)
+                                         def, def->disks[i]) < 0)
             return -1;
     }
-    /* XXX fixme process  vm->def->fss if relabel == true */
+    /* XXX fixme process  def->fss if relabel == true */
 
-    for (i = 0 ; i < vm->def->nhostdevs ; i++) {
+    for (i = 0 ; i < def->nhostdevs ; i++) {
         if (SELinuxSetSecurityHostdevLabel(mgr,
-                                           vm,
-                                           vm->def->hostdevs[i]) < 0)
+                                           def,
+                                           def->hostdevs[i]) < 0)
             return -1;
     }
 
-    if (virDomainChrDefForeach(vm->def,
+    if (virDomainChrDefForeach(def,
                                true,
                                SELinuxSetSecurityChardevCallback,
-                               vm) < 0)
+                               NULL) < 0)
         return -1;
 
-    if (virDomainSmartcardDefForeach(vm->def,
+    if (virDomainSmartcardDefForeach(def,
                                      true,
                                      SELinuxSetSecuritySmartcardCallback,
-                                     vm) < 0)
+                                     NULL) < 0)
         return -1;
 
-    if (vm->def->os.kernel &&
-        SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
+    if (def->os.kernel &&
+        SELinuxSetFilecon(def->os.kernel, default_content_context) < 0)
         return -1;
 
-    if (vm->def->os.initrd &&
-        SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
+    if (def->os.initrd &&
+        SELinuxSetFilecon(def->os.initrd, default_content_context) < 0)
         return -1;
 
     if (stdin_path) {
@@ -1337,10 +1333,10 @@ SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
 
 static int
 SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
-                       virDomainObjPtr vm,
+                       virDomainDefPtr def,
                        int fd)
 {
-    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    const virSecurityLabelDefPtr secdef = &def->seclabel;
 
     if (secdef->imagelabel == NULL)
         return 0;
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 3f601c1..c82865f 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -106,7 +106,7 @@ virSecurityStackVerify(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackGenLabel(virSecurityManagerPtr mgr,
-                         virDomainObjPtr vm)
+                         virDomainDefPtr vm)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     int rc = 0;
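Review bot: The parameter on the changed signature line keeps the name `vm` although its type is now `virDomainDefPtr`, so a reader of this file will take it for a `virDomainObjPtr` and reach for `vm->def` or `vm->pid`; the selinux hunk earlier in this patch already renames the same parameter to `def`. For consistency across the patched files the stack driver's signatures should read `virDomainDefPtr def` and forward `def` to the primary/secondary calls. The same rename applies to every other virSecurityStack* hunk in this file, and the body of virSecurityStackGenLabel continues past the end of this hunk, so the forwarding calls that use `vm` are not visible here.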
@@ -131,7 +131,7 @@ virSecurityStackGenLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackReleaseLabel(virSecurityManagerPtr mgr,
-                             virDomainObjPtr vm)
+                             virDomainDefPtr vm)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     int rc = 0;
@@ -150,16 +150,17 @@ virSecurityStackReleaseLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackReserveLabel(virSecurityManagerPtr mgr,
-                             virDomainObjPtr vm)
+                             virDomainDefPtr vm,
+                             pid_t pid)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     int rc = 0;
 
-    if (virSecurityManagerReserveLabel(priv->primary, vm) < 0)
+    if (virSecurityManagerReserveLabel(priv->primary, vm, pid) < 0)
         rc = -1;
 #if 0
     /* XXX See note in GenLabel */
-    if (virSecurityManagerReserveLabel(priv->secondary, vm) < 0)
+    if (virSecurityManagerReserveLabel(priv->secondary, vm, pid) < 0)
         rc = -1;
 #endif
 
@@ -169,7 +170,7 @@ virSecurityStackReserveLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr,
-                                      virDomainObjPtr vm,
+                                      virDomainDefPtr vm,
                                       virDomainDiskDefPtr disk)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -186,7 +187,7 @@ virSecurityStackSetSecurityImageLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
-                                          virDomainObjPtr vm,
+                                          virDomainDefPtr vm,
                                           virDomainDiskDefPtr disk)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -203,7 +204,7 @@ virSecurityStackRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
-                                        virDomainObjPtr vm,
+                                        virDomainDefPtr vm,
                                         virDomainHostdevDefPtr dev)
 
 {
@@ -221,7 +222,7 @@ virSecurityStackSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
-                                            virDomainObjPtr vm,
+                                            virDomainDefPtr vm,
                                             virDomainHostdevDefPtr dev)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -238,7 +239,7 @@ virSecurityStackRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr,
-                                    virDomainObjPtr vm,
+                                    virDomainDefPtr vm,
                                     const char *stdin_path)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -255,7 +256,7 @@ virSecurityStackSetSecurityAllLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
-                                        virDomainObjPtr vm,
+                                        virDomainDefPtr vm,
                                         int migrated)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -272,7 +273,7 @@ virSecurityStackRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr,
-                                   virDomainObjPtr vm,
+                                   virDomainDefPtr vm,
                                    const char *savefile)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -289,7 +290,7 @@ virSecurityStackSetSavedStateLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr,
-                                       virDomainObjPtr vm,
+                                       virDomainDefPtr vm,
                                        const char *savefile)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
@@ -306,7 +307,7 @@ virSecurityStackRestoreSavedStateLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr,
-                                virDomainObjPtr vm)
+                                virDomainDefPtr vm)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     int rc = 0;
@@ -321,17 +322,18 @@ virSecurityStackSetProcessLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr,
-                                virDomainObjPtr vm,
+                                virDomainDefPtr vm,
+                                pid_t pid,
                                 virSecurityLabelPtr seclabel)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     int rc = 0;
 
 #if 0
-    if (virSecurityManagerGetProcessLabel(priv->secondary, vm, seclabel) < 0)
+    if (virSecurityManagerGetProcessLabel(priv->secondary, vm, pid, seclabel) < 0)
         rc = -1;
 #endif
-    if (virSecurityManagerGetProcessLabel(priv->primary, vm, seclabel) < 0)
+    if (virSecurityManagerGetProcessLabel(priv->primary, vm, pid, seclabel) < 0)
         rc = -1;
 
     return rc;
@@ -340,7 +342,7 @@ virSecurityStackGetProcessLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
-                                     virDomainObjPtr vm)
+                                     virDomainDefPtr vm)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     int rc = 0;
@@ -356,7 +358,7 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
-                               virDomainObjPtr vm)
+                               virDomainDefPtr vm)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     int rc = 0;
@@ -372,7 +374,7 @@ virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
-                                 virDomainObjPtr vm)
+                                 virDomainDefPtr vm)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     int rc = 0;
@@ -387,7 +389,7 @@ virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
 
 static int
 virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
-                                virDomainObjPtr vm,
+                                virDomainDefPtr vm,
                                 int fd)
 {
     virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
-- 
1.7.6.4


