Re: [PATCHv6 8/8] blockjob: allow mirroring under SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 04/23/2012 08:49 PM, Eric Blake wrote:
> This copies heavily from qemuDomainSnapshotCreateSingleDiskActive(),
> in order to set the SELinux label, obtain locking manager lease, and
> audit the fact that we hand a new file over to qemu.  Alas, releasing
> the lease and label at the end of the mirroring is a trickier
> prospect (we would have to know the backing chain of both source and
> destination, and be sure not to revoke rights to any part of the
> chain that is shared), so for now, virDomainBlockJobAbort still
> leaves things locked and labeled.
> 
> * src/qemu/qemu_driver.c (qemuDomainBlockCopy): Set up labeling.
> ---

Given today's fix for snapshot, and that this code heavily copied from
snapshot, I will be squashing this in:

diff --git i/src/qemu/qemu_driver.c w/src/qemu/qemu_driver.c
index a2f88fd..da4ad7e 100644
--- i/src/qemu/qemu_driver.c
+++ w/src/qemu/qemu_driver.c
@@ -12031,6 +12031,7 @@ qemuDomainBlockCopy(virDomainPtr dom, const char
*path,
     char *mirrorFormat = NULL;
     char *origsrc = NULL;
     char *origdriver = NULL;
+    virCgroupPtr cgroup = NULL;

     /* Preliminaries: find the disk we are editing, sanity checks */
     virCheckFlags(VIR_DOMAIN_BLOCK_REBASE_SHALLOW |
@@ -12049,6 +12050,13 @@ qemuDomainBlockCopy(virDomainPtr dom, const
char *path,
                         _("domain is not running"));
         goto cleanup;
     }
+    if (qemuCgroupControllerActive(driver,
VIR_CGROUP_CONTROLLER_DEVICES) &&
+        virCgroupForDomain(driver->cgroup, vm->def->name, &cgroup, 0)) {
+        qemuReportError(VIR_ERR_INTERNAL_ERROR,
+                        _("Unable to find cgroup for %s"),
+                        vm->def->name);
+        goto cleanup;
+    }

     device = qemuDiskPathToAlias(vm, path, &idx);
     if (!device) {
@@ -12154,8 +12162,15 @@ qemuDomainBlockCopy(virDomainPtr dom, const
char *path,

     if (virDomainLockDiskAttach(driver->lockManager, vm, disk) < 0)
         goto endjob;
+    if (cgroup && qemuSetupDiskCgroup(driver, vm, cgroup, disk) < 0) {
+        if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
+            VIR_WARN("Unable to release lock on %s", dest);
+        goto cleanup;
+    }
     if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def,
                                         disk) < 0) {
+        if (cgroup && qemuTeardownDiskCgroup(driver, vm, cgroup, disk) < 0)
+            VIR_WARN("Failed to teardown cgroup for disk path %s", dest);
         if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
             VIR_WARN("Unable to release lock on %s", dest);
         goto endjob;
@@ -12167,6 +12182,8 @@ qemuDomainBlockCopy(virDomainPtr dom, const char
*path,
     virDomainAuditDisk(vm, NULL, dest, "mirror", ret >= 0);
     qemuDomainObjExitMonitorWithDriver(driver, vm);
     if (ret < 0) {
+        if (cgroup && qemuTeardownDiskCgroup(driver, vm, cgroup, disk) < 0)
+            VIR_WARN("Failed to teardown cgroup for disk path %s", dest);
         if (virSecurityManagerRestoreImageLabel(driver->securityManager,
                                                 vm->def, disk) < 0)
             VIR_WARN("Unable to restore security label on %s", dest);
@@ -12202,6 +12219,8 @@ endjob:
     }

 cleanup:
+    if (cgroup)
+        virCgroupFree(&cgroup);
     VIR_FREE(device);
     if (vm)
         virDomainObjUnlock(vm);

-- 
Eric Blake   eblake@xxxxxxxxxx    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]