On 10/18/2012 12:56 PM, Guannan Ren wrote: > Relabeling tapfd right after the tap device is created. > qemuPhysIfaceConnect is a common function called both for static > netdevs and for hotplug netdevs. > --- > src/qemu/qemu_command.c | 13 +++++++++---- > 1 file changed, 9 insertions(+), 4 deletions(-) > > diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c > index 0c0c400..81bed38 100644 > --- a/src/qemu/qemu_command.c > +++ b/src/qemu/qemu_command.c > @@ -170,12 +170,21 @@ qemuPhysIfaceConnect(virDomainDefPtr def, > vmop, driver->stateDir, > virDomainNetGetActualBandwidth(net)); > if (rc >= 0) { > + if (virSecurityManagerSetTapFDLabel(driver->securityManager, > + def, rc) < 0) > + goto error; > + > virDomainAuditNetDevice(def, net, res_ifname, true); > VIR_FREE(net->ifname); > net->ifname = res_ifname; > } > > return rc; > + > +error: > + VIR_FREE(res_ifname); > + VIR_FORCE_CLOSE(rc); Sorry for dragging this on so much, but... If you just close the tapfd here, the macvtap device itself will still exist, and if it's in passthrough mode, the physdev will still have its mac address set to the guest's mac address, *and* if it was associated with an 802.1QbX switch, that association will still be live and there will still be a callback for it registered. Instead of directly closing the tapfd, you need to do the opposite of virNetDevMacVLanCreateWithVPortProfile, which is error: ignore_value(virNetDevMacVLanDeleteWithVPortProfile( res_ifname, &net->mac, virDomainNetGetActualDirectDev(net), virDomainNetGetActualDirectMode(net), virDomainNetGetActualVirtPortProfile(net), driver->stateDir)); VIR_FREE(res_ifname); return -1; (I *think* I got all those args correct, but you should check them to be sure) > + return -1; > } 
> > > @@ -5425,10 +5434,6 @@ qemuBuildCommandLine(virConnectPtr conn, > if (tapfd < 0) > goto error; > > - if (virSecurityManagerSetTapFDLabel(driver->securityManager, > - def, tapfd) < 0) > - goto error; > - > last_good_net = i; > virCommandTransferFD(cmd, tapfd); > --
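
Review bot: In the first hunk (qemuPhysIfaceConnect), the new error: label is reached only when virSecurityManagerSetTapFDLabel() fails, and that path skips virDomainAuditNetDevice() entirely, so a tap fd that could not be labeled leaves no audit record. Consider calling virDomainAuditNetDevice(def, net, res_ifname, false) before VIR_FREE(res_ifname). The label also only frees the name and closes rc, so the device created by the call just above stays in place, as the reply points out; cleanup should go through virNetDevMacVLanDeleteWithVPortProfile() rather than VIR_FORCE_CLOSE(rc) alone.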
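
Review bot: In the second hunk (qemuBuildCommandLine), the removed virSecurityManagerSetTapFDLabel() call sat directly after the "if (tapfd < 0) goto error;" check, and the context lines do not show which call produced tapfd. If tapfd can reach this point from anything other than qemuPhysIfaceConnect, that fd is now handed to virCommandTransferFD(cmd, tapfd) without a label. Please confirm that every producer of tapfd at this point labels it, or keep the call for the remaining paths. A short comment here noting that the label is now applied inside qemuPhysIfaceConnect would also help later readers.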