Authentication-Results: ext-mx01.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=libvir-list-bounces@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 459428123E From: Pavel Hrdina To: libvir-list@redhat.com Date: Mon, 29 May 2017 16:31:50 +0200 Message-Id: <84aff98f892166e9e4b8ab074bb9f5edb3db4774.1496068215.git.phrdina@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v2 4/4] security: don't relabel chardev source if virtlogd is used as stdio handler X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Mon, 29 May 2017 14:32:15 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" When virtlogd is used as the stdio handler, we pass QEMU only an FD for a pipe connected to virtlogd instead of the file itself, so the chardev source does not need to be relabeled. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=3D1430988 
Signed-off-by: Pavel Hrdina --- Notes: new in v2 src/lxc/lxc_process.c | 6 ++--- src/qemu/qemu_security.c | 9 +++++-- src/security/security_apparmor.c | 7 ++++-- src/security/security_dac.c | 54 +++++++++++++++++++++++++++++++-----= ---- src/security/security_driver.h | 6 +++-- src/security/security_manager.c | 12 ++++++--- src/security/security_manager.h | 6 +++-- src/security/security_nop.c | 6 +++-- src/security/security_selinux.c | 53 ++++++++++++++++++++++++++++++------= --- src/security/security_stack.c | 12 ++++++--- tests/securityselinuxlabeltest.c | 2 +- 11 files changed, 127 insertions(+), 46 deletions(-) diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c index d8727c3b43..2658ea61f8 100644 --- a/src/lxc/lxc_process.c +++ b/src/lxc/lxc_process.c @@ -852,7 +852,7 @@ int virLXCProcessStop(virLXCDriverPtr driver, } =20 virSecurityManagerRestoreAllLabel(driver->securityManager, - vm->def, false); + vm->def, false, false); virSecurityManagerReleaseLabel(driver->securityManager, vm->def); /* Clear out dynamically assigned labels */ if (vm->def->nseclabels && @@ -1349,7 +1349,7 @@ int virLXCProcessStart(virConnectPtr conn, =20 VIR_DEBUG("Setting domain security labels"); if (virSecurityManagerSetAllLabel(driver->securityManager, - vm->def, NULL) < 0) + vm->def, NULL, false) < 0) goto cleanup; =20 VIR_DEBUG("Setting up consoles"); @@ -1578,7 +1578,7 @@ int virLXCProcessStart(virConnectPtr conn, virLXCProcessStop(driver, vm, VIR_DOMAIN_SHUTOFF_FAILED); } else { virSecurityManagerRestoreAllLabel(driver->securityManager, - vm->def, false); + vm->def, false, false); virSecurityManagerReleaseLabel(driver->securityManager, vm->de= f); /* Clear out dynamically assigned labels */ if (vm->def->nseclabels && diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c index 61934f9905..6fc3b0bb6e 100644 --- a/src/qemu/qemu_security.c +++ b/src/qemu/qemu_security.c 
@@ -38,6 +38,7 @@ qemuSecuritySetAllLabel(virQEMUDriverPtr driver, const char *stdin_path) { int ret =3D -1; + qemuDomainObjPrivatePtr priv =3D vm->privateData; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) && virSecurityManagerTransactionStart(driver->securityManager) < 0) @@ -45,7 +46,8 @@ qemuSecuritySetAllLabel(virQEMUDriverPtr driver, =20 if (virSecurityManagerSetAllLabel(driver->securityManager, vm->def, - stdin_path) < 0) + stdin_path, + priv->chardevStdioLogd) < 0) goto cleanup; =20 if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) && @@ -65,6 +67,8 @@ qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver, virDomainObjPtr vm, bool migrated) { + qemuDomainObjPrivatePtr priv =3D vm->privateData; + /* In contrast to qemuSecuritySetAllLabel, do not use * secdriver transactions here. This function is called from * qemuProcessStop() which is meant to do cleanup after qemu @@ -73,7 +77,8 @@ qemuSecurityRestoreAllLabel(virQEMUDriverPtr driver, * in entering the namespace then. */ virSecurityManagerRestoreAllLabel(driver->securityManager, vm->def, - migrated); + migrated, + priv->chardevStdioLogd); } =20 =20 diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index 62672b0af0..5afe0c5c85 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -489,7 +489,9 @@ AppArmorGenSecurityLabel(virSecurityManagerPtr mgr ATTR= IBUTE_UNUSED, =20 static int AppArmorSetSecurityAllLabel(virSecurityManagerPtr mgr, - virDomainDefPtr def, const char *stdin_path) + virDomainDefPtr def, + const char *stdin_path, + bool chardevStdioLogd ATTRIBUTE_UNUSED) { virSecurityLabelDefPtr secdef =3D virDomainDefGetSecurityLabelDef(def, SECURITY_APPARMOR_NAME= ); 
@@ -567,7 +569,8 @@ AppArmorReleaseSecurityLabel(virSecurityManagerPtr mgr = ATTRIBUTE_UNUSED, static int AppArmorRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefPtr def, - bool migrated ATTRIBUTE_UNUSED) + bool migrated ATTRIBUTE_UNUSED, + bool chardevStdioLogd ATTRIBUTE_UNUSED) { int rc =3D 0; virSecurityLabelDefPtr secdef =3D diff --git a/src/security/security_dac.c b/src/security/security_dac.c index fd4d8f5047..79941f480a 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1159,7 +1159,8 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerP= tr mgr, static int virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, - virDomainChrSourceDefPtr dev_source) + virDomainChrSourceDefPtr dev_source, + bool chardevStdioLogd) =20 { virSecurityDACDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); @@ -1178,6 +1179,9 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr m= gr, if (chr_seclabel && !chr_seclabel->relabel) return 0; =20 + if (!chr_seclabel && chardevStdioLogd) + return 0; + if (chr_seclabel && chr_seclabel->label) { if (virParseOwnershipIds(chr_seclabel->label, &user, &group) < 0) return -1; @@ -1243,7 +1247,8 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr m= gr, static int virSecurityDACRestoreChardevLabel(virSecurityManagerPtr mgr, virDomainDefPtr def ATTRIBUTE_UNUSED, - virDomainChrSourceDefPtr dev_source) + virDomainChrSourceDefPtr dev_source, + bool chardevStdioLogd) { virSecurityDACDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); virSecurityDeviceLabelDefPtr chr_seclabel =3D NULL; @@ -1256,6 +1261,9 @@ virSecurityDACRestoreChardevLabel(virSecurityManagerP= tr mgr, if (chr_seclabel && !chr_seclabel->relabel) return 0; =20 + if (!chr_seclabel && chardevStdioLogd) + return 0; + switch ((virDomainChrType) dev_source->type) { case VIR_DOMAIN_CHR_TYPE_DEV: case VIR_DOMAIN_CHR_TYPE_FILE: 
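Review bot: The new guard `if (!chr_seclabel && chardevStdioLogd) return 0;` in virSecurityDACSetChardevLabel (hunk @@ -1178) skips the relabel for every chardev source type, yet the description says virtlogd replaces only the file itself with a pipe FD; if that is accurate, a device-backed source (the `VIR_DOMAIN_CHR_TYPE_DEV` case in the switch below) that QEMU still opens directly is left unlabeled and the guest would likely fail to open it under DAC. Restricting the skip to file-backed sources, `if (!chr_seclabel && dev_source->type == VIR_DOMAIN_CHR_TYPE_FILE && chardevStdioLogd)`, limits it to the case virtlogd actually covers. The same guard is added in virSecurityDACRestoreChardevLabel (@@ -1256 on this line) and in virSecuritySELinuxSetChardevLabel (@@ -2198) and virSecuritySELinuxRestoreChardevLabel (@@ -2269) further down; the set and restore sides must stay symmetric in all four so a label set at start is not left behind at stop. The bodies of both DAC functions continue outside the hunks.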
@@ -1298,14 +1306,21 @@ virSecurityDACRestoreChardevLabel(virSecurityManage= rPtr mgr, } =20 =20 +struct _virSecuritySELinuxChardevCallbackData { + virSecurityManagerPtr mgr; + bool chardevStdioLogd; +}; + + static int virSecurityDACRestoreChardevCallback(virDomainDefPtr def, virDomainChrDefPtr dev ATTRIBUTE_UNUS= ED, void *opaque) { - virSecurityManagerPtr mgr =3D opaque; + struct _virSecuritySELinuxChardevCallbackData *data =3D opaque; =20 - return virSecurityDACRestoreChardevLabel(mgr, def, dev->source); + return virSecurityDACRestoreChardevLabel(data->mgr, def, dev->source, + data->chardevStdioLogd); } =20 =20 @@ -1319,7 +1334,8 @@ virSecurityDACSetTPMFileLabel(virSecurityManagerPtr m= gr, switch (tpm->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: ret =3D virSecurityDACSetChardevLabel(mgr, def, - &tpm->data.passthrough.source); + &tpm->data.passthrough.source, + false); break; case VIR_DOMAIN_TPM_TYPE_LAST: break; @@ -1339,7 +1355,8 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerP= tr mgr, switch (tpm->type) { case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: ret =3D virSecurityDACRestoreChardevLabel(mgr, def, - &tpm->data.passthrough.sou= rce); + &tpm->data.passthrough.sou= rce, + false); break; case VIR_DOMAIN_TPM_TYPE_LAST: break; @@ -1436,7 +1453,8 @@ virSecurityDACRestoreMemoryLabel(virSecurityManagerPt= r mgr, static int virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, - bool migrated) + bool migrated, + bool chardevStdioLogd) { virSecurityDACDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); virSecurityLabelDefPtr secdef; @@ -1479,10 +1497,15 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr= mgr, rc =3D -1; } =20 + struct _virSecuritySELinuxChardevCallbackData chardevData =3D { + .mgr =3D mgr, + .chardevStdioLogd =3D chardevStdioLogd, + }; + if (virDomainChrDefForeach(def, false, virSecurityDACRestoreChardevCallback, - mgr) < 0) + &chardevData) < 0) rc =3D -1; =20 if (def->tpm) { 
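Review bot: The callback-data struct added to security_dac.c is tagged `_virSecuritySELinuxChardevCallbackData`, the name of the identical struct this patch introduces in security_selinux.c, so the DAC driver now owns an SELinux-named private type; it reads as a copy-paste leftover. Renaming it `struct _virSecurityDACChardevCallbackData` here, in the cast in virSecurityDACRestoreChardevCallback, in the two `chardevData` initializers (@@ -1479 on this line and @@ -1592 in virSecurityDACSetAllLabel) and in virSecurityDACSetChardevCallback (@@ -1505) keeps the two drivers' helper types distinguishable. The definitions sit in separate translation units so nothing clashes today, but sharing them through a header later would.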
@@ -1505,9 +1528,10 @@ virSecurityDACSetChardevCallback(virDomainDefPtr def, virDomainChrDefPtr dev ATTRIBUTE_UNUSED, void *opaque) { - virSecurityManagerPtr mgr =3D opaque; + struct _virSecuritySELinuxChardevCallbackData *data =3D opaque; =20 - return virSecurityDACSetChardevLabel(mgr, def, dev->source); + return virSecurityDACSetChardevLabel(data->mgr, def, dev->source, + data->chardevStdioLogd); } =20 =20 @@ -1549,7 +1573,8 @@ virSecurityDACSetMemoryLabel(virSecurityManagerPtr mg= r, static int virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, - const char *stdin_path ATTRIBUTE_UNUSED) + const char *stdin_path ATTRIBUTE_UNUSED, + bool chardevStdioLogd) { virSecurityDACDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); virSecurityLabelDefPtr secdef; @@ -1592,10 +1617,15 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, return -1; } =20 + struct _virSecuritySELinuxChardevCallbackData chardevData =3D { + .mgr =3D mgr, + .chardevStdioLogd =3D chardevStdioLogd, + }; + if (virDomainChrDefForeach(def, true, virSecurityDACSetChardevCallback, - mgr) < 0) + &chardevData) < 0) return -1; =20 if (def->tpm) { diff --git a/src/security/security_driver.h b/src/security/security_driver.h index 0f5cce5f8d..0b3b452486 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -91,10 +91,12 @@ typedef int (*virSecurityDomainReleaseLabel) (virSecuri= tyManagerPtr mgr, virDomainDefPtr sec); typedef int (*virSecurityDomainSetAllLabel) (virSecurityManagerPtr mgr, virDomainDefPtr sec, - const char *stdin_path); + const char *stdin_path, + bool chardevStdioLogd); typedef int (*virSecurityDomainRestoreAllLabel) (virSecurityManagerPtr mgr, virDomainDefPtr def, - bool migrated); + bool migrated, + bool chardevStdioLogd); typedef int (*virSecurityDomainGetProcessLabel) (virSecurityManagerPtr mgr, virDomainDefPtr def, pid_t pid, 
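Review bot: The new `bool chardevStdioLogd` parameter on virSecurityDomainSetAllLabel and virSecurityDomainRestoreAllLabel in security_driver.h is undocumented, so a backend author has no statement of when it is true or what it is meant to suppress other than the qemu call site. A comment on the two typedefs, e.g. `/* chardevStdioLogd: true when the hypervisor driver hands the emulator a pipe FD to virtlogd instead of the chardev source file, so the source itself need not be relabeled */`, would carry the description's intent into the header; the public wrappers in security_manager.h (hunk @@ -130 on the next line) deserve the same one-liner. The typedef list continues outside the hunk.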
diff --git a/src/security/security_manager.c b/src/security/security_manage= r.c index 90d491c1bc..013bbc37ef 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -856,12 +856,14 @@ int virSecurityManagerCheckAllLabel(virSecurityManage= rPtr mgr, int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr vm, - const char *stdin_path) + const char *stdin_path, + bool chardevStdioLogd) { if (mgr->drv->domainSetSecurityAllLabel) { int ret; virObjectLock(mgr); - ret =3D mgr->drv->domainSetSecurityAllLabel(mgr, vm, stdin_path); + ret =3D mgr->drv->domainSetSecurityAllLabel(mgr, vm, stdin_path, + chardevStdioLogd); virObjectUnlock(mgr); return ret; } @@ -874,12 +876,14 @@ virSecurityManagerSetAllLabel(virSecurityManagerPtr m= gr, int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr vm, - bool migrated) + bool migrated, + bool chardevStdioLogd) { if (mgr->drv->domainRestoreSecurityAllLabel) { int ret; virObjectLock(mgr); - ret =3D mgr->drv->domainRestoreSecurityAllLabel(mgr, vm, migrated); + ret =3D mgr->drv->domainRestoreSecurityAllLabel(mgr, vm, migrated, + chardevStdioLogd); virObjectUnlock(mgr); return ret; } diff --git a/src/security/security_manager.h b/src/security/security_manage= r.h index 238e66cd0b..01296d339e 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -130,10 +130,12 @@ int virSecurityManagerCheckAllLabel(virSecurityManage= rPtr mgr, virDomainDefPtr sec); int virSecurityManagerSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr sec, - const char *stdin_path); + const char *stdin_path, + bool chardevStdioLogd); int virSecurityManagerRestoreAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, - bool migrated); + bool migrated, + bool chardevStdioLogd); int virSecurityManagerGetProcessLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, pid_t pid, 
diff --git a/src/security/security_nop.c b/src/security/security_nop.c index 0a9b515288..527be11e5a 100644 --- a/src/security/security_nop.c +++ b/src/security/security_nop.c @@ -151,7 +151,8 @@ virSecurityDomainReleaseLabelNop(virSecurityManagerPtr = mgr ATTRIBUTE_UNUSED, static int virSecurityDomainSetAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainDefPtr sec ATTRIBUTE_UNUSED, - const char *stdin_path ATTRIBUTE_UNUSED) + const char *stdin_path ATTRIBUTE_UNUSED, + bool chardevStdioLogd ATTRIBUTE_UNUSED) { return 0; } @@ -159,7 +160,8 @@ virSecurityDomainSetAllLabelNop(virSecurityManagerPtr m= gr ATTRIBUTE_UNUSED, static int virSecurityDomainRestoreAllLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UN= USED, virDomainDefPtr vm ATTRIBUTE_UNUSED, - bool migrated ATTRIBUTE_UNUSED) + bool migrated ATTRIBUTE_UNUSED, + bool chardevStdioLogd ATTRIBUTE_UNUSED) { return 0; } diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 75f387b3fa..26137f6d8d 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -2179,7 +2179,8 @@ virSecuritySELinuxRestoreHostdevLabel(virSecurityMana= gerPtr mgr, static int virSecuritySELinuxSetChardevLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, - virDomainChrSourceDefPtr dev_source) + virDomainChrSourceDefPtr dev_source, + bool chardevStdioLogd) =20 { virSecurityLabelDefPtr seclabel; @@ -2198,6 +2199,9 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerP= tr mgr, if (chr_seclabel && !chr_seclabel->relabel) return 0; =20 + if (!chr_seclabel && chardevStdioLogd) + return 0; + if (chr_seclabel) imagelabel =3D chr_seclabel->label; if (!imagelabel) 
@@ -2252,7 +2256,8 @@ virSecuritySELinuxSetChardevLabel(virSecurityManagerP= tr mgr, static int virSecuritySELinuxRestoreChardevLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, - virDomainChrSourceDefPtr dev_source) + virDomainChrSourceDefPtr dev_source, + bool chardevStdioLogd) =20 { virSecurityLabelDefPtr seclabel; @@ -2269,6 +2274,9 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityMana= gerPtr mgr, if (chr_seclabel && !chr_seclabel->relabel) return 0; =20 + if (!chr_seclabel && chardevStdioLogd) + return 0; + switch (dev_source->type) { case VIR_DOMAIN_CHR_TYPE_DEV: case VIR_DOMAIN_CHR_TYPE_FILE: @@ -2312,14 +2320,21 @@ virSecuritySELinuxRestoreChardevLabel(virSecurityMa= nagerPtr mgr, } =20 =20 +struct _virSecuritySELinuxChardevCallbackData { + virSecurityManagerPtr mgr; + bool chardevStdioLogd; +}; + + static int virSecuritySELinuxRestoreSecurityChardevCallback(virDomainDefPtr def, virDomainChrDefPtr dev AT= TRIBUTE_UNUSED, void *opaque) { - virSecurityManagerPtr mgr =3D opaque; + struct _virSecuritySELinuxChardevCallbackData *data =3D opaque; =20 - return virSecuritySELinuxRestoreChardevLabel(mgr, def, dev->source); + return virSecuritySELinuxRestoreChardevLabel(data->mgr, def, dev->sour= ce, + data->chardevStdioLogd); } =20 =20 @@ -2342,7 +2357,8 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(vi= rDomainDefPtr def, return virSecuritySELinuxRestoreFileLabel(mgr, database); =20 case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: - return virSecuritySELinuxRestoreChardevLabel(mgr, def, dev->data.p= assthru); + return virSecuritySELinuxRestoreChardevLabel(mgr, def, + dev->data.passthru, f= alse); =20 default: virReportError(VIR_ERR_INTERNAL_ERROR, 
@@ -2369,7 +2385,8 @@ virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr = mgr, int virtType) static int virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, - bool migrated) + bool migrated, + bool chardevStdioLogd) { virSecurityLabelDefPtr secdef; virSecuritySELinuxDataPtr data =3D virSecurityManagerGetPrivateData(mg= r); @@ -2414,10 +2431,15 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManage= rPtr mgr, rc =3D -1; } =20 + struct _virSecuritySELinuxChardevCallbackData chardevData =3D { + .mgr =3D mgr, + .chardevStdioLogd =3D chardevStdioLogd + }; + if (virDomainChrDefForeach(def, false, virSecuritySELinuxRestoreSecurityChardevCal= lback, - mgr) < 0) + &chardevData) < 0) rc =3D -1; =20 if (virDomainSmartcardDefForeach(def, @@ -2706,9 +2728,10 @@ virSecuritySELinuxSetSecurityChardevCallback(virDoma= inDefPtr def, virDomainChrDefPtr dev ATTRIB= UTE_UNUSED, void *opaque) { - virSecurityManagerPtr mgr =3D opaque; + struct _virSecuritySELinuxChardevCallbackData *data =3D opaque; =20 - return virSecuritySELinuxSetChardevLabel(mgr, def, dev->source); + return virSecuritySELinuxSetChardevLabel(data->mgr, def, dev->source, + data->chardevStdioLogd); } =20 =20 @@ -2733,7 +2756,7 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDom= ainDefPtr def, =20 case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH: return virSecuritySELinuxSetChardevLabel(mgr, def, - dev->data.passthru); + dev->data.passthru, false= ); =20 default: virReportError(VIR_ERR_INTERNAL_ERROR, @@ -2749,7 +2772,8 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDom= ainDefPtr def, static int virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, - const char *stdin_path) + const char *stdin_path, + bool chardevStdioLogd) { size_t i; virSecuritySELinuxDataPtr data =3D virSecurityManagerGetPrivateData(mg= r); 
@@ -2797,10 +2821,15 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr= mgr, return -1; } =20 + struct _virSecuritySELinuxChardevCallbackData chardevData =3D { + .mgr =3D mgr, + .chardevStdioLogd =3D chardevStdioLogd + }; + if (virDomainChrDefForeach(def, true, virSecuritySELinuxSetSecurityChardevCallbac= k, - mgr) < 0) + &chardevData) < 0) return -1; =20 if (virDomainSmartcardDefForeach(def, diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 9a1a7b30c5..53eee1692f 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -350,14 +350,16 @@ virSecurityStackRestoreHostdevLabel(virSecurityManage= rPtr mgr, static int virSecurityStackSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr vm, - const char *stdin_path) + const char *stdin_path, + bool chardevStdioLogd) { virSecurityStackDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); virSecurityStackItemPtr item =3D priv->itemsHead; int rc =3D 0; =20 for (; item; item =3D item->next) { - if (virSecurityManagerSetAllLabel(item->securityManager, vm, stdin= _path) < 0) + if (virSecurityManagerSetAllLabel(item->securityManager, vm, + stdin_path, chardevStdioLogd) < = 0) rc =3D -1; } =20 @@ -368,14 +370,16 @@ virSecurityStackSetAllLabel(virSecurityManagerPtr mgr, static int virSecurityStackRestoreAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr vm, - bool migrated) + bool migrated, + bool chardevStdioLogd) { virSecurityStackDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); virSecurityStackItemPtr item =3D priv->itemsHead; int rc =3D 0; =20 for (; item; item =3D item->next) { - if (virSecurityManagerRestoreAllLabel(item->securityManager, vm, m= igrated) < 0) + if (virSecurityManagerRestoreAllLabel(item->securityManager, vm, + migrated, chardevStdioLogd) = < 0) rc =3D -1; } =20 diff --git a/tests/securityselinuxlabeltest.c b/tests/securityselinuxlabelt= est.c index 3e134991f2..ddcc954429 100644 --- a/tests/securityselinuxlabeltest.c 
+++ b/tests/securityselinuxlabeltest.c @@ -313,7 +313,7 @@ testSELinuxLabeling(const void *opaque) if (!(def =3D testSELinuxLoadDef(testname))) goto cleanup; =20 - if (virSecurityManagerSetAllLabel(mgr, def, NULL) < 0) + if (virSecurityManagerSetAllLabel(mgr, def, NULL, false) < 0) goto cleanup; =20 if (testSELinuxCheckLabels(files, nfiles) < 0) --=20 2.13.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list