From 2b57478ef0a0a983cc6a47b98300c8359f9708d0 Mon Sep 17 00:00:00 2001
From: Jamie Strandboge <jamie@ubuntu.com>
Date: Fri, 4 Jun 2010 12:20:29 -0400
Subject: [PATCH] Add stdin_path to qemudStartVMDaemon() args.
Adjust args to qemudStartVMDaemon() to also specify path to stdin_fd,
so this can be passed to the AppArmor driver via SetSecurityAllLabel().
This updates all calls to qemudStartVMDaemon() as well as setting up
the non-AppArmor security driver *SetSecurityAllLabel() declarations
for the above. This is required for the following
"apparmor-fix-save-restore" patch since AppArmor resolves the passed
file descriptor to the pathname given to open().
---
src/qemu/qemu_driver.c | 20 +++++++++++---------
src/qemu/qemu_security_dac.c | 2 +-
src/qemu/qemu_security_stacked.c | 6 +++---
src/security/security_driver.h | 3 ++-
src/security/security_selinux.c | 2 +-
5 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 647c3f4d39..b2c31332b9 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -154,7 +154,8 @@ static int qemudStartVMDaemon(virConnectPtr conn,
struct qemud_driver *driver,
virDomainObjPtr vm,
const char *migrateFrom,
- int stdin_fd);
+ int stdin_fd,
+ const char *stdin_path);
static void qemudShutdownVMDaemon(struct qemud_driver *driver,
virDomainObjPtr vm,
@@ -3284,7 +3285,8 @@ static int qemudStartVMDaemon(virConnectPtr conn,
struct qemud_driver *driver,
virDomainObjPtr vm,
const char *migrateFrom,
- int stdin_fd) {
+ int stdin_fd,
+ const char *stdin_path) {
const char **argv = NULL, **tmp;
const char **progenv = NULL;
int i, ret, runflags;
@@ -3332,7 +3334,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
DEBUG0("Generating setting domain security labels (if required)");
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityAllLabel &&
- driver->securityDriver->domainSetSecurityAllLabel(vm) < 0)
+ driver->securityDriver->domainSetSecurityAllLabel(vm, stdin_path) < 0)
goto cleanup;
/* Ensure no historical cgroup for this VM is lying around bogus
@@ -4196,7 +4198,7 @@ static virDomainPtr qemudDomainCreate(virConnectPtr conn, const char *xml,
if (qemuDomainObjBeginJobWithDriver(driver, vm) < 0)
goto cleanup; /* XXXX free the 'vm' we created ? */
- if (qemudStartVMDaemon(conn, driver, vm, NULL, -1) < 0) {
+ if (qemudStartVMDaemon(conn, driver, vm, NULL, -1, NULL) < 0) {
if (qemuDomainObjEndJob(vm) > 0)
virDomainRemoveInactive(&driver->domains,
vm);
@@ -6212,7 +6214,7 @@ qemudDomainSaveImageStartVM(virConnectPtr conn,
}
/* Set the migration source and start it up. */
- ret = qemudStartVMDaemon(conn, driver, vm, "stdio", fd);
+ ret = qemudStartVMDaemon(conn, driver, vm, "stdio", fd, path);
if (intermediate_pid != -1) {
/* Wait for intermediate process to exit */
@@ -6671,7 +6673,7 @@ static int qemudDomainObjStart(virConnectPtr conn,
goto cleanup;
}
- ret = qemudStartVMDaemon(conn, driver, vm, NULL, -1);
+ ret = qemudStartVMDaemon(conn, driver, vm, NULL, -1, NULL);
if (ret != -1) {
virDomainEventPtr event =
virDomainEventNewFromObj(vm,
@@ -10149,7 +10151,7 @@ qemudDomainMigratePrepareTunnel(virConnectPtr dconn,
/* Start the QEMU daemon, with the same command-line arguments plus
* -incoming unix:/path/to/file or exec:nc -U /path/to/file
*/
- internalret = qemudStartVMDaemon(dconn, driver, vm, migrateFrom, -1);
+ internalret = qemudStartVMDaemon(dconn, driver, vm, migrateFrom, -1, NULL);
VIR_FREE(migrateFrom);
if (internalret < 0) {
/* Note that we don't set an error here because qemudStartVMDaemon
@@ -10367,7 +10369,7 @@ qemudDomainMigratePrepare2 (virConnectPtr dconn,
* -incoming tcp:0.0.0.0:port
*/
snprintf (migrateFrom, sizeof (migrateFrom), "tcp:0.0.0.0:%d", this_port);
- if (qemudStartVMDaemon (dconn, driver, vm, migrateFrom, -1) < 0) {
+ if (qemudStartVMDaemon (dconn, driver, vm, migrateFrom, -1, NULL) < 0) {
/* Note that we don't set an error here because qemudStartVMDaemon
* should have already done that.
*/
@@ -11855,7 +11857,7 @@ static int qemuDomainRevertToSnapshot(virDomainSnapshotPtr snapshot,
goto endjob;
rc = qemudStartVMDaemon(snapshot->domain->conn, driver, vm, NULL,
- -1);
+ -1, NULL);
if (qemuDomainSnapshotSetInactive(vm, driver->snapshotDir) < 0)
goto endjob;
if (rc < 0)
diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
index 52150f7bd4..ffc9b8d8b5 100644
--- a/src/qemu/qemu_security_dac.c
+++ b/src/qemu/qemu_security_dac.c
@@ -365,7 +365,7 @@ qemuSecurityDACRestoreSecurityAllLabel(virDomainObjPtr vm,
static int
-qemuSecurityDACSetSecurityAllLabel(virDomainObjPtr vm)
+qemuSecurityDACSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path ATTRIBUTE_UNUSED)
{
int i;
diff --git a/src/qemu/qemu_security_stacked.c b/src/qemu/qemu_security_stacked.c
index 04c1f10b7e..a91222164e 100644
--- a/src/qemu/qemu_security_stacked.c
+++ b/src/qemu/qemu_security_stacked.c
@@ -196,18 +196,18 @@ qemuSecurityStackedRestoreSecurityHostdevLabel(virDomainObjPtr vm,
static int
-qemuSecurityStackedSetSecurityAllLabel(virDomainObjPtr vm)
+qemuSecurityStackedSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path)
{
int rc = 0;
if (driver->securitySecondaryDriver &&
driver->securitySecondaryDriver->domainSetSecurityAllLabel &&
- driver->securitySecondaryDriver->domainSetSecurityAllLabel(vm) < 0)
+ driver->securitySecondaryDriver->domainSetSecurityAllLabel(vm, stdin_path) < 0)
rc = -1;
if (driver->securityPrimaryDriver &&
driver->securityPrimaryDriver->domainSetSecurityAllLabel &&
- driver->securityPrimaryDriver->domainSetSecurityAllLabel(vm) < 0)
+ driver->securityPrimaryDriver->domainSetSecurityAllLabel(vm, stdin_path) < 0)
rc = -1;
return rc;
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 39edc6d452..a9e0c9b61c 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -45,7 +45,8 @@ typedef int (*virSecurityDomainRestoreSavedStateLabel) (virDomainObjPtr vm,
typedef int (*virSecurityDomainGenLabel) (virDomainObjPtr sec);
typedef int (*virSecurityDomainReserveLabel) (virDomainObjPtr sec);
typedef int (*virSecurityDomainReleaseLabel) (virDomainObjPtr sec);
-typedef int (*virSecurityDomainSetAllLabel) (virDomainObjPtr sec);
+typedef int (*virSecurityDomainSetAllLabel) (virDomainObjPtr sec,
+ const char *stdin_path);
typedef int (*virSecurityDomainRestoreAllLabel) (virDomainObjPtr vm,
int migrated);
typedef int (*virSecurityDomainGetProcessLabel) (virDomainObjPtr vm,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index d90e17c8e7..0922472f0a 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -755,7 +755,7 @@ SELinuxSetSecurityProcessLabel(virSecurityDriverPtr drv,
}
static int
-SELinuxSetSecurityAllLabel(virDomainObjPtr vm)
+SELinuxSetSecurityAllLabel(virDomainObjPtr vm, const char *stdin_path ATTRIBUTE_UNUSED)
{
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int i;