Skip bulk relabelling of resources in SELinux driver when used with LXC

The virSecurityManager{Set,Restore}AllLabel methods are invoked at domain startup/shutdown to relabel resources associated with a domain. This works fine with QEMU, but with LXC they are in fact both currently no-ops since LXC does not support disks, hostdevs, or kernel/initrd files. Worse, when LXC gains support for disks/hostdevs, they will do the wrong thing, since they run in host context, not container context. Thus this patch turns then into a formal no-op when used with LXC. The LXC controller will call out to specific security manager labelling APIs as required during startup. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-11-28 13:54:39 +00:00 · 2012-11-28 13:54:39 +00:00 · 89c5a9d0e8
parent e89c68b8bb
commit 89c5a9d0e8
1 changed files with 9 additions and 3 deletions
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@ -62,6 +62,7 @@ struct _virSecuritySELinuxData {
    char *file_context;
    char *content_context;
    virHashTablePtr mcs;
+    bool skipAllLabel;
 };

 struct _virSecuritySELinuxCallbackData {
@ -364,6 +365,8 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
    virConfPtr selinux_conf;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);

+    data->skipAllLabel = true;
+
    selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
    if (!selinux_conf) {
        virReportSystemError(errno,
@ -439,6 +442,8 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
    char *ptr;
    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);

+    data->skipAllLabel = false;
+
    if (virFileReadAll(selinux_virtual_domain_context_path(), MAX_CONTEXT, &(data->domain_context)) < 0) {
        virReportSystemError(errno,
                             _("cannot read SELinux virtual domain context file '%s'"),
@ -1478,11 +1483,12 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,


 static int
-virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
                                          virDomainDefPtr def,
                                          int migrated ATTRIBUTE_UNUSED)
 {
    virSecurityLabelDefPtr secdef;
+    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
    int i;
    int rc = 0;

@ -1492,7 +1498,7 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
    if (secdef == NULL)
        return -1;

-    if (secdef->norelabel)
+    if (secdef->norelabel || data->skipAllLabel)
        return 0;

    for (i = 0 ; i < def->nhostdevs ; i++) {
@ -1850,7 +1856,7 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
    if (secdef == NULL)
        return -1;

-    if (secdef->norelabel)
+    if (secdef->norelabel || data->skipAllLabel)
        return 0;

    for (i = 0 ; i < def->ndisks ; i++) {