[libvirt] [PATCHv6 8/8] blockjob: allow mirroring under SELinux
Eric Blake
eblake at redhat.com
Mon May 7 23:26:52 UTC 2012
On 04/23/2012 08:49 PM, Eric Blake wrote:
> This copies heavily from qemuDomainSnapshotCreateSingleDiskActive(),
> in order to set the SELinux label, obtain locking manager lease, and
> audit the fact that we hand a new file over to qemu. Alas, releasing
> the lease and label at the end of the mirroring is a trickier
> prospect (we would have to know the backing chain of both source and
> destination, and be sure not to revoke rights to any part of the
> chain that is shared), so for now, virDomainBlockJobAbort still
> leaves things locked and labeled.
>
> * src/qemu/qemu_driver.c (qemuDomainBlockCopy): Set up labeling.
> ---
Given today's fix for snapshot, and that this code heavily copied from
snapshot, I will be squashing this in:
diff --git i/src/qemu/qemu_driver.c w/src/qemu/qemu_driver.c
index a2f88fd..da4ad7e 100644
--- i/src/qemu/qemu_driver.c
+++ w/src/qemu/qemu_driver.c
@@ -12031,6 +12031,7 @@ qemuDomainBlockCopy(virDomainPtr dom, const char
*path,
char *mirrorFormat = NULL;
char *origsrc = NULL;
char *origdriver = NULL;
+ virCgroupPtr cgroup = NULL;
/* Preliminaries: find the disk we are editing, sanity checks */
virCheckFlags(VIR_DOMAIN_BLOCK_REBASE_SHALLOW |
@@ -12049,6 +12050,13 @@ qemuDomainBlockCopy(virDomainPtr dom, const
char *path,
_("domain is not running"));
goto cleanup;
}
+ if (qemuCgroupControllerActive(driver,
VIR_CGROUP_CONTROLLER_DEVICES) &&
+ virCgroupForDomain(driver->cgroup, vm->def->name, &cgroup, 0)) {
+ qemuReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unable to find cgroup for %s"),
+ vm->def->name);
+ goto cleanup;
+ }
device = qemuDiskPathToAlias(vm, path, &idx);
if (!device) {
@@ -12154,8 +12162,15 @@ qemuDomainBlockCopy(virDomainPtr dom, const
char *path,
if (virDomainLockDiskAttach(driver->lockManager, vm, disk) < 0)
goto endjob;
+ if (cgroup && qemuSetupDiskCgroup(driver, vm, cgroup, disk) < 0) {
+ if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
+ VIR_WARN("Unable to release lock on %s", dest);
+ goto cleanup;
+ }
if (virSecurityManagerSetImageLabel(driver->securityManager, vm->def,
disk) < 0) {
+ if (cgroup && qemuTeardownDiskCgroup(driver, vm, cgroup, disk) < 0)
+ VIR_WARN("Failed to teardown cgroup for disk path %s", dest);
if (virDomainLockDiskDetach(driver->lockManager, vm, disk) < 0)
VIR_WARN("Unable to release lock on %s", dest);
goto endjob;
@@ -12167,6 +12182,8 @@ qemuDomainBlockCopy(virDomainPtr dom, const char
*path,
virDomainAuditDisk(vm, NULL, dest, "mirror", ret >= 0);
qemuDomainObjExitMonitorWithDriver(driver, vm);
if (ret < 0) {
+ if (cgroup && qemuTeardownDiskCgroup(driver, vm, cgroup, disk) < 0)
+ VIR_WARN("Failed to teardown cgroup for disk path %s", dest);
if (virSecurityManagerRestoreImageLabel(driver->securityManager,
vm->def, disk) < 0)
VIR_WARN("Unable to restore security label on %s", dest);
@@ -12202,6 +12219,8 @@ endjob:
}
cleanup:
+ if (cgroup)
+ virCgroupFree(&cgroup);
VIR_FREE(device);
if (vm)
virDomainObjUnlock(vm);
--
Eric Blake eblake at redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 620 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20120507/0f15868d/attachment-0001.sig>
More information about the libvir-list
mailing list