
Re: [libvirt] [PATCH] storage: qemu: Fix security labelling of new image chain elements



On 11/21/14 00:15, Eric Blake wrote:
> On 11/20/2014 08:23 AM, Peter Krempa wrote:
>> When creating a disk image snapshot the libvirt code would blindly copy
>> the parent's label to the newly created image. This runs into problems
>> when you start a VM from an image hosted on NFS (or other storage system
>> that doesn't support selinux labels) and the snapshot destination is on
>> a storage system that does support selinux labels. Libvirt's code in
>> that case generates a different security label for the image hosted on
>> NFS. This label is valid only for NFS images and doesn't allow access in
>> case of a locally stored image.
>>
>> To fix this issue libvirt needs to refrain from copying security
>> information in cases where the default domain seclabel is a better
>> choice.
>>
>> This patch repurposes the now unused @force argument of
>> virStorageSourceInitChainElement to denote whether a copy of the
>> security labelling stuff should be attempted or not. This allows to
>> fine-control the copy operation for cases where we need to keep the
>> label of the old disk vs. the cases where we need to keep the label
>> unset to use the default domain imagelabel.
>>
>> Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1151718
>> ---
> 
>> + * If @transferLabels is true, security labels from the existing disk are copied
>> + * to the new disk. Otherwise the default domain imagelabel label will be used.
>>   *
>>   * Returns 0 on success, -1 on error.
>>   */
>>  int
>>  virStorageSourceInitChainElement(virStorageSourcePtr newelem,
>>                                   virStorageSourcePtr old,
>> -                                 bool force)
>> +                                 bool transferLables)
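
Review bot: In the signature, the third parameter stays a plain bool while its meaning changes from force to label transfer, so every existing caller of virStorageSourceInitChainElement still compiles with whatever value it passed for force. Each call site should be checked in this patch and set explicitly: true where the old disk's label has to be kept, false where the default domain imagelabel should apply. A stale true would keep copying the label this change is meant to stop copying. In the doc comment, "imagelabel label" repeats the word; "the default domain imagelabel will be used" reads better.
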
> 
> Comment was right, code is not.  s/transferLables/transferLabels/
> 
> ACK with that fix.
> 

Fixed && pushed;

Thanks.

Peter
