security: don't try to label network disks
authorJosh Durgin <josh.durgin@dreamhost.com>
Sat, 10 Dec 2011 03:49:40 +0000 (19:49 -0800)
committerMichal Privoznik <mprivozn@redhat.com>
Mon, 12 Dec 2011 10:52:15 +0000 (11:52 +0100)
Network disks don't have paths to be resolved or files to be checked
for ownership. ee3efc41e6233e625aa03003bf3127319ccd546f checked this
for some image label functions, but was partially reverted in a
refactor.  This finishes adding the check to each security driver's
set and restore label methods for images.

Signed-off-by: Josh Durgin <josh.durgin@dreamhost.com>
src/security/security_apparmor.c
src/security/security_dac.c
src/security/security_selinux.c

index db7e7dc8710a00bf2a9b61aab91140407653b6a7..3a01a213f1cbb2e582458ccba829a07c0603458a 100644 (file)
@@ -606,6 +606,9 @@ AppArmorRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
                                   virDomainObjPtr vm,
                                   virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
 {
+    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+        return 0;
+
     return reload_profile(mgr, vm, NULL, false);
 }
 
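Review bot: `disk` is still declared with ATTRIBUTE_UNUSED in the signature of AppArmorRestoreSecurityImageLabel, although the added check now dereferences it, so the annotation is stale and tells readers the argument does not matter. Dropping it, `virDomainDiskDefPtr disk)`, keeps the signature in step with the body. The early return also skips reload_profile() entirely for a network disk. A one-line comment such as `/* network disks add no file paths to the profile */` would record why that is safe; this reasoning is taken from the commit message and should be confirmed against how the profile is generated.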
index 0e75319f8f844c19364cd7dcbcf83dd08c5d37a5..9f8a32056df47d72a4632abf591c131c0827679e 100644 (file)
@@ -180,6 +180,9 @@ virSecurityDACSetSecurityImageLabel(virSecurityManagerPtr mgr,
     if (!priv->dynamicOwnership)
         return 0;
 
+    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+        return 0;
+
     return virDomainDiskDefForeachPath(disk,
                                        virSecurityManagerGetAllowDiskFormatProbing(mgr),
                                        false,
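Review bot: The network-disk guard is repeated by hand ahead of the virDomainDiskDefForeachPath() call here, and again in the DAC restore and SELinux set hunks, which is the arrangement the commit message says already lost the check once in a refactor. Without the guard the source of a network disk would presumably be passed on as if it were a host file path, so the check matters for correctness of ownership and labelling rather than being an optimisation. If virDomainDiskDefForeachPath() can itself return 0 for VIR_DOMAIN_DISK_TYPE_NETWORK, testing there would cover every labelling caller at once. Failing that, a comment above each copy, for example `/* Network disks have no local path to label */`, would make the check harder to drop by accident. The bodies of all three functions begin outside their hunks, so any earlier use of `disk` is not visible here.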
@@ -199,6 +202,9 @@ virSecurityDACRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
     if (!priv->dynamicOwnership)
         return 0;
 
+    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+        return 0;
+
     /* Don't restore labels on readoly/shared disks, because
      * other VMs may still be accessing these
      * Alternatively we could iterate over all running
index 78c0d45643c212bf0eb5007e4e89f92481bd86e7..6ef61c767f3084fd4cf7a6c2211c92a6a62fc849 100644 (file)
@@ -636,6 +636,9 @@ SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
     if (secdef->norelabel)
         return 0;
 
+    if (disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
+        return 0;
+
     return virDomainDiskDefForeachPath(disk,
                                        allowDiskFormatProbing,
                                        true,