Skip bulk relabelling of resources in SELinux driver when used with LXC

The virSecurityManager{Set,Restore}AllLabel methods are invoked
at domain startup/shutdown to relabel resources associated with
a domain. This works fine with QEMU, but with LXC they are in
fact both currently no-ops since LXC does not support disks,
hostdevs, or kernel/initrd files. Worse, when LXC gains support
for disks/hostdevs, they will do the wrong thing, since they
run in host context, not container context. Thus this patch
turns then into a formal no-op when used with LXC. The LXC
controller will call out to specific security manager labelling
APIs as required during startup.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 89c5a9d0e83306eef0d73af5cfb32cb49d533afc)

diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 52e1e4932f3ab21d6ae5e2b10c5325d7b63a8cea..5a398f2e02cf165c7211fa1c2449722b4423bdd1 100644 (file)
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -61,6 +61,7 @@ struct _virSecuritySELinuxData {
     char *file_context;
     char *content_context;
     virHashTablePtr mcs;
+    bool skipAllLabel;
 };
 
 struct _virSecuritySELinuxCallbackData {
@@ -363,6 +364,8 @@ virSecuritySELinuxLXCInitialize(virSecurityManagerPtr mgr)
     virConfPtr selinux_conf;
     virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
 
+    data->skipAllLabel = true;
+
     selinux_conf = virConfReadFile(selinux_lxc_contexts_path(), 0);
     if (!selinux_conf) {
         virReportSystemError(errno,
@@ -438,6 +441,8 @@ virSecuritySELinuxQEMUInitialize(virSecurityManagerPtr mgr)
     char *ptr;
     virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
 
+    data->skipAllLabel = false;
+
     if (virFileReadAll(selinux_virtual_domain_context_path(), MAX_CONTEXT, &(data->domain_context)) < 0) {
         virReportSystemError(errno,
                              _("cannot read SELinux virtual domain context file '%s'"),
@@ -1441,11 +1446,12 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def,
 
 
 static int
-virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
                                           virDomainDefPtr def,
                                           int migrated ATTRIBUTE_UNUSED)
 {
     virSecurityLabelDefPtr secdef;
+    virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
     int i;
     int rc = 0;
 
@@ -1455,7 +1461,7 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
     if (secdef == NULL)
         return -1;
 
-    if (secdef->norelabel)
+    if (secdef->norelabel || data->skipAllLabel)
         return 0;
 
     for (i = 0 ; i < def->nhostdevs ; i++) {
@@ -1813,7 +1819,7 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
     if (secdef == NULL)
         return -1;
 
-    if (secdef->norelabel)
+    if (secdef->norelabel || data->skipAllLabel)
         return 0;
 
     for (i = 0 ; i < def->ndisks ; i++) {