qemuExtTPMStop: Restore TPM state label more often

When stopping swtpm we can restore the label either on just the
swtpm's domain specific logfile (/var/log/swtpm/libvirt/qemu/...),
or on the logfile and the state too (/var/lib/libvirt/swtpm/...).

The deciding factor is whether the guest is stopped because of
outgoing migration OR the state is on a shared filesystem.

But this is not correct condition, because for instance saving the
guest into a file (virsh save) is also an outgoing migration.
Alternatively, when the swtpm state is stored on a shared
filesystem, but the guest is destroyed (virsh destroy), i.e.
stopped because of different reason than migration, we want to
restore the seclabels.

The correct condition is: skip restoring the state on outgoing
migration AND shared filesystem.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2161557
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>

diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index b2748eb6a4080ffc084bb96af2fd51709bf35b8c..5831ffc32e992655ec48cff0193879bca4389cb4 100644 (file)
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -1142,7 +1142,7 @@ qemuExtTPMStop(virQEMUDriver *driver,
         return;
 
     qemuTPMEmulatorStop(cfg->swtpmStateDir, shortName);
-    if (outgoingMigration || qemuTPMHasSharedStorage(vm->def))
+    if (outgoingMigration && qemuTPMHasSharedStorage(vm->def))
         restoreTPMStateLabel = false;
 
     if (qemuSecurityRestoreTPMLabels(driver, vm, restoreTPMStateLabel) < 0)