security: dac: Label externalDataStore

We mirror the labeling strategy that was used for its sibling
image

Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 3edfb8f9f46398b9dbe8f2ae5197049259eb8632..d6d0a8299b966b13990ac561f6820759b0c35fa5 100644 (file)
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -884,7 +884,7 @@ virSecurityDACSetImageLabelInternal(virSecurityManagerPtr mgr,
     virSecurityDeviceLabelDefPtr parent_seclabel = NULL;
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     bool remember;
-    bool is_toplevel = parent == src;
+    bool is_toplevel = parent == src || parent->externalDataStore == src;
     uid_t user;
     gid_t group;
 
@@ -948,6 +948,14 @@ virSecurityDACSetImageLabelRelative(virSecurityManagerPtr mgr,
         if (virSecurityDACSetImageLabelInternal(mgr, def, n, parent) < 0)
             return -1;
 
+        if (n->externalDataStore &&
+            virSecurityDACSetImageLabelRelative(mgr,
+                                                def,
+                                                n->externalDataStore,
+                                                parent,
+                                                flags) < 0)
+            return -1;
+
         if (!(flags & VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN))
             break;
     }