From: Michal Privoznik
Date: Thu, 24 Jan 2019 16:38:10 +0000 (+0100)
Subject: lxc: Restore seclabels after the container is killed
X-Git-Tag: v5.1.0-rc1~246
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=16c123679c4b2f9eff8179ee9fc9f8ec07d7b2f8;p=thirdparty%2Flibvirt.git

lxc: Restore seclabels after the container is killed

Due to a bug the seclabels are restored before any PID in the container is killed. This should be done afterwards in virLXCProcessCleanup.

Signed-off-by: Michal Privoznik
Reviewed-by: Erik Skultety
---
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index 33c806630b..a3481bfa08 100644
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
@@ -180,6 +180,17 @@ static void virLXCProcessCleanup(virLXCDriverPtr driver,
         VIR_FREE(xml);
     }
 
+    virSecurityManagerRestoreAllLabel(driver->securityManager,
+                                      vm->def, false, false);
+    virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
+    /* Clear out dynamically assigned labels */
+    if (vm->def->nseclabels &&
+        vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
+        VIR_FREE(vm->def->seclabels[0]->model);
+        VIR_FREE(vm->def->seclabels[0]->label);
+        VIR_FREE(vm->def->seclabels[0]->imagelabel);
+    }
+
     /* Stop autodestroy in case guest is restarted */
     virCloseCallbacksUnset(driver->closeCallbacks, vm, lxcProcessAutoDestroy);
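Review bot: The result of virSecurityManagerRestoreAllLabel() is discarded in the block added to virLXCProcessCleanup, so a partial relabel failure (one host path keeping the container's dynamic label) leaves no trace in the log; since this presumably now runs on every teardown path that reaches cleanup, I would at least warn: `if (virSecurityManagerRestoreAllLabel(driver->securityManager, vm->def, false, false) < 0) VIR_WARN("Unable to restore security labels for domain %s", vm->def->name);`. The same applies to the ignored return of virSecurityManagerReleaseLabel() on the next line. The dynamic-label clearing only inspects seclabels[0], exactly as the mirrored deletion in the virLXCProcessStop hunk did, so any further dynamic entries would keep stale model/label/imagelabel strings — presumably only one dynamic label is permitted per domain, but worth confirming against the definition parser. virLXCProcessCleanup's body continues beyond both ends of this hunk.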
@@ -836,17 +847,6 @@ int virLXCProcessStop(virLXCDriverPtr driver,
     priv = vm->privateData;
 
-    virSecurityManagerRestoreAllLabel(driver->securityManager,
-                                      vm->def, false, false);
-    virSecurityManagerReleaseLabel(driver->securityManager, vm->def);
-    /* Clear out dynamically assigned labels */
-    if (vm->def->nseclabels &&
-        vm->def->seclabels[0]->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
-        VIR_FREE(vm->def->seclabels[0]->model);
-        VIR_FREE(vm->def->seclabels[0]->label);
-        VIR_FREE(vm->def->seclabels[0]->imagelabel);
-    }
-
     /* If the LXC domain is suspended we send all processes a SIGKILL
      * and thaw them. Upon wakeup the process sees the pending signal
      * and dies immediately. It is guaranteed that priv->cgroup != NULL