From: Peter Krempa Date: Thu, 5 Jan 2023 11:59:23 +0000 (+0100) Subject: secuirity: DAC: Don't relabel FD-passed virStorageSource images X-Git-Tag: v9.0.0-rc1~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7fceb5e16823d62fd800b546fdba6e561a5ab2ed;p=thirdparty%2Flibvirt.git secuirity: DAC: Don't relabel FD-passed virStorageSource images DAC security label is irrelevant once you have the FD. Disable all labelling for such images. Signed-off-by: Peter Krempa Reviewed-by: Pavel Hrdina
---
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 917fcf76a3..4036a2c27a 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -881,6 +881,10 @@ virSecurityDACSetImageLabelInternal(virSecurityManager *mgr,
 if (!priv->dynamicOwnership)
 return 0;
 
+ /* Images passed via FD don't need DAC seclabel change */
+ if (virStorageSourceIsFD(src))
+ return 0;
+
 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
 if (secdef && !secdef->relabel)
 return 0;
@@ -992,6 +996,10 @@ virSecurityDACRestoreImageLabelSingle(virSecurityManager *mgr,
 if (src->readonly || src->shared)
 return 0;
 
+ /* Images passed via FD don't need DAC seclabel change */
+ if (virStorageSourceIsFD(src))
+ return 0;
+
 secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
 if (secdef && !secdef->relabel)
 return 0;
@@ -1112,10 +1120,14 @@ virSecurityDACMoveImageMetadata(virSecurityManager *mgr,
 if (!priv->dynamicOwnership)
 return 0;
 
- if (src && virStorageSourceIsLocalStorage(src))
+ if (src &&
+ virStorageSourceIsLocalStorage(src) &&
+ !virStorageSourceIsFD(src))
 data.src = src->path;
 
- if (dst && virStorageSourceIsLocalStorage(dst))
+ if (dst &&
+ virStorageSourceIsLocalStorage(dst) &&
+ !virStorageSourceIsFD(dst))
 data.dst = dst->path;
 
 if (!data.src)
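Review bot: The comment added above the `virStorageSourceIsFD(src)` guard in virSecurityDACSetImageLabelInternal says the label change is not needed but not why, and the same text is repeated verbatim in virSecurityDACRestoreImageLabelSingle. The reason is only in the commit message, so I would carry it into the code at both sites, e.g. `/* FD-passed images: access comes from the already-open FD, so ownership of src->path is irrelevant */`. It is also worth stating that the set and restore guards have to stay paired; dropping only one of them would presumably leave a path chowned and never restored, or restored without ever having been set (inferred, since the chown and restore logic is outside these hunks). Both function bodies start and end outside the hunks.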
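Review bot: The two rewritten conditions in virSecurityDACMoveImageMetadata exclude FD-passed sources without any comment, unlike the guards in the other two hunks, and the mixed case is left unexplained. When `dst` is FD-passed and `src` is not, `data.src` is set while `data.dst` stays unset; what the code after `if (!data.src)` does with an unset destination is outside the hunk, but it looks as if the remembered metadata for `src` would be dropped rather than moved, which deserves a sentence for the next reader. I would add above the first condition `/* FD-passed images are never relabelled, so they have no remembered owner to move from or to */`. The function continues past the last visible line.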