bugfix patches list:
d677de remote: fix driver name check for libxl driver
075641 systemd: start libvirtd after firewalld iptables services
06fc99 qemuDomainCleanupRun: Actually run cleanup callbacks in reverse order
01626c virDevMapperGetTargetsImpl: quit early if device is not a devmapper target
006782 qemu: only stop external devices after the domain
42a415 qemuDomainStorageSourcePrivateDispose: Free httpcookie
cc8c29 Don't require secdrivers to implement .domainMoveImageMetadata
0230e3 qemuProcessStop: Use XATTRs to restore seclabels on disks a domain is mirroring into
8fd274 qemuProcessStop: Reattach NVMe disks a domain is mirroring into
55029d security: don't fail if built without attr support
a5a297 qemu: Skip pre creation of NVMe disks
2a372 Fix some wrong usage of ATTRIBUTE_NONNULL
e728ff conf: Increase cpuset length limit for CPU pinning
8f58a4 virQEMUDriverConfigNew: Add slash to cfg defaultTLSx509certdir for non-embeded driver
1b22dd qemuDomainSetNumaParamsLive: set nodeset for root cgroup
bdb8f2 qemu: do not add model when actual iface type is hostdev

Signed-off-by: Jin Yan <jinyan12@huawei.com>
76 lines
2.7 KiB
Diff
From ba950b814f7a2037829d54e3d1e0522c42c104a4 Mon Sep 17 00:00:00 2001
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Date: Tue, 26 May 2020 09:33:38 +0200
Subject: [PATCH] security: don't fail if built without attr support

If built without attr support removing any image will trigger
qemuBlockRemoveImageMetadata (the one that emits the warning)
-> qemuSecurityMoveImageMetadata
-> virSecurityManagerMoveImageMetadata
-> virSecurityDACMoveImageMetadata
-> virSecurityDACMoveImageMetadataHelper
-> virProcessRunInFork (spawns subprocess)
-> virSecurityMoveRememberedLabel

In there due to !HAVE_LIBATTR virFileGetXAttrQuiet will return
ENOSYS and from there the chain will error out.

That is wrong and looks like:
libvirtd[6320]: internal error: child reported (status=125):
libvirtd[6320]: Unable to remove disk metadata on vm testguest from
/var/lib/uvtool/libvirt/images/testguest.qcow (disk target vda)

This change makes virSecurityDACMoveImageMetadataHelper and
virSecuritySELinuxMoveImageMetadataHelper accept that
error code gracefully and in that sense it is an extension of:
5214b2f1a3f "security: Don't skip label restore on file systems lacking XATTRs"
which does the same for other call chains into the virFile*XAttr functions.

cherry-pick from commit: 55029d93150e33d70b02b6de2b899c05054c5d3a

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Jin Yan <jinyan12@huawei.com>
---
 src/security/security_dac.c     | 6 ++++++
 src/security/security_selinux.c | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 11fff63..51cabf1 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1132,6 +1132,12 @@ virSecurityDACMoveImageMetadataHelper(pid_t pid G_GNUC_UNUSED,
ret = virSecurityMoveRememberedLabel(SECURITY_DAC_NAME, data->src, data->dst);
virSecurityManagerMetadataUnlock(data->mgr, &state);
+
+ if (ret == -2) {
+ /* Libvirt built without XATTRS */
+ ret = 0;
+ }
+
return ret;
}
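Review bot: the new `if (ret == -2)` block in virSecurityDACMoveImageMetadataHelper tests a bare magic number, and the comment `/* Libvirt built without XATTRS */` asserts its meaning without saying where it comes from; the -2 return contract belongs to virSecurityMoveRememberedLabel, which is not visible in this hunk. Suggest either a named value for it or a comment that spells out the path given in the commit message (virFileGetXAttrQuiet returning ENOSYS under !HAVE_LIBATTR), so the next reader does not have to trace the whole chain. Consider also a VIR_DEBUG at this point: once the error is rewritten to success, nothing in the log records that the remembered label was not moved, which makes a no-attr build indistinguishable from a successful move when a later label-restore problem is investigated. The placement after virSecurityManagerMetadataUnlock() is correct, since the return value is rewritten with no lock held.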
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 72d1658..78ea618 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1990,6 +1990,12 @@ virSecuritySELinuxMoveImageMetadataHelper(pid_t pid G_GNUC_UNUSED,
ret = virSecurityMoveRememberedLabel(SECURITY_SELINUX_NAME, data->src, data->dst);
virSecurityManagerMetadataUnlock(data->mgr, &state);
+
+ if (ret == -2) {
+ /* Libvirt built without XATTRS */
+ ret = 0;
+ }
+
return ret;
}
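Review bot: this hunk in virSecuritySELinuxMoveImageMetadataHelper duplicates the security_dac.c hunk line for line. The -2-to-0 translation is a property of virSecurityMoveRememberedLabel's return value, not of either driver, so handling it once inside that function (or in a shared helper both drivers call) would keep the two copies from drifting and would cover any other caller of virSecurityMoveRememberedLabel that this patch does not touch. If the per-driver form is kept to stay parallel with 5214b2f1a3f, the commit message should at least state that every MoveImageMetadataHelper is expected to treat -2 as success, so a future security driver does not miss it.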
--
1.8.3.1