From: Cole Robinson
To: libvirt-list@redhat.com
Date: Sat, 23 Apr 2016 14:51:26 -0400
Cc: Martin Kletzander
Subject: [libvirt] [PATCH] conf: format runtime DAC seclabel, unless MIGRATABLE

We historically format runtime seclabel selinux/apparmor values,
however we skip formatting runtime DAC values. This was added in

  commit 990e46c4542349f838e001d30638872576c389e9
  Author: Marcelo Cerri
  Date:   Fri Aug 31 13:40:41 2012 +0200

      conf: Avoid formatting auto-generated DAC labels

to maintain migration compatibility with libvirt < 0.10.0. However the
formatting was skipped unconditionally. Instead only skip formatting
in the VIR_DOMAIN_DEF_FORMAT_MIGRATABLE case.

https://bugzilla.redhat.com/show_bug.cgi?id=1215833
---
 src/conf/domain_conf.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index db567f5..0557912 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -18741,7 +18741,8 @@ virDomainEventActionDefFormat(virBufferPtr buf, static void virSecurityLabelDefFormat(virBufferPtr buf, - virSecurityLabelDefPtr def) + virSecurityLabelDefPtr def, + unsigned int flags) { const char *sectype = virDomainSeclabelTypeToString(def->type); 
@@ -18751,11 +18752,13 @@ virSecurityLabelDefFormat(virBufferPtr buf, if (def->type == VIR_DOMAIN_SECLABEL_DEFAULT) return; - /* To avoid backward compatibility issues, suppress DAC and 'none' labels - * that are automatically generated. + /* libvirt versions prior to 0.10.0 support just a single seclabel element + * in the XML, and that would typically be filled with type=selinux. + * Don't format it in the MIGRATABLE case, for backwards compatibility */ if ((STREQ_NULLABLE(def->model, "dac") || - STREQ_NULLABLE(def->model, "none")) && def->implicit) + STREQ_NULLABLE(def->model, "none")) && def->implicit && + (flags & VIR_DOMAIN_DEF_FORMAT_MIGRATABLE)) return; virBufferAsprintf(buf, "\n"); for (n = 0; n < def->nseclabels; n++) - virSecurityLabelDefFormat(buf, def->seclabels[n]); + virSecurityLabelDefFormat(buf, def->seclabels[n], flags); if (def->namespaceData && def->ns.format) { if ((def->ns.format)(buf, def->namespaceData) < 0)
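Review bot: In the @@ -18751 hunk, the rewritten comment ends with "Don't format it in the MIGRATABLE case", where "it" reads as the type=selinux element from the previous sentence, while the condition below returns early for implicit labels whose model is "dac" or "none". Please name what is skipped, for example "Don't format implicit dac/none labels in the MIGRATABLE case". The added `(flags & VIR_DOMAIN_DEF_FORMAT_MIGRATABLE)` term also gates the "none" model, so implicit "none" labels will now be formatted whenever the flag is absent; the subject and commit message mention only DAC, so it would help to state whether that is intended.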
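Review bot: At the call site in the `for (n = 0; n < def->nseclabels; n++)` loop, forwarding `flags` changes the formatted output for every definition that carries an implicit dac or none label whenever VIR_DOMAIN_DEF_FORMAT_MIGRATABLE is not set, yet the diffstat lists only src/conf/domain_conf.c. Please add or update a test that formats the same definition with and without the MIGRATABLE flag and checks that the implicit label is emitted only when the flag is absent, so the compatibility behaviour described in the commit message is pinned down.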