diff --git a/libvirt-logrotate-avoid-compressing-small-logs.patch b/libvirt-logrotate-avoid-compressing-small-logs.patch index 865bf18..e5359ef 100644 --- a/libvirt-logrotate-avoid-compressing-small-logs.patch +++ b/libvirt-logrotate-avoid-compressing-small-logs.patch @@ -27,5 +27,5 @@ index 093651c..0c51fd3 100644 + minsize 100k } -- -1.6.2.5 +1.6.5.2 diff --git a/libvirt-qemu-machine-type-fixes2.patch b/libvirt-qemu-machine-type-fixes2.patch index efe93f4..a449b45 100644 --- a/libvirt-qemu-machine-type-fixes2.patch +++ b/libvirt-qemu-machine-type-fixes2.patch @@ -38,5 +38,5 @@ index ac63570..b881f1e 100644 return 0; -- -1.6.2.5 +1.6.5.2 diff --git a/libvirt-qemu-save-restore-2.patch b/libvirt-qemu-save-restore-2.patch new file mode 100644 index 0000000..907008c --- /dev/null +++ b/libvirt-qemu-save-restore-2.patch @@ -0,0 +1,118 @@ +From 096fc1216eb2654bbff376dcc5bb8177d6498f82 Mon Sep 17 00:00:00 2001 +From: Daniel P. Berrange +Date: Thu, 19 Nov 2009 12:16:30 +0000 +Subject: [PATCH] Fix labelling on QEMU restore images + +Even though QEMU does not directly open the saved image when +restoring, it must be correctly labelled to allow QEMU to +read from it because labelling is passed around with open +file descriptors. + +The labelling should not allow writing to the saved image +again, only reading. + +* src/qemu/qemu_driver.c: Label the save image when restoring +* src/security/security_driver.h: Add a virSecurityDomainSetSavedStateLabelRO + method for labelling a saved image for restore +* src/security/security_selinux.c: Implement labelling of RO + save images for restore + +Fedora-patch: libvirt-qemu-save-restore-2.patch +--- + src/qemu/qemu_driver.c | 11 ++++++++++- + src/security/security_driver.h | 5 +++++ + src/security/security_selinux.c | 11 +++++++++++ + 3 files changed, 26 insertions(+), 1 deletions(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index 171ac8f..e6abb05 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -3266,7 +3266,7 @@ static int qemudDomainSave(virDomainPtr dom, + + if (driver->securityDriver && + driver->securityDriver->domainRestoreSavedStateLabel && +- driver->securityDriver->domainRestoreSavedStateLabel(dom->conn, path) == -1) ++ driver->securityDriver->domainRestoreSavedStateLabel(dom->conn, vm, path) == -1) + goto cleanup; + + ret = 0; +@@ -3813,6 +3813,11 @@ static int qemudDomainRestore(virConnectPtr conn, + } + def = NULL; + ++ if (driver->securityDriver && ++ driver->securityDriver->domainSetSavedStateLabelRO && ++ driver->securityDriver->domainSetSavedStateLabelRO(conn, vm, path) == -1) ++ goto cleanup; ++ + if (header.version == 2) { + const char *intermediate_argv[3] = { NULL, "-dc", NULL }; + const char *prog = qemudSaveCompressionTypeToString(header.compressed); +@@ -3847,6 +3852,10 @@ static int qemudDomainRestore(virConnectPtr conn, + close(intermediatefd); + close(fd); + fd = -1; ++ if (driver->securityDriver && ++ driver->securityDriver->domainRestoreSavedStateLabel && ++ driver->securityDriver->domainRestoreSavedStateLabel(conn, vm, path) == -1) ++ VIR_WARN("Unable to restore labelling on %s", path); + if (ret < 0) { + if (!vm->persistent) { + virDomainRemoveInactive(&driver->domains, +diff --git a/src/security/security_driver.h b/src/security/security_driver.h +index 5514962..5144976 100644 +--- a/src/security/security_driver.h ++++ b/src/security/security_driver.h +@@ -45,7 +45,11 @@ typedef int (*virSecurityDomainSetHostdevLabel) (virConnectPtr conn, + typedef int (*virSecurityDomainSetSavedStateLabel) (virConnectPtr conn, + virDomainObjPtr vm, + const char *savefile); ++typedef int (*virSecurityDomainSetSavedStateLabelRO) (virConnectPtr conn, ++ virDomainObjPtr vm, ++ const char *savefile); + typedef int (*virSecurityDomainRestoreSavedStateLabel) (virConnectPtr conn, ++ virDomainObjPtr vm, + const char *savefile); + typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn, + virDomainObjPtr sec); +@@ -77,6 +81,7 @@ struct _virSecurityDriver { + virSecurityDomainRestoreHostdevLabel domainRestoreSecurityHostdevLabel; + virSecurityDomainSetHostdevLabel domainSetSecurityHostdevLabel; + virSecurityDomainSetSavedStateLabel domainSetSavedStateLabel; ++ virSecurityDomainSetSavedStateLabelRO domainSetSavedStateLabelRO; + virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel; + + /* +diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c +index 4f2d1d3..0c130e5 100644 +--- a/src/security/security_selinux.c ++++ b/src/security/security_selinux.c +@@ -639,7 +639,17 @@ SELinuxSetSavedStateLabel(virConnectPtr conn, + + + static int ++SELinuxSetSavedStateLabelRO(virConnectPtr conn, ++ virDomainObjPtr vm ATTRIBUTE_UNUSED, ++ const char *savefile) ++{ ++ return SELinuxSetFilecon(conn, savefile, default_content_context); ++} ++ ++ ++static int + SELinuxRestoreSavedStateLabel(virConnectPtr conn, ++ virDomainObjPtr vm ATTRIBUTE_UNUSED, + const char *savefile) + { + return SELinuxRestoreSecurityFileLabel(conn, savefile); +@@ -716,5 +726,6 @@ virSecurityDriver virSELinuxSecurityDriver = { + .domainSetSecurityHostdevLabel = SELinuxSetSecurityHostdevLabel, + .domainRestoreSecurityHostdevLabel = SELinuxRestoreSecurityHostdevLabel, + .domainSetSavedStateLabel = SELinuxSetSavedStateLabel, ++ .domainSetSavedStateLabelRO = SELinuxSetSavedStateLabelRO, + .domainRestoreSavedStateLabel = SELinuxRestoreSavedStateLabel, + }; +-- +1.6.5.2 + diff --git a/libvirt-qemu-save-restore.patch b/libvirt-qemu-save-restore.patch index 366252e..d08715a 100644 --- a/libvirt-qemu-save-restore.patch +++ b/libvirt-qemu-save-restore.patch @@ -1,4 +1,4 @@ -From 076fffe1514b72ffc9a041f7f68348f5487ee8ba Mon Sep 17 00:00:00 2001 +From 1151cdcad3f4b68478b076832843338256b94644 Mon Sep 17 00:00:00 2001 From: Daniel P. Berrange Date: Wed, 11 Nov 2009 12:07:00 +0000 Subject: [PATCH] Fix save and restore with non-privileged guests and SELinux @@ -164,5 +164,5 @@ index 7e0f71a..4f2d1d3 100644 + .domainRestoreSavedStateLabel = SELinuxRestoreSavedStateLabel, }; -- -1.6.2.5 +1.6.5.2 diff --git a/libvirt.spec b/libvirt.spec index 01f8bea..11212d2 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -155,7 +155,7 @@ Summary: Library providing a simple API virtualization Name: libvirt Version: 0.7.2 -Release: 5%{?dist}%{?extra_release} +Release: 6%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries Source: http://libvirt.org/sources/libvirt-%{version}.tar.gz @@ -168,6 +168,7 @@ Patch02: libvirt-logrotate-avoid-compressing-small-logs.patch # Fix QEMU save/restore permissions / labelling Patch03: libvirt-qemu-save-restore.patch +Patch04: libvirt-qemu-save-restore-2.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root URL: http://libvirt.org/ @@ -384,6 +385,7 @@ of recent versions of Linux (and other OSes). %patch01 -p1 %patch02 -p1 %patch03 -p1 +%patch04 -p1 %build %if ! %{with_xen} @@ -796,6 +798,9 @@ fi %endif %changelog +* Thu Nov 19 2009 Daniel P. Berrange - 0.7.2-6 +- Really fix restore file labelling this time + * Wed Nov 11 2009 Daniel P. Berrange - 0.7.2-5 - Disable numactl on s390[x]. Again.