From 70d353356d25a0ea6b2681ef5996ef71fac11813 Mon Sep 17 00:00:00 2001
From: Michal Privoznik
Date: Mon, 16 Sep 2019 12:28:48 +0200
Subject: [PATCH] qemu_blockjob: Remove secdriver metadata for whole backing chain on job completion
Turns out, block mirror is not the only job a disk can have. It can also do commits of one layer into the other. Or possibly some other tricks too. Problem is that while we set seclabels on given layers of backing chain when the job is starting (via qemuDomainStorageSourceAccessAllow()) we don't restore them when job finishes. This leaves XATTRs set and corresponding images unusable.
Signed-off-by: Michal Privoznik
ACKed-by: Peter Krempa
---
 src/qemu/qemu_blockjob.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_blockjob.c b/src/qemu/qemu_blockjob.c
index 80d0269128..c118f2c298 100644
--- a/src/qemu/qemu_blockjob.c
+++ b/src/qemu/qemu_blockjob.c
@@ -664,9 +664,9 @@ qemuBlockJobEventProcessLegacyCompleted(virQEMUDriverPtr driver,
 virObjectUnref(disk->src);
 disk->src = disk->mirror;
 } else {
- if (disk->mirror) {
- virStorageSourcePtr n;
+ virStorageSourcePtr n;
+ if (disk->mirror) {
 virDomainLockImageDetach(driver->lockManager, vm, disk->mirror);
 /* Ideally, we would restore seclabels on the backing chain here
@@ -684,6 +684,16 @@ qemuBlockJobEventProcessLegacyCompleted(virQEMUDriverPtr driver,
 virObjectUnref(disk->mirror);
 }
+
+ for (n = disk->src; virStorageSourceIsBacking(n); n = n->backingStore) {
+ if (qemuSecurityMoveImageMetadata(driver, vm, n, NULL) < 0) {
+ VIR_WARN("Unable to remove disk metadata on "
+ "vm %s from %s (disk target %s)",
+ vm->def->name,
+ NULLSTR(n->path),
+ disk->dst);
+ }
+ }
 }
 /* Recompute the cached backing chain to match our
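Review bot: In the second hunk, the new loop over `disk->src` only warns when `qemuSecurityMoveImageMetadata()` fails, and the warning omits the reason. A layer left with stale XATTRs, which is the "unusable image" case the commit message describes, therefore cannot be diagnosed from the log. Consider ending the format string with `(disk target %s): %s` and passing `virGetLastErrorMessage()` as the last argument. The loop also walks every layer of the chain and has no comment saying why; something like `/* The job set seclabels on layers of this chain when it started; drop the leftover metadata now that it has finished. */` would record the intent. Whether removing the metadata is safe for layers the running domain keeps using cannot be confirmed from here, since the enclosing function starts and ends outside the hunk.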