authorMichal Privoznik <mprivozn@redhat.com>2019-02-15 11:37:03 +0100
committerMichal Privoznik <mprivozn@redhat.com>2019-07-03 08:36:04 +0200
commit8b1660e530bc4d234d7221ec1ee5db796f92f470 (patch)
treec73f4e3c0ae315be53edcd666e84b955ca5db185 /tests/qemusecuritytest.c
parent760fa054360509a5f7a22478c801b9178b5c96da (diff)
downloadlibvirt-8b1660e530bc4d234d7221ec1ee5db796f92f470.tar.gz
security: Don't remember owner for shared resources
This effectively reverts d7420430ce6 and adds new code. Here is the problem: Imagine a file X that is to be shared between two domains as a disk. Let the first domain (vm1) have seclabel remembering turned on and the other (vm2) has it turned off. Assume that both domains will run under the same user, but the original owner of X is different (i.e. trying to access X without relabelling leads to EPERM). Let's start vm1 first. This will cause X to be relabelled and to gain new attributes: trusted.libvirt.security.ref_dac="1" trusted.libvirt.security.dac="$originalOwner" When vm2 is started, X will again be relabelled, but since the new label is the same as X already has (because of vm1) nothing changes and vm1 and vm2 can access X just fine. Note that no XATTR is changed (especially the refcounter keeps its value of 1) because the vm2 domain has the feature turned off. Now, vm1 is shut off and vm2 continues running. In seclabel restore process we would get to X and since its refcounter is 1 we would restore the $originalOwner on it. But this is unsafe to do because vm2 is still using X (remember the assumption that $originalOwner and vm2's seclabel are distinct?). The problem is that refcounter stored in XATTRs doesn't reflect the actual times a resource is in use. Since I don't see any easy way around it let's just not store original owner on shared resources. Shared resource in world of domain disks is: - whole backing chain but the top layer, - read only disk (we don't require CDROM to be explicitly marked as shareable), - disk marked as shareable. Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Diffstat (limited to 'tests/qemusecuritytest.c')
-rw-r--r--tests/qemusecuritytest.c24
1 files changed, 23 insertions, 1 deletions
diff --git a/tests/qemusecuritytest.c b/tests/qemusecuritytest.c
index 65e08b4503..2d88979168 100644
--- a/tests/qemusecuritytest.c
+++ b/tests/qemusecuritytest.c
@@ -85,11 +85,32 @@ testDomain(const void *opaque)
{
const struct testData *data = opaque;
VIR_AUTOUNREF(virDomainObjPtr) vm = NULL;
+ VIR_AUTOSTRINGLIST notRestored = NULL;
+ size_t i;
int ret = -1;
if (prepareObjects(data->driver, data->file, &vm) < 0)
return -1;
+ for (i = 0; i < vm->def->ndisks; i++) {
+ virStorageSourcePtr src = vm->def->disks[i]->src;
+ virStorageSourcePtr n;
+
+ if (!src)
+ continue;
+
+ if (virStorageSourceIsLocalStorage(src) && src->path &&
+ (src->shared || src->readonly) &&
+ virStringListAdd(&notRestored, src->path) < 0)
+ return -1;
+
+ for (n = src->backingStore; virStorageSourceIsBacking(n); n = n->backingStore) {
+ if (virStorageSourceIsLocalStorage(n) && n->path &&
+ virStringListAdd(&notRestored, n->path) < 0)
+ return -1;
+ }
+ }
+
/* Mocking is enabled only when this env variable is set.
* See mock code for explanation. */
if (setenv(ENVVAR, "1", 0) < 0)
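Review bot: The loop that fills `notRestored` has no comment explaining why these paths are exempt. The rule it encodes (the top image only when `src->shared || src->readonly`, every backing layer unconditionally) is a hand-written copy of the security driver's definition of a shared resource. I would add above the `for`: `/* Shared resources (shareable or read-only disks, and every backing layer below the top image) never get their original owner remembered, so restore is expected to leave them untouched. Keep in sync with the security driver. */`. Without that, a future change to the driver's predicate can leave this list stale with no hint of where the rule came from. testDomain continues past the end of this hunk.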
@@ -100,7 +121,7 @@ testDomain(const void *opaque)
qemuSecurityRestoreAllLabel(data->driver, vm, false);
- if (checkPaths(NULL) < 0)
+ if (checkPaths((const char **) notRestored) < 0)
goto cleanup;
ret = 0;
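Review bot: Passing `notRestored` to `checkPaths()` makes the listed paths an exemption, and this hunk does not show whether checkPaths() still asserts anything about them. If it only skips them, the test would still pass after a regression in which the driver again records `trusted.libvirt.security.*` attributes on a shared image. That is the precondition for the unsafe owner restore described in the commit message. Consider having checkPaths() (defined outside this hunk) verify that each exempt path carries no remembered-owner XATTR after `qemuSecurityRestoreAllLabel()`, so the exemption is a positive check and not a blind spot.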
@@ -144,6 +165,7 @@ mymain(void)
DO_TEST_DOMAIN("console-virtio-unix");
DO_TEST_DOMAIN("controller-virtio-scsi");
DO_TEST_DOMAIN("disk-aio");
+ DO_TEST_DOMAIN("disk-backing-chains-noindex");
DO_TEST_DOMAIN("disk-cache");
DO_TEST_DOMAIN("disk-cdrom");
DO_TEST_DOMAIN("disk-cdrom-bus-other");