Skip to content

L
libvirt

openeuler / libvirt

通知 3
Star 0
Fork 0
L
libvirt

体验新版 GitCode,发现更多精彩内容 >>

提交 b0c6300f 编写于 作者: D Daniel P. Berrangé
浏览文件
操作

qemu: ensure FDs passed to QEMU for chardevs have correct SELinux labels 

The UNIX socket FDs were we passing to QEMU inherited a label based on
libvirtd's context. QEMU is thus denied ability to access the UNIX
socket. We need to use the security manager to change our current
context temporarily when creating the UNIX socket FD.
Reviewed-by: NLaine Stump <laine@laine.org>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
上级 a2913aed
隐藏空白更改
内联 并排
Showing with 63 addition and 26 deletion
src/qemu/qemu_command.c
浏览文件 @ b0c6300f
......@@ -4931,6 +4931,7 @@ qemuOpenChrChardevUNIXSocket(const virDomainChrSourceDef *dev)
* host side of the character device */
static char *
qemuBuildChrChardevStr(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
......@@ -5065,7 +5066,13 @@ qemuBuildChrChardevStr(virLogManagerPtr logManager,
case VIR_DOMAIN_CHR_TYPE_UNIX:
if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_CHARDEV_FD_PASS)) {
if (qemuSecuritySetSocketLabel(secManager, (virDomainDefPtr)def) < 0)
goto cleanup;
int fd = qemuOpenChrChardevUNIXSocket(dev);
if (qemuSecurityClearSocketLabel(secManager, (virDomainDefPtr)def) < 0) {
VIR_FORCE_CLOSE(fd);
goto cleanup;
}
if (fd < 0)
goto cleanup;
......@@ -5404,6 +5411,7 @@ qemuBuildHostdevCommandLine(virCommandPtr cmd,
static int
qemuBuildMonitorCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
virDomainDefPtr def,
......@@ -5414,7 +5422,8 @@ qemuBuildMonitorCommandLine(virLogManagerPtr logManager,
if (!priv->monConfig)
return 0;
if (!(chrdev = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(chrdev = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
priv->monConfig, "monitor",
priv->qemuCaps, true,
priv->chardevStdioLogd)))
......@@ -5533,6 +5542,7 @@ qemuBuildSclpDevStr(virDomainChrDefPtr dev)
static int
qemuBuildRNGBackendChrdevStr(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
......@@ -5550,7 +5560,8 @@ qemuBuildRNGBackendChrdevStr(virLogManagerPtr logManager,
return 0;
case VIR_DOMAIN_RNG_BACKEND_EGD:
if (!(*chr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(*chr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
rng->source.chardev,
rng->info.alias, qemuCaps, true,
chardevStdioLogd)))
......@@ -5680,6 +5691,7 @@ qemuBuildRNGDevStr(const virDomainDef *def,
static int
qemuBuildRNGCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
......@@ -5702,7 +5714,7 @@ qemuBuildRNGCommandLine(virLogManagerPtr logManager,
}
/* possibly add character device for backend */
if (qemuBuildRNGBackendChrdevStr(logManager, cmd, cfg, def,
if (qemuBuildRNGBackendChrdevStr(logManager, secManager, cmd, cfg, def,
rng, qemuCaps, &tmp,
chardevStdioLogd) < 0)
return -1;
......@@ -8135,6 +8147,7 @@ qemuBuildGraphicsCommandLine(virQEMUDriverConfigPtr cfg,
static int
qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver,
virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virDomainDefPtr def,
virDomainNetDefPtr net,
......@@ -8157,7 +8170,8 @@ qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver,
switch ((virDomainChrType)net->data.vhostuser->type) {
case VIR_DOMAIN_CHR_TYPE_UNIX:
if (!(chardev = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(chardev = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
net->data.vhostuser,
net->info.alias, qemuCaps, false,
chardevStdioLogd)))
......@@ -8225,6 +8239,7 @@ qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver,
static int
qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virDomainDefPtr def,
virDomainNetDefPtr net,
......@@ -8356,7 +8371,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
break;
case VIR_DOMAIN_NET_TYPE_VHOSTUSER:
ret = qemuBuildVhostuserCommandLine(driver, logManager, cmd, def,
ret = qemuBuildVhostuserCommandLine(driver, logManager, secManager, cmd, def,
net, qemuCaps, bootindex,
chardevStdioLogd);
goto cleanup;
......@@ -8534,6 +8549,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
static int
qemuBuildNetCommandLine(virQEMUDriverPtr driver,
virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virDomainDefPtr def,
virQEMUCapsPtr qemuCaps,
......@@ -8566,7 +8582,7 @@ qemuBuildNetCommandLine(virQEMUDriverPtr driver,
for (i = 0; i < def->nnets; i++) {
virDomainNetDefPtr net = def->nets[i];
if (qemuBuildInterfaceCommandLine(driver, logManager, cmd, def, net,
if (qemuBuildInterfaceCommandLine(driver, logManager, secManager, cmd, def, net,
qemuCaps, bootNet, vmop,
standalone, nnicindexes,
nicindexes,
......@@ -8629,6 +8645,7 @@ qemuBuildSmartcardFindCCIDController(const virDomainDef *def,
static int
qemuBuildSmartcardCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
......@@ -8702,7 +8719,8 @@ qemuBuildSmartcardCommandLine(virLogManagerPtr logManager,
return -1;
}
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
smartcard->data.passthru,
smartcard->info.alias,
qemuCaps, true,
......@@ -8862,6 +8880,7 @@ qemuBuildShmemBackendMemProps(virDomainShmemDefPtr shmem)
static int
qemuBuildShmemCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
virDomainDefPtr def,
......@@ -8933,7 +8952,8 @@ qemuBuildShmemCommandLine(virLogManagerPtr logManager,
VIR_FREE(devstr);
if (shmem->server.enabled) {
devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
&shmem->server.chr,
shmem->info.alias, qemuCaps, true,
chardevStdioLogd);
......@@ -9020,6 +9040,7 @@ qemuChrIsPlatformDevice(const virDomainDef *def,
static int
qemuBuildSerialCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
......@@ -9043,7 +9064,8 @@ qemuBuildSerialCommandLine(virLogManagerPtr logManager,
if (serial->source->type == VIR_DOMAIN_CHR_TYPE_SPICEPORT && !havespice)
continue;
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
serial->source,
serial->info.alias,
qemuCaps, true,
......@@ -9080,6 +9102,7 @@ qemuBuildSerialCommandLine(virLogManagerPtr logManager,
static int
qemuBuildParallelsCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
......@@ -9092,7 +9115,8 @@ qemuBuildParallelsCommandLine(virLogManagerPtr logManager,
virDomainChrDefPtr parallel = def->parallels[i];
char *devstr;
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
parallel->source,
parallel->info.alias,
qemuCaps, true,
......@@ -9113,6 +9137,7 @@ qemuBuildParallelsCommandLine(virLogManagerPtr logManager,
static int
qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
......@@ -9127,7 +9152,8 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
switch (channel->targetType) {
case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_GUESTFWD:
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
channel->source,
channel->info.alias,
qemuCaps, true,
......@@ -9144,7 +9170,8 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
break;
case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO:
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
channel->source,
channel->info.alias,
qemuCaps, true,
......@@ -9166,6 +9193,7 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
static int
qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
......@@ -9187,7 +9215,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
return -1;
}
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
console->source,
console->info.alias,
qemuCaps, true,
......@@ -9208,7 +9237,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
return -1;
}
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
console->source,
console->info.alias,
qemuCaps, true,
......@@ -9223,7 +9253,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
break;
case VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_VIRTIO:
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
console->source,
console->info.alias,
qemuCaps, true,
......@@ -9342,6 +9373,7 @@ qemuBuildRedirdevDevStr(const virDomainDef *def,
static int
qemuBuildRedirdevCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
......@@ -9354,7 +9386,8 @@ qemuBuildRedirdevCommandLine(virLogManagerPtr logManager,
virDomainRedirdevDefPtr redirdev = def->redirdevs[i];
char *devstr;
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
redirdev->source,
redirdev->info.alias,
qemuCaps, true,
......@@ -10065,6 +10098,7 @@ qemuBuildVsockCommandLine(virCommandPtr cmd,
virCommandPtr
qemuBuildCommandLine(virQEMUDriverPtr driver,
virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virDomainObjPtr vm,
const char *migrateURI,
virDomainSnapshotObjPtr snapshot,
......@@ -10181,7 +10215,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
if (qemuBuildSgaCommandLine(cmd, def, qemuCaps) < 0)
goto error;
if (qemuBuildMonitorCommandLine(logManager, cmd, cfg, def, priv) < 0)
if (qemuBuildMonitorCommandLine(logManager, secManager, cmd, cfg, def, priv) < 0)
goto error;
if (qemuBuildClockCommandLine(cmd, def, qemuCaps) < 0)
......@@ -10211,29 +10245,29 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
if (qemuBuildFSDevCommandLine(cmd, def, qemuCaps) < 0)
goto error;
if (qemuBuildNetCommandLine(driver, logManager, cmd, def,
if (qemuBuildNetCommandLine(driver, logManager, secManager, cmd, def,
qemuCaps, vmop, standalone,
nnicindexes, nicindexes, &bootHostdevNet,
chardevStdioLogd) < 0)
goto error;
if (qemuBuildSmartcardCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildSmartcardCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
if (qemuBuildSerialCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildSerialCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
if (qemuBuildParallelsCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildParallelsCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
if (qemuBuildChannelsCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildChannelsCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
if (qemuBuildConsoleCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildConsoleCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
......@@ -10258,7 +10292,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
if (qemuBuildWatchdogCommandLine(cmd, def, qemuCaps) < 0)
goto error;
if (qemuBuildRedirdevCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildRedirdevCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
......@@ -10271,7 +10305,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
if (qemuBuildMemballoonCommandLine(cmd, def, qemuCaps) < 0)
goto error;
if (qemuBuildRNGCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildRNGCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
......@@ -10306,7 +10340,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
goto error;
for (i = 0; i < def->nshmems; i++) {
if (qemuBuildShmemCommandLine(logManager, cmd, cfg,
if (qemuBuildShmemCommandLine(logManager, secManager, cmd, cfg,
def, def->shmems[i], qemuCaps,
chardevStdioLogd))
goto error;
......
src/qemu/qemu_command.h
浏览文件 @ b0c6300f
......@@ -46,6 +46,7 @@ VIR_ENUM_DECL(qemuVideo)
virCommandPtr qemuBuildCommandLine(virQEMUDriverPtr driver,
virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virDomainObjPtr vm,
const char *migrateURI,
virDomainSnapshotObjPtr snapshot,
......
src/qemu/qemu_process.c
浏览文件 @ b0c6300f
......@@ -6174,6 +6174,7 @@ qemuProcessLaunch(virConnectPtr conn,
VIR_DEBUG("Building emulator command line");
if (!(cmd = qemuBuildCommandLine(driver,
qemuDomainLogContextGetManager(logCtxt),
driver->securityManager,
vm,
incoming ? incoming->launchURI : NULL,
snapshot, vmop,
......@@ -6642,6 +6643,7 @@ qemuProcessCreatePretendCmd(virQEMUDriverPtr driver,
VIR_DEBUG("Building emulator command line");
cmd = qemuBuildCommandLine(driver,
NULL,
driver->securityManager,
vm,
migrateURI,
NULL,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册