1. 21 1月, 2010 2 次提交
    • D
      Refactor setup & cleanup of security labels in security driver · 0c0e0d02
      Daniel P. Berrange 提交于
      The current security driver architecture has the following
      split of logic
      
       * domainGenSecurityLabel
      
          Allocate the unique label for the domain about to be started
      
       * domainGetSecurityLabel
      
          Retrieve the current live security label for a process
      
       * domainSetSecurityLabel
      
          Apply the previously allocated label to the current process
          Setup all disk image / device labelling
      
       * domainRestoreSecurityLabel
      
          Restore the original disk image / device labelling.
          Release the unique label for the domain
      
      The 'domainSetSecurityLabel' method is special because it runs
      in the context of the child process between the fork + exec.
      
      This is require in order to set the process label. It is not
      required in order to label disks/devices though. Having the
      disk labelling code run in the child process limits what it
      can do.
      
      In particularly libvirtd would like to remember the current
      disk image label, and only change shared image labels for the
      first VM to start. This requires use & update of global state
      in the libvirtd daemon, and thus cannot run in the child
      process context.
      
      The solution is to split domainSetSecurityLabel into two parts,
      one applies process label, and the other handles disk image
      labelling. At the same time domainRestoreSecurityLabel is
      similarly split, just so that it matches the style. Thus the
      previous 4 methods are replaced by the following 6 new methods
      
       * domainGenSecurityLabel
      
          Allocate the unique label for the domain about to be started
          No actual change here.
      
       * domainReleaseSecurityLabel
      
         Release the unique label for the domain
      
       * domainGetSecurityProcessLabel
      
         Retrieve the current live security label for a process
         Merely renamed for clarity.
      
       * domainSetSecurityProcessLabel
      
         Apply the previously allocated label to the current process
      
       * domainRestoreSecurityAllLabel
      
          Restore the original disk image / device labelling.
      
       * domainSetSecurityAllLabel
      
          Setup all disk image / device labelling
      
      The SELinux and AppArmour drivers are then updated to comply with
      this new spec. Notice that the AppArmour driver was actually a
      little different. It was creating its profile for the disk image
      and device labels in the 'domainGenSecurityLabel' method, where as
      the SELinux driver did it in 'domainSetSecurityLabel'. With the
      new method split, we can have consistency, with both drivers doing
      that in the domainSetSecurityAllLabel method.
      
      NB, the AppArmour changes here haven't been compiled so may not
      build.
      0c0e0d02
    • D
      Make security drivers responsible for checking dynamic vs static labelling · 81fbb4cb
      Daniel P. Berrange 提交于
      The QEMU driver is doing 90% of the calls to check for static vs
      dynamic labelling. Except it is forgetting todo so in many places,
      in particular hotplug is mistakenly assigning disk labels. Move
      all this logic into the security drivers themselves, so the HV
      drivers don't have to think about it.
      
      * src/security/security_driver.h: Add virDomainObjPtr parameter
        to virSecurityDomainRestoreHostdevLabel and to
        virSecurityDomainRestoreSavedStateLabel
      * src/security/security_selinux.c, src/security/security_apparmor.c:
        Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all
        chcon() code in those cases
      * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC
        or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL
        driver entry points.
      81fbb4cb
  2. 11 11月, 2009 1 次提交
    • D
      Fix save and restore with non-privileged guests and SELinux · bc0010b3
      Daniel P. Berrange 提交于
      When running qemu:///system instance, libvirtd runs as root,
      but QEMU may optionally be configured to run non-root. When
      then saving a guest to a state file, the file is initially
      created as root, and thus QEMU cannot write to it. It is also
      missing labelling required to allow access via SELinux.
      
      * src/qemu/qemu_driver.c: Set ownership on save image before
        running migrate command in virDomainSave impl. Call out to
        security driver to set save image labelling
      * src/security/security_driver.h: Add driver APIs for setting
        and restoring saved state file labelling
      * src/security/security_selinux.c: Implement saved state file
        labelling for SELinux
      bc0010b3
  3. 07 10月, 2009 1 次提交
    • J
      Add a domain argument to SVirt *RestoreImageLabel · 709c37e9
      Jamie Strandboge 提交于
      When James Morris originally submitted his sVirt patches (as seen in
      libvirt 0.6.1), he did not require on disk labelling for
      virSecurityDomainRestoreImageLabel. A later commit[2] changed this
      behavior to assume on disk labelling, which halts implementations for
      path-based MAC systems such as AppArmor and TOMOYO where
      vm->def->seclabel is required to obtain the label.
      
      * src/security/security_driver.h src/qemu/qemu_driver.c
        src/security/security_selinux.c: adds the 'virDomainObjPtr vm'
        argument back to *RestoreImageLabel
      709c37e9
  4. 21 9月, 2009 1 次提交
    • D
      Move security drivers to src/security/ · e56c6a83
      Daniel P. Berrange 提交于
      * src/Makefile.am, src/qemu/qemu_conf.h, src/qemu/qemu_driver.c,
        tests/seclabeltest.c: Adapt for changed paths
      * src/security.c: Rename to src/security/security_driver.c
      * src/security.h: Rename to src/security/security_driver.h
      * src/security_selinux.c, src/security_selinux.h: Move to src/security/
      e56c6a83
  5. 10 9月, 2009 1 次提交
  6. 23 7月, 2009 1 次提交
    • D
      Fix misc Win32 compile warnings · 899ae0d2
      Daniel P. Berrange 提交于
      GCC >= 4.4 assumes the 'printf' attribute refers to the native
      runtime libraries format specifiers. Thanks to gnulib, libvirt
      has GNU format specifiers everywhere.  This means we need to
      use 'gnu_printf' with GCC >= 4.4 to get correct compiler
      checking of printf format specifiers.
      
      * HACKING: Document new rules for ATTRIBUTE_FMT_PRINTF
      * autobuild.sh, mingw32-libvirt.spec.in: Disable OpenNebula
        driver on mingw32 builds
      * qemud/dispatch.h, qemud/qemu.h, src/buf.h src/internal.h,
        src/logging.h, src/security.h, src/sexpr.h, src/util.h,
        src/virterror_internal.h, src/xend_internal.c: Change
        over to ATTRIBUTE_FMT_PRINTF.
      * src/virsh.c: Disable 'cd' and 'pwd' commands on Win32
        since they don't compile
      * src/threads-win32.c: Add missing return value check
      899ae0d2
  7. 12 6月, 2009 1 次提交
  8. 03 4月, 2009 1 次提交
  9. 17 3月, 2009 1 次提交
  10. 03 3月, 2009 2 次提交