- 16 Nov 2018, 2 commits
-
-
Committed by Michal Privoznik
Trying to use virtlockd to lock metadata turns out to be too big a gun. Since we will always spawn a separate process for relabeling, we are safe to use thread-unsafe POSIX locks and take virtlockd completely out of the picture.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Michal Privoznik
When metadata locking is enabled, that means the security commit processing will be run in a fork, similar to how namespaces use fork()s for processing. This is done to ensure libvirt can properly and synchronously modify the metadata to store the original owner data. Since fork()s (e.g. virFork) have been seen as a performance bottleneck, being able to disable them allows the admin to choose whether the performance 'hit' is worth the extra 'security' of being able to remember the original owner of a lock.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
-
- 02 Oct 2018, 1 commit
-
-
Committed by Ján Tomko
We switched to opening mode='bind' sockets ourselves:

  commit 30fb2276
  qemu: support passing pre-opened UNIX socket listen FD
  (v4.5.0-rc1~251)

Then fixed qemuBuildChrChardevStr to change libvirtd's label while creating the socket:

  commit b0c6300f
  qemu: ensure FDs passed to QEMU for chardevs have correct SELinux labels
  (v4.5.0-rc1~52)

Also add labeling of these sockets to the DAC driver. Instead of duplicating the logic which decides whether libvirt should pre-create the socket, assume an existing path means that it was created by libvirt.

https://bugzilla.redhat.com/show_bug.cgi?id=1633389

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
-
- 26 Sep 2018, 2 commits
-
-
Committed by Michal Privoznik
It may happen that in the list of paths/disk sources to relabel there is a disk source. If that is the case, the path is NULL. In that case, we shouldn't try to lock the path. It's likely a network disk anyway and therefore there is nothing to lock.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
-
Committed by Michal Privoznik
This shouldn't be needed per se. The security manager shouldn't disappear during transactions - it's immutable. However, it doesn't hurt to grab a reference either - the transaction code uses it after all.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
-
- 18 Sep 2018, 3 commits
-
-
Committed by Michal Privoznik
Lock all the paths we want to relabel to mutually exclude other libvirt daemons. The only hitch here is that directories can't be locked. Therefore, when relabeling a directory do not lock it (this happens only when setting up some domain private paths anyway, e.g. the huge pages directory).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Michal Privoznik
Firstly, the message that says we're setting uid:gid shouldn't be called from virSecurityDACSetOwnershipInternal() because virSecurityDACRestoreFileLabelInternal() is calling it too. Secondly, there are places between us reporting label restore and us actually doing it where we can quit. Don't say we're doing something until we are actually about to do it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Michal Privoznik
So far the whole transaction handling is done in virSecurityDACSetOwnershipInternal(). This needs to change for the sake of security label remembering and locking. Otherwise we would be locking a path when only appending it to the transaction list and not when actually relabeling it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
-
- 17 Sep 2018, 1 commit
-
-
Committed by Michal Privoznik
It will be desirable to run transactions more often than we currently do, even if the domain we're relabeling the paths for does not run in a namespace. If that's the case, there is no need to fork() as we are already running in the right namespace. To differentiate whether the transaction code should fork() or not, the @pid argument now accepts -1 (which means do not fork).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
-
- 07 Sep 2018, 3 commits
-
-
Committed by Michal Privoznik
These two functions (virSecurityDACSetOwnership and virSecurityDACRestoreFileLabelInternal) do not really change @src. Make it const.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Michal Privoznik
This function is going to call security manager APIs and therefore it needs a pointer to it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
-
Committed by Michal Privoznik
This function is going to call security manager APIs and therefore it needs a pointer to it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
-
- 06 Jun 2018, 2 commits
-
-
Committed by Stefan Berger
Extend the DAC and SELinux modules with support for the tpm-emulator. We label the Unix socket that QEMU connects to after starting swtpm with DAC and SELinux labels. We do not have to restore the labels in this case since the tpm-emulator will remove the Unix socket when it terminates.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
Committed by Stefan Berger
This patch adds support for an external swtpm TPM emulator. The XML for this type of TPM looks as follows:

  <tpm model='tpm-tis'>
    <backend type='emulator'/>
  </tpm>

The XML will currently only define a TPM 1.2. Extend the documentation. Add a test case testing the XML parser and formatter.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
- 04 May 2018, 1 commit
-
-
Committed by Martin Kletzander
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
- 13 Mar 2018, 1 commit
-
-
Committed by Michal Privoznik
We're freeing individual items in it but not the array itself.

==19200== 40 bytes in 1 blocks are definitely lost in loss record 847 of 1,059
==19200==    at 0x4C2D12F: realloc (vg_replace_malloc.c:785)
==19200==    by 0x52C5532: virReallocN (viralloc.c:245)
==19200==    by 0x52C5628: virExpandN (viralloc.c:294)
==19200==    by 0x52C58FC: virInsertElementsN (viralloc.c:436)
==19200==    by 0x542856B: virSecurityDACChownListAppend (security_dac.c:115)
==19200==    by 0x54286B4: virSecurityDACTransactionAppend (security_dac.c:167)
==19200==    by 0x542902F: virSecurityDACSetOwnershipInternal (security_dac.c:560)
==19200==    by 0x54295D6: virSecurityDACSetOwnership (security_dac.c:650)
==19200==    by 0x542AEE0: virSecurityDACSetInputLabel (security_dac.c:1472)
==19200==    by 0x542B61D: virSecurityDACSetAllLabel (security_dac.c:1693)
==19200==    by 0x542DD67: virSecurityManagerSetAllLabel (security_manager.c:869)
==19200==    by 0x54279C2: virSecurityStackSetAllLabel (security_stack.c:361)

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-
- 10 Jan 2018, 1 commit
-
-
Committed by Christian Ehrhardt
virSecurityManagerDomainSetPathLabel is used to make a path known to the security modules, but today is used interchangeably for

- paths to files/dirs to be accessed directly
- paths to a dir, but the access will actually be to files therein

Depending on the security module it is important to know which of these types it will be. The argument allowSubtree augments the call to the implementations of DomainSetPathLabel that can - per security module - decide if extra actions shall be taken. For now dac/selinux handle this as before, but apparmor will make use of it to add a wildcard to the path that was passed.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-
- 05 Dec 2017, 1 commit
-
-
Committed by Pavel Hrdina
The SELinux and DAC drivers already have both functions, but they were not exported as public API of the security manager.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
-
- 25 Nov 2017, 1 commit
-
-
Committed by Ján Tomko
Export the existing DAC and SELinux for separate use and introduce functions for stack, nop and the security manager.
-
- 03 Nov 2017, 1 commit
-
-
Committed by Peter Krempa
Until now we ignored user-provided backing chains and while detecting the code inherited labels of the parent device. With user provided chains we should keep this functionality, so label of the parent image in the backing chain will be applied if an image-specific label is not present.
-
- 17 Oct 2017, 1 commit
-
-
Committed by Peter Krempa
Add helpers that will simplify checking if a backing file is valid or whether it has a backing store. The helper virStorageSourceIsBacking returns true if the given virStorageSource is a valid backing store member. virStorageSourceHasBacking returns true if the virStorageSource has a backing store child. Adding these functions creates central points for further refactors.
-
- 13 Sep 2017, 2 commits
-
-
Committed by Cole Robinson
For a logged-in user, a path like /dev/dri/renderD128 will have default ownership root:video, which won't work for the qemu:qemu user, so we need to chown it. We only do this when mount namespaces are enabled in the qemu driver, so the chown'ing doesn't interfere with other users of the shared render node path.

https://bugzilla.redhat.com/show_bug.cgi?id=1460804
-
Committed by Cole Robinson
The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver if mount namespaces are in use for the VM. Will be used for future changes. Wire it up in the qemu driver.
-
- 22 Jun 2017, 1 commit
-
-
Committed by Michal Privoznik
Our commit e13e8808 was way too generic. Currently, virtlogd is used only for chardevs of type file and nothing else. True, we must not relabel the path in this case, but we have to in all other cases. For instance, if you want to have a physical console attached to your guest:

  <console type='dev'>
    <source path='/dev/ttyS0'/>
    <target type='virtio' port='1'/>
  </console>

Starting such a domain fails because qemu doesn't have access to /dev/ttyS0 because we haven't relabelled the path.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
-
- 16 Jun 2017, 2 commits
-
-
Committed by Pavel Hrdina
In the case that virtlogd is used as the stdio handler, we pass to QEMU only an FD to a PIPE connected to virtlogd instead of the file itself.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1430988

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
-
Committed by Pavel Hrdina
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
-
- 18 May 2017, 1 commit
-
-
Committed by Erik Skultety
Namely, this patch is about the virMediatedDeviceGetIOMMUGroup{Dev,Num} functions. There's no compelling reason why these functions should take an object; on the contrary, having to create an object every time one needs to query the IOMMU group number, discarding the object afterwards, seems odd.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
-
- 27 Mar 2017, 2 commits
-
-
Committed by Erik Skultety
This patch updates all of our security drivers to start labeling the VFIO IOMMU devices under /dev/vfio/ as well.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
-
Committed by Erik Skultety
A mediated device will be identified by a UUID (with 'model' now being a mandatory <hostdev> attribute to represent the mediated device API) of the user pre-created mediated device. We also need to make sure that if the user explicitly provides a guest address for a mdev device, the address type will be matching the device API supported on that specific mediated device, and error out with an incorrect XML message. The resulting device XML:

  <devices>
    <hostdev mode='subsystem' type='mdev' model='vfio-pci'>
      <source>
        <address uuid='c2177883-f1bb-47f0-914d-32a22e3a8804'>
      </source>
    </hostdev>
  </devices>

Signed-off-by: Erik Skultety <eskultet@redhat.com>
-
- 15 Mar 2017, 2 commits
-
-
Committed by Michal Privoznik
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-
Committed by Michal Privoznik
When a domain is being started up, we ought to relabel the host side of the NVDIMM so qemu has access to it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-
- 17 Jan 2017, 1 commit
-
-
Committed by Erik Skultety
The problem is in the way the list item is created prior to appending it to the transaction list - the @path attribute is just a shallow copy instead of a deep copy of the hostdev device's path. Unfortunately, the hostdev devices from which the @path is extracted, in order to add them into the transaction list, are only temporary and freed before the buildup of the qemu namespace, thus making the @path attribute in the transaction list NULL, causing 'permission denied' or 'double free' or 'unknown cause' errors.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1413773

Signed-off-by: Erik Skultety <eskultet@redhat.com>
-
- 10 Jan 2017, 2 commits
-
-
Committed by Michal Privoznik
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-
Committed by Michal Privoznik
The code at the very bottom of the DAC secdriver that calls chown() should be fine with read-only data. If something needs to be prepared, it should have been done beforehand.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-
- 25 Nov 2016, 2 commits
-
-
Committed by Eric Farman
Ensure that the vhost-scsi wwpn information is passed to the different security policies.

Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
-
Committed by Eric Farman
We already have a "scsi" hostdev subsys type, which refers to a single LUN that is passed through to a guest. But what of things where multiple LUNs are passed through via a single SCSI HBA, such as with the vhost-scsi target? Create a new hostdev subsys type that will carry this.

Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
-
- 22 Oct 2016, 1 commit
-
-
Committed by John Ferlan
Change the virDomainChrDef to use a pointer to 'source' and allocate that pointer during virDomainChrDefNew. This has tremendous "fallout" in the rest of the code, which mainly has to change source.$field to source->$field.

Signed-off-by: John Ferlan <jferlan@redhat.com>
-
- 25 May 2016, 1 commit
-
-
Committed by Ján Tomko
Add support for the slic_table to the security drivers.
-
- 19 Apr 2016, 1 commit
-
-
Committed by Martin Kletzander
It already labels arbitrary paths, so it's just the naming that was wrong.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-
- 15 Jan 2016, 1 commit
-
-
Committed by Jiri Denemark
A device tree binary file specified by the /domain/os/dtb element is a read-only resource similar to kernel and initrd files. We shouldn't restore its label when destroying a domain, to avoid breaking other domains configured with the same device tree.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
-