- 16 November 2018, 2 commits

By Michal Privoznik

Trying to use virtlockd to lock metadata turns out to be too big a gun. Since we will always spawn a separate process for relabeling, we are safe to use thread-unsafe POSIX locks and take virtlockd completely out of the picture.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
By Michal Privoznik

When metadata locking is enabled, that means the security commit processing will be run in a fork, similar to how namespaces use fork()'s for processing. This is done to ensure libvirt can properly and synchronously modify the metadata to store the original owner data. Since fork()'s (e.g. virFork) have been seen as a performance bottleneck, being able to disable them allows the admin to choose whether the performance 'hit' is worth the extra 'security' of being able to remember the original owner of a lock.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
- 18 September 2018, 2 commits

By Michal Privoznik

Two new APIs are added so that the security driver can lock and unlock paths it wishes to touch. These APIs are not for other drivers to call but security drivers (DAC and SELinux). That is the reason these APIs are not exposed through our libvirt_private.syms file.

Three interesting things happen in this commit. The first is the global @lockManagerMutex. Unfortunately, this has to exist so that there is only one thread talking to virtlockd at a time. If there were more threads and one of them closed the connection prematurely, it would cause virtlockd to kill libvirtd. Instead of complicated code that would handle that, let's have a mutex and keep the code simple.

The second interesting thing is keeping the connection open between lock and unlock API calls. This is achieved by duplicating the client FD and keeping it open until unlock is called. This trick is used by regular disk content locking code when the FD is leaked to qemu.

Finally, the third thing is polling implemented at the client side. Since virtlockd has only one thread that handles locking requests, all it can do is either acquire the lock or error out. Therefore, the polling has to be implemented in the client. The polling is capped at a 60 second timeout, which should be plenty since the metadata lock is held only for a fraction of a second.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
By Michal Privoznik

Now that we know which metadata lock manager the user wishes to use, we can load it when initializing the security driver. This is achieved by adding a new argument to virSecurityManagerNewDriver() and subsequently to all functions that end up calling it.

The cfg.mk change is needed in order to allow lock_manager.h inclusion in the security driver without 'syntax-check' complaining. This is a safe thing to do as locking APIs will always exist (it's only the backend implementation that changes). However, instead of allowing the include for all other drivers (like cpu, network, and so on), allow it only for the security driver. This will still trigger the error if including from other drivers.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
- 08 June 2018, 1 commit

By Peter Krempa

Nothing is setting that flag now so it can be removed. Note that removing 'mgr' from 'load_profile' in the apparmor driver would create a lot of churn.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
- 06 June 2018, 1 commit

By Stefan Berger

In this patch we label the swtpm process with SELinux labels. We give it the same label as the QEMU process has. We label its state directory and files as well. We restore the old security labels once the swtpm has terminated.

The file and process labels now look as follows:

Directory: /var/lib/libvirt/swtpm

    [root@localhost swtpm]# ls -lZ
    total 4
    rwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm

    [root@localhost testvm]# ls -lZ
    total 8
    -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall

The log in /var/log/swtpm/libvirt/qemu is labeled as follows:

    -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log

    [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
    system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log

    [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
    system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 [..]

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
- 10 January 2018, 1 commit

By Christian Ehrhardt

virSecurityManagerDomainSetPathLabel is used to make a path known to the security modules, but today is used interchangeably for

- paths to files/dirs to be accessed directly
- paths to a dir, but the access will actually be to files therein

Depending on the security module it is important to know which of these types it will be. The argument allowSubtree augments the call to the implementations of DomainSetPathLabel that can, per security module, decide if extra actions shall be taken.

For now dac/selinux handle this as before, but apparmor will make use of it to add a wildcard to the path that was passed.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 05 December 2017, 1 commit

By Pavel Hrdina

SELinux and DAC drivers already have both functions but they were not exported as public API of the security manager.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
- 25 November 2017, 1 commit

By Ján Tomko

Export the existing DAC and SELinux for separate use and introduce functions for stack, nop and the security manager.
- 03 November 2017, 1 commit

By Andrea Bolognani

Right-aligning backslashes when defining macros or using complex commands in Makefiles looks cute, but as soon as any change is required to the code you end up with either distractingly broken alignment or unnecessarily big diffs where most of the changes are just pushing all backslashes a few characters to one side.

Generated using

    $ git grep -El '[[:blank:]][[:blank:]]\\$' | \
      grep -E '*\.([chx]|am|mk)$$' | \
      while read f; do \
        sed -Ei 's/[[:blank:]]*[[:blank:]]\\$/ \\/g' "$f"; \
      done

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
- 13 September 2017, 1 commit

By Cole Robinson

The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver if mount namespaces are in use for the VM. Will be used for future changes. Wire it up in the qemu driver.
- 16 June 2017, 1 commit

By Pavel Hrdina

In the case that virtlogd is used as the stdio handler, we pass to QEMU only an FD to a PIPE connected to virtlogd instead of the file itself.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1430988

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
- 15 March 2017, 1 commit

By Michal Privoznik

These APIs will be used whenever we are hot (un-)plugging a memdev.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 10 January 2017, 2 commits

By Michal Privoznik

With our new qemu namespace code in place, the relabelling of devices is not done as well as it could be: a child process is spawned, it enters the mount namespace of the qemu process and then runs the desired API of the security driver. The problem with this approach is that the internal state transition of the security driver done in the child process is not reflected in the parent process. While currently it wouldn't matter that much, it is fairly easy to forget about that. We should take the extra step now while this limitation is still fresh in our minds.

Three new APIs are introduced here:

    virSecurityManagerTransactionStart()
    virSecurityManagerTransactionCommit()
    virSecurityManagerTransactionAbort()

The Start() is going to be used to let the security driver know that we are starting a new transaction. During a transaction no security labels are actually touched, but rather recorded, and only at the Commit() phase are they actually updated. Should something go wrong, Abort() aborts the transaction, freeing up all memory allocated by the transaction.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
By Michal Privoznik

The code at the very bottom of the DAC secdriver that calls chown() should be fine with read-only data. If something needs to be prepared it should have been done beforehand.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 08 December 2016, 1 commit

By Michal Privoznik

Since its introduction in 2012 this internal API did nothing. Moreover, we have the same API that does exactly the same: virSecurityManagerDomainSetPathLabel.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 19 April 2016, 1 commit

By Martin Kletzander

It already labels arbitrary paths, so it's just the naming that was wrong.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
- 07 October 2015, 1 commit

By Michal Privoznik

So imagine you want to create a new security manager:

    if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false, true)));

Hard to parse, right? What about this:

    if (!(mgr = virSecurityManagerNew("selinux", "QEMU",
                                      VIR_SECURITY_MANAGER_DEFAULT_CONFINED |
                                      VIR_SECURITY_MANAGER_PRIVILEGED)));

Now that's better! This is what the commit does.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 15 September 2015, 1 commit

By Michal Privoznik

We may want to make some decisions in drivers based on whether we are running as a privileged user or not. Propagate this info there.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
- 24 August 2015, 1 commit

By Martin Kletzander

That function can be used for setting security labels on arbitrary directories.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
- 13 February 2015, 1 commit

By Erik Skultety

We do have a check for a valid per-domain security model, however we still permit an invalid security model for a domain's device (those which are specified with the <source> element). This patch introduces a new function virSecurityManagerCheckAllLabel which compares the user-specified security model against currently registered security drivers. That being said, it also permits 'none' being specified as a device security model.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1165485

Signed-off-by: Ján Tomko <jtomko@redhat.com>
- 24 July 2014, 1 commit

By Peter Krempa

To integrate the security driver with the storage driver we need to pass a callback for a function that will chown storage volumes. Introduce and document the callback prototype.
- 09 July 2014, 1 commit

By Peter Krempa

Add security driver functions to label separate storage images using the virStorageSource definition. This will help to avoid the need to do ugly changes to the disk struct and use the source directly.
- 26 June 2014, 2 commits

By Peter Krempa

Some of the functions in the storage driver had their headers formatted incorrectly.
By Peter Krempa

I'm going to add functions that will deal with individual image files rather than whole disks. Rename the security function to make room for the new one.
- 20 June 2014, 2 commits

By Peter Krempa

I'm going to add functions that will deal with individual image files rather than whole disks. Rename the security function to make room for the new one.
By Peter Krempa

Also remove one spurious ATTRIBUTE_UNUSED guarding the @migrated argument.
- 29 October 2013, 1 commit

By Giuseppe Scrivano

virSecurityManagerGetBaseLabel queries the default settings used by a security model.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
- 19 July 2013, 1 commit

By Eric Blake

A future patch wants the DAC security manager to be able to safely get the supplemental group list for a given uid, but at the time of a fork rather than during initialization so as to pick up on live changes to the system's group database. This patch adds the framework, including the possibility of a pre-fork callback failing.

For now, any driver that implements a prefork callback must be robust against the possibility of being part of a security stack where a later element in the chain fails prefork. This means that drivers cannot do any action that requires a call to postfork for proper cleanup (no grabbing a mutex, for example). If this is too prohibitive in the future, we would have to switch to a transactioning sequence, where each driver has (up to) 3 callbacks: PreForkPrepare, PreForkCommit, and PreForkAbort, to either clean up or commit changes made during prepare.

* src/security/security_driver.h (virSecurityDriverPreFork): New callback.
* src/security/security_manager.h (virSecurityManagerPreFork): Change signature.
* src/security/security_manager.c (virSecurityManagerPreFork): Optionally call into driver, and allow returning failure.
* src/security/security_stack.c (virSecurityDriverStack): Wrap the handler for the stack driver.
* src/qemu/qemu_process.c (qemuProcessStart): Adjust caller.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 14 February 2013, 1 commit

By Laine Stump

The existing virSecurityManagerSetProcessLabel() API is designed so that it must be called after forking the child process, but before exec'ing the child. Due to the way the virCommand API works, that means it needs to be put in a "hook" function that virCommand is told to call out to at that time.

Setting the child process label is a basic enough need when executing any process that virCommand should have a method of doing that. But virCommand must be told what label to set, and only the security driver knows the answer to that question.

The new virSecurityManagerSet*Child*ProcessLabel() API is the way to transfer the knowledge about what label to set from the security driver to the virCommand object. It is given a virCommandPtr, and each security driver calls the appropriate virCommand* API to tell virCommand what to do between fork and exec.

1) in the case of the DAC security driver, it calls virCommandSetUID/GID() to set a uid and gid that must be set for the child process.

2) for the SELinux security driver, it calls virCommandSetSELinuxLabel() to save a copy of the char* that will be sent to setexeccon_raw() *after forking the child process*.

3) for the AppArmor security drivers, it calls virCommandSetAppArmorProfile() to save a copy of the char* that will be sent to aa_change_profile() *after forking the child process*.

With this new API in place, we will be able to remove virSecurityManagerSetProcessLabel() from any virCommand pre-exec hooks.

(Unfortunately, the LXC driver uses clone() rather than virCommand, so it can't take advantage of this new security driver API, meaning that we need to keep around the older virSecurityManagerSetProcessLabel(), at least for now.)
- 12 February 2013, 1 commit

By Daniel P. Berrange

The hook scripts used by virCommand must be careful wrt accessing any mutexes that may have been held by other threads in the parent process. With the recent refactoring there are 2 potential flaws lurking, which will become real deadlock bugs once the global QEMU driver lock is removed.

Remove use of the QEMU driver lock from the hook function by passing in the 'virQEMUDriverConfigPtr' instance directly.

Add functions to the virSecurityManager to be invoked before and after fork, to ensure the mutex is held by the current thread. This allows it to be safely used in the hook script in the child process.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
- 11 February 2013, 1 commit

By Daniel P. Berrange

To enable locking to be introduced to the security manager objects later, turn virSecurityManager into a virObjectLockable class.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
- 18 December 2012, 1 commit

By Daniel P. Berrange

When LXC labels USB devices during hotplug, it is running in host context, so it needs to pass in a vroot path to the container root.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
- 12 December 2012, 1 commit

By Serge Hallyn

When a qemu domain is backed by huge pages, apparmor needs to grant the domain rw access to files under the hugetlbfs mount point. Add a hook, called in qemu_process.c, which ends up adding the read-write access through virt-aa-helper. Qemu will be creating a randomly named file under the mountpoint and unlinking it as soon as it has mmap()d it, therefore we cannot predict the full pathname, but for the same reason it is generally safe to provide access to $path/**.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
- 15 October 2012, 1 commit

By Guannan Ren

BZ: https://bugzilla.redhat.com/show_bug.cgi?id=851981

When using macvtap, a character device gets first created by the kernel with name /dev/tapN; its selinux context is:

    system_u:object_r:device_t:s0

Shortly after, when udev gets notification that a new file has been created in /dev, it will then jump in and relabel this file back to the expected default context:

    system_u:object_r:tun_tap_device_t:s0

There is a time gap here. Sometimes migration fails with an AVC error message:

    type=AVC msg=audit(1349858424.233:42507): avc: denied { read write } for pid=19926 comm="qemu-kvm" path="/dev/tap33" dev=devtmpfs ino=131524 scontext=unconfined_u:system_r:svirt_t:s0:c598,c908 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

This patch will label the tapfd device before the qemu process starts:

    system_u:object_r:tun_tap_device_t:MCS

(MCS from seclabel->label)
- 21 September 2012, 1 commit

By Eric Blake

https://www.gnu.org/licenses/gpl-howto.html recommends that the 'If not, see <url>.' phrase be a separate sentence.

* tests/securityselinuxhelper.c: Remove doubled line.
* tests/securityselinuxtest.c: Likewise.
* globally: s/; If/. If/
- 21 August 2012, 1 commit

By Marcelo Cerri

These changes make the security drivers able to find and handle the correct security label information when more than one label is available. They also update the DAC driver to be used as a usual security driver.

Signed-off-by: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
- 14 August 2012, 1 commit

By Daniel P. Berrange

The security_manager.h header is not self-contained because it uses the virDomainDefPtr without first including domain_conf.h.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
- 23 July 2012, 1 commit

By Osier Yang

Since the FSF address could be changed from time to time, GNU recommends the following now (http://www.gnu.org/licenses/gpl-howto.html):

    You should have received a copy of the GNU General Public License
    along with Foobar. If not, see <http://www.gnu.org/licenses/>.

This patch removes the explicit FSF address, and uses the above instead (of course, with 'Lesser' inserted before 'General').

Except for a bunch of files for the security driver, all others are changed automatically; the copyright for the security files is not complete, which is why it is done manually:

    src/security/security_selinux.h
    src/security/security_driver.h
    src/security/security_selinux.c
    src/security/security_apparmor.h
    src/security/security_apparmor.c
    src/security/security_driver.c
- 20 July 2012, 1 commit

By Daniel P. Berrange

Update the security drivers to use virReportError instead of the virSecurityReportError custom macro.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>