- 21 12月, 2010 1 次提交
-
-
由 Eric Blake 提交于
* configure.ac (with_selinux): Check for <selinux/label.h>. * src/security/security_selinux.c (getContext): New function. (SELinuxRestoreSecurityFileLabel): Use it to restore compilation when using older libselinux.
-
- 14 12月, 2010 1 次提交
-
-
由 Eric Blake 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=658657 * src/security/security_selinux.c (SELinuxRestoreSecurityFileLabel): Use selabel_lookup instead of matchpathcon. Suggested by Daniel Walsh.
-
- 25 11月, 2010 1 次提交
-
-
由 Eric Blake 提交于
security_context_t happens to be a typedef for char*, and happens to begin with a string usable as a raw context string. But in reality, it is an opaque type that may or may not have additional information after the first NUL byte, where that additional information can include pointers that can only be freed via freecon(). Proof is from this valgrind run of daemon/libvirtd: ==6028== 839,169 (40 direct, 839,129 indirect) bytes in 1 blocks are definitely lost in loss record 274 of 274 ==6028== at 0x4A0515D: malloc (vg_replace_malloc.c:195) ==6028== by 0x3022E0D48C: selabel_open (label.c:165) ==6028== by 0x3022E11646: matchpathcon_init_prefix (matchpathcon.c:296) ==6028== by 0x3022E1190D: matchpathcon (matchpathcon.c:317) ==6028== by 0x4F9D842: SELinuxRestoreSecurityFileLabel (security_selinux.c:382) 800k is a lot of memory to be leaking. * src/storage/storage_backend.c (virStorageBackendUpdateVolTargetInfoFD): Avoid leak on error. * src/security/security_selinux.c (SELinuxReserveSecurityLabel, SELinuxGetSecurityProcessLabel) (SELinuxRestoreSecurityFileLabel): Use correct function to free security_context_t.
-
- 19 11月, 2010 1 次提交
-
-
由 Daniel Veillard 提交于
The code in SELinuxRestoreSecurityChardevLabel() was trying to use SELinuxSetFilecon directly for devices or file types while it should really use SELinuxRestoreSecurityFileLabel encapsulating routine, which avoid various problems like resolving symlinks, making sure he file exists and work around NFS problems
-
- 18 11月, 2010 1 次提交
-
-
由 Eric Blake 提交于
* cfg.mk (sc_prohibit_sprintf): New rule. (sc_prohibit_asprintf): Avoid false positives. * docs/hacking.html.in (Printf-style functions): Document the policy. * HACKING: Regenerate. * .x-sc_prohibit_sprintf: New exemptions. * Makefile.am (syntax_check_exceptions): Ship new file. * src/vbox/vbox_tmpl.c (vboxStartMachine, vboxAttachUSB): Use virAsprintf instead. * src/uml/uml_driver.c (umlOpenMonitor): Use snprintf instead. * tools/virsh.c (cmdDetachInterface): Likewise. * src/security/security_selinux.c (SELinuxGenSecurityLabel): Likewise. * src/openvz/openvz_driver.c (openvzDomainDefineCmd): Likewise, and ensure large enough buffer.
-
- 12 11月, 2010 1 次提交
-
-
由 Laine Stump 提交于
If virDomainAttachDevice() was called with an image that was located on a root-squashed NFS server, and in a directory that was unreadable by root on the machine running libvirtd, the attach would fail due to an attempt to change the selinux label of the image with EACCES (which isn't covered as an ignore case in SELinuxSetFilecon()) NFS doesn't support SELinux labelling anyway, so we mimic the failure handling of commit 93a18bba, which just ignores the errors if the target is on an NFS filesystem (in SELinuxSetSecurityAllLabel() only, though.) This can be seen as a follow-on to commit 347d266c, which ignores file open failures of files on NFS that occur directly in virDomainDiskDefForeachPath() (also necessary), but does not ignore failures in functions that are called from there (eg SELinuxSetSecurityFileLabel()).
-
- 10 11月, 2010 1 次提交
-
-
由 Stefan Berger 提交于
Using automated replacement with sed and editing I have now replaced all occurrences of close() with VIR_(FORCE_)CLOSE() except for one, of course. Some replacements were straight forward, others I needed to pay attention. I hope I payed attention in all the right places... Please have a look. This should have at least solved one more double-close error.
-
- 02 11月, 2010 2 次提交
-
-
由 Daniel P. Berrange 提交于
NFS in root squash mode may prevent opening disk images to determine backing store. Ignore errors in this scenario. * src/security/security_selinux.c: Ignore open failures on disk images
-
由 Daniel P. Berrange 提交于
NFS does not support file labelling, so ignore this error for stdin_path when on NFS. * src/security/security_selinux.c: Ignore failures on labelling stdin_path on NFS * src/util/storage_file.c, src/util/storage_file.h: Refine virStorageFileIsSharedFS() to allow it to check for a specific FS type.
-
- 28 10月, 2010 1 次提交
-
-
由 Daniel P. Berrange 提交于
This reverts commit b8e2de88 The hooks will be re-added in the QEMU driver itself. * src/security/security_selinux.c: Remove audit hooks
-
- 20 10月, 2010 1 次提交
-
-
由 Miloslav Trmač 提交于
A more natural auditing point would perhaps be SELinuxSetSecurityProcessLabel, but this happens in the child after root permissions are dropped, so the kernel would refuse the audit record.
-
- 20 7月, 2010 4 次提交
-
-
由 Daniel P. Berrange 提交于
Disk format probing is now disabled by default. A new config option in /etc/qemu/qemu.conf will re-enable it for existing deployments where this causes trouble
-
由 Daniel P. Berrange 提交于
The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
-
由 Daniel P. Berrange 提交于
Update the QEMU cgroups code, QEMU DAC security driver, SELinux and AppArmour security drivers over to use the shared helper API virDomainDiskDefForeachPath(). * src/qemu/qemu_driver.c, src/qemu/qemu_security_dac.c, src/security/security_selinux.c, src/security/virt-aa-helper.c: Convert over to use virDomainDiskDefForeachPath()
-
由 Daniel P. Berrange 提交于
Require the disk image to be passed into virStorageFileGetMetadata. If this is set to VIR_STORAGE_FILE_AUTO, then the format will be resolved using probing. This makes it easier to control when probing will be used * src/qemu/qemu_driver.c, src/qemu/qemu_security_dac.c, src/security/security_selinux.c, src/security/virt-aa-helper.c: Set VIR_STORAGE_FILE_AUTO when calling virStorageFileGetMetadata. * src/storage/storage_backend_fs.c: Probe for disk format before calling virStorageFileGetMetadata. * src/util/storage_file.h, src/util/storage_file.c: Remove format from virStorageFileMeta struct & require it to be passed into method.
-
- 28 6月, 2010 1 次提交
-
-
由 Laine Stump 提交于
Also restore the label to its original value after qemu is finished with the file. Prior to this patch, qemu domain restore did not function properly if selinux was set to enforce.
-
- 25 6月, 2010 1 次提交
-
-
由 Daniel P. Berrange 提交于
When configuring serial, parallel, console or channel devices with a file, dev or pipe backend type, it is necessary to label the file path in the security drivers. For char devices of type file, it is neccessary to pre-create (touch) the file if it does not already exist since QEMU won't be allowed todo so itself. dev/pipe configs already require the admin to pre-create before starting the guest. * src/qemu/qemu_security_dac.c: set file ownership for character devices * src/security/security_selinux.c: Set file labeling for character devices * src/qemu/qemu_driver.c: Add character devices to cgroup ACL
-
- 08 6月, 2010 3 次提交
-
-
由 Daniel P. Berrange 提交于
The restore code is done in places where errors cannot be raised, since they will overwrite over pre-existing errors. * src/security/security_selinux.c: Only warn about failures in label restore, don't report errors
-
由 Daniel J Walsh 提交于
When SELinux is running in MLS mode, libvirtd will have a different security level to the VMs. For libvirtd to be able to connect to the monitor console, the client end of the UNIX domain socket needs a different label. This adds infrastructure to set the socket label via the security driver framework * src/qemu/qemu_driver.c: Call out to socket label APIs in security driver * src/qemu/qemu_security_stacked.c: Wire up socket label drivers * src/security/security_driver.h: Define security driver entry points for socket labelling * src/security/security_selinux.c: Set socket label based on VM label
-
由 Jamie Strandboge 提交于
Adjust args to qemudStartVMDaemon() to also specify path to stdin_fd, so this can be passed to the AppArmor driver via SetSecurityAllLabel(). This updates all calls to qemudStartVMDaemon() as well as setting up the non-AppArmor security driver *SetSecurityAllLabel() declarations for the above. This is required for the following "apparmor-fix-save-restore" patch since AppArmor resolves the passed file descriptor to the pathname given to open().
-
- 19 5月, 2010 1 次提交
-
-
由 Jim Meyering 提交于
Do not require each caller of virStorageFileGetMetadata and virStorageFileGetMetadataFromFD to first clear the storage of the "meta" buffer. Instead, initialize that storage in virStorageFileGetMetadataFromFD. * src/util/storage_file.c (virStorageFileGetMetadataFromFD): Clear "meta" here, not before each of the following callers. * src/qemu/qemu_driver.c (qemuSetupDiskCgroup): Don't clear "meta" here. (qemuTeardownDiskCgroup): Likewise. * src/qemu/qemu_security_dac.c (qemuSecurityDACSetSecurityImageLabel): Likewise. * src/security/security_selinux.c (SELinuxSetSecurityImageLabel): Likewise. * src/security/virt-aa-helper.c (get_files): Likewise.
-
- 18 5月, 2010 1 次提交
-
-
由 Eric Blake 提交于
virFileResolveLink was returning a positive value on error, thus confusing callers that assumed failure was < 0. The confusion is further evidenced by callers that would have ended up calling virReportSystemError with a negative value instead of a valid errno. Fixes Red Hat BZ #591363. * src/util/util.c (virFileResolveLink): Live up to documentation. * src/qemu/qemu_security_dac.c (qemuSecurityDACRestoreSecurityFileLabel): Adjust callers. * src/security/security_selinux.c (SELinuxRestoreSecurityFileLabel): Likewise. * src/storage/storage_backend_disk.c (virStorageBackendDiskDeleteVol): Likewise.
-
- 14 5月, 2010 1 次提交
-
-
由 Daniel P. Berrange 提交于
When QEMU runs with its disk on NFS, and as a non-root user, the disk is chownd to that non-root user. When migration completes the last step is shutting down the QEMU on the source host. THis normally resets user/group/security label. This is bad when the VM was just migrated because the file is still in use on the dest host. It is thus neccessary to skip the reset step for any files found to be on a shared filesystem * src/libvirt_private.syms: Export virStorageFileIsSharedFS * src/util/storage_file.c, src/util/storage_file.h: Add a new method virStorageFileIsSharedFS() to determine if a file is on a shared filesystem (NFS, GFS, OCFS2, etc) * src/qemu/qemu_driver.c: Tell security driver not to reset disk labels on migration completion * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_selinux.c, src/security/security_driver.h, src/security/security_apparmor.c: Add ability to skip disk restore step for files on shared filesystems.
-
- 30 4月, 2010 1 次提交
-
-
由 Jiri Denemark 提交于
-
- 02 4月, 2010 1 次提交
-
-
由 Laine Stump 提交于
(suggested by Daniel Berrange, tested by Dan Kenigsberg) virStorageFileGetMetadata will fail for disk images that are stored on a root-squash NFS share that isn't world-readable. SELinuxSetSecurityImageLabel is called during the startup of every domain (as long as security_driver != "none"), and it will propogate the error from virStorageFileGetMetadata, causing the domain startup to fail. This is, however, a common scenario when qemu is run as a non-root user and the disk image is stored on NFS. Ignoring this failure (which doesn't matter in this case, since the next thing done by SELinuxSetSecurityImageLabel - setting the file context - will also fail (and that function already ignores failures due to root-squash NFS) will allow us to continue bringing up the domain. The result is that we don't need to disable the entire security driver just because a domain's disk image is stored on root-squashed NFS.
-
- 22 3月, 2010 1 次提交
-
-
由 Cole Robinson 提交于
This can be triggered by the qemuStartVMDaemon cleanup path if a VM references a non-existent USB device (by product) in the XML.
-
- 16 3月, 2010 1 次提交
-
-
由 Cole Robinson 提交于
Fixes URL installs when running virt-install as root on Fedora.
-
- 05 3月, 2010 1 次提交
-
-
由 Daniel P. Berrange 提交于
Changeset commit 5073aa99 Author: Cole Robinson <crobinso@redhat.com> Date: Mon Jan 11 11:40:46 2010 -0500 Added support for product/vendor based passthrough, but it only worked at the security driver layer. The main guest XML config was not updated with the resolved bus/device ID. When the QEMU argv refactoring removed use of product/vendor, this then broke launching guests. THe solution is to move the product/vendor resolution up a layer into the QEMU driver. So the first thing QEMU does is resolve the product/vendor to a bus/device and updates the XML config with this info. The rest of the code, including security drivers and QEMU argv generated can now rely on bus/device always being set. * src/util/hostusb.c, src/util/hostusb.h: Split vendor/product resolution code out of usbGetDevice and into usbFindDevice. Add accessors for bus/device ID * src/security/virt-aa-helper.c, src/security/security_selinux.c, src/qemu/qemu_security_dac.c: Remove vendor/product from the usbGetDevice() calls * src/qemu/qemu_driver.c: Use usbFindDevice to resolve vendor/product into a bus/device ID
-
- 10 2月, 2010 2 次提交
-
-
由 Daniel P. Berrange 提交于
All callers now pass a NULL virConnectPtr into the USB/PCi device iterator functions. Therefore the virConnectPtr arg can now be removed from these functions * src/util/hostusb.h, src/util/hostusb.c: Remove virConnectPtr from usbDeviceFileIterate * src/util/pci.c, src/util/pci.h: Remove virConnectPtr arg from pciDeviceFileIterate * src/qemu/qemu_security_dac.c, src/security/security_selinux.c: Update to drop redundant virConnectPtr arg
-
由 Daniel P. Berrange 提交于
The virConnectPtr is no longer required for error reporting since that is recorded in a thread local. Remove use of virConnectPtr from all APIs in security_driver.{h,c} and update all callers to match
-
- 09 2月, 2010 5 次提交
-
-
由 Matthias Bolte 提交于
It was used for error reporting only.
-
由 Matthias Bolte 提交于
It was used for error reporting only.
-
由 Matthias Bolte 提交于
It was used for error reporting only.
-
由 Matthias Bolte 提交于
-
由 Matthias Bolte 提交于
-
- 21 1月, 2010 2 次提交
-
-
由 Daniel P. Berrange 提交于
The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
-
由 Daniel P. Berrange 提交于
The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
-
- 14 1月, 2010 1 次提交
-
-
由 Cole Robinson 提交于
Based off how QEMU does it, look through /sys/bus/usb/devices/* for matching vendor:product info, and if found, use info from the surrounding files to build the device's /dev/bus/usb path. This fixes USB device assignment by vendor:product when running qemu as non-root (well, it should, but for some reason I couldn't reproduce the failure people are seeing in [1], but it appears to work properly) [1] https://bugzilla.redhat.com/show_bug.cgi?id=542450
-
- 10 12月, 2009 1 次提交
-
-
由 Matthias Bolte 提交于
Replace free(virBufferContentAndReset()) with virBufferFreeAndReset(). Update documentation and replace all remaining calls to free() with calls to VIR_FREE(). Also add missing calls to virBufferFreeAndReset() and virReportOOMError() in OOM error cases.
-
- 23 11月, 2009 1 次提交
-
-
由 Daniel P. Berrange 提交于
Introduce a new type="dir" mode for <disks> that allows use of QEMU's virtual FAT block device driver. eg <disk type='dir' device='floppy'> <source dir='/tmp/test'/> <target dev='fda' bus='fdc'/> <readonly/> </disk> gets turned into -drive file=fat:floppy:/tmp/test,if=floppy,index=0 Only read-only disks are supported with virtual FAT mode * src/conf/domain_conf.c, src/conf/domain_conf.h: Add type="dir" * docs/schemas/domain.rng: Document new disk type * src/xen/xend_internal.c, src/xen/xm_internal.c: Raise error for unsupported disk types * tests/qemuxml2argvdata/qemuxml2argv-disk-cdrom-empty.args: Fix empty disk file handling * tests/qemuxml2argvdata/qemuxml2argv-disk-drive-fat.args, tests/qemuxml2argvdata/qemuxml2argv-disk-drive-fat.xml, tests/qemuxml2argvdata/qemuxml2argv-floppy-drive-fat.args, tests/qemuxml2argvdata/qemuxml2argv-floppy-drive-fat.xml tests/qemuxml2argvtest.c: Test QEMU vitual FAT driver * src/qemu/qemu_conf.c: Support generating fat:/some/dir type disk args * src/security/security_selinux.c: Temporarily skip labelling of directory based disks
-