- 06 6月, 2018 1 次提交
-
-
由 Stefan Berger 提交于
In this patch we label the swtpm process with SELinux labels. We give it the same label as the QEMU process has. We label its state directory and files as well. We restore the old security labels once the swtpm has terminated. The file and process labels now look as follows: Directory: /var/lib/libvirt/swtpm [root@localhost swtpm]# ls -lZ total 4 rwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm [root@localhost testvm]# ls -lZ total 8 -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall The log in /var/log/swtpm/libvirt/qemu is labeled as follows: -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 [..] Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
- 05 12月, 2017 1 次提交
-
-
由 Pavel Hrdina 提交于
Commit e93d844b was not enough to fix the permission denied issue. We need to apply security labels as well. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1465833Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
-
- 25 11月, 2017 1 次提交
-
-
由 Ján Tomko 提交于
Introudce functions that will let us create the evdevs in namespaces and label the devices on input device hotplug/hotunplug.
-
- 15 3月, 2017 1 次提交
-
-
由 Michal Privoznik 提交于
Now that we have APIs for relabel memdevs on hotplug, fill in the missing implementation in qemu hotplug code. The qemuSecurity wrappers might look like overkill for now, because qemu namespace code does not deal with the nvdimms yet. Nor does our cgroup code. But hey, there's cgroup_device_acl variable in qemu.conf. If users add their /dev/pmem* device in there, the device is allowed in cgroups and created in the namespace so they can successfully passthrough it to the domain. It doesn't look like overkill after all, does it? Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 06 3月, 2017 1 次提交
-
-
由 Michal Privoznik 提交于
Now that we have some qemuSecurity wrappers over virSecurityManager APIs, lets make sure everybody sticks with them. We have them for a reason and calling virSecurityManager API directly instead of wrapper may lead into accidentally labelling a file on the host instead of namespace. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 09 2月, 2017 1 次提交
-
-
由 Michal Privoznik 提交于
Just like we need wrappers over other virSecurityManager APIs, we need one for virSecurityManagerSetImageLabel and virSecurityManagerRestoreImageLabel. Otherwise we might end up relabelling device in wrong namespace. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 15 12月, 2016 3 次提交
-
-
由 Michal Privoznik 提交于
When attaching a device to a domain that's using separate mount namespace we must maintain /dev entries in order for qemu process to see them. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
When attaching a device to a domain that's using separate mount namespace we must maintain /dev entries in order for qemu process to see them. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
Instead of trying to fix our security drivers, we can use a simple trick to relabel paths in both namespace and the host. I mean, if we enter the namespace some paths are still shared with the host so any change done to them is visible from the host too. Therefore, we can just enter the namespace and call SetAllLabel()/RestoreAllLabel() from there. Yes, it has slight overhead because we have to fork in order to enter the namespace. But on the other hand, no complexity is added to our code. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 16 2月, 2016 1 次提交
-
-
由 Andrea Bolognani 提交于
We currently blindly accept any numeric value as a GIC version, even though only GIC v2 and GIC v3 actually exist; on the other hand, we reject "host", which is a perfectly legitimate value for QEMU guests. This new enumeration contains all GIC versions libvirt is aware of.
-
- 27 3月, 2015 1 次提交
-
-
由 Pavel Hrdina 提交于
We need to mock virFileExists to return true for "/dev/kvm" because the test should not depend on host system. Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
-
- 06 11月, 2014 1 次提交
-
-
由 Erik Skultety 提交于
Patch 43b67f2e disallowed network tuning only with qemu driver, however this patch moved the check for root privileges into virNetDevBandwidthSet function, so the call should now fail in all possible cases. A mock function was created so that the test suite doesn't fail because of unsufficient privileges.
-
- 18 3月, 2014 1 次提交
-
-
由 Martin Kletzander 提交于
If there should be some sort of separator it is better to use comment with the filename, copyright, description, license information and authors. Found by: git grep -nH '^$' | grep '\.[ch]:1:' Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
-
- 21 9月, 2012 1 次提交
-
-
由 Eric Blake 提交于
https://www.gnu.org/licenses/gpl-howto.html recommends that the 'If not, see <url>.' phrase be a separate sentence. * tests/securityselinuxhelper.c: Remove doubled line. * tests/securityselinuxtest.c: Likewise. * globally: s/; If/. If/
-
- 23 7月, 2012 1 次提交
-
-
由 Osier Yang 提交于
Per the FSF address could be changed from time to time, and GNU recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html) You should have received a copy of the GNU General Public License along with Foobar. If not, see <http://www.gnu.org/licenses/>. This patch removes the explicit FSF address, and uses above instead (of course, with inserting 'Lesser' before 'General'). Except a bunch of files for security driver, all others are changed automatically, the copyright for securify files are not complete, that's why to do it manually: src/security/security_selinux.h src/security/security_driver.h src/security/security_selinux.c src/security/security_apparmor.h src/security/security_apparmor.c src/security/security_driver.c
-
- 18 12月, 2010 1 次提交
-
-
由 Matthias Bolte 提交于
Don't require dlopen, but link to ole32 and oleaut32 on Windows. Don't expose g_pVBoxFuncs anymore. It was only used to get the version of the API. Make VBoxCGlueInit return the version instead. This simplifies the implementation of the MSCOM glue layer. Get the VirtualBox version from the registry. Add a dummy implementation of the nsIEventQueue to the MSCOM glue as there seems to be no direct equivalent with MSCOM. It might be implemented using the normal window message loop. This requires additional investigation.
-
- 23 3月, 2010 1 次提交
-
-
由 Matthias Bolte 提交于
Replace 'method' with 'function' and get the filename's suffix right.
-
- 10 3月, 2010 1 次提交
-
-
由 Eric Blake 提交于
* global: patch created by running: for f in $(git ls-files '*.[ch]') ; do cppi $f > $f.t && mv $f.t $f done
-
- 18 1月, 2010 1 次提交
-
-
由 Matthias Bolte 提交于
This stops libvirt from probing for a libvirtd on the ESX server and sets the base for the implementation of the secondary drivers.
-
- 21 9月, 2009 1 次提交
-
-
由 Daniel P. Berrange 提交于
* src/bridge.c, src/bridge.h, src/buf.c, src/buf.h, src/cgroup.c, src/cgroup.h, src/conf.c, src/conf.h, src/event.c, src/event.h, src/hash.c, src/hash.h, src/hostusb.c, src/hostusb.h, src/iptables.c, src/iptables.h, src/logging.c, src/logging.h, src/memory.c, src/memory.h, src/pci.c, src/pci.h, src/qparams.c, src/qparams.h, src/stats_linux.c, src/stats_linux.h, src/threads-pthread.c, src/threads-pthread.h, src/threads-win32.c, src/threads-win32.h, src/threads.c, src/threads.h, src/util.c, src/util.h, src/uuid.c, src/uuid.h, src/virterror.c, src/virterror_internal.h, src/xml.c, src/xml.h: Move all files into src/util/ * daemon/Makefile.am: Add -Isrc/util/ to build flags * src/Makefile.am: Add -Isrc/util/ to build flags and update for moved files * src/libvirt_private.syms: Export cgroup APIs since they're now in util rather than linking directly to drivers * src/xen/xs_internal.c: Disable bogus virEventRemoveHandle call when built under PROXY * proxy/Makefile.am: Update for changed file locations. Remove bogus build of event.c * tools/Makefile.am, tests/Makefile.am: Add -Isrc/util/ to build flags
-
- 16 1月, 2009 1 次提交
-
-
由 Daniel P. Berrange 提交于
-
- 20 11月, 2008 1 次提交
-
-
由 Daniel P. Berrange 提交于
-
- 10 10月, 2008 1 次提交
-
-
由 Daniel P. Berrange 提交于
-
- 21 8月, 2008 1 次提交
-
-
由 Daniel P. Berrange 提交于
-
- 08 2月, 2008 1 次提交
-
-
由 Mark McLoughlin 提交于
* src/internal.h: move xstrol() variants from here ... * src/util.[ch]: ... to here and rename to virStrToLong() * src/libvirt_sym.version: export __virStrToLong_i() for virsh and qemud. * src/nodeinfo.c, src/stats_linux.c, src/virsh.c, src/xend_internal.c, qemud/qemud.c: replace xstrtol() calls with virStrToLong() * src/nodeinfo.h: don't include internal.h, which was only needed for xstrtol(), but instead include libvirt.h which is suffificient for the declarations in the header.
-
- 26 7月, 2007 1 次提交
-
-
由 Daniel P. Berrange 提交于
-
- 29 6月, 2007 1 次提交
-
-
由 Daniel Veillard 提交于
stylesheet * docs/*: regenerated * src/bridge.c src/bridge.h src/buf.c src/iptables.c src/libvirt.c src/qemu_driver.c src/qemu_driver.h src/uuid.c src/uuid.h: cleanup, addd comments, made functions static and fixe a few bugs Daniel
-
- 27 6月, 2007 10 次提交
-
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
- 16 3月, 2007 1 次提交
-
-
由 Daniel Veillard 提交于
src/sexpr.h src/test.c src/xm_internal.c src/xml.c src/xml.h: applied patch from Richard Jones adding check to printf-like functions and fixing the problems raised Daniel
-
- 23 2月, 2007 2 次提交
-
-
由 Mark McLoughlin 提交于
* qemud/protocol.h: add the (domain/network)(Get/Set)Autostart requests and replies to the protocol. * src/qemu_internal.c: hookup the qemu driver autostart methods * qemud/dispatch.c, qemud/driver.[ch], internal.h: add the daemon side, but just set an in-memory autostart flag for now.
-
由 Mark McLoughlin 提交于
* qemud/driver.[ch], qemud/dispatch.c: fix the fact that qemudDispatchDomainStart() doesn't report an error if the uuid lookup fails and also move the uuid lookup into the driver so that it matches the way we do Destroy().
-