1. 06 Jun, 2018 3 commits
    • security: Label the external swtpm with SELinux labels · 2fc665bb
      Committed by Stefan Berger
      In this patch we label the swtpm process with SELinux labels. We give it the
      same label as the QEMU process has. We label its state directory and files
      as well. We restore the old security labels once the swtpm has terminated.
      
      The file and process labels now look as follows:
      
      Directory: /var/lib/libvirt/swtpm
      
      [root@localhost swtpm]# ls -lZ
      total 4
      rwx------. 2 tss  tss  system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm
      
      [root@localhost testvm]# ls -lZ
      total 8
      -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall
      
      The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
      
      -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log
      
      [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
      system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0  0.0 28172  3892 ?        Ss   16:57   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
      
      [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
      system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0  0.0 3096704 48500 ?    Sl   16:57   3:28 /bin/qemu-system-x86_64 [..]
      Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
      Reviewed-by: John Ferlan <jferlan@redhat.com>
      Reviewed-by: Ján Tomko <jtomko@redhat.com>
    • security: Add DAC and SELinux security for tpm-emulator · a21c45c4
      Committed by Stefan Berger
      Extend the DAC and SELinux modules with support for the tpm-emulator.
      We label the Unix socket that QEMU connects to after starting swtpm
      with DAC and SELinux labels. We do not have to restore the labels in
      this case since the tpm-emulator will remove the Unix socket when it
      terminates.
      Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
      Reviewed-by: John Ferlan <jferlan@redhat.com>
      Reviewed-by: Ján Tomko <jtomko@redhat.com>
    • conf: Add support for external swtpm TPM emulator to domain XML · 33af0b2b
      Committed by Stefan Berger
      This patch adds support for an external swtpm TPM emulator. The XML for
      this type of TPM looks as follows:
      
       <tpm model='tpm-tis'>
         <backend type='emulator'/>
       </tpm>
      
      The XML will currently only define a TPM 1.2.
      
      Extend the documentation.
      
      Add a test case testing the XML parser and formatter.
      Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
      Reviewed-by: John Ferlan <jferlan@redhat.com>
      Reviewed-by: Ján Tomko <jtomko@redhat.com>
  2. 04 May, 2018 1 commit
  3. 25 Apr, 2018 1 commit
  4. 18 Apr, 2018 1 commit
    • virobject: Introduce VIR_CLASS_NEW() macro · 10f94828
      Committed by Michal Privoznik
      So far we are repeating the following lines over and over:
      
        if (!(virSomeObjectClass = virClassNew(virClassForObject(),
                                   "virSomeObject",
                                   sizeof(virSomeObject),
                                   virSomeObjectDispose)))
            return -1;
      
      While this works, it is impossible to do some checking. Firstly,
      the class name (the 2nd argument) doesn't match the name in the
      code in all cases (the 3rd argument). Secondly, the current style
      is needlessly verbose. This commit turns example into following:
      
        if (!(VIR_CLASS_NEW(virSomeObject,
                            virClassForObject)))
            return -1;
      Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
      Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
  5. 22 Mar, 2018 4 commits
  6. 19 Mar, 2018 1 commit
    • virt-aa-helper: resolve file symlinks · 77cd862f
      Committed by Christian Ehrhardt
      In a recent change b932ed69: "virt-aa-helper: resolve yet to be created
      paths" several cases with symlinks in paths were fixed, but it regressed
      cases where the file being last element of the path was the actual link.
      
      In the case of the last element being the symlink realpath can (and shall)
      be called on the full path that was passed.
      
      Examples would be zfs/lvm block devices like:
       <disk type='block' device='disk'>
          <driver name='qemu' type='raw'/>
          <source dev='/dev/mapper/testlvm-testvol1'/>
          <target dev='vdd' bus='virtio'/>
       </disk>
      With the target being:
       /dev/mapper/testlvm-testvol1 -> ../dm-0
      
      That currently is rendered as
       "/dev/mapper/testlvm-testvol1" rwk,
      but instead should be (and is with the fix):
       "/dev/dm-0" rwk,
      
      Fixes: b932ed69: "virt-aa-helper: resolve yet to be created paths"
      Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1756394
      Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
  7. 13 Mar, 2018 1 commit
    • virSecurityDACChownListFree: Don't leak list->items array · ca250269
      Committed by Michal Privoznik
      We're freeing individual items in it but not the array itself.
      
      ==19200== 40 bytes in 1 blocks are definitely lost in loss record 847 of 1,059
      ==19200==    at 0x4C2D12F: realloc (vg_replace_malloc.c:785)
      ==19200==    by 0x52C5532: virReallocN (viralloc.c:245)
      ==19200==    by 0x52C5628: virExpandN (viralloc.c:294)
      ==19200==    by 0x52C58FC: virInsertElementsN (viralloc.c:436)
      ==19200==    by 0x542856B: virSecurityDACChownListAppend (security_dac.c:115)
      ==19200==    by 0x54286B4: virSecurityDACTransactionAppend (security_dac.c:167)
      ==19200==    by 0x542902F: virSecurityDACSetOwnershipInternal (security_dac.c:560)
      ==19200==    by 0x54295D6: virSecurityDACSetOwnership (security_dac.c:650)
      ==19200==    by 0x542AEE0: virSecurityDACSetInputLabel (security_dac.c:1472)
      ==19200==    by 0x542B61D: virSecurityDACSetAllLabel (security_dac.c:1693)
      ==19200==    by 0x542DD67: virSecurityManagerSetAllLabel (security_manager.c:869)
      ==19200==    by 0x54279C2: virSecurityStackSetAllLabel (security_stack.c:361)
      Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
  8. 08 Mar, 2018 1 commit
    • virt-aa-helper: resolve yet to be created paths · b932ed69
      Committed by Christian Ehrhardt
      In certain cases a xml contains paths that do not yet exist, but
      are valid as qemu will create them later on - for example
      vhostuser mode=server sockets.
      
      In any such cases so far the check to virFileExists failed and due to
      that the paths stayed non-resolved in regard to symlinks.
      
      But for apparmor those non-resolved rules are non functional as they
      are evaluated after resolving any symlinks.
      
      Therefore for non-existent files and partially non-existent paths
      resolve as much as possible to get valid rules.
      
      Example:
         <interface type='vhostuser'>
             <model type='virtio'/>
             <source type='unix' path='/var/run/symlinknet' mode='server'/>
         </interface>
      
      Got rendered as:
        "/var/run/symlinknet" rw,
      
      But correct with "/var/run" being a symlink to "/run" is:
        "/run/symlinknet" rw,
      Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
      Acked-by: Michal Privoznik <mprivozn@redhat.com>
  9. 06 Mar, 2018 1 commit
  10. 22 Feb, 2018 1 commit
  11. 09 Feb, 2018 1 commit
    • storage: move storage file backend framework into util directory · 064fec69
      Committed by Daniel P. Berrangé
      The QEMU driver loadable module needs to be able to resolve all ELF
      symbols it references against libvirt.so. Some of its symbols can only
      be resolved against the storage_driver.so loadable module which creates
      a hard dependency between them. By moving the storage file backend
      framework into the util directory, this gets included directly in the
      libvirt.so library. The actual backend implementations are still done as
      loadable modules, so this doesn't re-add deps on gluster libraries.
      Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
  12. 06 Feb, 2018 1 commit
  13. 10 Jan, 2018 4 commits
  14. 05 Dec, 2017 1 commit
  15. 25 Nov, 2017 1 commit
  16. 03 Nov, 2017 4 commits
    • Remove backslash alignment attempts · 3e7db8d3
      Committed by Andrea Bolognani
      Right-aligning backslashes when defining macros or using complex
      commands in Makefiles looks cute, but as soon as any change is
      required to the code you end up with either distractingly broken
      alignment or unnecessarily big diffs where most of the changes
      are just pushing all backslashes a few characters to one side.
      
      Generated using
      
        $ git grep -El '[[:blank:]][[:blank:]]\\$' | \
          grep -E '*\.([chx]|am|mk)$$' | \
          while read f; do \
            sed -Ei 's/[[:blank:]]*[[:blank:]]\\$/ \\/g' "$f"; \
          done
      Signed-off-by: Andrea Bolognani <abologna@redhat.com>
    • security: selinux: Take parent security label into account · cc16fa2a
      Committed by Peter Krempa
      Until now we ignored user-provided backing chains and while detecting
      the code inherited labels of the parent device. With user provided
      chains we should keep this functionality, so label of the parent image
      in the backing chain will be applied if an image-specific label is not
      present.
    • security: dac: Take parent security label into account · 2742dfee
      Committed by Peter Krempa
      Until now we ignored user-provided backing chains and while detecting
      the code inherited labels of the parent device. With user provided
      chains we should keep this functionality, so label of the parent image
      in the backing chain will be applied if an image-specific label is not
      present.
    • security: selinux: Pass parent storage source into image labeling helper · 023da7dd
      Committed by Peter Krempa
      virSecuritySELinuxSetImageLabelInternal assigns different labels to
      backing chain members than to the parent image. This was done via the
      'first' flag. Convert it to passing in pointer to the parent
      virStorageSource. This will allow us to use the parent virStorageSource
      in further changes.
  17. 27 Oct, 2017 1 commit
  18. 26 Oct, 2017 1 commit
    • virt-aa-helper: grant locking permission on -f · 07fc5c9c
      Committed by Christian Ehrhardt
      Hot-adding disks does not parse the full XML to generate apparmor rules.
      Instead it uses -f <PATH> to append a generic rule for that file path.
      
      580cdaa7: "virt-aa-helper: locking disk files for qemu 2.10" implemented
      the qemu 2.10 requirement to allow locking on disks images that are part of
      the domain xml.
      
      But on attach-device a user will still trigger an apparmor deny by going
      through virt-aa-helper -f, to fix that add the lock "k" permission to the
      append file case of virt-aa-helper.
      Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
  19. 17 Oct, 2017 1 commit
    • util: storagefile: Add helpers to check presence of backing store · 0a294a8e
      Committed by Peter Krempa
      Add helpers that will simplify checking if a backing file is valid or
      whether it has backing store. The helper virStorageSourceIsBacking
      returns true if the given virStorageSource is a valid backing store
      member. virStorageSourceHasBacking returns true if the virStorageSource
      has a backing store child.
      
      Adding these functions creates a central point for further refactors.
  20. 06 Oct, 2017 3 commits
    • virt-aa-helper: put static rules in quotes · cbd60952
      Committed by Christian Ehrhardt
      To avoid any issues later on if paths ever change (unlikely but
      possible) and to match the style of other generated rules the paths
      of the static rules have to be quoted as well.
      Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
    • virt-aa-helper: allow spaces in vm names · e79211ed
      Committed by Christian Ehrhardt
      libvirt allows spaces in vm names, there were issues in the past but it
      seems not removed so the assumption has to be that spaces are continuing
      to be allowed.
      
      Therefore virt-aa-helper should not reject spaces in vm names anymore if
      it is going to be refused causing issues then the parser or xml schema
      should do so.
      Apparmor rules are in quotes, so a space in a path based on the name works.
      Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
      Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
    • virt-aa-helper: fix paths for usb hostdevs · 750e0844
      Committed by Christian Ehrhardt
      If users only specified vendor&product (the common case) then parsing
      the xml via virDomainHostdevSubsysUSBDefParseXML would only set these.
      Bus and Device would much later be added when the devices are prepared
      to be added.
      
      Due to that a hot-add of a usb hostdev works as the device is prepared
      and virt-aa-helper processes the new internal xml. But on an initial
      guest start at the time virt-aa-helper renders the apparmor rules the
      bus/device id's are not set yet:
      
      p ctl->def->hostdevs[0]->source.subsys.u.usb
      $12 = {autoAddress = false, bus = 0, device = 0, vendor = 1921, product
      = 21888}
      
      That causes rules to be wrong:
        "/dev/bus/usb/000/000" rw,
      
      The fix calls virHostdevFindUSBDevice after reading the XML from
      virt-aa-helper to only add apparmor rules for devices that could be found
      and now are fully known to be able to write the rule correctly.
      
      It unconditionally sets virHostdevFindUSBDevice mandatory attribute as
      adding an apparmor rule for a device not found makes no sense no matter
      what startup policy it has set.
      Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
      Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
  21. 25 Sep, 2017 1 commit
  22. 22 Sep, 2017 1 commit
  23. 19 Sep, 2017 1 commit
  24. 13 Sep, 2017 2 commits
  25. 21 Aug, 2017 1 commit
    • Don't autogenerate seclabels of type 'none' · 0f1993aa
      Committed by Jim Fehlig
      When security drivers are active but confinement is not enabled,
      there is no need to autogenerate <seclabel> elements when starting
      a domain def that contains no <seclabel> elements. In fact,
      autogenerating the elements can result in needless save/restore and
      migration failures when the security driver is not active on the
      restore/migration target.
      
      This patch changes the virSecurityManagerGenLabel function in
      src/security_manager.c to only autogenerate a <seclabel> element
      if none is already defined for the domain *and* default
      confinement is enabled. Otherwise the needless <seclabel>
      autogeneration is skipped.
      
      Resolves: https://bugzilla.opensuse.org/show_bug.cgi?id=1051017
  26. 17 Aug, 2017 1 commit
    • virt-aa-helper: locking loader/nvram for qemu 2.10 · 03fb4e3d
      Committed by Christian Ehrhardt
      Testing qemu-2.10-rc3 shows issues like:
        qemu-system-aarch64: -drive file=/home/ubuntu/vm-start-stop/vms/
        7936-0_CODE.fd,if=pflash,format=raw,unit=1: Failed to unlock byte 100
      
      There is an apparmor deny due to qemu now locking those files:
       apparmor="DENIED" operation="file_lock" [...]
       name="/home/ubuntu/vm-start-stop/vms/7936-0_CODE.fd"
       name="/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow"
       [...] comm="qemu-system-aarch64" requested_mask="k" denied_mask="k"
      
      The profile needs to allow locking for loader and nvram files via
      the locking (k) rule.
      Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>