- 06 6月, 2018 3 次提交
-
-
由 Stefan Berger 提交于
In this patch we label the swtpm process with SELinux labels. We give it the same label as the QEMU process has. We label its state directory and files as well. We restore the old security labels once the swtpm has terminated. The file and process labels now look as follows: Directory: /var/lib/libvirt/swtpm [root@localhost swtpm]# ls -lZ total 4 rwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm [root@localhost testvm]# ls -lZ total 8 -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall The log in /var/log/swtpm/libvirt/qemu is labeled as follows: -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 [..] Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Stefan Berger 提交于
Extend the DAC and SELinux modules with support for the tpm-emulator. We label the Unix socket that QEMU connects to after starting swtmp with DAC and SELinux labels. We do not have to restore the labels in this case since the tpm-emulator will remove the Unix socket when it terminates. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
由 Stefan Berger 提交于
This patch adds support for an external swtpm TPM emulator. The XML for this type of TPM looks as follows: <tpm model='tpm-tis'> <backend type='emulator'/> </tpm> The XML will currently only define a TPM 1.2. Extend the documentation. Add a test case testing the XML parser and formatter. Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
- 04 5月, 2018 1 次提交
-
-
由 Martin Kletzander 提交于
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
- 25 4月, 2018 1 次提交
-
-
由 Daniel P. Berrangé 提交于
Currently the driver module loading code does not report an error if the driver module is physically missing on disk. This is useful for distro packaging optional pieces. When the daemons are split up into one daemon per driver, we will expect module loading to always succeed. If a driver is not desired, the entire daemon should not be installed. Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 18 4月, 2018 1 次提交
-
-
由 Michal Privoznik 提交于
So far we are repeating the following lines over and over: if (!(virSomeObjectClass = virClassNew(virClassForObject(), "virSomeObject", sizeof(virSomeObject), virSomeObjectDispose))) return -1; While this works, it is impossible to do some checking. Firstly, the class name (the 2nd argument) doesn't match the name in the code in all cases (the 3rd argument). Secondly, the current style is needlessly verbose. This commit turns example into following: if (!(VIR_CLASS_NEW(virSomeObject, virClassForObject))) return -1; Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 22 3月, 2018 4 次提交
-
-
由 Christian Ehrhardt 提交于
nvdimm memory is backed by a path on the host. This currently works only via hotplug where the AppArmor label is created via the domain label callbacks. This adds the virt-aa-helper support for nvdimm memory devices to generate rules for the needed paths from the initial guest definition as well. Example in domain xml: <memory model='nvdimm'> <source> <path>/tmp/nvdimm-base</path> </source> <target> <size unit='KiB'>524288</size> <node>0</node> </target> </memory> Works to start now and creates: "/tmp/nvdimm-base" rw, Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1757085Acked-by: NJamie Strandboge <jamie@canonical.com> Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
-
由 Christian Ehrhardt 提交于
Input devices can passthrough an event device. This currently works only via hotplug where the AppArmor label is created via the domain label callbacks. This adds the virt-aa-helper support for passthrough input devices to generate rules for the needed paths from the initial guest definition as well. Example in domain xml: <input type='passthrough' bus='virtio'> <source evdev='/dev/input/event0' /> </input> Works to start now and creates: "/dev/input/event0" rw, Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1757085Acked-by: NJamie Strandboge <jamie@canonical.com> Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
-
由 Christian Ehrhardt 提交于
d8116b5a "security: Introduce functions for input device hot(un)plug" implemented the code (Set|Restore)InputLabel for several security modules, this patch adds an AppArmor implementation for it as well. That fixes hot-plugging event input devices by generating a rule for the path that needs to be accessed. Example hot adding: <input type='passthrough' bus='virtio'> <source evdev='/dev/input/event0' /> </input> Creates now: "/dev/input/event0" rwk, Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1755153Acked-by: NJamie Strandboge <jamie@canonical.com> Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
-
由 Christian Ehrhardt 提交于
Recent changes have made implementing this mandatory to hot add any memory. Implementing this in apparmor fixes this as well as allows hot-add of nvdimm tpye memory with an nvdimmPath set generating a AppArmor rule for that path. Example hot adding: <memory model='nvdimm'> <source> <path>/tmp/nvdimm-test</path> </source> <target> <size unit='KiB'>524288</size> <node>0</node> </target> </memory> Creates now: "/tmp/nvdimm-test" rwk, Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1755153Acked-by: NJamie Strandboge <jamie@canonical.com> Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
-
- 19 3月, 2018 1 次提交
-
-
由 Christian Ehrhardt 提交于
In a recent change b932ed69: "virt-aa-helper: resolve yet to be created paths" several cases with symlinks in paths were fixed, but it regressed cases where the file being last element of the path was the actual link. In the case of the last element being the symlink realpath can (and shall) be called on the full path that was passed. Examples would be zfs/lvm block devices like: <disk type='block' device='disk'> <driver name='qemu' type='raw'/> <source dev='/dev/mapper/testlvm-testvol1'/> <target dev='vdd' bus='virtio'/> </disk> With the target being: /dev/mapper/testlvm-testvol1 -> ../dm-0 That currently is rendered as "/dev/mapper/testlvm-testvol1" rwk, but instead should be (and is with the fix): "/dev/dm-0" rwk, Fixes: b932ed69: "virt-aa-helper: resolve yet to be created paths" Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1756394Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
-
- 13 3月, 2018 1 次提交
-
-
由 Michal Privoznik 提交于
We're freeing individual items in it but not the array itself. ==19200== 40 bytes in 1 blocks are definitely lost in loss record 847 of 1,059 ==19200== at 0x4C2D12F: realloc (vg_replace_malloc.c:785) ==19200== by 0x52C5532: virReallocN (viralloc.c:245) ==19200== by 0x52C5628: virExpandN (viralloc.c:294) ==19200== by 0x52C58FC: virInsertElementsN (viralloc.c:436) ==19200== by 0x542856B: virSecurityDACChownListAppend (security_dac.c:115) ==19200== by 0x54286B4: virSecurityDACTransactionAppend (security_dac.c:167) ==19200== by 0x542902F: virSecurityDACSetOwnershipInternal (security_dac.c:560) ==19200== by 0x54295D6: virSecurityDACSetOwnership (security_dac.c:650) ==19200== by 0x542AEE0: virSecurityDACSetInputLabel (security_dac.c:1472) ==19200== by 0x542B61D: virSecurityDACSetAllLabel (security_dac.c:1693) ==19200== by 0x542DD67: virSecurityManagerSetAllLabel (security_manager.c:869) ==19200== by 0x54279C2: virSecurityStackSetAllLabel (security_stack.c:361) Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 08 3月, 2018 1 次提交
-
-
由 Christian Ehrhardt 提交于
In certain cases a xml contains paths that do not yet exist, but are valid as qemu will create them later on - for example vhostuser mode=server sockets. In any such cases so far the check to virFileExists failed and due to that the paths stayed non-resolved in regard to symlinks. But for apparmor those non-resolved rules are non functional as they are evaluated after resolving any symlinks. Therefore for non-existent files and partially non-existent paths resolve as much as possible to get valid rules. Example: <interface type='vhostuser'> <model type='virtio'/> <source type='unix' path='/var/run/symlinknet' mode='server'/> </interface> Got rendered as: "/var/run/symlinknet" rw, But correct with "/var/run" being a symlink to "/run" is: "/run/symlinknet" rw, Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com> Acked-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 06 3月, 2018 1 次提交
-
-
由 Daniel P. Berrangé 提交于
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 22 2月, 2018 1 次提交
-
-
由 Daniel P. Berrangé 提交于
Ensure all enum cases are listed in switch statements. Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 09 2月, 2018 1 次提交
-
-
由 Daniel P. Berrangé 提交于
The QEMU driver loadable module needs to be able to resolve all ELF symbols it references against libvirt.so. Some of its symbols can only be resolved against the storage_driver.so loadable module which creates a hard dependancy between them. By moving the storage file backend framework into the util directory, this gets included directly in the libvirt.so library. The actual backend implementations are still done as loadable modules, so this doesn't re-add deps on gluster libraries. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 06 2月, 2018 1 次提交
-
-
由 Shivaprasad G Bhat 提交于
The virt-aa-helper fails to parse the xmls with the memory/cpu hotplug features or user assigned aliases. Set the features in xmlopt->config for the parsing to succeed. Signed-off-by: NShivaprasad G Bhat <sbhat@linux.vnet.ibm.com> Tested-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com> Reviewed-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
-
- 10 1月, 2018 4 次提交
-
-
由 Christian Ehrhardt 提交于
This is now covered by DomainSetPathLabel being implemented in apparmor. Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
-
由 Christian Ehrhardt 提交于
Since 1b4f66ec "security: introduce virSecurityManager (Set|Restore)ChardevLabel" this is a public API of security manager. Implementing this in apparmor avoids miss any rules that should be added for devices labeled via these calls. Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
-
由 Christian Ehrhardt 提交于
virSecurityManagerDomainSetPathLabel is used to make a path known to the security modules, but today is used interchangably for - paths to files/dirs to be accessed directly - paths to a dir, but the access will actually be to files therein Depending on the security module it is important to know which of these types it will be. The argument allowSubtree augments the call to the implementations of DomainSetPathLabel that can - per security module - decide if extra actions shall be taken. For now dac/selinux handle this as before, but apparmor will make use of it to add a wildcard to the path that was passed. Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Christian Ehrhardt 提交于
This came up in discussions around huge pages, but it will cover more per guest paths that should be added to the guests apparmor profile: - keys via qemuDomainWriteMasterKeyFile - per domain dirs via qemuProcessMakeDir - memory backing paths via qemuProcessBuildDestroyMemoryPathsImpl Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
-
- 05 12月, 2017 1 次提交
-
-
由 Pavel Hrdina 提交于
SELinux and DAC drivers already have both functions but they were not exported as public API of security manager. Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
-
- 25 11月, 2017 1 次提交
-
-
由 Ján Tomko 提交于
Export the existing DAC and SELinux for separate use and introduce functions for stack, nop and the security manager.
-
- 03 11月, 2017 4 次提交
-
-
由 Andrea Bolognani 提交于
Right-aligning backslashes when defining macros or using complex commands in Makefiles looks cute, but as soon as any changes is required to the code you end up with either distractingly broken alignment or unnecessarily big diffs where most of the changes are just pushing all backslashes a few characters to one side. Generated using $ git grep -El '[[:blank:]][[:blank:]]\\$' | \ grep -E '*\.([chx]|am|mk)$$' | \ while read f; do \ sed -Ei 's/[[:blank:]]*[[:blank:]]\\$/ \\/g' "$f"; \ done Signed-off-by: NAndrea Bolognani <abologna@redhat.com>
-
由 Peter Krempa 提交于
Until now we ignored user-provided backing chains and while detecting the code inherited labels of the parent device. With user provided chains we should keep this functionality, so label of the parent image in the backing chain will be applied if an image-specific label is not present.
-
由 Peter Krempa 提交于
Until now we ignored user-provided backing chains and while detecting the code inherited labels of the parent device. With user provided chains we should keep this functionality, so label of the parent image in the backing chain will be applied if an image-specific label is not present.
-
由 Peter Krempa 提交于
virSecuritySELinuxSetImageLabelInternal assigns different labels to backing chain members than to the parent image. This was done via the 'first' flag. Convert it to passing in pointer to the parent virStorageSource. This will allow us to use the parent virStorageSource in further changes.
-
- 27 10月, 2017 1 次提交
-
-
由 Christian Ehrhardt 提交于
Some globbing chars in the domain name could be used to break out of apparmor rules, so lets forbid these when in virt-aa-helper. Also adding a test to ensure all those cases were detected as bad char. Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
-
- 26 10月, 2017 1 次提交
-
-
由 Christian Ehrhardt 提交于
Hot-adding disks does not parse the full XML to generate apparmor rules. Instead it uses -f <PATH> to append a generic rule for that file path. 580cdaa7: "virt-aa-helper: locking disk files for qemu 2.10" implemented the qemu 2.10 requirement to allow locking on disks images that are part of the domain xml. But on attach-device a user will still trigger an apparmor deny by going through virt-aa-helper -f, to fix that add the lock "k" permission to the append file case of virt-aa-helper. Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
-
- 17 10月, 2017 1 次提交
-
-
由 Peter Krempa 提交于
Add helpers that will simplify checking if a backing file is valid or whether it has backing store. The helper virStorageSourceIsBacking returns true if the given virStorageSource is a valid backing store member. virStorageSourceHasBacking returns true if the virStorageSource has a backing store child. Adding these functions creates a central points for further refactors.
-
- 06 10月, 2017 3 次提交
-
-
由 Christian Ehrhardt 提交于
To avoid any issues later on if paths ever change (unlikely but possible) and to match the style of other generated rules the paths of the static rules have to be quoted as well. Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
-
由 Christian Ehrhardt 提交于
libvirt allows spaces in vm names, there were issues in the past but it seems not removed so the assumption has to be that spaces are continuing to be allowed. Therefore virt-aa-helper should not reject spaces in vm names anymore if it is going to be refused causing issues then the parser or xml schema should do so. Apparmor rules are in quotes, so a space in a path based on the name works. Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Christian Ehrhardt 提交于
If users only specified vendor&product (the common case) then parsing the xml via virDomainHostdevSubsysUSBDefParseXML would only set these. Bus and Device would much later be added when the devices are prepared to be added. Due to that a hot-add of a usb hostdev works as the device is prepared and virt-aa-helper processes the new internal xml. But on an initial guest start at the time virt-aa-helper renders the apparmor rules the bus/device id's are not set yet: p ctl->def->hostdevs[0]->source.subsys.u.usb $12 = {autoAddress = false, bus = 0, device = 0, vendor = 1921, product = 21888} That causes rules to be wrong: "/dev/bus/usb/000/000" rw, The fix calls virHostdevFindUSBDevice after reading the XML from virt-aa-helper to only add apparmor rules for devices that could be found and now are fully known to be able to write the rule correctly. It uncondtionally sets virHostdevFindUSBDevice mandatory attribute as adding an apparmor rule for a device not found makes no sense no matter what startup policy it has set. Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 25 9月, 2017 1 次提交
-
-
由 Daniel P. Berrange 提交于
Seeing a log message saying 'flags=93' is ambiguous & confusing unless you happen to know that libvirt always prints flags as hex. Change our debug messages so that they always add a '0x' prefix when printing flags, and '0' prefix when printing mode. A few other misc places gain a '0x' prefix in error messages too. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 22 9月, 2017 1 次提交
-
-
由 Guido Günther 提交于
instead of only unloading it. This makes sure old profiles don't pile up in /etc/apparmor.d/libvirt and we get updates to modified templates on VM restart. Reviewed-by: NJim Fehlig <jfehlig@suse.com>
-
- 19 9月, 2017 1 次提交
-
-
由 Guido Günther 提交于
Things moved again, sigh. Reviewed-By: NJamie Strandboge <jamie@canonical.com> Michal Privoznik <mprivozn@redhat.com>
-
- 13 9月, 2017 2 次提交
-
-
由 Cole Robinson 提交于
For a logged in user this a path like /dev/dri/renderD128 will have default ownership root:video which won't work for the qemu:qemu user, so we need to chown it. We only do this when mount namespaces are enabled in the qemu driver, so the chown'ing doesn't interfere with other users of the shared render node path https://bugzilla.redhat.com/show_bug.cgi?id=1460804
-
由 Cole Robinson 提交于
The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver if mount namespaces are in use for the VM. Will be used for future changes. Wire it up in the qemu driver
-
- 21 8月, 2017 1 次提交
-
-
由 Jim Fehlig 提交于
When security drivers are active but confinement is not enabled, there is no need to autogenerate <seclabel> elements when starting a domain def that contains no <seclabel> elements. In fact, autogenerating the elements can result in needless save/restore and migration failures when the security driver is not active on the restore/migration target. This patch changes the virSecurityManagerGenLabel function in src/security_manager.c to only autogenerate a <seclabel> element if none is already defined for the domain *and* default confinement is enabled. Otherwise the needless <seclabel> autogeneration is skipped. Resolves: https://bugzilla.opensuse.org/show_bug.cgi?id=1051017
-
- 17 8月, 2017 1 次提交
-
-
由 Christian Ehrhardt 提交于
Testing qemu-2.10-rc3 shows issues like: qemu-system-aarch64: -drive file=/home/ubuntu/vm-start-stop/vms/ 7936-0_CODE.fd,if=pflash,format=raw,unit=1: Failed to unlock byte 100 There is an apparmor deny due to qemu now locking those files: apparmor="DENIED" operation="file_lock" [...] name="/home/ubuntu/vm-start-stop/vms/7936-0_CODE.fd" name="/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow" [...] comm="qemu-system-aarch64" requested_mask="k" denied_mask="k" The profile needs to allow locking for loader and nvram files via the locking (k) rule. Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
-