1. 01 10月, 2010 1 次提交
    • J
      implement usb and pci hot attach in AppArmor driver · 593e0072
      Jamie Strandboge 提交于
      Description: Implement AppArmorSetSecurityHostdevLabel() and
      AppArmorRestoreSecurityHostdevLabel() for hostdev and pcidev attach.
      
      virt-aa-helper also has to be adjusted because *FileIterate() is used for pci
      and usb devices and the corresponding XML for hot attached hostdev and pcidev
      is not in the XML passed to virt-aa-helper. The new '-F filename' option is
      added to append a rule to the profile as opposed to the existing '-f
      filename', which rewrites the libvirt-<uuid>.files file anew. This new '-F'
      option will append a rule to an existing libvirt-<uuid>.files if it exists,
      otherwise it acts the same as '-f'.
      
      load_profile() and reload_profile() have been adjusted to add an 'append'
      argument, which when true will use '-F' instead of '-f' when executing
      virt-aa-helper.
      
      All existing calls to load_profile() and reload_profile() have been adjusted
      to use the old behavior (ie append==false) except AppArmorSetSavedStateLabel()
      where it made sense to use the new behavior.
      
      This patch also adds tests for '-F'.
      
      Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/640993
      593e0072
  2. 24 9月, 2010 1 次提交
  3. 17 8月, 2010 1 次提交
  4. 24 7月, 2010 3 次提交
    • M
      virt-aa-helper: Make getopt accept the p option · d01340e7
      Matthias Bolte 提交于
      Commit 68719c4b added the
      p option to control disk format probing, but it wasn't added
      to the getopt_long optstring parameter.
      
      Add the p option to the getopt_long optstring parameter.
      d01340e7
    • M
      virt-aa-helper: Fix return value of add_file_path · adde0e2c
      Matthias Bolte 提交于
      Commit a8853344 added this
      function and wrapped vah_add_file in it. vah_add_file may
      return -1, 0, 1. It returns 1 in case the call to valid_path
      detects a restricted file. The original code treated a return
      value != 0 as error. The refactored code treats a return
      value < 0 as error. This triggers segfault in virt-aa-helper
      and breaks virt-aa-helper-test for the restricted file tests.
      
      Make sure that add_file_path returns -1 on error.
      adde0e2c
    • M
      virt-aa-helper: Ignore open errors again · 05c9a413
      Matthias Bolte 提交于
      virt-aa-helper used to ignore errors when opening files.
      Commit a8853344 refactored
      the related code and changed this behavior. virt-aa-helper
      didn't ignore open errors anymore and virt-aa-helper-test
      fails.
      
      Make sure that virt-aa-helper ignores open errors again.
      05c9a413
  5. 20 7月, 2010 4 次提交
    • D
      Disable all disk probing in QEMU driver & add config option to re-enable · 68719c4b
      Daniel P. Berrange 提交于
      Disk format probing is now disabled by default. A new config
      option in /etc/qemu/qemu.conf will re-enable it for existing
      deployments where this causes trouble
      68719c4b
    • D
      Pass security driver object into all security driver callbacks · f70e0809
      Daniel P. Berrange 提交于
      The implementation of security driver callbacks often needs
      to access the security driver object. Currently only a handful
      of callbacks include the driver object as a parameter. Later
      patches require this is many more places.
      
      * src/qemu/qemu_driver.c: Pass in the security driver object
        to all callbacks
      * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c,
        src/security/security_apparmor.c, src/security/security_driver.h,
        src/security/security_selinux.c: Add a virSecurityDriverPtr
        param to all security callbacks
      f70e0809
    • D
      Convert all disk backing store loops to shared helper API · a8853344
      Daniel P. Berrange 提交于
      Update the QEMU cgroups code, QEMU DAC security driver, SELinux
      and AppArmour security drivers over to use the shared helper API
      virDomainDiskDefForeachPath().
      
      * src/qemu/qemu_driver.c, src/qemu/qemu_security_dac.c,
        src/security/security_selinux.c, src/security/virt-aa-helper.c:
        Convert over to use virDomainDiskDefForeachPath()
      a8853344
    • D
      Require format to be passed into virStorageFileGetMetadata · bf80fc68
      Daniel P. Berrange 提交于
      Require the disk image to be passed into virStorageFileGetMetadata.
      If this is set to VIR_STORAGE_FILE_AUTO, then the format will be
      resolved using probing. This makes it easier to control when
      probing will be used
      
      * src/qemu/qemu_driver.c, src/qemu/qemu_security_dac.c,
        src/security/security_selinux.c, src/security/virt-aa-helper.c:
        Set VIR_STORAGE_FILE_AUTO when calling virStorageFileGetMetadata.
      * src/storage/storage_backend_fs.c: Probe for disk format before
        calling virStorageFileGetMetadata.
      * src/util/storage_file.h, src/util/storage_file.c: Remove format
        from virStorageFileMeta struct & require it to be passed into
        method.
      bf80fc68
  6. 28 6月, 2010 1 次提交
  7. 25 6月, 2010 1 次提交
    • D
      Set labelling for character devices in security drivers · 2bad82f7
      Daniel P. Berrange 提交于
      When configuring serial, parallel, console or channel devices
      with a file, dev or pipe backend type, it is necessary to label
      the file path in the security drivers. For char devices of type
      file, it is neccessary to pre-create (touch) the file if it does
      not already exist since QEMU won't be allowed todo so itself.
      dev/pipe configs already require the admin to pre-create before
      starting the guest.
      
      * src/qemu/qemu_security_dac.c: set file ownership for character
        devices
      * src/security/security_selinux.c: Set file labeling for character
        devices
      * src/qemu/qemu_driver.c: Add character devices to cgroup ACL
      2bad82f7
  8. 08 6月, 2010 4 次提交
    • D
      Don't raise errors in the selinux restore code · f43dc26a
      Daniel P. Berrange 提交于
      The restore code is done in places where errors cannot be
      raised, since they will overwrite over pre-existing errors.
      
      * src/security/security_selinux.c: Only warn about failures
        in label restore, don't report errors
      f43dc26a
    • D
      Add support for setting socket MLS level in SELinux driver · e72cc3c1
      Daniel J Walsh 提交于
      When SELinux is running in MLS mode, libvirtd will have a
      different security level to the VMs. For libvirtd to be
      able to connect to the monitor console, the client end of
      the UNIX domain socket needs a different label. This adds
      infrastructure to set the socket label via the security
      driver framework
      
      * src/qemu/qemu_driver.c: Call out to socket label APIs in
        security driver
      * src/qemu/qemu_security_stacked.c: Wire up socket label
        drivers
      * src/security/security_driver.h: Define security driver
        entry points for socket labelling
      * src/security/security_selinux.c: Set socket label based on
        VM label
      e72cc3c1
    • J
      Fix AppArmor save/restore.Add stdin_path to qemudStartVMDaemon() args. · 97b68a49
      Jamie Strandboge 提交于
      Refactor to update AppArmor security driver to adjust profile for
      save/restore. This addresses the following bugs:
      
       https://bugzilla.redhat.com/show_bug.cgi?id=529363
       https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/457716
      97b68a49
    • J
      Add stdin_path to qemudStartVMDaemon() args. · 2b57478e
      Jamie Strandboge 提交于
      Adjust args to qemudStartVMDaemon() to also specify path to stdin_fd,
      so this can be passed to the AppArmor driver via SetSecurityAllLabel().
      
      This updates all calls to qemudStartVMDaemon() as well as setting up
      the non-AppArmor security driver *SetSecurityAllLabel() declarations
      for the above. This is required for the following
      "apparmor-fix-save-restore" patch since AppArmor resolves the passed
      file descriptor to the pathname given to open().
      2b57478e
  9. 19 5月, 2010 1 次提交
    • J
      initialize "meta" in virStorageFileGetMetadata, not in each caller · dcf30d9c
      Jim Meyering 提交于
      Do not require each caller of virStorageFileGetMetadata and
      virStorageFileGetMetadataFromFD to first clear the storage of the
      "meta" buffer.  Instead, initialize that storage in
      virStorageFileGetMetadataFromFD.
      * src/util/storage_file.c (virStorageFileGetMetadataFromFD): Clear
      "meta" here, not before each of the following callers.
      * src/qemu/qemu_driver.c (qemuSetupDiskCgroup): Don't clear "meta" here.
      (qemuTeardownDiskCgroup): Likewise.
      * src/qemu/qemu_security_dac.c (qemuSecurityDACSetSecurityImageLabel):
      Likewise.
      * src/security/security_selinux.c (SELinuxSetSecurityImageLabel):
      Likewise.
      * src/security/virt-aa-helper.c (get_files): Likewise.
      dcf30d9c
  10. 18 5月, 2010 2 次提交
    • J
      maint: add more free-like functions to the list and deal with fallout · a986892e
      Jim Meyering 提交于
      * cfg.mk (useless_free_options): Add many vir*Free* function names,
      and then remove the useless if-before-free tests exposed by running
      make syntax-check.
      * src/conf/interface_conf.c (virInterfaceDefFree): Remove useless "if".
      (virInterfaceAssignDef): Likewise.
      * src/conf/network_conf.c (virNetworkAssignDef): Likewise.
      * src/conf/storage_conf.c (virStoragePoolObjAssignDef): Likewise.
      * src/node_device/node_device_hal.c (dev_create): Likewise.
      * src/security/virt-aa-helper.c (vahDeinit): Likewise.
      * src/test/test_driver.c (testNodeDeviceCreateXML): Likewise.
      * src/util/conf.c (virConfSetValue): Likewise.
      a986892e
    • E
      virFileResolveLink: fix return value · d533a98e
      Eric Blake 提交于
      virFileResolveLink was returning a positive value on error,
      thus confusing callers that assumed failure was < 0.  The
      confusion is further evidenced by callers that would have
      ended up calling virReportSystemError with a negative value
      instead of a valid errno.
      
      Fixes Red Hat BZ #591363.
      
      * src/util/util.c (virFileResolveLink): Live up to documentation.
      * src/qemu/qemu_security_dac.c
      (qemuSecurityDACRestoreSecurityFileLabel): Adjust callers.
      * src/security/security_selinux.c
      (SELinuxRestoreSecurityFileLabel): Likewise.
      * src/storage/storage_backend_disk.c
      (virStorageBackendDiskDeleteVol): Likewise.
      d533a98e
  11. 14 5月, 2010 1 次提交
    • D
      Don't reset user/group/security label on shared filesystems during migrate · 02ddaddf
      Daniel P. Berrange 提交于
      When QEMU runs with its disk on NFS, and as a non-root user, the
      disk is chownd to that non-root user. When migration completes
      the last step is shutting down the QEMU on the source host. THis
      normally resets user/group/security label. This is bad when the
      VM was just migrated because the file is still in use on the dest
      host. It is thus neccessary to skip the reset step for any files
      found to be on a shared filesystem
      
      * src/libvirt_private.syms: Export virStorageFileIsSharedFS
      * src/util/storage_file.c, src/util/storage_file.h: Add a new
        method virStorageFileIsSharedFS() to determine if a file is
        on a shared filesystem (NFS, GFS, OCFS2, etc)
      * src/qemu/qemu_driver.c: Tell security driver not to reset
        disk labels on migration completion
      * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c,
        src/security/security_selinux.c, src/security/security_driver.h,
        src/security/security_apparmor.c: Add ability to skip disk
        restore step for files on shared filesystems.
      02ddaddf
  12. 30 4月, 2010 1 次提交
  13. 07 4月, 2010 6 次提交
    • J
      Improve virt-aa-helper to handle SDL graphics and cleanups · 1a253b38
      Jamie Strandboge 提交于
      * src/security/virt-aa-helper.c: add support for SDL devices and 3
        code cleanups
      1a253b38
    • J
      Adjust virt-aa-helper to handle pci devices · 1efb6236
      Jamie Strandboge 提交于
      * src/security/virt-aa-helper.c: adjust virt-aa-helper to handle pci
        devices. Update valid_path() to have an override array to check against,
        and add "/sys/devices/pci" to it. Then rename file_iterate_cb() to
        file_iterate_hostdev_cb() and create file_iterate_pci_cb() based on it
      1efb6236
    • J
      Add backingstore support to apparmor · 2aca94bf
      Jamie Strandboge 提交于
      adjust virt-aa-helper to handle backing store
      * src/security/virt-aa-helper.c: look for backing store metadata
        for disk definitions.
      2aca94bf
    • J
      Add VIR_DOMAIN_XML_INACTIVE flag when parsing domain XML · a331b909
      Jamie Strandboge 提交于
      To avoid an error when hitting the <seclabel...> definition
      * src/security/virt-aa-helper.c: add VIR_DOMAIN_XML_INACTIVE flag
        to virDomainDefParseString
      a331b909
    • J
      virt-aa-helper should not fail if profile was removed · ba32e11d
      Jamie Strandboge 提交于
      Don't exit with error if the user unloaded the profile outside of
       libvirt
      * src/security/virt-aa-helper.c: check the exit error from apparmor_parser
        before exiting with a failure
      ba32e11d
    • J
      Do nor clear caps when invoking virt-aa-helper · e68792c1
      Jamie Strandboge 提交于
      The calls to virExec() in security_apparmor.c when
      invoking virt-aa-helper use VIR_EXEC_CLEAR_CAPS. When compiled without
      libcap-ng, this is not a problem (it's effectively a no-op) but with
      libcap-ng this causes MAC_ADMIN to be cleared. MAC_ADMIN is needed by
      virt-aa-helper to manipulate apparmor profiles and without it VMs will
      not start[1]. This patch calls virExec with the default VIR_EXEC_NONE
      instead.
      * src/security/security_apparmor.c: fallback to VIR_EXEC_NONE flags for
        virExec of virt_aa_helper
      e68792c1
  14. 06 4月, 2010 1 次提交
  15. 02 4月, 2010 1 次提交
    • L
      Allow domain disk images on root-squash NFS to coexist with security driver. · 8a7b4be5
      Laine Stump 提交于
      (suggested by Daniel Berrange, tested by Dan Kenigsberg)
      
      virStorageFileGetMetadata will fail for disk images that are stored on
      a root-squash NFS share that isn't world-readable.
      SELinuxSetSecurityImageLabel is called during the startup of every
      domain (as long as security_driver != "none"), and it will propogate
      the error from virStorageFileGetMetadata, causing the domain startup
      to fail. This is, however, a common scenario when qemu is run as a
      non-root user and the disk image is stored on NFS.
      
      Ignoring this failure (which doesn't matter in this case, since the
      next thing done by SELinuxSetSecurityImageLabel - setting the file
      context - will also fail (and that function already ignores failures
      due to root-squash NFS) will allow us to continue bringing up the
      domain. The result is that we don't need to disable the entire
      security driver just because a domain's disk image is stored on
      root-squashed NFS.
      8a7b4be5
  16. 22 3月, 2010 1 次提交
  17. 16 3月, 2010 1 次提交
  18. 10 3月, 2010 1 次提交
  19. 08 3月, 2010 1 次提交
    • E
      build: consistently use C99 varargs macros · 2e56fb2b
      Eric Blake 提交于
      Prior to this patch, there was an inconsistent mix between GNU and C99.
      
      For consistency, and potential portability to other compilers, stick
      with the C99 vararg macro syntax.
      
      * src/conf/cpu_conf.c (virCPUReportError): Use C99 rather than GNU
        vararg macro syntax.
      * src/conf/domain_conf.c (virDomainReportError): Likewise.
      * src/conf/domain_event.c (eventReportError): Likewise.
      * src/conf/interface_conf.c (virInterfaceReportError): Likewise.
      * src/conf/network_conf.c (virNetworkReportError): Likewise.
      * src/conf/node_device_conf.h (virNodeDeviceReportError): Likewise.
      * src/conf/secret_conf.h (virSecretReportError): Likewise.
      * src/conf/storage_conf.h (virStorageReportError): Likewise.
      * src/esx/esx_device_monitor.c (ESX_ERROR): Use C99 rather than
        GNU vararg macro syntax.
      * src/esx/esx_driver.c (ESX_ERROR): Likewise.
      * src/esx/esx_interface_driver.c (ESX_ERROR): Likewise.
      * src/esx/esx_network_driver.c (ESX_ERROR): Likewise.
      * src/esx/esx_secret_driver.c (ESX_ERROR): Likewise.
      * src/esx/esx_storage_driver.c (ESX_ERROR): Likewise.
      * src/esx/esx_util.c (ESX_ERROR): Likewise.
      * src/esx/esx_vi.c (ESX_VI_ERROR): Likewise.
      * src/esx/esx_vi_methods.c (ESX_VI_ERROR): Likewise.
      * src/esx/esx_vi_types.c (ESX_VI_ERROR): Likewise.
      * src/esx/esx_vmx.c (ESX_ERROR): Likewise.
      * src/util/hostusb.c (usbReportError): Use C99 rather than GNU
        vararg macro syntax.
      * src/util/json.c (virJSONError): Likewise.
      * src/util/macvtap.c (ReportError): Likewise.
      * src/util/pci.c (pciReportError): Likewise.
      * src/util/stats_linux.c (virStatsError): Likewise.
      * src/util/util.c (virUtilError): Likewise.
      * src/util/xml.c (virXMLError): Likewise.
      * src/xen/proxy_internal.c (virProxyError): Use C99 rather than
        GNU vararg macro syntax.
      * src/xen/sexpr.c (virSexprError): Likewise.
      * src/xen/xen_driver.c (xenUnifiedError): Likewise.
      * src/xen/xen_hypervisor.c (virXenError): Likewise.
      * src/xen/xen_inotify.c (virXenInotifyError): Likewise.
      * src/xen/xend_internal.c (virXendError): Likewise.
      * src/xen/xm_internal.c (xenXMError): Likewise.
      * src/xen/xs_internal.c (virXenStoreError): Likewise.
      * src/cpu/cpu.h (virCPUReportError): Use C99 rather than GNU
        vararg macro syntax.
      * src/datatypes.c (virLibConnError): Likewise.
      * src/interface/netcf_driver.c (interfaceReportError): Likewise.
      * src/libvirt.c (virLibStreamError): Likewise.
      * src/lxc/lxc_conf.h (lxcError): Likewise.
      * src/network/bridge_driver.c (networkReportError): Likewise.
      * src/nodeinfo.c (nodeReportError): Likewise.
      * src/opennebula/one_conf.h (oneError): Likewise.
      * src/openvz/openvz_conf.h (openvzError): Likewise.
      * src/phyp/phyp_driver.c (PHYP_ERROR): Likewise.
      * src/qemu/qemu_conf.h (qemuReportError): Likewise.
      * src/remote/remote_driver.c (errorf): Likewise.
      * src/security/security_driver.h (virSecurityReportError): Likewise.
      * src/test/test_driver.c (testError): Likewise.
      * src/uml/uml_conf.h (umlReportError): Likewise.
      * src/vbox/vbox_driver.c (vboxError): Likewise.
      * src/vbox/vbox_tmpl.c (vboxError): Likewise.
      2e56fb2b
  20. 05 3月, 2010 1 次提交
    • D
      Fix USB passthrough based on product/vendor · 09ed0729
      Daniel P. Berrange 提交于
      Changeset
      
        commit 5073aa99
        Author: Cole Robinson <crobinso@redhat.com>
        Date:   Mon Jan 11 11:40:46 2010 -0500
      
      Added support for product/vendor based passthrough, but it only
      worked at the security driver layer. The main guest XML config
      was not updated with the resolved bus/device ID. When the QEMU
      argv refactoring removed use of product/vendor, this then broke
      launching guests.
      
      THe solution is to move the product/vendor resolution up a layer
      into the QEMU driver. So the first thing QEMU does is resolve
      the product/vendor to a bus/device and updates the XML config
      with this info. The rest of the code, including security drivers
      and QEMU argv generated can now rely on bus/device always being
      set.
      
      * src/util/hostusb.c, src/util/hostusb.h: Split vendor/product
        resolution code out of usbGetDevice and into usbFindDevice.
        Add accessors for bus/device ID
      * src/security/virt-aa-helper.c, src/security/security_selinux.c,
        src/qemu/qemu_security_dac.c: Remove vendor/product from the
        usbGetDevice() calls
      * src/qemu/qemu_driver.c: Use usbFindDevice to resolve vendor/product
        into a bus/device ID
      09ed0729
  21. 15 2月, 2010 1 次提交
    • M
      Convert virSecurityReportError into a macro · cad2a4ca
      Matthias Bolte 提交于
      The virRaiseError macro inside of virSecurityReportError expands to
      virRaiseErrorFull and includes the __FILE__, __FUNCTION__ and __LINE__
      information. But this three values are always the same for every call
      to virSecurityReportError and do not reflect the actual error context.
      
      Converting virSecurityReportError into a macro results in getting the
      correct __FILE__, __FUNCTION__ and __LINE__ information.
      cad2a4ca
  22. 12 2月, 2010 1 次提交
  23. 10 2月, 2010 2 次提交
    • D
      Remove virConnectPtr from USB/PCI device iterators · ce71b865
      Daniel P. Berrange 提交于
      All callers now pass a NULL virConnectPtr into the USB/PCi device
      iterator functions. Therefore the virConnectPtr arg can now be
      removed from these functions
      
      * src/util/hostusb.h, src/util/hostusb.c: Remove virConnectPtr
        from usbDeviceFileIterate
      * src/util/pci.c, src/util/pci.h: Remove virConnectPtr arg from
        pciDeviceFileIterate
      * src/qemu/qemu_security_dac.c, src/security/security_selinux.c: Update
        to drop redundant virConnectPtr arg
      ce71b865
    • D
      Remove use of virConnectPtr from security driver APIs · d6126f76
      Daniel P. Berrange 提交于
      The virConnectPtr is no longer required for error reporting since
      that is recorded in a thread local. Remove use of virConnectPtr
      from all APIs in security_driver.{h,c} and update all callers to
      match
      d6126f76
  24. 09 2月, 2010 2 次提交