You need to sign in or sign up before continuing.
- 24 4月, 2013 1 次提交
-
-
由 Peter Krempa 提交于
Since cbe67ff9 virSecuritySELinuxGenNewContext reports good error messages. Fix callers that mask the errors by generic error message.
-
- 17 4月, 2013 1 次提交
-
-
由 Osier Yang 提交于
Detected by a simple Shell script: for i in $(git ls-files -- '*.[ch]'); do awk 'BEGIN { fail=0 } /# *include.*\.h/{ match($0, /["<][^">]*[">]/) arr[substr($0, RSTART+1, RLENGTH-2)]++ } END { for (key in arr) { if (arr[key] > 1) { fail=1 printf("%d %s\n", arr[key], key) } } if (fail == 1) exit 1 }' $i if test $? != 0; then echo "Duplicate header(s) in $i" fi done; A later patch will add the syntax-check to avoid duplicate headers.
-
- 13 4月, 2013 1 次提交
-
-
由 Stefan Berger 提交于
Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NCorey Bryant <coreyb@linux.vnet.ibm.com> Tested-by: NCorey Bryant <coreyb@linux.vnet.ibm.com>
-
- 28 3月, 2013 1 次提交
-
-
由 Michal Privoznik 提交于
The virDomainDefGetSecurityLabelDef was modifying the domain XML. It tried to find a seclabel corresponding to given sec driver. If the label wasn't found, the function created one which is wrong. In fact it's security manager which should modify this part of domain XML.
-
- 20 3月, 2013 1 次提交
-
-
由 Olivia Yin 提交于
-
- 14 3月, 2013 3 次提交
-
-
由 Daniel P. Berrange 提交于
Normally libvirtd should run with a SELinux label system_u:system_r:virtd_t:s0-s0:c0.c1023 If a user manually runs libvirtd though, it is sometimes possible to get into a situation where it is running system_u:system_r:init_t:s0 The SELinux security driver isn't expecting this and can't parse the security label since it lacks the ':c0.c1023' part causing it to complain internal error Cannot parse sensitivity level in s0 This updates the parser to cope with this, so if no category is present, libvirtd will hardcode the equivalent of c0.c1023. Now this won't work if SELinux is in Enforcing mode, but that's not an issue, because the user can only get into this problem if in Permissive mode. This means they can now start VMs in Permissive mode without hitting that parsing error Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Pull the code which parses the current process MCS range out of virSecuritySELinuxMCSFind and into a new method virSecuritySELinuxMCSGetProcessRange. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The body of the loop in virSecuritySELinuxMCSFind would directly 'return NULL' on OOM, instead of jumping to the cleanup label. This caused a leak of several local vars. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 16 2月, 2013 1 次提交
-
-
由 John Ferlan 提交于
Coverity found the DACGenLabel was checking for mgr == NULL after a possible dereference; however, in order to get into the function the virSecurityManagerGenLabel would have already dereferenced sec_managers[i] so the check was unnecessary. Same check is made in SELinuxGenSecurityLabel.
-
- 14 2月, 2013 1 次提交
-
-
由 Laine Stump 提交于
The existing virSecurityManagerSetProcessLabel() API is designed so that it must be called after forking the child process, but before exec'ing the child. Due to the way the virCommand API works, that means it needs to be put in a "hook" function that virCommand is told to call out to at that time. Setting the child process label is a basic enough need when executing any process that virCommand should have a method of doing that. But virCommand must be told what label to set, and only the security driver knows the answer to that question. The new virSecurityManagerSet*Child*ProcessLabel() API is the way to transfer the knowledge about what label to set from the security driver to the virCommand object. It is given a virCommandPtr, and each security driver calls the appropriate virCommand* API to tell virCommand what to do between fork and exec. 1) in the case of the DAC security driver, it calls virCommandSetUID/GID() to set a uid and gid that must be set for the child process. 2) for the SELinux security driver, it calls virCommandSetSELinuxLabel() to save a copy of the char* that will be sent to setexeccon_raw() *after forking the child process*. 3) for the AppArmor security drivers, it calls virCommandSetAppArmorProfile() to save a copy of the char* that will be sent to aa_change_profile() *after forking the child process*. With this new API in place, we will be able to remove virSecurityManagerSetProcessLabel() from any virCommand pre-exec hooks. (Unfortunately, the LXC driver uses clone() rather than virCommand, so it can't take advantage of this new security driver API, meaning that we need to keep around the older virSecurityManagerSetProcessLabel(), at least for now.)
-
- 12 2月, 2013 2 次提交
-
-
由 Eric Blake 提交于
On RHEL 5, I got: security/security_selinux.c: In function 'getContext': security/security_selinux.c:971: warning: unused parameter 'mgr' [-Wunused-parameter] * src/security/security_selinux.c (getContext): Mark potentially unused parameter.
-
由 Daniel P. Berrange 提交于
The security manager drivers are not allowed to call back out to top level security manager APIs, since that results in recursive mutex acquisition and thus deadlock. Remove calls to virSecurityManagerGetModel from SELinux / AppArmor drivers Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 06 2月, 2013 2 次提交
-
-
由 Daniel P. Berrange 提交于
Rename all the usbDeviceXXX and usbXXXDevice APIs to have a fixed virUSBDevice name prefix
-
由 Daniel P. Berrange 提交于
Rename all the pciDeviceXXX and pciXXXDevice APIs to have a fixed virPCIDevice name prefix
-
- 24 1月, 2013 2 次提交
-
-
由 Jiri Denemark 提交于
-
由 Richard W.M. Jones 提交于
According to Eric Paris this is slightly more efficient because it only loads the regular expressions in libselinux once.
-
- 23 1月, 2013 1 次提交
-
-
由 John Ferlan 提交于
It was possible to call VIR_FREE in cleanup prior to initialization
-
- 22 1月, 2013 1 次提交
-
-
由 John Ferlan 提交于
Commit id a994ef2d changed the mechanism to store/update the default security label from using disk->seclabels[0] to allocating one on the fly. That change allocated the label, but never saved it. This patch will save the label. The new virDomainDiskDefAddSecurityLabelDef() is a copy of the virDomainDefAddSecurityLabelDef().
-
- 21 12月, 2012 8 次提交
-
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
由 Daniel P. Berrange 提交于
-
- 18 12月, 2012 4 次提交
-
-
由 Daniel P. Berrange 提交于
The SELinux security driver needs to learn to label storage/misc hostdev devices for LXC Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Prepare to support different types of hostdevs by refactoring the current SELinux security driver code Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
When LXC labels USB devices during hotplug, it is running in host context, so it needs to pass in a vroot path to the container root. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The virSecurityManager{Set,Restore}AllLabel methods are invoked at domain startup/shutdown to relabel resources associated with a domain. This works fine with QEMU, but with LXC they are in fact both currently no-ops since LXC does not support disks, hostdevs, or kernel/initrd files. Worse, when LXC gains support for disks/hostdevs, they will do the wrong thing, since they run in host context, not container context. Thus this patch turns then into a formal no-op when used with LXC. The LXC controller will call out to specific security manager labelling APIs as required during startup. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 17 12月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
The current SELinux policy only works for KVM guests, since TCG requires the 'execmem' privilege. There is a 'virt_use_execmem' boolean to turn this on globally, but that is unpleasant for users. This changes libvirt to automatically use a new 'svirt_tcg_t' context for TCG based guests. This obsoletes the previous boolean tunable and makes things 'just work(tm)' Since we can't assume we run with new enough policy, I also make us log a warning message (once only) if we find the policy lacks support. In this case we fallback to the normal label and expect users to set the boolean tunable Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 14 12月, 2012 1 次提交
-
-
由 Ján Tomko 提交于
In the case of an OOM error in virDomainDefGetSecurityLabelDef, secdef is set to NULL, then dereferenced while printing the debug message.
-
- 28 11月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
The impls of virSecurityManagerGetMountOptions had no way to return errors, since the code was treating 'NULL' as a success value. This is somewhat pointless, since the calling code did not want NULL in the first place and has to translate it into the empty string "". So change the code so that the impls can return "" directly, allowing use of NULL for error reporting once again Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 02 11月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
The libvirt coding standard is to use 'function(...args...)' instead of 'function (...args...)'. A non-trivial number of places did not follow this rule and are fixed in this patch. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 23 10月, 2012 1 次提交
-
-
由 Cole Robinson 提交于
When restoring selinux labels after a VM is stopped, any non-standard path that doesn't have a default selinux label causes the process to stop and exit early. This isn't really an error condition IMO. Of course the selinux API could be erroring for some other reason but hopefully that's rare enough to not need explicit handling. Common example here is storing disk images in a non-standard location like under /mnt.
-
- 20 10月, 2012 1 次提交
-
-
由 Eric Blake 提交于
We used to walk the backing file chain at least twice per disk, once to set up cgroup device whitelisting, and once to set up security labeling. Rather than walk the chain every iteration, which possibly includes calls to fork() in order to open root-squashed NFS files, we can exploit the cache of the previous patch. * src/conf/domain_conf.h (virDomainDiskDefForeachPath): Alter signature. * src/conf/domain_conf.c (virDomainDiskDefForeachPath): Require caller to supply backing chain via disk, if recursion is desired. * src/security/security_dac.c (virSecurityDACSetSecurityImageLabel): Adjust caller. * src/security/security_selinux.c (virSecuritySELinuxSetSecurityImageLabel): Likewise. * src/security/virt-aa-helper.c (get_files): Likewise. * src/qemu/qemu_cgroup.c (qemuSetupDiskCgroup) (qemuTeardownDiskCgroup): Likewise. (qemuSetupCgroup): Pre-populate chain.
-
- 17 10月, 2012 1 次提交
-
-
由 Guannan Ren 提交于
-
- 16 10月, 2012 1 次提交
-
-
由 Martin Kletzander 提交于
In commit 9674f2c6, I forgot to change selabel_lookup with the other functions, so this one-liner does exactly that.
-
- 15 10月, 2012 1 次提交
-
-
由 Guannan Ren 提交于
BZ:https://bugzilla.redhat.com/show_bug.cgi?id=851981 When using macvtap, a character device gets first created by kernel with name /dev/tapN, its selinux context is: system_u:object_r:device_t:s0 Shortly, when udev gets notification when new file is created in /dev, it will then jump in and relabel this file back to the expected default context: system_u:object_r:tun_tap_device_t:s0 There is a time gap happened. Sometimes, it will have migration failed, AVC error message: type=AVC msg=audit(1349858424.233:42507): avc: denied { read write } for pid=19926 comm="qemu-kvm" path="/dev/tap33" dev=devtmpfs ino=131524 scontext=unconfined_u:system_r:svirt_t:s0:c598,c908 tcontext=system_u:object_r:device_t:s0 tclass=chr_file This patch will label the tapfd device before qemu process starts: system_u:object_r:tun_tap_device_t:MCS(MCS from seclabel->label)
-
- 12 10月, 2012 1 次提交
-
-
由 Martin Kletzander 提交于
We are currently able to work only with non-translated SELinux contexts, but we are using functions that work with translated contexts throughout the code. This patch swaps all SELinux context translation relative calls with their raw sisters to avoid parsing problems. The problems can be experienced with mcstrans for example. The difference is that if you have translations enabled (yum install mcstrans; service mcstrans start), fgetfilecon_raw() will get you something like 'system_u:object_r:virt_image_t:s0', whereas fgetfilecon() will return 'system_u:object_r:virt_image_t:SystemLow' that we cannot parse. I was trying to confirm that the _raw variants were here since the dawn of time, but the only thing I see now is that it was imported together in the upstream repo [1] from svn, so before 2008. Thanks Laurent Bigonville for finding this out. [1] http://oss.tresys.com/git/selinux.git
-