You need to sign in or sign up before continuing.
  1. 24 4月, 2013 1 次提交
  2. 17 4月, 2013 1 次提交
    • O
      cleanup: Remove the duplicate header · bc95be5d
      Osier Yang 提交于
      Detected by a simple Shell script:
      
      for i in $(git ls-files -- '*.[ch]'); do
          awk 'BEGIN {
              fail=0
          }
          /# *include.*\.h/{
              match($0, /["<][^">]*[">]/)
              arr[substr($0, RSTART+1, RLENGTH-2)]++
          }
          END {
              for (key in arr) {
                  if (arr[key] > 1) {
                      fail=1
                      printf("%d %s\n", arr[key], key)
                  }
              }
              if (fail == 1)
                  exit 1
          }' $i
      
          if test $? != 0; then
              echo "Duplicate header(s) in $i"
          fi
      done;
      
      A later patch will add the syntax-check to avoid duplicate
      headers.
      bc95be5d
  3. 13 4月, 2013 1 次提交
  4. 28 3月, 2013 1 次提交
  5. 20 3月, 2013 1 次提交
  6. 14 3月, 2013 3 次提交
    • D
      Fix parsing of SELinux ranges without a category · 1732c1c6
      Daniel P. Berrange 提交于
      Normally libvirtd should run with a SELinux label
      
        system_u:system_r:virtd_t:s0-s0:c0.c1023
      
      If a user manually runs libvirtd though, it is sometimes
      possible to get into a situation where it is running
      
        system_u:system_r:init_t:s0
      
      The SELinux security driver isn't expecting this and can't
      parse the security label since it lacks the ':c0.c1023' part
      causing it to complain
      
        internal error Cannot parse sensitivity level in s0
      
      This updates the parser to cope with this, so if no category
      is present, libvirtd will hardcode the equivalent of c0.c1023.
      
      Now this won't work if SELinux is in Enforcing mode, but that's
      not an issue, because the user can only get into this problem
      if in Permissive mode. This means they can now start VMs in
      Permissive mode without hitting that parsing error
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      1732c1c6
    • D
      Separate MCS range parsing from MCS range checking · 4a92fe44
      Daniel P. Berrange 提交于
      Pull the code which parses the current process MCS range
      out of virSecuritySELinuxMCSFind and into a new method
      virSecuritySELinuxMCSGetProcessRange.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      4a92fe44
    • D
      Fix memory leak on OOM in virSecuritySELinuxMCSFind · f2d8190c
      Daniel P. Berrange 提交于
      The body of the loop in virSecuritySELinuxMCSFind would
      directly 'return NULL' on OOM, instead of jumping to the
      cleanup label. This caused a leak of several local vars.
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      f2d8190c
  7. 16 2月, 2013 1 次提交
    • J
      security: Remove unnecessary checks for mgr == NULL · 676688b6
      John Ferlan 提交于
      Coverity found the DACGenLabel was checking for mgr == NULL after a
      possible dereference; however, in order to get into the function the
      virSecurityManagerGenLabel would have already dereferenced sec_managers[i]
      so the check was unnecessary. Same check is made in SELinuxGenSecurityLabel.
      676688b6
  8. 14 2月, 2013 1 次提交
    • L
      security: add new virSecurityManagerSetChildProcessLabel API · 7bf1aa0b
      Laine Stump 提交于
      The existing virSecurityManagerSetProcessLabel() API is designed so
      that it must be called after forking the child process, but before
      exec'ing the child. Due to the way the virCommand API works, that
      means it needs to be put in a "hook" function that virCommand is told
      to call out to at that time.
      
      Setting the child process label is a basic enough need when executing
      any process that virCommand should have a method of doing that. But
      virCommand must be told what label to set, and only the security
      driver knows the answer to that question.
      
      The new virSecurityManagerSet*Child*ProcessLabel() API is the way to
      transfer the knowledge about what label to set from the security
      driver to the virCommand object. It is given a virCommandPtr, and each
      security driver calls the appropriate virCommand* API to tell
      virCommand what to do between fork and exec.
      
      1) in the case of the DAC security driver, it calls
      virCommandSetUID/GID() to set a uid and gid that must be set for the
      child process.
      
      2) for the SELinux security driver, it calls
      virCommandSetSELinuxLabel() to save a copy of the char* that will be
      sent to setexeccon_raw() *after forking the child process*.
      
      3) for the AppArmor security drivers, it calls
      virCommandSetAppArmorProfile() to save a copy of the char* that will
      be sent to aa_change_profile() *after forking the child process*.
      
      With this new API in place, we will be able to remove
      virSecurityManagerSetProcessLabel() from any virCommand pre-exec
      hooks.
      
      (Unfortunately, the LXC driver uses clone() rather than virCommand, so
      it can't take advantage of this new security driver API, meaning that
      we need to keep around the older virSecurityManagerSetProcessLabel(),
      at least for now.)
      7bf1aa0b
  9. 12 2月, 2013 2 次提交
  10. 06 2月, 2013 2 次提交
  11. 24 1月, 2013 2 次提交
  12. 23 1月, 2013 1 次提交
  13. 22 1月, 2013 1 次提交
    • J
      selinux: Resolve resource leak using the default disk label · 05cc0351
      John Ferlan 提交于
      Commit id a994ef2d changed the mechanism to store/update the default
      security label from using disk->seclabels[0] to allocating one on the
      fly. That change allocated the label, but never saved it.  This patch
      will save the label. The new virDomainDiskDefAddSecurityLabelDef() is
      a copy of the virDomainDefAddSecurityLabelDef().
      05cc0351
  14. 21 12月, 2012 8 次提交
  15. 18 12月, 2012 4 次提交
  16. 17 12月, 2012 1 次提交
    • D
      Support custom 'svirt_tcg_t' context for TCG based guests · 77d3a809
      Daniel P. Berrange 提交于
      The current SELinux policy only works for KVM guests, since
      TCG requires the 'execmem' privilege. There is a 'virt_use_execmem'
      boolean to turn this on globally, but that is unpleasant for users.
      This changes libvirt to automatically use a new 'svirt_tcg_t'
      context for TCG based guests. This obsoletes the previous
      boolean tunable and makes things 'just work(tm)'
      
      Since we can't assume we run with new enough policy, I also
      make us log a warning message (once only) if we find the policy
      lacks support. In this case we fallback to the normal label and
      expect users to set the boolean tunable
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      77d3a809
  17. 14 12月, 2012 1 次提交
  18. 28 11月, 2012 1 次提交
    • D
      Fix error handling in virSecurityManagerGetMountOptions · 3f6470f7
      Daniel P. Berrange 提交于
      The impls of virSecurityManagerGetMountOptions had no way to
      return errors, since the code was treating 'NULL' as a success
      value. This is somewhat pointless, since the calling code did
      not want NULL in the first place and has to translate it into
      the empty string "". So change the code so that the impls can
      return "" directly, allowing use of NULL for error reporting
      once again
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      3f6470f7
  19. 02 11月, 2012 1 次提交
  20. 23 10月, 2012 1 次提交
    • C
      selinux: Don't fail RestoreAll if file doesn't have a default label · 767be8be
      Cole Robinson 提交于
      When restoring selinux labels after a VM is stopped, any non-standard
      path that doesn't have a default selinux label causes the process
      to stop and exit early. This isn't really an error condition IMO.
      
      Of course the selinux API could be erroring for some other reason
      but hopefully that's rare enough to not need explicit handling.
      
      Common example here is storing disk images in a non-standard location
      like under /mnt.
      767be8be
  21. 20 10月, 2012 1 次提交
    • E
      storage: use cache to walk backing chain · 38c4a9cc
      Eric Blake 提交于
      We used to walk the backing file chain at least twice per disk,
      once to set up cgroup device whitelisting, and once to set up
      security labeling.  Rather than walk the chain every iteration,
      which possibly includes calls to fork() in order to open root-squashed
      NFS files, we can exploit the cache of the previous patch.
      
      * src/conf/domain_conf.h (virDomainDiskDefForeachPath): Alter
      signature.
      * src/conf/domain_conf.c (virDomainDiskDefForeachPath): Require caller
      to supply backing chain via disk, if recursion is desired.
      * src/security/security_dac.c
      (virSecurityDACSetSecurityImageLabel): Adjust caller.
      * src/security/security_selinux.c
      (virSecuritySELinuxSetSecurityImageLabel): Likewise.
      * src/security/virt-aa-helper.c (get_files): Likewise.
      * src/qemu/qemu_cgroup.c (qemuSetupDiskCgroup)
      (qemuTeardownDiskCgroup): Likewise.
      (qemuSetupCgroup): Pre-populate chain.
      38c4a9cc
  22. 17 10月, 2012 1 次提交
  23. 16 10月, 2012 1 次提交
  24. 15 10月, 2012 1 次提交
    • G
      selinux: add security selinux function to label tapfd · ae368ebf
      Guannan Ren 提交于
      BZ:https://bugzilla.redhat.com/show_bug.cgi?id=851981
      When using macvtap, a character device gets first created by
      kernel with name /dev/tapN, its selinux context is:
      system_u:object_r:device_t:s0
      
      Shortly, when udev gets notification when new file is created
      in /dev, it will then jump in and relabel this file back to the
      expected default context:
      system_u:object_r:tun_tap_device_t:s0
      
      There is a time gap happened.
      Sometimes, it will have migration failed, AVC error message:
      type=AVC msg=audit(1349858424.233:42507): avc:  denied  { read write } for
      pid=19926 comm="qemu-kvm" path="/dev/tap33" dev=devtmpfs ino=131524
      scontext=unconfined_u:system_r:svirt_t:s0:c598,c908
      tcontext=system_u:object_r:device_t:s0 tclass=chr_file
      
      This patch will label the tapfd device before qemu process starts:
      system_u:object_r:tun_tap_device_t:MCS(MCS from seclabel->label)
      ae368ebf
  25. 12 10月, 2012 1 次提交
    • M
      selinux: Use raw contexts · 9674f2c6
      Martin Kletzander 提交于
      We are currently able to work only with non-translated SELinux
      contexts, but we are using functions that work with translated
      contexts throughout the code.  This patch swaps all SELinux context
      translation relative calls with their raw sisters to avoid parsing
      problems.
      
      The problems can be experienced with mcstrans for example.  The
      difference is that if you have translations enabled (yum install
      mcstrans; service mcstrans start), fgetfilecon_raw() will get you
      something like 'system_u:object_r:virt_image_t:s0', whereas
      fgetfilecon() will return 'system_u:object_r:virt_image_t:SystemLow'
      that we cannot parse.
      
      I was trying to confirm that the _raw variants were here since the dawn of
      time, but the only thing I see now is that it was imported together in
      the upstream repo [1] from svn, so before 2008.
      
      Thanks Laurent Bigonville for finding this out.
      
      [1] http://oss.tresys.com/git/selinux.git
      9674f2c6