- 25 Feb, 2020 3 commits
-
-
Committed by Michal Privoznik
There are some cases where we want to remember the original owner of a file but we fail to lock it for XATTR change (e.g. root squashed NFS). If that is the case we error out and refuse to start a domain. Well, we can do better if we disable remembering for paths we haven't locked successfully.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
-
Committed by Michal Privoznik
So far, in the lock state we are storing only the file descriptors of the files we've locked. Therefore, when unlocking them and something goes wrong the only thing we can report is FD number, which is not user friendly at all. But if we store paths along with FDs we can do better error reporting.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
-
Committed by Jim Fehlig
Commit fb01e1a4 missed including virutil.h, causing the following compilation error

    ../../src/security/virt-aa-helper.c:1055:43: error: implicit declaration of function 'virHostGetDRMRenderNode' [-Werror=implicit-function-declaration]
     1055 | char *defaultRenderNode = virHostGetDRMRenderNode();

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
-
- 24 Feb, 2020 2 commits
-
-
Committed by Ján Tomko
This module depends on domain_conf and is used directly by various hypervisor drivers. Move it to src/hypervisor.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
-
Committed by Christian Ehrhardt
Configuring vhost-user-gpu like:

    <video>
      <driver name='vhostuser'/>
      <model type='virtio' heads='1'/>
    </video>

Triggers an apparmor denial like:

    apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/qemu/vhost-user-gpu" pid=888257 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

This helper is provided by qemu for vhost-user-gpu and thereby being in the same path as qemu_bridge_helper. Due to that adding a rule allowing to call uses the same path list.

Reviewed-by: Jim Fehlig <jfehlig@suse.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
- 12 Feb, 2020 1 commit
-
-
Committed by Arnaud Patard
When emulating smartcard with host certificates, qemu needs to be able to read the certificates files. Add necessary code to add the smartcard certificates file path to the apparmor profile. Passthrough support has been tested with spicevmc and remote-viewer.

v2:
- Fix CodingStyle
- Add support for 'host' case.
- Add a comment to mention that the passthrough case doesn't need some configuration
- Use one rule with '{,*}' instead of two rules.

Signed-off-by: Arnaud Patard <apatard@hupstream.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
- 07 Feb, 2020 1 commit
-
-
Committed by Daniel P. Berrangé
This deletes all trace of gnulib from libvirt. We still have the keycodemapdb submodule to deal with. The simple solution taken was to update it when running autogen.sh. Previously gnulib could auto-trigger refresh when running 'make' too. We could figure out a solution for this, but with the pending meson rewrite it isn't worth worrying about, given how infrequently keycodemapdb changes.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 04 Feb, 2020 1 commit
-
-
Committed by Michal Privoznik
The configure script allows users to specify different paths for /etc/, /usr/sbin/, /var/run/ and /usr/libexec/. Instead of assuming user will pass expected value, generate the apparmor profiles using the actual values.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 31 Jan, 2020 1 commit
-
-
Committed by Christian Ehrhardt
Since a3ab6d42 "apparmor: convert libvirtd profile to a named profile" the detection of the subelement for qemu_bridge_helper is wrong. In combination with the older 123cc3e1 "apparmor: allow /usr/lib/qemu/qemu-bridge-helper" it now detects qemu-bridge-helper no more with its path, but instead as a proper subelement of the named profile like:

    label=libvirtd//qemu_bridge_helper

In the same fashion the reverse rule in the qemu_bridge_helper sub-profile still uses the path and not the named profile label. Triggering denies like:

    apparmor="DENIED" operation="file_inherit" profile="libvirtd//qemu_bridge_helper" pid=5629 comm="qemu-bridge-hel" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="libvirtd"

This patch fixes the unix socket rules for the communication between libvirtd and qemu-bridge-helper to match that.

Fixes: a3ab6d42
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1655111
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
- 30 Jan, 2020 4 commits
-
-
Committed by Ján Tomko
Also add a space after the start in some of the cases.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
-
Committed by Michal Privoznik
At the beginning of each profile we have a comment that says when the profile was last updated. In theory, it makes sense because one can see immediately if they are using an outdated profile. However, we don't do a good job in keeping the comments in sync with reality and also sysadmins should rather use their package manager to find out libvirt version which installed the profiles.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
Committed by Michal Privoznik
There are two more paths that we are missing in the default domain profile: /usr/share/edk2-ovmf/ and /usr/share/sgabios/. These exist on my Gentoo box and contain UEFI and BIOS images respectively.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
Committed by Michal Privoznik
Even though we construct a domain specific profile for each domain we start (which should cover domain specific paths), there is also another file that is included from the profile and which contains domain agnostic paths (e.g. to cover libraries that qemu links with). The paths in the file are split into blocks divided by comments. Sort the paths in each block individually (ignoring case sensitivity).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
- 29 Jan, 2020 5 commits
-
-
Committed by Daniel P. Berrangé
chown and some stat constants are not available on the Windows platform.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The S_ISSOCK macro is not available on Windows platforms.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The strchrnul function doesn't exist on Windows and rather than attempt to implement it, it is simpler to just avoid its usage, as any callers are easily adapted.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel Henrique Barboza
Files inside /dev/vfio/ can't be opened more than once, meaning that any subsequent open calls will fail. This behavior was introduced in kernel v3.11, commit 6d6768c61b39.

When using the VFIO driver, we open a FD to /dev/vfio/N and pass it to QEMU. If any other call attempt for the same /dev/vfio/N happens while QEMU is still using the file, we are unable to open it and QEMU will report -EBUSY. This can happen if we hotplug a PCI hostdev that belongs to the same IOMMU group of an existing domain hostdev.

The problem and solution is similar to what we already dealt with for TPM in commit 4e95cdcb. This patch changes both DAC and SELinux drivers to disable 'remember' for VFIO hostdevs in virSecurityDACSetHostdevLabelHelper() and virSecurityDACSetHostdevLabel(), and 'recall' in virSecurityDACRestoreHostdevLabel() and virSecuritySELinuxRestoreHostdevSubsysLabel().

Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
-
Committed by Daniel Henrique Barboza
There is a case in which we do not want 'remember' to be set to true in SetOwnership() calls inside the HostdevLabelHelper() functions of both DAC and SELinux drivers. Next patch will explain and handle that scenario.

For now, let's make virSecurityDACSetOwnership() and virSecuritySELinuxSetHostdevLabelHelper() accept a 'remember' flag, which will be used to set the 'remember' parameter of their respective SetOwnership() calls. No functional change is made.

Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
-
- 07 Jan, 2020 4 commits
-
-
Committed by Michal Privoznik
After one of previous commits (v5.10.0-524-gce56408e) there is a variable left unused in verify_xpath_context() which breaks the build.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
-
Committed by Daniel Henrique Barboza
Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
-
Committed by Sebastian Mitterle
Currently, when security driver is not available users are informed that it wasn't found which can be confusing.

1. Update error message
2. Add comment to domain doc

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Sebastian Mitterle <smitterl@redhat.com>
-
Committed by Dominick Grift
/dev/tap* is an invalid path but it works with lax policy. Make it work with more accurate policy as well.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Dominick Grift <dac.override@gmail.com>
-
- 03 Jan, 2020 3 commits
-
-
Committed by Daniel P. Berrangé
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
The GLib g_lstat() function provides a portable impl for Win32.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
Eliminate direct use of normal setenv/unsetenv calls in favour of GLib's wrapper. This eliminates two gnulib modules.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 17 Dec, 2019 1 commit
-
-
Committed by Michal Privoznik
This function is currently not called for any type of storage source that is not considered 'local' (as defined by virStorageSourceIsLocalStorage()). Well, NVMe disks are not 'local' from that point of view and therefore we will need to call this function more frequently.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
-
- 10 Dec, 2019 1 commit
-
-
Committed by Cole Robinson
Teach virt-aa-helper how to label a qcow2 data_file, tracked internally as externalDataStore. It should be treated the same as its sibling disk image.

Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
-
- 09 Dec, 2019 3 commits
-
-
Committed by Daniel P. Berrangé
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
This parameter is now unused and can be removed entirely.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
Committed by Daniel P. Berrangé
Moving their instance parameter to be the first one, and give consistent ordering of other parameters across all functions. Ensure that the xml options are passed into both functions in prep for future work.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 03 Dec, 2019 1 commit
-
-
Committed by Michal Privoznik
When SELinux support was first introduced the libselinux library wasn't that advanced and setfilecon_raw() or fsetfilecon_raw() could fail even when the target context was set. Looking at the current code [1][2] this is no longer the case. We can drop our workarounds.

1: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/setfilecon.c#L10
2: https://github.com/SELinuxProject/selinux/blob/master/libselinux/src/fsetfilecon.c#L10

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
-
- 21 Nov, 2019 5 commits
-
-
Committed by Christian Ehrhardt
Shared memory devices need qemu to be able to access certain paths either for the shared memory directly (mostly ivshmem-plain) or for a socket (mostly ivshmem-doorbell). Add logic to virt-aa-helper to render those apparmor rules based on the domain configuration.

https://bugzilla.redhat.com/show_bug.cgi?id=1761645

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
Committed by Christian Ehrhardt
There are currently broken use cases, e.g. snapshotting more than one disk at once like:

    $ virsh snapshot-create-as --domain eoan --disk-only --atomic --diskspec vda,snapshot=no --diskspec vdb,snapshot=no --diskspec vdc,file=/test/disk1.snapshot1.qcow,snapshot=external --diskspec vdd,file=/test/disk2.snapshot1.qcow,snapshot=external

The command above will iterate from qemuDomainSnapshotCreateDiskActive and eventually add /test/disk1.snapshot1.qcow first (appears in the rules) to then later add /test/disk2.snapshot1.qcow and while doing so throwing away the former rule causing it to fail.

All other calls to (re)load_profile already use append=true when adding rules, append=false is only used when restoring rules [1].

Fix this by letting AppArmorSetSecurityImageLabel use append=true as well.

Since this is removing a (unintentional) trigger to revoke all rules appended so far we agreed on review to do some tests, but in the tests no rules came back on:
- hot-plug
- hot-unplug
- snapshotting

Bugs:
https://bugs.launchpad.net/libvirt/+bug/1845506
https://bugzilla.redhat.com/show_bug.cgi?id=1746684

[1]: https://bugs.launchpad.net/libvirt/+bug/1845506/comments/13

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
Committed by Christian Ehrhardt
A lot of the code in AppArmorSetSecurityImageLabel is a duplicate of what is in reload_profile, this refactors AppArmorSetSecurityImageLabel to use reload_profile instead.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
Committed by Christian Ehrhardt
reload_profile calls get_profile_name for no particular gain, let's remove that call. The string isn't used in that function later on and not registered/passed anywhere.

It can only fail if it either can't allocate or if the virDomainDefPtr would have no uuid set (which isn't allowed). Thereby the only "check" it really provides is if it can allocate the string to then free it again.

This was initially added in [1] when the code was still in AppArmorRestoreSecurityImageLabel (later moved) and even back then had no further effect than described above.

[1]: https://libvirt.org/git/?p=libvirt.git;a=blob;f=src/security/security_apparmor.c;h=16de0f26f41689e0c50481120d9f8a59ba1f4073;hb=bbaecd6a8f15345bc822ab4b79eb0955986bb2fd#l487

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
Committed by Christian Ehrhardt
While only used internally from libvirt the options still are misleading enough to cause issues every now and then. Group modes, options and an adding extra file and extend the wording of the latter which had the biggest lack of clarity. Both add a file to the end of the rules, but one re-generates the rules from XML and the other keeps the existing rules as-is not considering the XML content.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
-
- 15 Nov, 2019 1 commit
-
-
Committed by Pavel Hrdina
Glib implementation follows the ISO C99 standard so it's safe to replace the gnulib implementation.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
-
- 12 Nov, 2019 1 commit
-
-
Committed by Michal Privoznik
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
-
- 25 Oct, 2019 1 commit
-
-
Committed by Peter Krempa
The function now does not return an error so we can drop it fully.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
-
- 23 Oct, 2019 1 commit
-
-
Committed by Pavel Hrdina
All OSes that we support have libselinux >= 2.5 except for Ubuntu 16.04 where the version is 2.4.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
-