1. 25 2月, 2020 2 次提交
  2. 29 1月, 2020 1 次提交
  3. 07 1月, 2020 1 次提交
  4. 16 10月, 2019 1 次提交
  5. 15 10月, 2019 1 次提交
  6. 14 10月, 2019 4 次提交
  7. 18 7月, 2019 2 次提交
  8. 03 7月, 2019 1 次提交
  9. 10 4月, 2019 2 次提交
  10. 31 1月, 2019 2 次提交
  11. 14 12月, 2018 1 次提交
    • D
      Remove all Author(s): lines from source file headers · 60046283
      Daniel P. Berrangé 提交于
      In many files there are header comments that contain an Author:
      statement, supposedly reflecting who originally wrote the code.
      In a large collaborative project like libvirt, any non-trivial
      file will have been modified by a large number of different
      contributors. IOW, the Author: comments are quickly out of date,
      omitting people who have made significant contribitions.
      
      In some places Author: lines have been added despite the person
      merely being responsible for creating the file by moving existing
      code out of another file. IOW, the Author: lines give an incorrect
      record of authorship.
      
      With this all in mind, the comments are useless as a means to identify
      who to talk to about code in a particular file. Contributors will always
      be better off using 'git log' and 'git blame' if they need to  find the
      author of a particular bit of code.
      
      This commit thus deletes all Author: comments from the source and adds
      a rule to prevent them reappearing.
      
      The Copyright headers are similarly misleading and inaccurate, however,
      we cannot delete these as they have legal meaning, despite being largely
      inaccurate. In addition only the copyright holder is permitted to change
      their respective copyright statement.
      Reviewed-by: NErik Skultety <eskultet@redhat.com>
      Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
      60046283
  12. 16 11月, 2018 3 次提交
  13. 18 9月, 2018 2 次提交
    • M
      security_manager: Introduce metadata locking APIs · c34f1199
      Michal Privoznik 提交于
      Two new APIs are added so that security driver can lock and
      unlock paths it wishes to touch. These APIs are not for other
      drivers to call but security drivers (DAC and SELinux). That is
      the reason these APIs are not exposed through our
      libvirt_private.syms file.
      
      Three interesting things happen in this commit. The first is the
      global @lockManagerMutex. Unfortunately, this has to exist so that
      there is only one thread talking to virtlockd at a time. If there
      were more threads and one of them closed the connection
      prematurely, it would cause virtlockd killing libvirtd. Instead
      of complicated code that would handle that, let's have a mutex
      and keep the code simple.
      
      The second interesting thing is keeping connection open between
      lock and unlock API calls. This is achieved by duplicating client
      FD and keeping it open until unlock is called. This trick is used
      by regular disk content locking code when the FD is leaked to
      qemu.
      
      Finally, the third thing is polling implemented at client side.
      Since virtlockd has only one thread that handles locking
      requests, all it can do is either acquire lock or error out.
      Therefore, the polling has to be implemented in client. The
      polling is capped at 60 second timeout, which should be plenty
      since the metadata lock is held only for a fraction of a second.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      c34f1199
    • M
      security_manager: Load lock plugin on init · 3e26b476
      Michal Privoznik 提交于
      Now that we know what metadata lock manager user wishes to use we
      can load it when initializing security driver. This is achieved
      by adding new argument to virSecurityManagerNewDriver() and
      subsequently to all functions that end up calling it.
      
      The cfg.mk change is needed in order to allow lock_manager.h
      inclusion in security driver without 'syntax-check' complaining.
      This is safe thing to do as locking APIs will always exist (it's
      only backend implementation that changes). However, instead of
      allowing the include for all other drivers (like cpu, network,
      and so on) allow it only for security driver. This will still
      trigger the error if including from other drivers.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      3e26b476
  14. 17 9月, 2018 1 次提交
  15. 05 9月, 2018 2 次提交
  16. 08 6月, 2018 1 次提交
  17. 06 6月, 2018 1 次提交
    • S
      security: Label the external swtpm with SELinux labels · 2fc665bb
      Stefan Berger 提交于
      In this patch we label the swtpm process with SELinux labels. We give it the
      same label as the QEMU process has. We label its state directory and files
      as well. We restore the old security labels once the swtpm has terminated.
      
      The file and process labels now look as follows:
      
      Directory: /var/lib/libvirt/swtpm
      
      [root@localhost swtpm]# ls -lZ
      total 4
      rwx------. 2 tss  tss  system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm
      
      [root@localhost testvm]# ls -lZ
      total 8
      -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall
      
      The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
      
      -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log
      
      [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
      system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0  0.0 28172  3892 ?        Ss   16:57   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
      
      [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
      system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0  0.0 3096704 48500 ?    Sl   16:57   3:28 /bin/qemu-system-x86_64 [..]
      Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com>
      Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
      Reviewed-by: NJán Tomko <jtomko@redhat.com>
      2fc665bb
  18. 18 4月, 2018 1 次提交
    • M
      virobject: Introduce VIR_CLASS_NEW() macro · 10f94828
      Michal Privoznik 提交于
      So far we are repeating the following lines over and over:
      
        if (!(virSomeObjectClass = virClassNew(virClassForObject(),
                                   "virSomeObject",
                                   sizeof(virSomeObject),
                                   virSomeObjectDispose)))
            return -1;
      
      While this works, it is impossible to do some checking. Firstly,
      the class name (the 2nd argument) doesn't match the name in the
      code in all cases (the 3rd argument). Secondly, the current style
      is needlessly verbose. This commit turns example into following:
      
        if (!(VIR_CLASS_NEW(virSomeObject,
                            virClassForObject)))
            return -1;
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
      10f94828
  19. 10 1月, 2018 1 次提交
    • C
      security: full path option for DomainSetPathLabel · a5486e57
      Christian Ehrhardt 提交于
      virSecurityManagerDomainSetPathLabel is used to make a path known
      to the security modules, but today is used interchangably for
       - paths to files/dirs to be accessed directly
       - paths to a dir, but the access will actually be to files therein
      
      Depending on the security module it is important to know which of
      these types it will be.
      
      The argument allowSubtree augments the call to the implementations of
      DomainSetPathLabel that can - per security module - decide if extra
      actions shall be taken.
      
      For now dac/selinux handle this as before, but apparmor will make
      use of it to add a wildcard to the path that was passed.
      Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com>
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      a5486e57
  20. 05 12月, 2017 1 次提交
  21. 25 11月, 2017 1 次提交
  22. 25 9月, 2017 1 次提交
  23. 13 9月, 2017 1 次提交
    • C
      security: add MANAGER_MOUNT_NAMESPACE flag · 321031e4
      Cole Robinson 提交于
      The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver
      if mount namespaces are in use for the VM. Will be used for future
      changes.
      
      Wire it up in the qemu driver
      321031e4
  24. 21 8月, 2017 1 次提交
    • J
      Don't autogenerate seclabels of type 'none' · 0f1993aa
      Jim Fehlig 提交于
      When security drivers are active but confinement is not enabled,
      there is no need to autogenerate <seclabel> elements when starting
      a domain def that contains no <seclabel> elements. In fact,
      autogenerating the elements can result in needless save/restore and
      migration failures when the security driver is not active on the
      restore/migration target.
      
      This patch changes the virSecurityManagerGenLabel function in
      src/security_manager.c to only autogenerate a <seclabel> element
      if none is already defined for the domain *and* default
      confinement is enabled. Otherwise the needless <seclabel>
      autogeneration is skipped.
      
      Resolves: https://bugzilla.opensuse.org/show_bug.cgi?id=1051017
      0f1993aa
  25. 16 6月, 2017 2 次提交
  26. 15 3月, 2017 1 次提交
  27. 10 1月, 2017 1 次提交
    • M
      security driver: Introduce transaction APIs · 95576b4d
      Michal Privoznik 提交于
      With our new qemu namespace code in place, the relabelling of
      devices is done not as good is it could: a child process is
      spawned, it enters the mount namespace of the qemu process and
      then runs desired API of the security driver.
      
      Problem with this approach is that internal state transition of
      the security driver done in the child process is not reflected in
      the parent process. While currently it wouldn't matter that much,
      it is fairly easy to forget about that. We should take the extra
      step now while this limitation is still fresh in our minds.
      
      Three new APIs are introduced here:
        virSecurityManagerTransactionStart()
        virSecurityManagerTransactionCommit()
        virSecurityManagerTransactionAbort()
      
      The Start() is going to be used to let security driver know that
      we are starting a new transaction. During a transaction no
      security labels are actually touched, but rather recorded and
      only at Commit() phase they are actually updated. Should
      something go wrong Abort() aborts the transaction freeing up all
      memory allocated by transaction.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      95576b4d
  28. 08 12月, 2016 1 次提交