- 25 9月, 2014 1 次提交
-
-
由 Cole Robinson 提交于
The check for ISCSI devices was missing a check of subsys type, which meant we could skip labelling of other host devices as well. This fixes USB hotplug on F21 https://bugzilla.redhat.com/show_bug.cgi?id=1145968
-
- 19 9月, 2014 1 次提交
-
-
由 Michal Privoznik 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1141879 A long time ago I've implemented support for so called multiqueue net. The idea was to let guest network traffic be processed by multiple host CPUs and thus increasing performance. However, this behavior is enabled by QEMU via special ioctl() iterated over the all tap FDs passed in by libvirt. Unfortunately, SELinux comes in and disallows the ioctl() call because the /dev/net/tun has label system_u:object_r:tun_tap_device_t:s0 and 'attach_queue' ioctl() is not allowed on tun_tap_device_t type. So after discussion with a SELinux developer we've decided that the FDs passed to the QEMU should be labelled with svirt_t type and SELinux policy will allow the ioctl(). Therefore I've made a patch (cf976d9d) that does exactly this. The patch was fixed then by a4431931 and b635b7a1. However, things are not that easy - even though the API to label FD is called (fsetfilecon_raw) the underlying file is labelled too! So effectively we are mangling /dev/net/tun label. Yes, that broke dozen of other application from openvpn, or boxes, to qemu running other domains. The best solution would be if SELinux provides a way to label an FD only, which could be then labeled when passed to the qemu. However that's a long path to go and we should fix this regression AQAP. So I went to talk to the SELinux developer again and we agreed on temporary solution that: 1) All the three patches are reverted 2) SELinux temporarily allows 'attach_queue' on the tun_tap_device_t Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 11 9月, 2014 2 次提交
-
-
由 Michal Privoznik 提交于
I've noticed two problem with the automatically created NVRAM varstore file. The first, even though I run qemu as root:root for some reason I get Permission denied when trying to open the _VARS.fd file. The problem is, the upper directory misses execute permissions, which in combination with us dropping some capabilities result in EPERM. The next thing is, that if I switch SELinux to enforcing mode, I get another EPERM because the vars file is not labeled correctly. It is passed to qemu as disk and hence should be labelled as disk. QEMU may write to it eventually, so this is different to kernel or initrd. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
After a4431931 the TAP FDs ale labeled with image label instead of the process label. On the other hand, the commit was incomplete as a few lines above, there's still old check for the process label presence while it should be check for the image label instead. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 10 9月, 2014 1 次提交
-
-
由 Michal Privoznik 提交于
QEMU now supports UEFI with the following command line: -drive file=/usr/share/OVMF/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on \ -drive file=/usr/share/OVMF/OVMF_VARS.fd,if=pflash,format=raw,unit=1 \ where the first line reflects <loader> and the second one <nvram>. Moreover, these two lines obsolete the -bios argument. Note that UEFI is unusable without ACPI. This is handled properly now. Among with this extension, the variable file is expected to be writable and hence we need security drivers to label it. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Acked-by: NLaszlo Ersek <lersek@redhat.com>
-
- 07 9月, 2014 1 次提交
-
-
由 Shivaprasad G Bhat 提交于
For security type='none' libvirt according to the docs should not generate seclabel be it for selinux or any model. So, skip the reservation of labels when type is none. Signed-off-by: NShivaprasad G Bhat <sbhat@linux.vnet.ibm.com>
-
- 01 9月, 2014 1 次提交
-
-
由 Martin Kletzander 提交于
The cleanup in commit cf976d9d used secdef->label to label the tap FDs, but that is not possible since it's process-only label (svirt_t) and not a object label (e.g. svirt_image_t). Starting a domain failed with EPERM, but simply using secdef->imagelabel instead of secdef->label fixes it. Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
-
- 20 8月, 2014 1 次提交
-
-
由 Michal Privoznik 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=1095636 When starting up the domain the domain's NICs are allocated. As of 1f24f682 (v1.0.6) we are able to use multiqueue feature on virtio NICs. It breaks network processing into multiple queues which can be processed in parallel by different host CPUs. The queues are, however, created by opening /dev/net/tun several times. Unfortunately, only the first FD in the row is labelled so when turning the multiqueue feature on in the guest, qemu will get AVC denial. Make sure we label all the FDs needed. Moreover, the default label of /dev/net/tun doesn't allow attaching a queue: type=AVC msg=audit(1399622478.790:893): avc: denied { attach_queue } for pid=7585 comm="qemu-kvm" scontext=system_u:system_r:svirt_t:s0:c638,c877 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=tun_socket And as suggested by SELinux maintainers, the tun FD should be labeled as svirt_t. Therefore, we don't need to adjust any range (as done previously by Guannan in ae368ebf) rather set the seclabel of the domain directly. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 24 7月, 2014 5 次提交
-
-
由 John Ferlan 提交于
Create the structures and API's to hold and manage the iSCSI host device. This extends the 'scsi_host' definitions added in commit id '5c811dce'. A future patch will add the XML parsing, but that code requires some infrastructure to be in place first in order to handle the differences between a 'scsi_host' and an 'iSCSI host' device.
-
由 John Ferlan 提交于
Split virDomainHostdevSubsysSCSI further. In preparation for having either SCSI or iSCSI data, create a union in virDomainHostdevSubsysSCSI to contain just a virDomainHostdevSubsysSCSIHost to describe the 'scsi_host' host device
-
由 John Ferlan 提交于
Create a separate typedef for the hostdev union data describing SCSI Then adjust the code to use the new pointer
-
由 John Ferlan 提交于
Create a separate typedef for the hostdev union data describing PCI. Then adjust the code to use the new pointer
-
由 John Ferlan 提交于
Create a separate typedef for the hostdev union data describing USB. Then adjust the code to use the new pointer
-
- 11 7月, 2014 2 次提交
-
-
由 Michal Privoznik 提交于
Similarly to the previous commit, boolean variables should not start with 'no-' prefix. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
This negation in names of boolean variables is driving me insane. The code is much more readable if we drop the 'no-' prefix. Well, at least for me. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 09 7月, 2014 2 次提交
-
-
由 Peter Krempa 提交于
Refactor the code and reuse it to implement the functionality.
-
由 Peter Krempa 提交于
Refactor the existing code to allow re-using it for the per-image label restore too.
-
- 08 7月, 2014 1 次提交
-
-
由 Peter Krempa 提交于
In the future we might need to track state of individual images. Move the readonly and shared flags to the virStorageSource struct so that we can keep them in a per-image basis.
-
- 26 6月, 2014 1 次提交
-
-
由 Peter Krempa 提交于
I'm going to add functions that will deal with individual image files rather than whole disks. Rename the security function to make room for the new one.
-
- 20 6月, 2014 3 次提交
-
-
由 Peter Krempa 提交于
I'm going to add functions that will deal with individual image files rather than whole disks. Rename the security function to make room for the new one.
-
由 Peter Krempa 提交于
Also remove one spurious ATTRIBUTE_UNUSED guarding the @migrated argument.
-
由 Peter Krempa 提交于
The image labels are stored in the virStorageSource struct. Convert the virDomainDiskDefGetSecurityLabelDef helper not to use the full disk def and move it appropriately.
-
- 12 6月, 2014 1 次提交
-
-
由 Peter Krempa 提交于
A network disk might actually be backed by local storage. Also the path iterator actually handles networked disks well now so remove the code that skips the labelling in dac and selinux security driver.
-
- 10 6月, 2014 1 次提交
-
-
由 Ján Tomko 提交于
This fixes startup of a domain with: <seclabel type='none' model='dac'/> on a host with selinux and dac drivers and security_default_confined = 0 https://bugzilla.redhat.com/show_bug.cgi?id=1105939 https://bugzilla.redhat.com/show_bug.cgi?id=1102611
-
- 06 6月, 2014 1 次提交
-
-
由 Eric Blake 提交于
As part of the work on backing chains, I'm finding that it would be easier to directly manipulate chains of pointers (adding a snapshot merely adjusts pointers to form the correct list) rather than copy data from one struct to another. This patch converts domain disk source to be a pointer. In this patch, the pointer is ALWAYS allocated (thanks in part to the previous patch forwarding all disk def allocation through a common point), and all other changse are just mechanical fallout of the new type; there should be no functional change. It is possible that we may want to leave the pointer NULL for a cdrom with no medium in a later patch, but as that requires a closer audit of the source to ensure we don't fault on a null dereference, I didn't do it here. * src/conf/domain_conf.h (_virDomainDiskDef): Change type of src. * src/conf/domain_conf.c: Adjust all clients. * src/security/security_selinux.c: Likewise. * src/qemu/qemu_domain.c: Likewise. * src/qemu/qemu_command.c: Likewise. * src/qemu/qemu_conf.c: Likewise. * src/qemu/qemu_process.c: Likewise. * src/qemu/qemu_migration.c: Likewise. * src/qemu/qemu_driver.c: Likewise. * src/lxc/lxc_driver.c: Likewise. * src/lxc/lxc_controller.c: Likewise. * tests/securityselinuxlabeltest.c: Likewise. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 24 4月, 2014 1 次提交
-
-
由 Peter Krempa 提交于
Switch over to storing of the backing chain as a recursive virStorageSource structure. This is a string based move. Currently the first element will be present twice in the backing chain as currently the retrieval function stores the parent in the newly detected chain. This will be fixed later.
-
- 22 4月, 2014 1 次提交
-
-
由 Nehal J Wani 提交于
Fix minor typos in source comments Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 02 4月, 2014 3 次提交
-
-
由 Eric Blake 提交于
The code in virstoragefile.c is getting more complex as I consolidate backing chain handling code. But for the setuid virt-login-shell, we don't need to crawl backing chains. It's easier to audit things for setuid security if there are fewer files involved, so this patch moves the one function that virFileOpen() was actually relying on to also live in virfile.c. * src/util/virstoragefile.c (virStorageFileIsSharedFS) (virStorageFileIsSharedFSType): Move... * src/util/virfile.c (virFileIsSharedFS, virFileIsSharedFSType): ...to here, and rename. (virFileOpenAs): Update caller. * src/security/security_selinux.c (virSecuritySELinuxSetFileconHelper) (virSecuritySELinuxSetSecurityAllLabel) (virSecuritySELinuxRestoreSecurityImageLabelInt): Likewise. * src/security/security_dac.c (virSecurityDACRestoreSecurityImageLabelInt): Likewise. * src/qemu/qemu_driver.c (qemuOpenFileAs): Likewise. * src/qemu/qemu_migration.c (qemuMigrationIsSafe): Likewise. * src/util/virstoragefile.h: Adjust declarations. * src/util/virfile.h: Likewise. * src/libvirt_private.syms (virfile.h, virstoragefile.h): Move symbols as appropriate. Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Eric Blake 提交于
A continuation of the migration of disk details to virstoragefile. This patch moves a single enum, but converting the name has quite a bit of fallout. * src/conf/domain_conf.h (virDomainDiskType): Move... * src/util/virstoragefile.h (virStorageType): ...and rename. * src/bhyve/bhyve_command.c (bhyveBuildDiskArgStr) (virBhyveProcessBuildLoadCmd): Update clients. * src/conf/domain_conf.c (virDomainDiskSourceDefParse) (virDomainDiskDefParseXML, virDomainDiskSourceDefFormatInternal) (virDomainDiskDefFormat, virDomainDiskGetActualType) (virDomainDiskDefForeachPath, virDomainDiskSourceIsBlockType): Likewise. * src/conf/snapshot_conf.h (_virDomainSnapshotDiskDef): Likewise. * src/conf/snapshot_conf.c (virDomainSnapshotDiskDefParseXML) (virDomainSnapshotAlignDisks, virDomainSnapshotDiskDefFormat): Likewise. * src/esx/esx_driver.c (esxAutodetectSCSIControllerModel) (esxDomainDefineXML): Likewise. * src/locking/domain_lock.c (virDomainLockManagerAddDisk): Likewise. * src/lxc/lxc_controller.c (virLXCControllerSetupLoopDeviceDisk) (virLXCControllerSetupNBDDeviceDisk) (virLXCControllerSetupLoopDevices, virLXCControllerSetupDisk): Likewise. * src/parallels/parallels_driver.c (parallelsGetHddInfo): Likewise. * src/phyp/phyp_driver.c (phypDiskType): Likewise. * src/qemu/qemu_command.c (qemuGetDriveSourceString) (qemuDomainDiskGetSourceString, qemuBuildDriveStr) (qemuBuildCommandLine, qemuParseCommandLineDisk) (qemuParseCommandLine): Likewise. * src/qemu/qemu_conf.c (qemuCheckSharedDevice) (qemuTranslateDiskSourcePool) (qemuTranslateSnapshotDiskSourcePool): Likewise. * src/qemu/qemu_domain.c (qemuDomainDeviceDefPostParse) (qemuDomainDetermineDiskChain): Likewise. * src/qemu/qemu_driver.c (qemuDomainGetBlockInfo) (qemuDomainSnapshotPrepareDiskExternalBackingInactive) (qemuDomainSnapshotPrepareDiskExternalBackingActive) (qemuDomainSnapshotPrepareDiskExternalOverlayActive) (qemuDomainSnapshotPrepareDiskExternalOverlayInactive) (qemuDomainSnapshotPrepareDiskInternal) (qemuDomainSnapshotPrepare) (qemuDomainSnapshotCreateSingleDiskActive): Likewise. * src/qemu/qemu_hotplug.c (qemuDomainChangeEjectableMedia): Likewise. * src/qemu/qemu_migration.c (qemuMigrationIsSafe): Likewise. * src/security/security_apparmor.c (AppArmorRestoreSecurityImageLabel) (AppArmorSetSecurityImageLabel): Likewise. * src/security/security_dac.c (virSecurityDACSetSecurityImageLabel) (virSecurityDACRestoreSecurityImageLabelInt) (virSecurityDACSetSecurityAllLabel): Likewise. * src/security/security_selinux.c (virSecuritySELinuxRestoreSecurityImageLabelInt) (virSecuritySELinuxSetSecurityImageLabel) (virSecuritySELinuxSetSecurityAllLabel): Likewise. * src/storage/storage_backend.c (virStorageFileBackendForType): Likewise. * src/storage/storage_backend_fs.c (virStorageFileBackendFile) (virStorageFileBackendBlock): Likewise. * src/storage/storage_backend_gluster.c (virStorageFileBackendGluster): Likewise. * src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc, vboxAttachDrives) (vboxDomainAttachDeviceImpl, vboxDomainDetachDevice): Likewise. * src/vmware/vmware_conf.c (vmwareVmxPath): Likewise. * src/vmx/vmx.c (virVMXParseDisk, virVMXFormatDisk) (virVMXFormatFloppy): Likewise. * src/xenxs/xen_sxpr.c (xenParseSxprDisks, xenParseSxpr) (xenFormatSxprDisk): Likewise. * src/xenxs/xen_xm.c (xenParseXM, xenFormatXMDisk): Likewise. * tests/securityselinuxlabeltest.c (testSELinuxLoadDef): Likewise. * src/libvirt_private.syms (domain_conf.h): Move symbols... (virstoragefile.h): ...as appropriate. Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Eric Blake 提交于
In order to reuse the newly-created host-side disk struct in the virstoragefile backing chain code, I first have to move it to util/. This starts the process, by first moving the security label structures. * src/conf/domain_conf.h (virDomainDefGenSecurityLabelDef) (virDomainDiskDefGenSecurityLabelDef, virSecurityLabelDefFree) (virSecurityDeviceLabelDefFree, virSecurityLabelDef) (virSecurityDeviceLabelDef): Move... * src/util/virseclabel.h: ...to new file. (virSecurityLabelDefNew, virSecurityDeviceLabelDefNew): Rename the GenSecurity functions. * src/qemu/qemu_process.c (qemuProcessAttach): Adjust callers. * src/security/security_manager.c (virSecurityManagerGenLabel): Likewise. * src/security/security_selinux.c (virSecuritySELinuxSetSecurityFileLabel): Likewise. * src/util/virseclabel.c: New file. * src/conf/domain_conf.c: Move security code, and fix fallout. * src/Makefile.am (UTIL_SOURCES): Build new file. * src/libvirt_private.syms (domain_conf.h): Move symbols... (virseclabel.h): ...to new section. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 25 3月, 2014 3 次提交
-
-
由 Ján Tomko 提交于
-
由 Eric Blake 提交于
It's finally time to start tracking disk backing chains in <domain> XML. The first step is to start refactoring code so that we have an object more convenient for representing each host source resource in the context of a single guest <disk>. Ultimately, I plan to move the new type into src/util where it can be reused by virStorageFile, but to make the transition easier to review, this patch just creates the new type then fixes everything until it compiles again. * src/conf/domain_conf.h (_virDomainDiskDef): Split... (_virDomainDiskSourceDef): ...to new struct. (virDomainDiskAuthClear): Use new type. * src/conf/domain_conf.c (virDomainDiskDefFree): Split... (virDomainDiskSourceDefClear): ...to new function. (virDomainDiskGetType, virDomainDiskSetType) (virDomainDiskGetSource, virDomainDiskSetSource) (virDomainDiskGetDriver, virDomainDiskSetDriver) (virDomainDiskGetFormat, virDomainDiskSetFormat) (virDomainDiskAuthClear, virDomainDiskGetActualType) (virDomainDiskDefParseXML, virDomainDiskSourceDefFormat) (virDomainDiskDefFormat, virDomainDiskDefForeachPath) (virDomainDiskDefGetSecurityLabelDef) (virDomainDiskSourceIsBlockType): Adjust all users. * src/lxc/lxc_controller.c (virLXCControllerSetupDisk): Likewise. * src/lxc/lxc_driver.c (lxcDomainAttachDeviceMknodHelper): Likewise. * src/qemu/qemu_command.c (qemuAddRBDHost, qemuParseRBDString) (qemuParseDriveURIString, qemuParseGlusterString) (qemuParseISCSIString, qemuParseNBDString) (qemuDomainDiskGetSourceString, qemuBuildDriveStr) (qemuBuildCommandLine, qemuParseCommandLineDisk) (qemuParseCommandLine): Likewise. * src/qemu/qemu_conf.c (qemuCheckSharedDevice) (qemuAddISCSIPoolSourceHost, qemuTranslateDiskSourcePool): Likewise. * src/qemu/qemu_driver.c (qemuDomainUpdateDeviceConfig) (qemuDomainPrepareDiskChainElement) (qemuDomainSnapshotCreateInactiveExternal) (qemuDomainSnapshotPrepareDiskExternalBackingInactive) (qemuDomainSnapshotPrepareDiskInternal) (qemuDomainSnapshotPrepare) (qemuDomainSnapshotCreateSingleDiskActive) (qemuDomainSnapshotUndoSingleDiskActive) (qemuDomainBlockPivot, qemuDomainBlockJobImpl) (qemuDomainBlockCopy, qemuDomainBlockCommit): Likewise. * src/qemu/qemu_migration.c (qemuMigrationIsSafe): Likewise. * src/qemu/qemu_process.c (qemuProcessGetVolumeQcowPassphrase) (qemuProcessInitPasswords): Likewise. * src/security/security_selinux.c (virSecuritySELinuxSetSecurityFileLabel): Likewise. * src/storage/storage_driver.c (virStorageFileInitFromDiskDef): Likewise. * tests/securityselinuxlabeltest.c (testSELinuxLoadDef): Likewise. Signed-off-by: NEric Blake <eblake@redhat.com>
-
由 Eric Blake 提交于
Part of a series of cleanups to use new accessor methods. * src/security/security_dac.c (virSecurityDACSetSecurityImageLabel) (virSecurityDACRestoreSecurityImageLabelInt) (virSecurityDACSetSecurityAllLabel): Use accessors. * src/security/security_selinux.c (virSecuritySELinuxRestoreSecurityImageLabelInt) (virSecuritySELinuxSetSecurityImageLabel) (virSecuritySELinuxSetSecurityAllLabel): Likewise. Signed-off-by: NEric Blake <eblake@redhat.com>
-
- 20 3月, 2014 1 次提交
-
-
由 Scott Sullivan 提交于
Per the documentation, is_selinux_enabled() returns -1 on error. Account for this. Previously when -1 was being returned the condition would still be true. I was noticing this because on my system that has selinux disabled I was getting this in the libvirt.log every 5 seconds: error : virIdentityGetSystem:173 : Unable to lookup SELinux process context: Invalid argument With this patch applied, I no longer get these messages every 5 seconds. I am submitting this in case its deemed useful for inclusion. Anyone have any comments on this change? This is a patch off current master. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 18 3月, 2014 1 次提交
-
-
由 Daniel P. Berrange 提交于
Any source file which calls the logging APIs now needs to have a VIR_LOG_INIT("source.name") declaration at the start of the file. This provides a static variable of the virLogSource type. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 06 2月, 2014 1 次提交
-
-
由 Ján Tomko 提交于
Commit 2ce63c16 added imagelabel generation when relabeling is turned off. But we weren't filling out the sensitivity for type 'none' labels, resulting in an invalid label: $ virsh managedsave domain error: unable to set security context 'system_u:object_r:svirt_image_t' on fd 28: Invalid argument
-
- 30 1月, 2014 1 次提交
-
-
由 Osier Yang 提交于
To support passing the path of the test data to the utils, one more argument is added to virSCSIDeviceGetSgName, virSCSIDeviceGetDevName, and virSCSIDeviceNew, and the related code is changed accordingly. Later tests for the scsi utils will be based on this patch. Signed-off-by: NOsier Yang <jyang@redhat.com>
-
- 23 1月, 2014 1 次提交
-
-
由 Osier Yang 提交于
Unlike the host devices of other types, SCSI host device XML supports "shareable" tag. This patch introduces it for the virSCSIDevice struct for a later patch use (to detect if the SCSI device is shareable when preparing the SCSI host device in QEMU driver).
-
- 17 1月, 2014 1 次提交
-
-
由 Michal Privoznik 提交于
https://bugzilla.redhat.com/show_bug.cgi?id=996543 When starting up a domain, the SELinux labeling is done depending on current configuration. If the labeling fails we check for possible causes, as not all labeling failures are fatal. For example, if the labeled file is on NFS which lacks SELinux support, the file can still be readable to qemu process. These cases are distinguished by the errno code: NFS without SELinux support returns EOPNOTSUPP. However, we were missing one scenario. In case there's a read-only disk on a read-only NFS (and possibly any FS) and the labeling is just optional (not explicitly requested in the XML) there's no need to make the labeling error fatal. In other words, read-only file on read-only NFS can fail to be labeled, but be readable at the same time. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 04 12月, 2013 1 次提交
-
-
由 Daniel P. Berrange 提交于
The SELinux security driver would overwrite errors from the virConfReadFile function. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-