1. 25 9月, 2014 1 次提交
  2. 19 9月, 2014 1 次提交
    • M
      virSecuritySELinuxSetTapFDLabel: Temporarily revert to old behavior · ba7468db
      Michal Privoznik 提交于
      https://bugzilla.redhat.com/show_bug.cgi?id=1141879
      
      A long time ago I've implemented support for so called multiqueue
      net.  The idea was to let guest network traffic be processed by
      multiple host CPUs and thus increasing performance. However, this
      behavior is enabled by QEMU via special ioctl() iterated over the
      all tap FDs passed in by libvirt. Unfortunately, SELinux comes in
      and disallows the ioctl() call because the /dev/net/tun has label
      system_u:object_r:tun_tap_device_t:s0 and 'attach_queue' ioctl()
      is not allowed on tun_tap_device_t type. So after discussion with
      a SELinux developer we've decided that the FDs passed to the QEMU
      should be labelled with svirt_t type and SELinux policy will
      allow the ioctl(). Therefore I've made a patch
      (cf976d9d) that does exactly this. The patch
      was fixed then by a4431931 and
      b635b7a1. However, things are not
      that easy - even though the API to label FD is called
      (fsetfilecon_raw) the underlying file is labelled too! So
      effectively we are mangling /dev/net/tun label. Yes, that broke
      dozen of other application from openvpn, or boxes, to qemu
      running other domains.
      
      The best solution would be if SELinux provides a way to label an
      FD only, which could be then labeled when passed to the qemu.
      However that's a long path to go and we should fix this
      regression AQAP. So I went to talk to the SELinux developer again
      and we agreed on temporary solution that:
      
      1) All the three patches are reverted
      2) SELinux temporarily allows 'attach_queue' on the
      tun_tap_device_t
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      ba7468db
  3. 11 9月, 2014 2 次提交
    • M
      nvram: Fix permissions · 37d8c75f
      Michal Privoznik 提交于
      I've noticed two problem with the automatically created NVRAM varstore
      file. The first, even though I run qemu as root:root for some reason I
      get Permission denied when trying to open the _VARS.fd file. The
      problem is, the upper directory misses execute permissions, which in
      combination with us dropping some capabilities result in EPERM.
      
      The next thing is, that if I switch SELinux to enforcing mode, I get
      another EPERM because the vars file is not labeled correctly. It is
      passed to qemu as disk and hence should be labelled as disk. QEMU may
      write to it eventually, so this is different to kernel or initrd.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      37d8c75f
    • M
      selinux: Properly check TAP FD label · b635b7a1
      Michal Privoznik 提交于
      After a4431931 the TAP FDs ale labeled with image label instead
      of the process label. On the other hand, the commit was
      incomplete as a few lines above, there's still old check for the
      process label presence while it should be check for the image
      label instead.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      b635b7a1
  4. 10 9月, 2014 1 次提交
    • M
      qemu: Implement extended loader and nvram · 54289916
      Michal Privoznik 提交于
      QEMU now supports UEFI with the following command line:
      
        -drive file=/usr/share/OVMF/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on \
        -drive file=/usr/share/OVMF/OVMF_VARS.fd,if=pflash,format=raw,unit=1 \
      
      where the first line reflects <loader> and the second one <nvram>.
      Moreover, these two lines obsolete the -bios argument.
      
      Note that UEFI is unusable without ACPI. This is handled properly now.
      Among with this extension, the variable file is expected to be
      writable and hence we need security drivers to label it.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      Acked-by: NLaszlo Ersek <lersek@redhat.com>
      54289916
  5. 07 9月, 2014 1 次提交
  6. 01 9月, 2014 1 次提交
  7. 20 8月, 2014 1 次提交
    • M
      qemu: Label all TAP FDs · cf976d9d
      Michal Privoznik 提交于
      https://bugzilla.redhat.com/show_bug.cgi?id=1095636
      
      When starting up the domain the domain's NICs are allocated. As of
      1f24f682 (v1.0.6) we are able to use multiqueue feature on virtio
      NICs. It breaks network processing into multiple queues which can be
      processed in parallel by different host CPUs. The queues are, however,
      created by opening /dev/net/tun several times. Unfortunately, only the
      first FD in the row is labelled so when turning the multiqueue feature
      on in the guest, qemu will get AVC denial. Make sure we label all the
      FDs needed.
      
      Moreover, the default label of /dev/net/tun doesn't allow
      attaching a queue:
      
          type=AVC msg=audit(1399622478.790:893): avc:  denied  { attach_queue }
          for  pid=7585 comm="qemu-kvm"
          scontext=system_u:system_r:svirt_t:s0:c638,c877
          tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023
          tclass=tun_socket
      
      And as suggested by SELinux maintainers, the tun FD should be labeled
      as svirt_t. Therefore, we don't need to adjust any range (as done
      previously by Guannan in ae368ebf) rather set the seclabel of the
      domain directly.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      cf976d9d
  8. 24 7月, 2014 5 次提交
  9. 11 7月, 2014 2 次提交
  10. 09 7月, 2014 2 次提交
  11. 08 7月, 2014 1 次提交
  12. 26 6月, 2014 1 次提交
  13. 20 6月, 2014 3 次提交
  14. 12 6月, 2014 1 次提交
    • P
      security: Don't skip labelling for network disks · cc6484d4
      Peter Krempa 提交于
      A network disk might actually be backed by local storage. Also the path
      iterator actually handles networked disks well now so remove the code
      that skips the labelling in dac and selinux security driver.
      cc6484d4
  15. 10 6月, 2014 1 次提交
  16. 06 6月, 2014 1 次提交
    • E
      conf: store disk source as pointer, for easier manipulation · c123ef71
      Eric Blake 提交于
      As part of the work on backing chains, I'm finding that it would
      be easier to directly manipulate chains of pointers (adding a
      snapshot merely adjusts pointers to form the correct list) rather
      than copy data from one struct to another.  This patch converts
      domain disk source to be a pointer.
      
      In this patch, the pointer is ALWAYS allocated (thanks in part to
      the previous patch forwarding all disk def allocation through a
      common point), and all other changse are just mechanical fallout of
      the new type; there should be no functional change.  It is possible
      that we may want to leave the pointer NULL for a cdrom with no
      medium in a later patch, but as that requires a closer audit of the
      source to ensure we don't fault on a null dereference, I didn't do
      it here.
      
      * src/conf/domain_conf.h (_virDomainDiskDef): Change type of src.
      * src/conf/domain_conf.c: Adjust all clients.
      * src/security/security_selinux.c: Likewise.
      * src/qemu/qemu_domain.c: Likewise.
      * src/qemu/qemu_command.c: Likewise.
      * src/qemu/qemu_conf.c: Likewise.
      * src/qemu/qemu_process.c: Likewise.
      * src/qemu/qemu_migration.c: Likewise.
      * src/qemu/qemu_driver.c: Likewise.
      * src/lxc/lxc_driver.c: Likewise.
      * src/lxc/lxc_controller.c: Likewise.
      * tests/securityselinuxlabeltest.c: Likewise.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      c123ef71
  17. 24 4月, 2014 1 次提交
    • P
      storage: Move disk->backingChain to the recursive disk->src.backingStore · 44551275
      Peter Krempa 提交于
      Switch over to storing of the backing chain as a recursive
      virStorageSource structure.
      
      This is a string based move. Currently the first element will be present
      twice in the backing chain as currently the retrieval function stores
      the parent in the newly detected chain. This will be fixed later.
      44551275
  18. 22 4月, 2014 1 次提交
  19. 02 4月, 2014 3 次提交
    • E
      util: move detection of shared filesystems · 5160ab79
      Eric Blake 提交于
      The code in virstoragefile.c is getting more complex as I
      consolidate backing chain handling code.  But for the setuid
      virt-login-shell, we don't need to crawl backing chains.  It's
      easier to audit things for setuid security if there are fewer
      files involved, so this patch moves the one function that
      virFileOpen() was actually relying on to also live in virfile.c.
      
      * src/util/virstoragefile.c (virStorageFileIsSharedFS)
      (virStorageFileIsSharedFSType): Move...
      * src/util/virfile.c (virFileIsSharedFS, virFileIsSharedFSType):
      ...to here, and rename.
      (virFileOpenAs): Update caller.
      * src/security/security_selinux.c
      (virSecuritySELinuxSetFileconHelper)
      (virSecuritySELinuxSetSecurityAllLabel)
      (virSecuritySELinuxRestoreSecurityImageLabelInt): Likewise.
      * src/security/security_dac.c
      (virSecurityDACRestoreSecurityImageLabelInt): Likewise.
      * src/qemu/qemu_driver.c (qemuOpenFileAs): Likewise.
      * src/qemu/qemu_migration.c (qemuMigrationIsSafe): Likewise.
      * src/util/virstoragefile.h: Adjust declarations.
      * src/util/virfile.h: Likewise.
      * src/libvirt_private.syms (virfile.h, virstoragefile.h): Move
      symbols as appropriate.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      5160ab79
    • E
      conf: move host disk type to util/ · 16ac4c9d
      Eric Blake 提交于
      A continuation of the migration of disk details to virstoragefile.
      This patch moves a single enum, but converting the name has quite
      a bit of fallout.
      
      * src/conf/domain_conf.h (virDomainDiskType): Move...
      * src/util/virstoragefile.h (virStorageType): ...and rename.
      * src/bhyve/bhyve_command.c (bhyveBuildDiskArgStr)
      (virBhyveProcessBuildLoadCmd): Update clients.
      * src/conf/domain_conf.c (virDomainDiskSourceDefParse)
      (virDomainDiskDefParseXML, virDomainDiskSourceDefFormatInternal)
      (virDomainDiskDefFormat, virDomainDiskGetActualType)
      (virDomainDiskDefForeachPath, virDomainDiskSourceIsBlockType):
      Likewise.
      * src/conf/snapshot_conf.h (_virDomainSnapshotDiskDef): Likewise.
      * src/conf/snapshot_conf.c (virDomainSnapshotDiskDefParseXML)
      (virDomainSnapshotAlignDisks, virDomainSnapshotDiskDefFormat):
      Likewise.
      * src/esx/esx_driver.c (esxAutodetectSCSIControllerModel)
      (esxDomainDefineXML): Likewise.
      * src/locking/domain_lock.c (virDomainLockManagerAddDisk):
      Likewise.
      * src/lxc/lxc_controller.c
      (virLXCControllerSetupLoopDeviceDisk)
      (virLXCControllerSetupNBDDeviceDisk)
      (virLXCControllerSetupLoopDevices, virLXCControllerSetupDisk):
      Likewise.
      * src/parallels/parallels_driver.c (parallelsGetHddInfo):
      Likewise.
      * src/phyp/phyp_driver.c (phypDiskType): Likewise.
      * src/qemu/qemu_command.c (qemuGetDriveSourceString)
      (qemuDomainDiskGetSourceString, qemuBuildDriveStr)
      (qemuBuildCommandLine, qemuParseCommandLineDisk)
      (qemuParseCommandLine): Likewise.
      * src/qemu/qemu_conf.c (qemuCheckSharedDevice)
      (qemuTranslateDiskSourcePool)
      (qemuTranslateSnapshotDiskSourcePool): Likewise.
      * src/qemu/qemu_domain.c (qemuDomainDeviceDefPostParse)
      (qemuDomainDetermineDiskChain): Likewise.
      * src/qemu/qemu_driver.c (qemuDomainGetBlockInfo)
      (qemuDomainSnapshotPrepareDiskExternalBackingInactive)
      (qemuDomainSnapshotPrepareDiskExternalBackingActive)
      (qemuDomainSnapshotPrepareDiskExternalOverlayActive)
      (qemuDomainSnapshotPrepareDiskExternalOverlayInactive)
      (qemuDomainSnapshotPrepareDiskInternal)
      (qemuDomainSnapshotPrepare)
      (qemuDomainSnapshotCreateSingleDiskActive): Likewise.
      * src/qemu/qemu_hotplug.c (qemuDomainChangeEjectableMedia):
      Likewise.
      * src/qemu/qemu_migration.c (qemuMigrationIsSafe): Likewise.
      * src/security/security_apparmor.c
      (AppArmorRestoreSecurityImageLabel)
      (AppArmorSetSecurityImageLabel): Likewise.
      * src/security/security_dac.c (virSecurityDACSetSecurityImageLabel)
      (virSecurityDACRestoreSecurityImageLabelInt)
      (virSecurityDACSetSecurityAllLabel): Likewise.
      * src/security/security_selinux.c
      (virSecuritySELinuxRestoreSecurityImageLabelInt)
      (virSecuritySELinuxSetSecurityImageLabel)
      (virSecuritySELinuxSetSecurityAllLabel): Likewise.
      * src/storage/storage_backend.c (virStorageFileBackendForType):
      Likewise.
      * src/storage/storage_backend_fs.c (virStorageFileBackendFile)
      (virStorageFileBackendBlock): Likewise.
      * src/storage/storage_backend_gluster.c
      (virStorageFileBackendGluster): Likewise.
      * src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc, vboxAttachDrives)
      (vboxDomainAttachDeviceImpl, vboxDomainDetachDevice): Likewise.
      * src/vmware/vmware_conf.c (vmwareVmxPath): Likewise.
      * src/vmx/vmx.c (virVMXParseDisk, virVMXFormatDisk)
      (virVMXFormatFloppy): Likewise.
      * src/xenxs/xen_sxpr.c (xenParseSxprDisks, xenParseSxpr)
      (xenFormatSxprDisk): Likewise.
      * src/xenxs/xen_xm.c (xenParseXM, xenFormatXMDisk): Likewise.
      * tests/securityselinuxlabeltest.c (testSELinuxLoadDef):
      Likewise.
      * src/libvirt_private.syms (domain_conf.h): Move symbols...
      (virstoragefile.h): ...as appropriate.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      16ac4c9d
    • E
      conf: split security label structs to util/ · 3e929386
      Eric Blake 提交于
      In order to reuse the newly-created host-side disk struct in
      the virstoragefile backing chain code, I first have to move
      it to util/.  This starts the process, by first moving the
      security label structures.
      
      * src/conf/domain_conf.h (virDomainDefGenSecurityLabelDef)
      (virDomainDiskDefGenSecurityLabelDef, virSecurityLabelDefFree)
      (virSecurityDeviceLabelDefFree, virSecurityLabelDef)
      (virSecurityDeviceLabelDef): Move...
      * src/util/virseclabel.h: ...to new file.
      (virSecurityLabelDefNew, virSecurityDeviceLabelDefNew): Rename the
      GenSecurity functions.
      * src/qemu/qemu_process.c (qemuProcessAttach): Adjust callers.
      * src/security/security_manager.c (virSecurityManagerGenLabel):
      Likewise.
      * src/security/security_selinux.c
      (virSecuritySELinuxSetSecurityFileLabel): Likewise.
      * src/util/virseclabel.c: New file.
      * src/conf/domain_conf.c: Move security code, and fix fallout.
      * src/Makefile.am (UTIL_SOURCES): Build new file.
      * src/libvirt_private.syms (domain_conf.h): Move symbols...
      (virseclabel.h): ...to new section.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      3e929386
  20. 25 3月, 2014 3 次提交
    • J
      9e7ecabf
    • E
      conf: prepare to track multiple host source files per <disk> · 4f202266
      Eric Blake 提交于
      It's finally time to start tracking disk backing chains in
      <domain> XML.  The first step is to start refactoring code
      so that we have an object more convenient for representing
      each host source resource in the context of a single guest
      <disk>.  Ultimately, I plan to move the new type into src/util
      where it can be reused by virStorageFile, but to make the
      transition easier to review, this patch just creates the
      new type then fixes everything until it compiles again.
      
      * src/conf/domain_conf.h (_virDomainDiskDef): Split...
      (_virDomainDiskSourceDef): ...to new struct.
      (virDomainDiskAuthClear): Use new type.
      * src/conf/domain_conf.c (virDomainDiskDefFree): Split...
      (virDomainDiskSourceDefClear): ...to new function.
      (virDomainDiskGetType, virDomainDiskSetType)
      (virDomainDiskGetSource, virDomainDiskSetSource)
      (virDomainDiskGetDriver, virDomainDiskSetDriver)
      (virDomainDiskGetFormat, virDomainDiskSetFormat)
      (virDomainDiskAuthClear, virDomainDiskGetActualType)
      (virDomainDiskDefParseXML, virDomainDiskSourceDefFormat)
      (virDomainDiskDefFormat, virDomainDiskDefForeachPath)
      (virDomainDiskDefGetSecurityLabelDef)
      (virDomainDiskSourceIsBlockType): Adjust all users.
      * src/lxc/lxc_controller.c (virLXCControllerSetupDisk):
      Likewise.
      * src/lxc/lxc_driver.c (lxcDomainAttachDeviceMknodHelper):
      Likewise.
      * src/qemu/qemu_command.c (qemuAddRBDHost, qemuParseRBDString)
      (qemuParseDriveURIString, qemuParseGlusterString)
      (qemuParseISCSIString, qemuParseNBDString)
      (qemuDomainDiskGetSourceString, qemuBuildDriveStr)
      (qemuBuildCommandLine, qemuParseCommandLineDisk)
      (qemuParseCommandLine): Likewise.
      * src/qemu/qemu_conf.c (qemuCheckSharedDevice)
      (qemuAddISCSIPoolSourceHost, qemuTranslateDiskSourcePool):
      Likewise.
      * src/qemu/qemu_driver.c (qemuDomainUpdateDeviceConfig)
      (qemuDomainPrepareDiskChainElement)
      (qemuDomainSnapshotCreateInactiveExternal)
      (qemuDomainSnapshotPrepareDiskExternalBackingInactive)
      (qemuDomainSnapshotPrepareDiskInternal)
      (qemuDomainSnapshotPrepare)
      (qemuDomainSnapshotCreateSingleDiskActive)
      (qemuDomainSnapshotUndoSingleDiskActive)
      (qemuDomainBlockPivot, qemuDomainBlockJobImpl)
      (qemuDomainBlockCopy, qemuDomainBlockCommit): Likewise.
      * src/qemu/qemu_migration.c (qemuMigrationIsSafe): Likewise.
      * src/qemu/qemu_process.c (qemuProcessGetVolumeQcowPassphrase)
      (qemuProcessInitPasswords): Likewise.
      * src/security/security_selinux.c
      (virSecuritySELinuxSetSecurityFileLabel): Likewise.
      * src/storage/storage_driver.c (virStorageFileInitFromDiskDef):
      Likewise.
      * tests/securityselinuxlabeltest.c (testSELinuxLoadDef):
      Likewise.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      4f202266
    • E
      conf: use disk source accessors in security/ · 2aad0ebe
      Eric Blake 提交于
      Part of a series of cleanups to use new accessor methods.
      
      * src/security/security_dac.c (virSecurityDACSetSecurityImageLabel)
      (virSecurityDACRestoreSecurityImageLabelInt)
      (virSecurityDACSetSecurityAllLabel): Use accessors.
      * src/security/security_selinux.c
      (virSecuritySELinuxRestoreSecurityImageLabelInt)
      (virSecuritySELinuxSetSecurityImageLabel)
      (virSecuritySELinuxSetSecurityAllLabel): Likewise.
      Signed-off-by: NEric Blake <eblake@redhat.com>
      2aad0ebe
  21. 20 3月, 2014 1 次提交
    • S
      is_selinux_enabled() returns -1 on error, account for this. · 0099a4ae
      Scott Sullivan 提交于
      Per the documentation, is_selinux_enabled() returns -1 on error.
      Account for this. Previously when -1 was being returned the condition
      would still be true. I was noticing this because on my system that has
      selinux disabled I was getting this in the libvirt.log every 5
      seconds:
      
      error : virIdentityGetSystem:173 : Unable to lookup SELinux process context: Invalid argument
      
      With this patch applied, I no longer get these messages every 5
      seconds. I am submitting this in case its deemed useful for inclusion.
      Anyone have any comments on this change? This is a patch off current
      master.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      0099a4ae
  22. 18 3月, 2014 1 次提交
  23. 06 2月, 2014 1 次提交
    • J
      Generate a valid imagelabel even for type 'none' · 0db9b088
      Ján Tomko 提交于
      Commit 2ce63c16 added imagelabel generation when relabeling is turned
      off. But we weren't filling out the sensitivity for type 'none' labels,
      resulting in an invalid label:
      
      $ virsh managedsave domain
      error: unable to set security context 'system_u:object_r:svirt_image_t'
      on fd 28: Invalid argument
      0db9b088
  24. 30 1月, 2014 1 次提交
    • O
      util: Add one argument for several scsi utils · 10c9ceff
      Osier Yang 提交于
      To support passing the path of the test data to the utils, one
      more argument is added to virSCSIDeviceGetSgName,
      virSCSIDeviceGetDevName, and virSCSIDeviceNew, and the related
      code is changed accordingly.
      
      Later tests for the scsi utils will be based on this patch.
      Signed-off-by: NOsier Yang <jyang@redhat.com>
      10c9ceff
  25. 23 1月, 2014 1 次提交
    • O
      util: Add "shareable" field for virSCSIDevice struct · 2b66504d
      Osier Yang 提交于
      Unlike the host devices of other types, SCSI host device XML supports
      "shareable" tag. This patch introduces it for the virSCSIDevice struct
      for a later patch use (to detect if the SCSI device is shareable when
      preparing the SCSI host device in QEMU driver).
      2b66504d
  26. 17 1月, 2014 1 次提交
    • M
      virSecuritySELinuxSetFileconHelper: Don't fail on read-only NFS · d1fdecb6
      Michal Privoznik 提交于
      https://bugzilla.redhat.com/show_bug.cgi?id=996543
      
      When starting up a domain, the SELinux labeling is done depending on
      current configuration. If the labeling fails we check for possible
      causes, as not all labeling failures are fatal. For example, if the
      labeled file is on NFS which lacks SELinux support, the file can still
      be readable to qemu process. These cases are distinguished by the errno
      code: NFS without SELinux support returns EOPNOTSUPP. However, we were
      missing one scenario. In case there's a read-only disk on a read-only
      NFS (and possibly any FS) and the labeling is just optional (not
      explicitly requested in the XML) there's no need to make the labeling
      error fatal. In other words, read-only file on read-only NFS can fail to
      be labeled, but be readable at the same time.
      Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
      d1fdecb6
  27. 04 12月, 2013 1 次提交