1. 27 4月, 2013 1 次提交
  2. 26 4月, 2013 2 次提交
    • L
      security: update hostdev labelling functions for VFIO · f0bd70a9
      Laine Stump 提交于
      Legacy kvm style pci device assignment requires changes to the
      labelling of several sysfs files for each device, but for vfio device
      assignment, the only thing that needs to be relabelled/chowned is the
      "group" device for the group that contains the device to be assigned.
      f0bd70a9
    • L
      conf: put hostdev pci address in a struct · 9f80fc1b
      Laine Stump 提交于
      There will soon be other items related to pci hostdevs that need to be
      in the same part of the hostdevsubsys union as the pci address (which
      is currently a single member called "pci". This patch replaces the
      single member named pci with a struct named pci that contains a single
      member named "addr".
      9f80fc1b
  3. 13 4月, 2013 1 次提交
  4. 20 3月, 2013 1 次提交
  5. 16 2月, 2013 1 次提交
    • J
      security: Remove unnecessary checks for mgr == NULL · 676688b6
      John Ferlan 提交于
      Coverity found the DACGenLabel was checking for mgr == NULL after a
      possible dereference; however, in order to get into the function the
      virSecurityManagerGenLabel would have already dereferenced sec_managers[i]
      so the check was unnecessary. Same check is made in SELinuxGenSecurityLabel.
      676688b6
  6. 14 2月, 2013 1 次提交
    • L
      security: add new virSecurityManagerSetChildProcessLabel API · 7bf1aa0b
      Laine Stump 提交于
      The existing virSecurityManagerSetProcessLabel() API is designed so
      that it must be called after forking the child process, but before
      exec'ing the child. Due to the way the virCommand API works, that
      means it needs to be put in a "hook" function that virCommand is told
      to call out to at that time.
      
      Setting the child process label is a basic enough need when executing
      any process that virCommand should have a method of doing that. But
      virCommand must be told what label to set, and only the security
      driver knows the answer to that question.
      
      The new virSecurityManagerSet*Child*ProcessLabel() API is the way to
      transfer the knowledge about what label to set from the security
      driver to the virCommand object. It is given a virCommandPtr, and each
      security driver calls the appropriate virCommand* API to tell
      virCommand what to do between fork and exec.
      
      1) in the case of the DAC security driver, it calls
      virCommandSetUID/GID() to set a uid and gid that must be set for the
      child process.
      
      2) for the SELinux security driver, it calls
      virCommandSetSELinuxLabel() to save a copy of the char* that will be
      sent to setexeccon_raw() *after forking the child process*.
      
      3) for the AppArmor security drivers, it calls
      virCommandSetAppArmorProfile() to save a copy of the char* that will
      be sent to aa_change_profile() *after forking the child process*.
      
      With this new API in place, we will be able to remove
      virSecurityManagerSetProcessLabel() from any virCommand pre-exec
      hooks.
      
      (Unfortunately, the LXC driver uses clone() rather than virCommand, so
      it can't take advantage of this new security driver API, meaning that
      we need to keep around the older virSecurityManagerSetProcessLabel(),
      at least for now.)
      7bf1aa0b
  7. 06 2月, 2013 2 次提交
  8. 22 1月, 2013 1 次提交
  9. 21 12月, 2012 7 次提交
  10. 18 12月, 2012 1 次提交
  11. 02 11月, 2012 1 次提交
  12. 23 10月, 2012 2 次提交
    • E
      build: print uids as unsigned · add633bd
      Eric Blake 提交于
      Reported by Michal Privoznik.
      
      * src/security/security_dac.c (virSecurityDACGenLabel): Use
      correct format.
      add633bd
    • E
      build: use correct printf types for uid/gid · 23a4df88
      Eric Blake 提交于
      Fixes a build failure on cygwin:
      cc1: warnings being treated as errors
      security/security_dac.c: In function 'virSecurityDACSetProcessLabel':
      security/security_dac.c:862:5: error: format '%u' expects type 'unsigned int', but argument 7 has type 'uid_t' [-Wformat]
      security/security_dac.c:862:5: error: format '%u' expects type 'unsigned int', but argument 8 has type 'gid_t' [-Wformat]
      
      * src/security/security_dac.c (virSecurityDACSetProcessLabel)
      (virSecurityDACGenLabel): Use proper casts.
      23a4df88
  13. 20 10月, 2012 1 次提交
    • E
      storage: use cache to walk backing chain · 38c4a9cc
      Eric Blake 提交于
      We used to walk the backing file chain at least twice per disk,
      once to set up cgroup device whitelisting, and once to set up
      security labeling.  Rather than walk the chain every iteration,
      which possibly includes calls to fork() in order to open root-squashed
      NFS files, we can exploit the cache of the previous patch.
      
      * src/conf/domain_conf.h (virDomainDiskDefForeachPath): Alter
      signature.
      * src/conf/domain_conf.c (virDomainDiskDefForeachPath): Require caller
      to supply backing chain via disk, if recursion is desired.
      * src/security/security_dac.c
      (virSecurityDACSetSecurityImageLabel): Adjust caller.
      * src/security/security_selinux.c
      (virSecuritySELinuxSetSecurityImageLabel): Likewise.
      * src/security/virt-aa-helper.c (get_files): Likewise.
      * src/qemu/qemu_cgroup.c (qemuSetupDiskCgroup)
      (qemuTeardownDiskCgroup): Likewise.
      (qemuSetupCgroup): Pre-populate chain.
      38c4a9cc
  14. 15 10月, 2012 1 次提交
    • G
      selinux: add security selinux function to label tapfd · ae368ebf
      Guannan Ren 提交于
      BZ:https://bugzilla.redhat.com/show_bug.cgi?id=851981
      When using macvtap, a character device gets first created by
      kernel with name /dev/tapN, its selinux context is:
      system_u:object_r:device_t:s0
      
      Shortly, when udev gets notification when new file is created
      in /dev, it will then jump in and relabel this file back to the
      expected default context:
      system_u:object_r:tun_tap_device_t:s0
      
      There is a time gap happened.
      Sometimes, it will have migration failed, AVC error message:
      type=AVC msg=audit(1349858424.233:42507): avc:  denied  { read write } for
      pid=19926 comm="qemu-kvm" path="/dev/tap33" dev=devtmpfs ino=131524
      scontext=unconfined_u:system_r:svirt_t:s0:c598,c908
      tcontext=system_u:object_r:device_t:s0 tclass=chr_file
      
      This patch will label the tapfd device before qemu process starts:
      system_u:object_r:tun_tap_device_t:MCS(MCS from seclabel->label)
      ae368ebf
  15. 11 10月, 2012 1 次提交
  16. 09 10月, 2012 1 次提交
  17. 03 10月, 2012 1 次提交
    • M
      security: also parse user/group names instead of just IDs for DAC labels · 60469dd1
      Marcelo Cerri 提交于
      The DAC driver is missing parsing of group and user names for DAC labels
      and currently just parses uid and gid. This patch extends it to support
      names, so the following security label definition is now valid:
      
        <seclabel type='static' model='dac' relabel='yes'>
            <label>qemu:qemu</label>
            <imagelabel>qemu:qemu</imagelabel>
        </seclabel>
      
      When it tries to parse an owner or a group, it first tries to resolve it as
      a name, if it fails or it's an invalid user/group name then it tries to
      parse it as an UID or GID. A leading '+' can also be used for both owner and
      group to force it to be parsed as IDs, so the following example is also
      valid:
      
        <seclabel type='static' model='dac' relabel='yes'>
            <label>+101:+101</label>
            <imagelabel>+101:+101</imagelabel>
        </seclabel>
      
      This ensures that UID 101 and GUI 101 will be used instead of an user or
      group named "101".
      60469dd1
  18. 21 9月, 2012 1 次提交
  19. 20 9月, 2012 1 次提交
    • P
      security: Don't ignore errors when parsing DAC security labels · ede89aab
      Peter Krempa 提交于
      The DAC security driver silently ignored errors when parsing the DAC
      label and used default values instead.
      
      With a domain containing the following label definition:
      
      <seclabel type='static' model='dac' relabel='yes'>
        <label>sdfklsdjlfjklsdjkl</label>
      </seclabel>
      
      the domain would start normaly but the disk images would be still owned
      by root and no error was displayed.
      
      This patch changes the behavior if the parsing of the label fails (note
      that a not present label is not a failure and in this case the default
      label should be used) the error isn't masked but is raised that causes
      the domain start to fail with a descriptive error message:
      
      virsh #  start tr
      error: Failed to start domain tr
      error: internal error invalid argument: failed to parse DAC seclabel
      'sdfklsdjlfjklsdjkl' for domain 'tr'
      
      I also changed the error code to "invalid argument" from "internal
      error" and tweaked the various error messages to contain correct and
      useful information.
      ede89aab
  20. 29 8月, 2012 4 次提交
  21. 21 8月, 2012 2 次提交
  22. 23 7月, 2012 1 次提交
    • O
      Desert the FSF address in copyright · f9ce7dad
      Osier Yang 提交于
      Per the FSF address could be changed from time to time, and GNU
      recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html)
      
        You should have received a copy of the GNU General Public License
        along with Foobar.  If not, see <http://www.gnu.org/licenses/>.
      
      This patch removes the explicit FSF address, and uses above instead
      (of course, with inserting 'Lesser' before 'General').
      
      Except a bunch of files for security driver, all others are changed
      automatically, the copyright for securify files are not complete,
      that's why to do it manually:
      
        src/security/security_selinux.h
        src/security/security_driver.h
        src/security/security_selinux.c
        src/security/security_apparmor.h
        src/security/security_apparmor.c
        src/security/security_driver.c
      f9ce7dad
  23. 24 5月, 2012 1 次提交
  24. 16 5月, 2012 2 次提交
  25. 02 3月, 2012 1 次提交
    • E
      build: use correct type for pid and similar types · 3e2c3d8f
      Eric Blake 提交于
      No thanks to 64-bit windows, with 64-bit pid_t, we have to avoid
      constructs like 'int pid'.  Our API in libvirt-qemu cannot be
      changed without breaking ABI; but then again, libvirt-qemu can
      only be used on systems that support UNIX sockets, which rules
      out Windows (even if qemu could be compiled there) - so for all
      points on the call chain that interact with this API decision,
      we require a different variable name to make it clear that we
      audited the use for safety.
      
      Adding a syntax-check rule only solves half the battle; anywhere
      that uses printf on a pid_t still needs to be converted, but that
      will be a separate patch.
      
      * cfg.mk (sc_correct_id_types): New syntax check.
      * src/libvirt-qemu.c (virDomainQemuAttach): Document why we didn't
      use pid_t for pid, and validate for overflow.
      * include/libvirt/libvirt-qemu.h (virDomainQemuAttach): Tweak name
      for syntax check.
      * src/vmware/vmware_conf.c (vmwareExtractPid): Likewise.
      * src/driver.h (virDrvDomainQemuAttach): Likewise.
      * tools/virsh.c (cmdQemuAttach): Likewise.
      * src/remote/qemu_protocol.x (qemu_domain_attach_args): Likewise.
      * src/qemu_protocol-structs (qemu_domain_attach_args): Likewise.
      * src/util/cgroup.c (virCgroupPidCode, virCgroupKillInternal):
      Likewise.
      * src/qemu/qemu_command.c(qemuParseProcFileStrings): Likewise.
      (qemuParseCommandLinePid): Use pid_t for pid.
      * daemon/libvirtd.c (daemonForkIntoBackground): Likewise.
      * src/conf/domain_conf.h (_virDomainObj): Likewise.
      * src/probes.d (rpc_socket_new): Likewise.
      * src/qemu/qemu_command.h (qemuParseCommandLinePid): Likewise.
      * src/qemu/qemu_driver.c (qemudGetProcessInfo, qemuDomainAttach):
      Likewise.
      * src/qemu/qemu_process.c (qemuProcessAttach): Likewise.
      * src/qemu/qemu_process.h (qemuProcessAttach): Likewise.
      * src/uml/uml_driver.c (umlGetProcessInfo): Likewise.
      * src/util/virnetdev.h (virNetDevSetNamespace): Likewise.
      * src/util/virnetdev.c (virNetDevSetNamespace): Likewise.
      * tests/testutils.c (virtTestCaptureProgramOutput): Likewise.
      * src/conf/storage_conf.h (_virStoragePerms): Use mode_t, uid_t,
      and gid_t rather than int.
      * src/security/security_dac.c (virSecurityDACSetOwnership): Likewise.
      * src/conf/storage_conf.c (virStorageDefParsePerms): Avoid
      compiler warning.
      3e2c3d8f
  26. 04 2月, 2012 1 次提交
    • L
      qemu: eliminate "Ignoring open failure" when using root-squash NFS · c18a88ac
      Laine Stump 提交于
      This eliminates the warning message reported in:
      
       https://bugzilla.redhat.com/show_bug.cgi?id=624447
      
      It was caused by a failure to open an image file that is not
      accessible by root (the uid libvirtd is running as) because it's on a
      root-squash NFS share, owned by a different user, with permissions of
      660 (or maybe 600).
      
      The solution is to use virFileOpenAs() rather than open(). The
      codepath that generates the error is during qemuSetupDiskCGroup(), but
      the actual open() is in a lower-level generic function called from
      many places (virDomainDiskDefForeachPath), so some other pieces of the
      code were touched just to add dummy (or possibly useful) uid and gid
      arguments.
      
      Eliminating this warning message has the nice side effect that the
      requested operation may even succeed (which in this case isn't
      necessary, but shouldn't hurt anything either).
      c18a88ac