- 29 8月, 2012 4 次提交
-
-
由 Alex Jia 提交于
* src/security/security_dac.c: remove useless dead code. Signed-off-by: NAlex Jia <ajia@redhat.com>
-
由 Peter Krempa 提交于
As in the previous commit, images are also chowned to uninitialised uid and gid if the label is not present.
-
由 Peter Krempa 提交于
When starting a machine the DAC security driver tries to set the UID and GID of the newly spawned process. This worked as desired if the desired label was set. When the label was missing a logical bug in virSecurityDACGenLabel() caused that uninitialised values were used as uid and gid for the new process. With this patch, default values (from qemu driver configuration) are used if the label is not found.
-
由 Peter Krempa 提交于
When no DAC "label" was requested for a domain the DAC manager tried to strdup a NULL string causing a segfault.
-
- 24 8月, 2012 1 次提交
-
-
由 Michal Privoznik 提交于
Currently, if users set 'security_driver="dac"' in qemu.conf libvirtd fails to initialize as DAC driver is not found because it is missing in our security drivers array.
-
- 21 8月, 2012 6 次提交
-
-
由 Daniel P. Berrange 提交于
The DAC security driver uses the virStrToLong_ui function to parse the uid/gid out of the seclabel string. This works on Linux where 'uid_t' is an unsigned int, but on Mingw32 it is just an 'int'. This causes compiler warnings about signed/ unsigned int pointer mis-match. To avoid this, use explicit 'unsigned int ouruid' local vars to pass into virStrToLong_ui, and then simply assign to the 'uid_t' type after parsing Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
Currently the dynamic label generation code will create labels with a sensitivity of s0, and a category pair in the range 0-1023. This is fine when running a standard MCS policy because libvirtd will run with a label system_u:system_r:virtd_t:s0-s0:c0.c1023 With custom policies though, it is possible for libvirtd to have a different sensitivity, or category range. For example system_u:system_r:virtd_t:s2-s3:c512.c1023 In this case we must assign the VM a sensitivity matching the current lower sensitivity value, and categories in the range 512-1023 Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The code to refactor sec label handling accidentally changed the SELinux driver to use the 'domain_context' when generating the image label instead of the 'file_context' Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Marcelo Cerri 提交于
These changes make the security drivers able to find and handle the correct security label information when more than one label is available. They also update the DAC driver to be used as an usual security driver. Signed-off-by: NMarcelo Cerri <mhcerri@linux.vnet.ibm.com>
-
由 Marcelo Cerri 提交于
This patch updates the structures that store information about each domain and each hypervisor to support multiple security labels and drivers. It also updates all the remaining code to use the new fields. Signed-off-by: NMarcelo Cerri <mhcerri@linux.vnet.ibm.com>
-
由 Viktor Mihajlovski 提交于
This is a fix for the object label generation. It uses a new flag for virSecuritySELinuxGenNewContext that specifies whether the context is for an object. If so the context role remains unchanged. Without this fix it is not possible to start domains with image file or block device backed storage when selinux is enabled. Signed-off-by: NViktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
-
- 14 8月, 2012 5 次提交
-
-
由 Daniel P. Berrange 提交于
The code for picking a MCS label is about to get significantly more complicated, so it deserves to be in a standlone method, instead of a switch/case body. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
When generating an SELinux context for a VM from the template "system_u:system_r:svirt_t:s0", copy the role + user from the current process instead of the template context. So if the current process is unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 then the VM context ends up as unconfined_u:unconfined_r:svirt_t:s0:c386,c703 instead of system_u:system_r:svirt_t:s0:c177,c424 Ideally the /etc/selinux/targeted/contexts/virtual_domain_context file would have just shown the 'svirt_t' type, and not the full context, but that can't be changed now for compatibility reasons. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The virSecuritySELinuxGenNewContext method was not reporting any errors, leaving it up to the caller to report a generic error. In addition it could potentially trigger a strdup(NULL) in an OOM scenario. Move all error reporting into the virSecuritySELinuxGenNewContext method where accurate info can be provided Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
There is currently no way to distinguish the case that a requested security driver was disabled, from the case where no security driver was available. Use VIR_ERR_CONFIG_UNSUPPORTED as the error when an explicitly requested security driver was disabled Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The security_manager.h header is not self-contained because it uses the virDomainDefPtr without first including domain_conf.h Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 06 8月, 2012 1 次提交
-
-
由 Eric Blake 提交于
All callers used the same initialization seed (well, the new viratomictest forgot to look at getpid()); so we might as well make this value automatic. And while it may feel like we are giving up functionality, I documented how to get it back in the unlikely case that you actually need to debug with a fixed pseudo-random sequence. I left that crippled by default, so that a stray environment variable doesn't cause a lack of randomness to become a security issue. * src/util/virrandom.c (virRandomInitialize): Rename... (virRandomOnceInit): ...and make static, with one-shot call. Document how to do fixed-seed debugging. * src/util/virrandom.h (virRandomInitialize): Drop prototype. * src/libvirt_private.syms (virrandom.h): Don't export it. * src/libvirt.c (virInitialize): Adjust caller. * src/lxc/lxc_controller.c (main): Likewise. * src/security/virt-aa-helper.c (main): Likewise. * src/util/iohelper.c (main): Likewise. * tests/seclabeltest.c (main): Likewise. * tests/testutils.c (virtTestMain): Likewise. * tests/viratomictest.c (mymain): Likewise.
-
- 28 7月, 2012 1 次提交
-
-
由 Jiri Denemark 提交于
If a domain is explicitly configured with <seclabel type="none"/> we correctly ensure that no labeling will be done by setting norelabel=true. However, if no seclabel element is present in domain XML and hypervisor is configured not to confine domains by default, we only set type to "none" without turning off relabeling. Thus if such a domain is being started, security driver wants to relabel resources with default label, which doesn't make any sense. Moreover, with SELinux security driver, the generated image label lacks "s0" sensitivity, which causes setfilecon() fail with EINVAL in enforcing mode.
-
- 27 7月, 2012 1 次提交
-
-
由 Osier Yang 提交于
This is a follow up patch of commit f9ce7dad, it modifies all the files which declare the copyright like "See COPYING.LIB for the License of this software" to use the detailed/consistent one. And deserts the outdated comments like: * libvirt-qemu.h: * Summary: qemu specific interfaces * Description: Provides the interfaces of the libvirt library to handle * qemu specific methods * * Copy: Copyright (C) 2010, 2012 Red Hat, Inc. Uses the more compact style like: * libvirt-qemu.h: Interfaces specific for QEMU/KVM driver * * Copyright (C) 2010, 2012 Red Hat, Inc.
-
- 23 7月, 2012 1 次提交
-
-
由 Osier Yang 提交于
Per the FSF address could be changed from time to time, and GNU recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html) You should have received a copy of the GNU General Public License along with Foobar. If not, see <http://www.gnu.org/licenses/>. This patch removes the explicit FSF address, and uses above instead (of course, with inserting 'Lesser' before 'General'). Except a bunch of files for security driver, all others are changed automatically, the copyright for securify files are not complete, that's why to do it manually: src/security/security_selinux.h src/security/security_driver.h src/security/security_selinux.c src/security/security_apparmor.h src/security/security_apparmor.c src/security/security_driver.c
-
- 21 7月, 2012 3 次提交
-
-
由 Daniel P. Berrange 提交于
Instead of using an O(n) efficiency linked list for storing MCS labels, use a hash table. Instead of having the list be global, put it in the SELinux driver private data struct to ensure uniqueness across different instances of the driver. This also ensures thread safety when multiple hypervisor drivers are used in the same libvirtd process Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
When adding MCS labels, OOM was not being handled correctly. In addition when reserving an existing label, no check was made to see if it was already reserved Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel P. Berrange 提交于
The function names in the SELinux driver all start with SELinux or 'mcs' as a prefix. Sanitize this so that they all use 'virSecuritySELinux' as the prefix Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 20 7月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Update the security drivers to use virReportError instead of the virSecurityReportError custom macro Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 19 7月, 2012 1 次提交
-
-
由 Eric Blake 提交于
Noticed during the recent error cleanups. * src/network/bridge_driver.c (networkStartRadvd): Fix spacing. * src/openvz/openvz_conf.c (openvzReadMemConf): Likewise. * src/qemu/qemu_command.c (qemuNetworkIfaceConnect): Likewise. * src/qemu/qemu_hotplug.c (qemuDomainDetachNetDevice): Likewise. * src/qemu/qemu_process.c (qemuProcessStop): Likewise. * src/security/virt-aa-helper.c (vah_add_file): Likewise.
-
- 28 5月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Remove a number of pointless checks against PATH_MAX and add a syntax-check rule to prevent its use in future Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 24 5月, 2012 1 次提交
-
-
由 Michal Privoznik 提交于
-
- 16 5月, 2012 6 次提交
-
-
由 Daniel P. Berrange 提交于
Most versions of libselinux do not contain the function selinux_lxc_contexts_path() that the security driver recently started using for LXC. We must add a conditional check for it in configure and then disable the LXC security driver for builds where libselinux lacks this function. * configure.ac: Check for selinux_lxc_contexts_path * src/security/security_selinux.c: Disable LXC security if selinux_lxc_contexts_path() is missing
-
由 Daniel Walsh 提交于
Some security drivers require special options to be passed to the mount system call. Add a security driver API for handling this data. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel Walsh 提交于
The SELinux policy for LXC uses a different configuration file than the traditional svirt one. Thus we need to load /etc/selinux/targeted/contexts/lxc_contexts which contains something like this: process = "system_u:system_r:svirt_lxc_net_t:s0" file = "system_u:object_r:svirt_lxc_file_t:s0" content = "system_u:object_r:virt_var_lib_t:s0" cleverly designed to be parsable by virConfPtr Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel Walsh 提交于
Currently the SELinux driver stores its state in a set of global variables. This switches it to use a private data struct instead. This will enable different instances to have their own data. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel Walsh 提交于
The AppArmour driver does not currently have support for LXC so ensure that when probing, it claims to be disabled Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
由 Daniel Walsh 提交于
To allow the security drivers to apply different configuration information per hypervisor, pass the virtualization driver name into the security manager constructor. Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 30 3月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
The code is splattered with a mix of sizeof foo sizeof (foo) sizeof(foo) Standardize on sizeof(foo) and add a syntax check rule to enforce it Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 27 3月, 2012 1 次提交
-
-
由 Martin Kletzander 提交于
Return statements with parameter enclosed in parentheses were modified and parentheses were removed. The whole change was scripted, here is how: List of files was obtained using this command: git grep -l -e '\<return\s*([^()]*\(([^()]*)[^()]*\)*)\s*;' | \ grep -e '\.[ch]$' -e '\.py$' Found files were modified with this command: sed -i -e \ 's_^\(.*\<return\)\s*(\(\([^()]*([^()]*)[^()]*\)*\))\s*\(;.*$\)_\1 \2\4_' \ -e 's_^\(.*\<return\)\s*(\([^()]*\))\s*\(;.*$\)_\1 \2\3_' Then checked for nonsense. The whole command looks like this: git grep -l -e '\<return\s*([^()]*\(([^()]*)[^()]*\)*)\s*;' | \ grep -e '\.[ch]$' -e '\.py$' | xargs sed -i -e \ 's_^\(.*\<return\)\s*(\(\([^()]*([^()]*)[^()]*\)*\))\s*\(;.*$\)_\1 \2\4_' \ -e 's_^\(.*\<return\)\s*(\([^()]*\))\s*\(;.*$\)_\1 \2\3_'
-
- 02 3月, 2012 1 次提交
-
-
由 Eric Blake 提交于
No thanks to 64-bit windows, with 64-bit pid_t, we have to avoid constructs like 'int pid'. Our API in libvirt-qemu cannot be changed without breaking ABI; but then again, libvirt-qemu can only be used on systems that support UNIX sockets, which rules out Windows (even if qemu could be compiled there) - so for all points on the call chain that interact with this API decision, we require a different variable name to make it clear that we audited the use for safety. Adding a syntax-check rule only solves half the battle; anywhere that uses printf on a pid_t still needs to be converted, but that will be a separate patch. * cfg.mk (sc_correct_id_types): New syntax check. * src/libvirt-qemu.c (virDomainQemuAttach): Document why we didn't use pid_t for pid, and validate for overflow. * include/libvirt/libvirt-qemu.h (virDomainQemuAttach): Tweak name for syntax check. * src/vmware/vmware_conf.c (vmwareExtractPid): Likewise. * src/driver.h (virDrvDomainQemuAttach): Likewise. * tools/virsh.c (cmdQemuAttach): Likewise. * src/remote/qemu_protocol.x (qemu_domain_attach_args): Likewise. * src/qemu_protocol-structs (qemu_domain_attach_args): Likewise. * src/util/cgroup.c (virCgroupPidCode, virCgroupKillInternal): Likewise. * src/qemu/qemu_command.c(qemuParseProcFileStrings): Likewise. (qemuParseCommandLinePid): Use pid_t for pid. * daemon/libvirtd.c (daemonForkIntoBackground): Likewise. * src/conf/domain_conf.h (_virDomainObj): Likewise. * src/probes.d (rpc_socket_new): Likewise. * src/qemu/qemu_command.h (qemuParseCommandLinePid): Likewise. * src/qemu/qemu_driver.c (qemudGetProcessInfo, qemuDomainAttach): Likewise. * src/qemu/qemu_process.c (qemuProcessAttach): Likewise. * src/qemu/qemu_process.h (qemuProcessAttach): Likewise. * src/uml/uml_driver.c (umlGetProcessInfo): Likewise. * src/util/virnetdev.h (virNetDevSetNamespace): Likewise. * src/util/virnetdev.c (virNetDevSetNamespace): Likewise. * tests/testutils.c (virtTestCaptureProgramOutput): Likewise. * src/conf/storage_conf.h (_virStoragePerms): Use mode_t, uid_t, and gid_t rather than int. * src/security/security_dac.c (virSecurityDACSetOwnership): Likewise. * src/conf/storage_conf.c (virStorageDefParsePerms): Avoid compiler warning.
-
- 08 2月, 2012 1 次提交
-
-
由 Jiri Denemark 提交于
In case the caller specifies that confined guests are required but the security driver turns out to be 'none', we should return an error since this driver clearly cannot meet that requirement. As a result of this error, libvirtd fails to start when the host admin explicitly sets confined guests are required but there is no security driver available. Since security driver 'none' cannot create confined guests, we override default confined setting so that hypervisor drivers do not thing they should create confined guests.
-
- 06 2月, 2012 1 次提交
-
-
由 Jiri Denemark 提交于
Typo introduced by c18a88ac
-
- 04 2月, 2012 1 次提交
-
-
由 Laine Stump 提交于
This eliminates the warning message reported in: https://bugzilla.redhat.com/show_bug.cgi?id=624447 It was caused by a failure to open an image file that is not accessible by root (the uid libvirtd is running as) because it's on a root-squash NFS share, owned by a different user, with permissions of 660 (or maybe 600). The solution is to use virFileOpenAs() rather than open(). The codepath that generates the error is during qemuSetupDiskCGroup(), but the actual open() is in a lower-level generic function called from many places (virDomainDiskDefForeachPath), so some other pieces of the code were touched just to add dummy (or possibly useful) uid and gid arguments. Eliminating this warning message has the nice side effect that the requested operation may even succeed (which in this case isn't necessary, but shouldn't hurt anything either).
-
- 03 2月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Curently security labels can be of type 'dynamic' or 'static'. If no security label is given, then 'dynamic' is assumed. The current code takes advantage of this default, and avoids even saving <seclabel> elements with type='dynamic' to disk. This means if you temporarily change security driver, the guests can all still start. With the introduction of sVirt to LXC though, there needs to be a new default of 'none' to allow unconfined LXC containers. This patch introduces two new security label types - default: the host configuration decides whether to run the guest with type 'none' or 'dynamic' at guest start - none: the guest will run unconfined by security policy The 'none' label type will obviously be undesirable for some deployments, so a new qemu.conf option allows a host admin to mandate confined guests. It is also possible to turn off default confinement security_default_confined = 1|0 (default == 1) security_require_confined = 1|0 (default == 0) * src/conf/domain_conf.c, src/conf/domain_conf.h: Add new seclabel types * src/security/security_manager.c, src/security/security_manager.h: Set default sec label types * src/security/security_selinux.c: Handle 'none' seclabel type * src/qemu/qemu.conf, src/qemu/qemu_conf.c, src/qemu/qemu_conf.h, src/qemu/libvirtd_qemu.aug: New security config options * src/qemu/qemu_driver.c: Tell security driver about default config
-