1. 18 12月, 2012 4 次提交
  2. 17 12月, 2012 1 次提交
    • D
      Support custom 'svirt_tcg_t' context for TCG based guests · 77d3a809
      Daniel P. Berrange 提交于
      The current SELinux policy only works for KVM guests, since
      TCG requires the 'execmem' privilege. There is a 'virt_use_execmem'
      boolean to turn this on globally, but that is unpleasant for users.
      This changes libvirt to automatically use a new 'svirt_tcg_t'
      context for TCG based guests. This obsoletes the previous
      boolean tunable and makes things 'just work(tm)'
      
      Since we can't assume we run with new enough policy, I also
      make us log a warning message (once only) if we find the policy
      lacks support. In this case we fallback to the normal label and
      expect users to set the boolean tunable
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      77d3a809
  3. 14 12月, 2012 1 次提交
  4. 28 11月, 2012 1 次提交
    • D
      Fix error handling in virSecurityManagerGetMountOptions · 3f6470f7
      Daniel P. Berrange 提交于
      The impls of virSecurityManagerGetMountOptions had no way to
      return errors, since the code was treating 'NULL' as a success
      value. This is somewhat pointless, since the calling code did
      not want NULL in the first place and has to translate it into
      the empty string "". So change the code so that the impls can
      return "" directly, allowing use of NULL for error reporting
      once again
      Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
      3f6470f7
  5. 02 11月, 2012 1 次提交
  6. 23 10月, 2012 1 次提交
    • C
      selinux: Don't fail RestoreAll if file doesn't have a default label · 767be8be
      Cole Robinson 提交于
      When restoring selinux labels after a VM is stopped, any non-standard
      path that doesn't have a default selinux label causes the process
      to stop and exit early. This isn't really an error condition IMO.
      
      Of course the selinux API could be erroring for some other reason
      but hopefully that's rare enough to not need explicit handling.
      
      Common example here is storing disk images in a non-standard location
      like under /mnt.
      767be8be
  7. 20 10月, 2012 1 次提交
    • E
      storage: use cache to walk backing chain · 38c4a9cc
      Eric Blake 提交于
      We used to walk the backing file chain at least twice per disk,
      once to set up cgroup device whitelisting, and once to set up
      security labeling.  Rather than walk the chain every iteration,
      which possibly includes calls to fork() in order to open root-squashed
      NFS files, we can exploit the cache of the previous patch.
      
      * src/conf/domain_conf.h (virDomainDiskDefForeachPath): Alter
      signature.
      * src/conf/domain_conf.c (virDomainDiskDefForeachPath): Require caller
      to supply backing chain via disk, if recursion is desired.
      * src/security/security_dac.c
      (virSecurityDACSetSecurityImageLabel): Adjust caller.
      * src/security/security_selinux.c
      (virSecuritySELinuxSetSecurityImageLabel): Likewise.
      * src/security/virt-aa-helper.c (get_files): Likewise.
      * src/qemu/qemu_cgroup.c (qemuSetupDiskCgroup)
      (qemuTeardownDiskCgroup): Likewise.
      (qemuSetupCgroup): Pre-populate chain.
      38c4a9cc
  8. 17 10月, 2012 1 次提交
  9. 16 10月, 2012 1 次提交
  10. 15 10月, 2012 1 次提交
    • G
      selinux: add security selinux function to label tapfd · ae368ebf
      Guannan Ren 提交于
      BZ:https://bugzilla.redhat.com/show_bug.cgi?id=851981
      When using macvtap, a character device gets first created by
      kernel with name /dev/tapN, its selinux context is:
      system_u:object_r:device_t:s0
      
      Shortly, when udev gets notification when new file is created
      in /dev, it will then jump in and relabel this file back to the
      expected default context:
      system_u:object_r:tun_tap_device_t:s0
      
      There is a time gap happened.
      Sometimes, it will have migration failed, AVC error message:
      type=AVC msg=audit(1349858424.233:42507): avc:  denied  { read write } for
      pid=19926 comm="qemu-kvm" path="/dev/tap33" dev=devtmpfs ino=131524
      scontext=unconfined_u:system_r:svirt_t:s0:c598,c908
      tcontext=system_u:object_r:device_t:s0 tclass=chr_file
      
      This patch will label the tapfd device before qemu process starts:
      system_u:object_r:tun_tap_device_t:MCS(MCS from seclabel->label)
      ae368ebf
  11. 12 10月, 2012 1 次提交
    • M
      selinux: Use raw contexts · 9674f2c6
      Martin Kletzander 提交于
      We are currently able to work only with non-translated SELinux
      contexts, but we are using functions that work with translated
      contexts throughout the code.  This patch swaps all SELinux context
      translation relative calls with their raw sisters to avoid parsing
      problems.
      
      The problems can be experienced with mcstrans for example.  The
      difference is that if you have translations enabled (yum install
      mcstrans; service mcstrans start), fgetfilecon_raw() will get you
      something like 'system_u:object_r:virt_image_t:s0', whereas
      fgetfilecon() will return 'system_u:object_r:virt_image_t:SystemLow'
      that we cannot parse.
      
      I was trying to confirm that the _raw variants were here since the dawn of
      time, but the only thing I see now is that it was imported together in
      the upstream repo [1] from svn, so before 2008.
      
      Thanks Laurent Bigonville for finding this out.
      
      [1] http://oss.tresys.com/git/selinux.git
      9674f2c6
  12. 11 10月, 2012 1 次提交
  13. 21 9月, 2012 2 次提交
  14. 21 8月, 2012 5 次提交
  15. 14 8月, 2012 3 次提交
  16. 23 7月, 2012 1 次提交
    • O
      Desert the FSF address in copyright · f9ce7dad
      Osier Yang 提交于
      Per the FSF address could be changed from time to time, and GNU
      recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html)
      
        You should have received a copy of the GNU General Public License
        along with Foobar.  If not, see <http://www.gnu.org/licenses/>.
      
      This patch removes the explicit FSF address, and uses above instead
      (of course, with inserting 'Lesser' before 'General').
      
      Except a bunch of files for security driver, all others are changed
      automatically, the copyright for securify files are not complete,
      that's why to do it manually:
      
        src/security/security_selinux.h
        src/security/security_driver.h
        src/security/security_selinux.c
        src/security/security_apparmor.h
        src/security/security_apparmor.c
        src/security/security_driver.c
      f9ce7dad
  17. 21 7月, 2012 3 次提交
  18. 20 7月, 2012 1 次提交
  19. 24 5月, 2012 1 次提交
  20. 16 5月, 2012 5 次提交
  21. 27 3月, 2012 1 次提交
    • M
      Cleanup for a return statement in source files · 9943276f
      Martin Kletzander 提交于
      Return statements with parameter enclosed in parentheses were modified
      and parentheses were removed. The whole change was scripted, here is how:
      
      List of files was obtained using this command:
      git grep -l -e '\<return\s*([^()]*\(([^()]*)[^()]*\)*)\s*;' |             \
      grep -e '\.[ch]$' -e '\.py$'
      
      Found files were modified with this command:
      sed -i -e                                                                 \
      's_^\(.*\<return\)\s*(\(\([^()]*([^()]*)[^()]*\)*\))\s*\(;.*$\)_\1 \2\4_' \
      -e 's_^\(.*\<return\)\s*(\([^()]*\))\s*\(;.*$\)_\1 \2\3_'
      
      Then checked for nonsense.
      
      The whole command looks like this:
      git grep -l -e '\<return\s*([^()]*\(([^()]*)[^()]*\)*)\s*;' |             \
      grep -e '\.[ch]$' -e '\.py$' | xargs sed -i -e                            \
      's_^\(.*\<return\)\s*(\(\([^()]*([^()]*)[^()]*\)*\))\s*\(;.*$\)_\1 \2\4_' \
      -e 's_^\(.*\<return\)\s*(\([^()]*\))\s*\(;.*$\)_\1 \2\3_'
      9943276f
  22. 04 2月, 2012 1 次提交
    • L
      qemu: eliminate "Ignoring open failure" when using root-squash NFS · c18a88ac
      Laine Stump 提交于
      This eliminates the warning message reported in:
      
       https://bugzilla.redhat.com/show_bug.cgi?id=624447
      
      It was caused by a failure to open an image file that is not
      accessible by root (the uid libvirtd is running as) because it's on a
      root-squash NFS share, owned by a different user, with permissions of
      660 (or maybe 600).
      
      The solution is to use virFileOpenAs() rather than open(). The
      codepath that generates the error is during qemuSetupDiskCGroup(), but
      the actual open() is in a lower-level generic function called from
      many places (virDomainDiskDefForeachPath), so some other pieces of the
      code were touched just to add dummy (or possibly useful) uid and gid
      arguments.
      
      Eliminating this warning message has the nice side effect that the
      requested operation may even succeed (which in this case isn't
      necessary, but shouldn't hurt anything either).
      c18a88ac
  23. 03 2月, 2012 1 次提交
    • D
      Add two new security label types · b170eb99
      Daniel P. Berrange 提交于
      Curently security labels can be of type 'dynamic' or 'static'.
      If no security label is given, then 'dynamic' is assumed. The
      current code takes advantage of this default, and avoids even
      saving <seclabel> elements with type='dynamic' to disk. This
      means if you temporarily change security driver, the guests
      can all still start.
      
      With the introduction of sVirt to LXC though, there needs to be
      a new default of 'none' to allow unconfined LXC containers.
      
      This patch introduces two new security label types
      
       - default:  the host configuration decides whether to run the
                   guest with type 'none' or 'dynamic' at guest start
       - none:     the guest will run unconfined by security policy
      
      The 'none' label type will obviously be undesirable for some
      deployments, so a new qemu.conf option allows a host admin to
      mandate confined guests. It is also possible to turn off default
      confinement
      
        security_default_confined = 1|0  (default == 1)
        security_require_confined = 1|0  (default == 0)
      
      * src/conf/domain_conf.c, src/conf/domain_conf.h: Add new
        seclabel types
      * src/security/security_manager.c, src/security/security_manager.h:
        Set default sec label types
      * src/security/security_selinux.c: Handle 'none' seclabel type
      * src/qemu/qemu.conf, src/qemu/qemu_conf.c, src/qemu/qemu_conf.h,
        src/qemu/libvirtd_qemu.aug: New security config options
      * src/qemu/qemu_driver.c: Tell security driver about default
        config
      b170eb99
  24. 26 1月, 2012 1 次提交
    • D
      Introduce new API for generating random numbers · e95ef67b
      Daniel P. Berrange 提交于
      The old virRandom() API was not generating good random numbers.
      Replace it with a new API virRandomBits which instead of being
      told the upper limit, gets told the number of bits of randomness
      required.
      
      * src/util/virrandom.c, src/util/virrandom.h: Add virRandomBits,
        and move virRandomInitialize
      * src/util/util.h, src/util/util.c: Delete virRandom and
        virRandomInitialize
      * src/libvirt.c, src/security/security_selinux.c,
        src/test/test_driver.c, src/util/iohelper.c: Update for
        changes from virRandom to virRandomBits
      * src/storage/storage_backend_iscsi.c: Remove bogus call
        to virRandomInitialize & convert to virRandomBits
      e95ef67b