- 08 2月, 2012 1 次提交
-
-
由 Jiri Denemark 提交于
In case the caller specifies that confined guests are required but the security driver turns out to be 'none', we should return an error since this driver clearly cannot meet that requirement. As a result of this error, libvirtd fails to start when the host admin explicitly sets confined guests are required but there is no security driver available. Since security driver 'none' cannot create confined guests, we override default confined setting so that hypervisor drivers do not thing they should create confined guests.
-
- 03 2月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
Curently security labels can be of type 'dynamic' or 'static'. If no security label is given, then 'dynamic' is assumed. The current code takes advantage of this default, and avoids even saving <seclabel> elements with type='dynamic' to disk. This means if you temporarily change security driver, the guests can all still start. With the introduction of sVirt to LXC though, there needs to be a new default of 'none' to allow unconfined LXC containers. This patch introduces two new security label types - default: the host configuration decides whether to run the guest with type 'none' or 'dynamic' at guest start - none: the guest will run unconfined by security policy The 'none' label type will obviously be undesirable for some deployments, so a new qemu.conf option allows a host admin to mandate confined guests. It is also possible to turn off default confinement security_default_confined = 1|0 (default == 1) security_require_confined = 1|0 (default == 0) * src/conf/domain_conf.c, src/conf/domain_conf.h: Add new seclabel types * src/security/security_manager.c, src/security/security_manager.h: Set default sec label types * src/security/security_selinux.c: Handle 'none' seclabel type * src/qemu/qemu.conf, src/qemu/qemu_conf.c, src/qemu/qemu_conf.h, src/qemu/libvirtd_qemu.aug: New security config options * src/qemu/qemu_driver.c: Tell security driver about default config
-
- 11 1月, 2012 1 次提交
-
-
由 Daniel P. Berrange 提交于
When sVirt is integrated with the LXC driver, it will be neccessary to invoke the security driver APIs using only a virDomainDefPtr since the lxc_container.c code has no virDomainObjPtr available. Aside from two functions which want obj->pid, every bit of the security driver code only touches obj->def. So we don't need to pass a virDomainObjPtr into the security drivers, a virDomainDefPtr is sufficient. Two functions also gain a 'pid_t pid' argument. * src/qemu/qemu_driver.c, src/qemu/qemu_hotplug.c, src/qemu/qemu_migration.c, src/qemu/qemu_process.c, src/security/security_apparmor.c, src/security/security_dac.c, src/security/security_driver.h, src/security/security_manager.c, src/security/security_manager.h, src/security/security_nop.c, src/security/security_selinux.c, src/security/security_stack.c: Change all security APIs to use a virDomainDefPtr instead of virDomainObjPtr
-
- 31 8月, 2011 1 次提交
-
-
由 Daniel P. Berrange 提交于
The virSecurityManagerSetProcessFDLabel method was introduced after a mis-understanding from a conversation about SELinux socket labelling. The virSecurityManagerSetSocketLabel method should have been used for all such scenarios. * src/security/security_apparmor.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_manager.c, src/security/security_manager.h, src/security/security_selinux.c, src/security/security_stack.c: Remove SetProcessFDLabel driver
-
- 26 8月, 2011 2 次提交
-
-
由 Jiri Denemark 提交于
This API labels all sockets created until ClearSocketLabel is called in a way that a vm can access them (i.e., they are labeled with svirt_t based label in SELinux).
-
由 Jiri Denemark 提交于
The APIs are designed to label a socket in a way that the libvirt daemon itself is able to access it (i.e., in SELinux the label is virtd_t based as opposed to svirt_* we use for labeling resources that need to be accessed by a vm). The new name reflects this.
-
- 28 6月, 2011 2 次提交
-
-
由 Daniel P. Berrange 提交于
Add a new security driver method for labelling an FD with the process label, rather than the image label * src/libvirt_private.syms, src/security/security_apparmor.c, src/security/security_dac.c, src/security/security_driver.h, src/security/security_manager.c, src/security/security_manager.h, src/security/security_selinux.c, src/security/security_stack.c: Add virSecurityManagerSetProcessFDLabel & impl
-
由 Daniel P. Berrange 提交于
The virSecurityManagerSetFDLabel method is used to label file descriptors associated with disk images. There will shortly be a need to label other file descriptors in a different way. So the current name is ambiguous. Rename the method to virSecurityManagerSetImageFDLabel to clarify its purpose * src/libvirt_private.syms, src/qemu/qemu_migration.c, src/qemu/qemu_process.c, src/security/security_apparmor.c, src/security/security_dac.c, src/security/security_driver.h, src/security/security_manager.c, src/security/security_manager.h, src/security/security_selinux.c, src/security/security_stack.c: s/FDLabel/ImageFDLabel/
-
- 02 6月, 2011 1 次提交
-
-
由 Eric Blake 提交于
Regression introduced in commit d6623003 (v0.8.8) - using the wrong sizeof operand meant that security manager private data was overlaying the allowDiskFormatProbing member of struct _virSecurityManager. This reopens disk probing, which was supposed to be prevented by the solution to CVE-2010-2238. * src/security/security_manager.c (virSecurityManagerGetPrivateData): Use correct offset.
-
- 26 1月, 2011 1 次提交
-
-
由 Laine Stump 提交于
A need was found to set the SELinux context label on an open fd (a pipe, as a matter of fact). This patch adds a function to the security driver API that will set the label on an open fd to secdef.label. For all drivers other than the SELinux driver, it's a NOP. For the SElinux driver, it calls fsetfilecon(). If the return is a failure, it only returns error up to the caller if 1) the desired label is different from the existing label, 2) the destination fd is of a type that supports setting the selinux context, and 3) selinux is in enforcing mode. Otherwise it will return success. This follows the pattern of the existing function SELinuxSetFilecon().
-
- 22 1月, 2011 1 次提交
-
-
由 Daniel P. Berrange 提交于
If the XML security model is NULL, it is assumed that the current model will be used with dynamic labelling. The verify step is meaningless and potentially crashes if dereferencing NULL * src/security/security_manager.c: Skip NULL model on verify
-
- 11 1月, 2011 1 次提交
-
-
由 Daniel P. Berrange 提交于
The current security driver usage requires horrible code like if (driver->securityDriver && driver->securityDriver->domainSetSecurityHostdevLabel && driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver, vm, hostdev) < 0) This pair of checks for NULL clutters up the code, making the driver calls 2 lines longer than they really need to be. The goal of the patchset is to change the calling convention to simply if (virSecurityManagerSetHostdevLabel(driver->securityDriver, vm, hostdev) < 0) The first check for 'driver->securityDriver' being NULL is removed by introducing a 'no op' security driver that will always be present if no real driver is enabled. This guarentees driver->securityDriver != NULL. The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel' being non-NULL is hidden in a new abstraction called virSecurityManager. This separates the driver callbacks, from main internal API. The addition of a virSecurityManager object, that is separate from the virSecurityDriver struct also allows for security drivers to carry state / configuration information directly. Thus the DAC/Stack drivers from src/qemu which used to pull config from 'struct qemud_driver' can now be moved into the 'src/security' directory and store their config directly. * src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to use new virSecurityManager APIs * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h: Move into src/security directory * src/security/security_stack.c, src/security/security_stack.h, src/security/security_dac.c, src/security/security_dac.h: Generic versions of previous QEMU specific drivers * src/security/security_apparmor.c, src/security/security_apparmor.h, src/security/security_driver.c, src/security/security_driver.h, src/security/security_selinux.c, src/security/security_selinux.h: Update to take virSecurityManagerPtr object as the first param in all callbacks * src/security/security_nop.c, src/security/security_nop.h: Stub implementation of all security driver APIs. * src/security/security_manager.h, src/security/security_manager.c: New internal API for invoking security drivers * src/libvirt.c: Add missing debug for security APIs
-