- 04 December 2013, 1 commit

Committed by Daniel P. Berrange

The SELinux security driver would overwrite errors from the virConfReadFile function.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
- 20 November 2013, 1 commit

Committed by Daniel P. Berrange

For a while we've had random failures of 'securityselinuxtest' which were not at all reproducible. Fortunately we finally caught a failure with VIR_TEST_DEBUG=1 enabled. This revealed

    TEST: securityselinuxtest
     1) GenLabel "dynamic unconfined, s0, c0.c1023" ... OK
     2) GenLabel "dynamic unconfined, s0, c0.c1023" ... OK
     3) GenLabel "dynamic unconfined, s0, c0.c1023" ... OK
     4) GenLabel "dynamic virtd, s0, c0.c1023" ... OK
     5) GenLabel "dynamic virtd, s0, c0.c10" ... OK
     6) GenLabel "dynamic virtd, s2-s3, c0.c1023" ... OK
     7) GenLabel "dynamic virtd, missing range" ... Category two 1024 is out of range 0-1023
    FAILED
    FAIL: securityselinuxtest

And sure enough we had an off-by-1 in the MCS range code when the current process has no range set. The test suite randomly allocates 2 categories from 0->1024 so the chances of hitting this in the test suite were slim indeed :-)

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
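As an added illustration of the bug class in the commit above (this is not libvirt's code, and all function names are my own), the snippet below parses an MCS range such as `s0-s0:c0.c1023` into inclusive category bounds, picks categories strictly inside those bounds, and re-checks every pick against the same bounds before building a label, which is exactly the check that produced the "Category two 1024 is out of range 0-1023" failure. The raw random values are passed in as parameters so the behaviour is deterministic.

```c
/* Added example, not libvirt code: inclusive MCS category ranges. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the category part of an MCS range like "s0-s0:c0.c1023" or
 * "s0:c0.c10" into inclusive bounds. Returns 0 on success, -1 otherwise. */
int mcs_parse_category_range(const char *range, int *cat_min, int *cat_max)
{
    const char *c = strrchr(range, ':');
    if (!c)
        return -1;
    if (sscanf(c + 1, "c%d.c%d", cat_min, cat_max) != 2)
        return -1;
    if (*cat_min < 0 || *cat_max < *cat_min)
        return -1;
    return 0;
}

/* Inclusive range check, the same test that the failing log line applies. */
int mcs_category_in_range(int cat, int cat_min, int cat_max)
{
    return cat >= cat_min && cat <= cat_max;
}

/* Map a raw random value onto [cat_min, cat_max]. The interval has
 * (cat_max - cat_min + 1) members; forgetting the +1, or carrying an
 * exclusive bound (1024) where an inclusive one (1023) is meant, is the
 * off-by-one family the commit describes. */
int mcs_pick_category(unsigned raw, int cat_min, int cat_max)
{
    unsigned span = (unsigned)(cat_max - cat_min) + 1u;
    return cat_min + (int)(raw % span);
}

/* Build "sN:cA,cB" with two distinct categories, lower one first. Returns
 * -1 if the range is unusable or a pick fails the inclusive check. */
int mcs_gen_label(const char *range, unsigned raw1, unsigned raw2,
                  char *out, size_t outlen)
{
    int sens, lo, hi, c1, c2, tmp;

    if (sscanf(range, "s%d", &sens) != 1)
        return -1;
    if (mcs_parse_category_range(range, &lo, &hi) < 0 || lo == hi)
        return -1;

    c1 = mcs_pick_category(raw1, lo, hi);
    c2 = mcs_pick_category(raw2, lo, hi);
    /* Defensive re-check: a generator bug must fail loudly, not emit a bad label. */
    if (!mcs_category_in_range(c1, lo, hi) || !mcs_category_in_range(c2, lo, hi))
        return -1;

    if (c1 == c2)                 /* categories must differ; step c2 within range */
        c2 = (c2 == hi) ? lo : c2 + 1;
    if (c1 > c2) {
        tmp = c1; c1 = c2; c2 = tmp;
    }
    snprintf(out, outlen, "s%d:c%d,c%d", sens, c1, c2);
    return 0;
}

int main(void)
{
    char label[64];
    /* 1024 wraps to 0 instead of leaking out of a 0-1023 range. */
    printf("pick(1024) in c0.c1023 -> c%d\n", mcs_pick_category(1024u, 0, 1023));
    if (mcs_gen_label("s0-s0:c0.c1023", 5u, 1023u, label, sizeof label) == 0)
        printf("%s\n", label);
    return 0;
}
```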
- 31 October 2013, 1 commit

Committed by Eric Blake

To make it easier to forbid future attempts at a confusing typedef name ending in Ptr that isn't actually a pointer, insist that we follow our preferred style of 'typedef foo *fooPtr'.

* cfg.mk (sc_forbid_const_pointer_typedef): Enforce consistent style, to prevent issue fixed in previous storage patch.
* src/conf/capabilities.h (virCapsPtr): Fix offender.
* src/security/security_stack.c (virSecurityStackItemPtr): Likewise.
* tests/qemucapabilitiestest.c (testQemuDataPtr): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 30 October 2013, 2 commits

Committed by John Ferlan

To ensure proper processing by virGetUserID() and virGetGroupID() of a uid/gid, add a "+" prior to the uid/gid to denote it's really a uid/gid for the label.

Committed by Peter Krempa

Commit 64a68a4a introduced a typo in the initialization of the apparmor driver structure, breaking the build with apparmor enabled.
- 29 October 2013, 2 commits

Committed by Giuseppe Scrivano

virSecurityManagerGetBaseLabel queries the default settings used by a security model.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Committed by Giuseppe Scrivano

Merge the functions 'virSecurityDACSetUser' and 'virSecurityDACSetGroup' into 'virSecurityDACSetUserAndGroup'.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
- 15 October 2013, 1 commit

Committed by Eric Blake

'const fooPtr' is the same as 'foo * const' (the pointer won't change, but its contents can). But in general, if an interface is trying to be const-correct, it should be using 'const foo *' (the pointer is to data that can't be changed). Fix up offenders in src/security.

* src/security/security_apparmor.c (reload_profile) (AppArmorSetSecurityHostdevLabelHelper) (AppArmorReleaseSecurityLabel, AppArmorRestoreSecurityAllLabel) (AppArmorSetSecurityProcessLabel) (AppArmorSetSecurityChildProcessLabel) (AppArmorSetSecurityImageLabel, AppArmorSecurityVerify) (AppArmorSetSecurityHostdevLabel) (AppArmorRestoreSecurityHostdevLabel, AppArmorSetFDLabel): Drop needless const.
* src/security/security_selinux.c (virSecuritySELinuxSetSecurityFileLabel): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 01 October 2013, 1 commit
- 04 September 2013, 1 commit

Committed by Michal Privoznik

The @profile_name variable can be used uninitialized.
- 29 August 2013, 1 commit

Committed by Eric Blake

Commit 29fe5d74 (released in 1.1.1) introduced a latent problem for any caller of virSecurityManagerSetProcessLabel where the domain already had a uid:gid label to be parsed. Such a setup would collect the list of supplementary groups during virSecurityManagerPreFork, but then ignores that information, and thus fails to call setgroups() to adjust the supplementary groups of the process.

Upstream does not use virSecurityManagerSetProcessLabel for qemu (it uses virSecurityManagerSetChildProcessLabel instead), so this problem remained latent until backporting the initial commit into v0.10.2-maint (commit c061ff5e, released in 0.10.2.7), where virSecurityManagerSetChildProcessLabel has not been backported. As a result of using a different code path in the backport, attempts to start a qemu domain that runs as qemu:qemu will end up with supplementary groups unchanged from the libvirtd parent process, rather than the desired supplementary groups of the qemu user. This can lead to failure to start a domain (typical Fedora setup assigns user 107 'qemu' to both group 107 'qemu' and group 36 'kvm', so a disk image that is only readable under kvm group rights is locked out). Worse, it is a security hole (the qemu process will inherit supplemental group rights from the parent libvirtd process, which means it has access rights to files owned by group 0 even when such files should not normally be visible to user qemu).

LXC does not use the DAC security driver, so it is not vulnerable at this time. Still, it is better to plug the latent hole on the master branch first, before cherry-picking it to the only vulnerable branch v0.10.2-maint.

* src/security/security_dac.c (virSecurityDACGetIds): Always populate groups and ngroups, rather than only when no label is parsed.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 21 August 2013, 1 commit

Committed by Eric Blake

https://bugzilla.redhat.com/show_bug.cgi?id=924153

Commit 904e05a2 (v0.9.9) added a per-<disk> seclabel element with an attribute relabel='no' in order to try and minimize the impact of shutdown delays when an NFS server disappears. The idea was that if a disk is on NFS and can't be labeled in the first place, there is no need to attempt the (no-op) relabel on domain shutdown. Unfortunately, the way this was implemented was by modifying the domain XML so that the optimization would survive libvirtd restart, but in a way that is indistinguishable from an explicit user setting. Furthermore, once the setting is turned on, libvirt avoids attempts at labeling, even for operations like snapshot or blockcopy where the chain is being extended or pivoted onto non-NFS, where SELinux labeling is once again possible. As a result, it was impossible to do a blockcopy to pivot from an NFS image file onto a local file.

The solution is to separate the semantics of a chain that must not be labeled (which the user can set even on persistent domains) vs. the optimization of not attempting a relabel on cleanup (a live-only annotation), and using only the user's explicit notation rather than the optimization as the decision on whether to skip a label attempt in the first place. When upgrading an older libvirtd to a newer, an NFS volume will still attempt the relabel; but as the avoidance of a relabel was only an optimization, this shouldn't cause any problems.

In the ideal future, libvirt will eventually have XML describing EVERY file in the backing chain, with each file having a separate <seclabel> element. At that point, libvirt will be able to track more closely which files need a relabel attempt at shutdown. But until we reach that point, the single <seclabel> for the entire <disk> chain is treated as a hint - when a chain has only one file, then we know it is accurate; but if the chain has more than one file, we have to attempt relabel in spite of the attribute, in case part of the chain is local and SELinux mattered for that portion of the chain.

* src/conf/domain_conf.h (_virSecurityDeviceLabelDef): Add new member.
* src/conf/domain_conf.c (virSecurityDeviceLabelDefParseXML): Parse it, for live images only. (virSecurityDeviceLabelDefFormat): Output it. (virDomainDiskDefParseXML, virDomainChrSourceDefParseXML) (virDomainDiskSourceDefFormat, virDomainChrDefFormat) (virDomainDiskDefFormat): Pass flags on through.
* src/security/security_selinux.c (virSecuritySELinuxRestoreSecurityImageLabelInt): Honor labelskip when possible. (virSecuritySELinuxSetSecurityFileLabel): Set labelskip, not norelabel, if labeling fails. (virSecuritySELinuxSetFileconHelper): Fix indentation.
* docs/formatdomain.html.in (seclabel): Document new xml.
* docs/schemas/domaincommon.rng (devSeclabel): Allow it in RNG.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-*-labelskip.xml:
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-*-labelskip.args:
* tests/qemuxml2xmloutdata/qemuxml2xmlout-seclabel-*-labelskip.xml: New test files.
* tests/qemuxml2argvtest.c (mymain): Run the new tests.
* tests/qemuxml2xmltest.c (mymain): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 24 July 2013, 1 commit

Committed by Martin Kletzander

Parsing 'user:group' is useful even outside the DAC security driver, so expose the most abstract function which has no DAC security driver bits in itself.
- 19 July 2013, 3 commits

Committed by Eric Blake

Attempts to start a domain with both SELinux and DAC security modules loaded will deadlock; latent problem introduced in commit fdb3bde3 and exposed in commit 29fe5d74. Basically, when recursing into the security manager for other drivers' prefork, we have to undo the asymmetric lock taken at the manager level.

Reported by Jiri Denemark, with diagnosis help from Dan Berrange.

* src/security/security_stack.c (virSecurityStackPreFork): Undo extra lock grabbed during recursion.

Signed-off-by: Eric Blake <eblake@redhat.com>

Committed by Eric Blake

Commit 75c12564 states that virGetGroupList must not be called between fork and exec, then commit ee777e99 promptly violated that for lxc's use of virSecurityManagerSetProcessLabel. Hoist the supplemental group detection to the time that the security manager needs to fork. Qemu is safe, as it uses virSecurityManagerSetChildProcessLabel which in turn uses virCommand to determine supplemental groups.

This does not fix the fact that virSecurityManagerSetProcessLabel calls virSecurityDACParseIds calls parseIds which eventually calls getpwnam_r, which also violates fork/exec async-signal-safe safety rules, but so far no one has complained of hitting deadlock in that case.

* src/security/security_dac.c (_virSecurityDACData): Track groups in private data. (virSecurityDACPreFork): New function, to set them. (virSecurityDACClose): Clean up new fields. (virSecurityDACGetIds): Alter signature. (virSecurityDACSetSecurityHostdevLabelHelper) (virSecurityDACSetChardevLabel, virSecurityDACSetProcessLabel) (virSecurityDACSetChildProcessLabel): Update callers.

Signed-off-by: Eric Blake <eblake@redhat.com>

Committed by Eric Blake

A future patch wants the DAC security manager to be able to safely get the supplemental group list for a given uid, but at the time of a fork rather than during initialization so as to pick up on live changes to the system's group database. This patch adds the framework, including the possibility of a pre-fork callback failing.

For now, any driver that implements a prefork callback must be robust against the possibility of being part of a security stack where a later element in the chain fails prefork. This means that drivers cannot do any action that requires a call to postfork for proper cleanup (no grabbing a mutex, for example). If this is too prohibitive in the future, we would have to switch to a transactioning sequence, where each driver has (up to) 3 callbacks: PreForkPrepare, PreForkCommit, and PreForkAbort, to either clean up or commit changes made during prepare.

* src/security/security_driver.h (virSecurityDriverPreFork): New callback.
* src/security/security_manager.h (virSecurityManagerPreFork): Change signature.
* src/security/security_manager.c (virSecurityManagerPreFork): Optionally call into driver, and allow returning failure.
* src/security/security_stack.c (virSecurityDriverStack): Wrap the handler for the stack driver.
* src/qemu/qemu_process.c (qemuProcessStart): Adjust caller.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 17 July 2013, 1 commit

Committed by Michal Privoznik

While generating seclabels, we check the seclabel stack if the required driver is in the stack. If not, an error is returned. However, it is possible for a seclabel to not have any model set (happens with LXC domains that have just <seclabel type='none'>). If that's the case, we should just skip the iteration instead of calling STREQ(NULL, ...) and SIGSEGV-ing subsequently.
- 12 July 2013, 1 commit

Committed by Eric Blake

https://bugzilla.redhat.com/show_bug.cgi?id=964358

POSIX states that multi-threaded apps should not use functions that are not async-signal-safe between fork and exec, yet we were using getpwuid_r and initgroups. Although rare, it is possible to hit deadlock in the child, when it tries to grab a mutex that was already held by another thread in the parent. I actually hit this deadlock when testing multiple domains being started in parallel with a command hook, with the following backtrace in the child:

    Thread 1 (Thread 0x7fd56bbf2700 (LWP 3212)):
    #0  __lll_lock_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
    #1  0x00007fd5761e7388 in _L_lock_854 () from /lib64/libpthread.so.0
    #2  0x00007fd5761e7257 in __pthread_mutex_lock (mutex=0x7fd56be00360) at pthread_mutex_lock.c:61
    #3  0x00007fd56bbf9fc5 in _nss_files_getpwuid_r (uid=0, result=0x7fd56bbf0c70, buffer=0x7fd55c2a65f0 "", buflen=1024, errnop=0x7fd56bbf25b8) at nss_files/files-pwd.c:40
    #4  0x00007fd575aeff1d in __getpwuid_r (uid=0, resbuf=0x7fd56bbf0c70, buffer=0x7fd55c2a65f0 "", buflen=1024, result=0x7fd56bbf0cb0) at ../nss/getXXbyYY_r.c:253
    #5  0x00007fd578aebafc in virSetUIDGID (uid=0, gid=0) at util/virutil.c:1031
    #6  0x00007fd578aebf43 in virSetUIDGIDWithCaps (uid=0, gid=0, capBits=0, clearExistingCaps=true) at util/virutil.c:1388
    #7  0x00007fd578a9a20b in virExec (cmd=0x7fd55c231f10) at util/vircommand.c:654
    #8  0x00007fd578a9dfa2 in virCommandRunAsync (cmd=0x7fd55c231f10, pid=0x0) at util/vircommand.c:2247
    #9  0x00007fd578a9d74e in virCommandRun (cmd=0x7fd55c231f10, exitstatus=0x0) at util/vircommand.c:2100
    #10 0x00007fd56326fde5 in qemuProcessStart (conn=0x7fd53c000df0, driver=0x7fd55c0dc4f0, vm=0x7fd54800b100, migrateFrom=0x0, stdin_fd=-1, stdin_path=0x0, snapshot=0x0, vmop=VIR_NETDEV_VPORT_PROFILE_OP_CREATE, flags=1) at qemu/qemu_process.c:3694
    ...

The solution is to split the work of getpwuid_r/initgroups into the unsafe portions (getgrouplist, called pre-fork) and safe portions (setgroups, called post-fork).

* src/util/virutil.h (virSetUIDGID, virSetUIDGIDWithCaps): Adjust signature.
* src/util/virutil.c (virSetUIDGID): Add parameters. (virSetUIDGIDWithCaps): Adjust clients.
* src/util/vircommand.c (virExec): Likewise.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked) (virDirCreate): Likewise.
* src/security/security_dac.c (virSecurityDACSetProcessLabel): Likewise.
* src/lxc/lxc_container.c (lxcContainerSetID): Likewise.
* configure.ac (AC_CHECK_FUNCS_ONCE): Check for setgroups, not initgroups.

Signed-off-by: Eric Blake <eblake@redhat.com>
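The pre-fork / post-fork split that this commit (and the 19 July prefork-callback commits above) describe, written out as a stand-alone added example. It is not libvirt's code and the names (`ids_prepare`, `ids_apply`, `struct forked_ids`) are my own: everything that may take an NSS lock or allocate memory (getpwuid_r, getgrouplist, malloc) runs in the parent before fork(), and the child only calls async-signal-safe functions (setgroups, setgid, setuid, execve, _exit). As in the commit's design, a uid with no passwd entry falls back to its primary gid alone rather than failing.

```c
/* Added example, not libvirt code: resolve ids before fork, apply after. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Explicit prototypes so the example builds even under a strict -std=
 * that hides the BSD/GNU declarations in <grp.h>. */
int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);
int setgroups(size_t size, const gid_t *list);

struct forked_ids {
    uid_t uid;
    gid_t gid;
    gid_t *groups;    /* supplementary groups, resolved pre-fork */
    int ngroups;
};

/* Pre-fork, parent side. Performs the NSS lookups and allocations that
 * are NOT async-signal-safe. Falls back to {gid} when the uid has no
 * passwd entry. Returns 0 on success, -1 on allocation failure. */
int ids_prepare(uid_t uid, gid_t gid, struct forked_ids *ids)
{
    struct passwd pw, *res = NULL;
    char buf[4096];
    int n = 16;

    memset(ids, 0, sizeof *ids);
    ids->uid = uid;
    ids->gid = gid;

    if (getpwuid_r(uid, &pw, buf, sizeof buf, &res) != 0 || res == NULL) {
        ids->groups = malloc(sizeof(gid_t));
        if (!ids->groups)
            return -1;
        ids->groups[0] = gid;
        ids->ngroups = 1;
        return 0;
    }

    ids->groups = malloc((size_t)n * sizeof(gid_t));
    if (!ids->groups)
        return -1;
    /* getgrouplist returns -1 and stores the needed count in n when the
     * buffer is too small; grow and retry until it fits. */
    while (getgrouplist(pw.pw_name, gid, ids->groups, &n) == -1) {
        gid_t *bigger = realloc(ids->groups, (size_t)n * sizeof(gid_t));
        if (!bigger) {
            free(ids->groups);
            ids->groups = NULL;
            return -1;
        }
        ids->groups = bigger;
    }
    ids->ngroups = n;
    return 0;
}

/* Post-fork, child side: async-signal-safe calls only. No logging here,
 * since even fprintf may take a lock the parent's other threads hold.
 * Order matters: drop groups, then gid, then uid. Needs CAP_SETGID/SETUID. */
int ids_apply(const struct forked_ids *ids)
{
    if (setgroups((size_t)ids->ngroups, ids->groups) < 0)
        return -1;
    if (setgid(ids->gid) < 0)
        return -1;
    if (setuid(ids->uid) < 0)
        return -1;
    return 0;
}

/* Does the prepared list contain gid? (used for checks in the parent) */
int ids_has_group(const struct forked_ids *ids, gid_t gid)
{
    for (int i = 0; i < ids->ngroups; i++)
        if (ids->groups[i] == gid)
            return 1;
    return 0;
}

void ids_free(struct forked_ids *ids)
{
    free(ids->groups);
    ids->groups = NULL;
    ids->ngroups = 0;
}

int main(void)
{
    struct forked_ids ids;
    int status = 0;
    pid_t pid;

    if (ids_prepare(getuid(), getgid(), &ids) < 0) {
        perror("ids_prepare");
        return 1;
    }
    printf("resolved %d supplementary group(s) before fork\n", ids.ngroups);

    pid = fork();
    if (pid == 0) {
        /* Child: only async-signal-safe work. Unprivileged runs skip the
         * id change (setgroups needs CAP_SETGID) but keep the exec path. */
        if (geteuid() == 0 && ids_apply(&ids) < 0)
            _exit(127);
        execl("/bin/true", "true", (char *)NULL);
        _exit(127);
    }
    if (pid > 0)
        waitpid(pid, &status, 0);
    ids_free(&ids);
    return (pid > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : 1;
}
```

The parent keeps `ids` alive until the child has exec'd or exited; the child never frees or allocates, so the list must be fully built before `fork()`.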
- 11 July 2013, 1 commit

Committed by Daniel P. Berrange

Convert the type of loop iterators named 'i', 'j', 'k', 'ii', 'jj', 'kk' to be 'size_t' instead of 'int' or 'unsigned int', also sanitizing 'ii', 'jj', 'kk' to use the normal 'i', 'j', 'k' naming.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
- 10 July 2013, 2 commits

Committed by Michal Privoznik

Committed by Michal Privoznik

Similarly to VIR_STRDUP, we want the OOM error to be reported in VIR_ALLOC and friends.
- 08 July 2013, 2 commits

Committed by Peter Krempa

The imagelabel SELinux label was only generated when relabeling was enabled. This prohibited labeling of files created by libvirt that need to be labeled even if relabeling is turned off. The only codepath this change has direct impact on is labeling of FDs passed to qemu, which is always safe in the current state.

Committed by Peter Krempa
- 26 June 2013, 1 commit

Committed by Laine Stump

I realized after the fact that it's probably better in the long run to give this function a name that matches the name of the link used in sysfs to hold the group (iommu_group). I'm changing it now because I'm about to add several more functions that deal with iommu groups.
- 11 June 2013, 1 commit

Committed by Ján Tomko

This fixes a crash: https://bugzilla.redhat.com/show_bug.cgi?id=969878
- 28 May 2013, 1 commit

Committed by Eric Blake

I noticed several unusual spacings in for loops, and decided to fix them up. See the next commit for the syntax check that found all of these.

* examples/domsuspend/suspend.c (main): Fix spacing.
* python/libvirt-override.c: Likewise.
* src/conf/interface_conf.c: Likewise.
* src/security/virt-aa-helper.c: Likewise.
* src/util/virconf.c: Likewise.
* src/util/virhook.c: Likewise.
* src/util/virlog.c: Likewise.
* src/util/virsocketaddr.c: Likewise.
* src/util/virsysinfo.c: Likewise.
* src/util/viruuid.c: Likewise.
* src/vbox/vbox_tmpl.c: Likewise.
* src/xen/xen_hypervisor.c: Likewise.
* tools/virsh-domain-monitor.c (vshDomainStateToString): Drop default case, to let compiler check us.
* tools/virsh-domain.c (vshDomainVcpuStateToString): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
- 24 May 2013, 1 commit

Committed by Osier Yang

Pushed under trivial rule.
- 23 May 2013, 1 commit

Committed by Michal Privoznik
- 21 May 2013, 1 commit

Committed by Osier Yang
- 13 May 2013, 2 commits

Committed by Michal Privoznik

After introducing AppArmorSetSecuritySCSILabel() in 2691cd5f we are using the virSCSIDevicePtr type without the proper include.

Committed by Osier Yang

To not introduce more redundant code, helpers are added for the "selinux", "dac", and "apparmor" backends.

Signed-off-by: Han Cheng <hanc.fnst@cn.fujitsu.com>
Signed-off-by: Osier Yang <jyang@redhat>

v2.5 - v3:
* Split from 8/10 of v2.5
* Don't forget the other backends (DAC, and apparmor)
- 11 May 2013, 1 commit

Committed by Laine Stump

These all existed before virfile.c was created, and for some reason weren't moved. This is mostly straightforward, although the syntax rule prohibiting write() had to be changed to have an exception for virfile.c instead of virutil.c.

This movement pointed out that there is a function called virBuildPath(), and another almost identical function called virFileBuildPath(). They really should be a single function, which I'll take care of as soon as I figure out what the arglist should look like.
- 10 May 2013, 1 commit

Committed by Daniel P. Berrange

Some of the apparmor code files did not follow the normal goto label naming practices.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
- 07 May 2013, 1 commit

Committed by Ján Tomko

Use virBufferAddLit or virBufferAddChar instead.
- 02 May 2013, 1 commit

Committed by Michal Privoznik

The source code base needs to be adapted as well. Some files include virutil.h just for the string related functions (here, the include is substituted to match the new file), some include virutil.h without any need (here, the include is removed), and some require both.
- 30 April 2013, 1 commit

Committed by Laine Stump

If virPCIDeviceGetVFIOGroupDev() failed, virSecurity*(Set|Restore)HostdevLabel() would fail to free a virPCIDevice that had been allocated. These leaks were all introduced (by me) very recently, in commit f0bd70a9.
- 27 April 2013, 1 commit

Committed by Laine Stump

This isn't strictly speaking a bugfix, but I realized I'd gotten a bit too verbose when I chose the names for VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_*. This shortens them all a bit.
- 26 April 2013, 2 commits

Committed by Laine Stump

Legacy kvm style pci device assignment requires changes to the labelling of several sysfs files for each device, but for vfio device assignment, the only thing that needs to be relabelled/chowned is the "group" device for the group that contains the device to be assigned.

Committed by Laine Stump

There will soon be other items related to pci hostdevs that need to be in the same part of the hostdevsubsys union as the pci address (which is currently a single member called "pci"). This patch replaces the single member named pci with a struct named pci that contains a single member named "addr".
- 24 April 2013, 1 commit

Committed by Peter Krempa

Since cbe67ff9 virSecuritySELinuxGenNewContext reports good error messages. Fix callers that mask the errors with a generic error message.