- 17 1月, 2017 1 次提交
-
-
由 Erik Skultety 提交于
The problem is in the way how the list item is created prior to appending it to the transaction list - the @path attribute is just a shallow copy instead of deep copy of the hostdev device's path. Unfortunately, the hostdev devices from which the @path is extracted, in order to add them into the transaction list, are only temporary and freed before the buildup of the qemu namespace, thus making the @path attribute in the transaction list NULL, causing 'permission denied' or 'double free' or 'unknown cause' errors. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1413773Signed-off-by: NErik Skultety <eskultet@redhat.com>
-
- 11 1月, 2017 1 次提交
-
-
由 Michal Privoznik 提交于
There are still some systems out there that have broken setfilecon*() prototypes. Instead of taking 'const char *tcon' it is taking 'char *tcon'. The function should just set the context, not modify it. We had been bitten with this problem before which resulted in 292d3f2d and subsequently b109c097. However, with one my latest commits (4674fc6a) I've changed the type of @tcon variable to 'const char *' which results in build failure on the systems from above. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 10 1月, 2017 4 次提交
-
-
由 Michal Privoznik 提交于
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
With our new qemu namespace code in place, the relabelling of devices is done not as good is it could: a child process is spawned, it enters the mount namespace of the qemu process and then runs desired API of the security driver. Problem with this approach is that internal state transition of the security driver done in the child process is not reflected in the parent process. While currently it wouldn't matter that much, it is fairly easy to forget about that. We should take the extra step now while this limitation is still fresh in our minds. Three new APIs are introduced here: virSecurityManagerTransactionStart() virSecurityManagerTransactionCommit() virSecurityManagerTransactionAbort() The Start() is going to be used to let security driver know that we are starting a new transaction. During a transaction no security labels are actually touched, but rather recorded and only at Commit() phase they are actually updated. Should something go wrong Abort() aborts the transaction freeing up all memory allocated by transaction. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
The code at the very bottom of the DAC secdriver that calls chown() should be fine with read-only data. If something needs to be prepared it should have been done beforehand. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 09 1月, 2017 1 次提交
-
-
由 Michal Privoznik 提交于
It doesn't make much sense to have two different prefix for functions within the same driver. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 08 12月, 2016 1 次提交
-
-
由 Michal Privoznik 提交于
Since its introduction in 2012 this internal API did nothing. Moreover we have the same API that does exactly the same: virSecurityManagerDomainSetPathLabel. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 30 11月, 2016 1 次提交
-
-
由 Christian Ehrhardt 提交于
When virt-aa-helper parses xml content it can fail on security labels. It fails by requiring to parse active domain content on seclabels that are not yet filled in. Testcase with virt-aa-helper on a minimal xml: $ cat << EOF > /tmp/test.xml <domain type='kvm'> <name>test-seclabel</name> <uuid>12345678-9abc-def1-2345-6789abcdef00</uuid> <memory unit='KiB'>1</memory> <os><type arch='x86_64'>hvm</type></os> <seclabel type='dynamic' model='apparmor' relabel='yes'/> <seclabel type='dynamic' model='dac' relabel='yes'/> </domain> EOF $ /usr/lib/libvirt/virt-aa-helper -d -r -p 0 \ -u libvirt-12345678-9abc-def1-2345-6789abcdef00 < /tmp/test.xml Current Result: virt-aa-helper: error: could not parse XML virt-aa-helper: error: could not get VM definition Expected Result is a valid apparmor profile Signed-off-by: NChristian Ehrhardt <christian.ehrhardt@canonical.com> Signed-off-by: NGuido Günther <agx@sigxcpu.org>
-
- 25 11月, 2016 2 次提交
-
-
由 Eric Farman 提交于
Ensure that the vhost-scsi wwpn information is passed to the different security policies. Signed-off-by: NEric Farman <farman@linux.vnet.ibm.com>
-
由 Eric Farman 提交于
We already have a "scsi" hostdev subsys type, which refers to a single LUN that is passed through to a guest. But what of things where multiple LUNs are passed through via a single SCSI HBA, such as with the vhost-scsi target? Create a new hostdev subsys type that will carry this. Signed-off-by: NEric Farman <farman@linux.vnet.ibm.com>
-
- 12 11月, 2016 1 次提交
-
-
由 Eric Farman 提交于
As was suggested in an earlier review comment[1], we can catch some additional code points by cleaning up how we use the hostdev subsystem type in some switch statements. [1] End of https://www.redhat.com/archives/libvir-list/2016-September/msg00399.htmlSigned-off-by: NEric Farman <farman@linux.vnet.ibm.com> Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
-
- 24 10月, 2016 1 次提交
-
-
由 John Ferlan 提交于
Use a pointer and the virDomainChrSourceDefNew() function in order to allocate the structure for _virDomainSmartcardDef. Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
-
- 22 10月, 2016 1 次提交
-
-
由 John Ferlan 提交于
Change the virDomainChrDef to use a pointer to 'source' and allocate that pointer during virDomainChrDefNew. This has tremendous "fallout" in the rest of the code which mainly has to change source.$field to source->$field. Signed-off-by: NJohn Ferlan <jferlan@redhat.com>
-
- 26 9月, 2016 1 次提交
-
-
由 Michal Privoznik 提交于
We want to pass the proper opaque pointer instead of NULL to virDomainDefParse and subsequently virDomainDefParseNode too. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 08 9月, 2016 2 次提交
-
-
由 Julio Faracco 提交于
There is an issue with a wrong label inside vah_add_path(). The compilation fails with the error: make[3]: Entering directory '/tmp/libvirt/src' CC security/virt_aa_helper-virt-aa-helper.o security/virt-aa-helper.c: In function 'vah_add_path': security/virt-aa-helper.c:769:9: error: label 'clean' used but not defined goto clean; This patch moves 'clean' label to 'cleanup' label. Signed-off-by: NJulio Faracco <jcfaracco@gmail.com>
-
由 Rufo Dogav 提交于
This patch fixes a segfault in virt-aa-helper caused by attempting to modify a static string literal. It is triggered when a domain has a <filesystem> with type='mount' configured read-only and libvirt is using the AppArmor security driver for sVirt confinement. An "R" is passed into the function and converted to 'r'.
-
- 22 7月, 2016 1 次提交
-
-
由 Guido Günther 提交于
-
- 19 7月, 2016 2 次提交
-
-
由 Cédric Bosdonnat 提交于
Better fix replacing c726af2d: introducing an 'R' permission to add read rule, but no explicit deny write rule.
-
由 Julio Faracco 提交于
The commit da665fbd introduced virStorageSourcePtr inside the structure _virDomainFSDef. This is causing an error when libvirt is being compiled. make[3]: Entering directory `/media/julio/8d65c59c-6ade-4740-9cdc-38016a4cb8ae /home/julio/Desktop/virt/libvirt/src' CC security/virt_aa_helper-virt-aa-helper.o security/virt-aa-helper.c: In function 'get_files': security/virt-aa-helper.c:1087:13: error: passing argument 2 of 'vah_add_path' from incompatible pointer type [-Werror] if (vah_add_path(&buf, fs->src, "rw", true) != 0) ^ security/virt-aa-helper.c:732:1: note: expected 'const char *' but argument is of type 'virStorageSourcePtr' vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursive) ^ cc1: all warnings being treated as errors Adding the attribute "path" from virStorageSourcePtr fixes this issue. Signed-off-by: NJulio Faracco <jcfaracco@gmail.com>
-
- 12 7月, 2016 1 次提交
-
-
由 Daniel P. Berrange 提交于
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>
-
- 09 6月, 2016 2 次提交
-
-
由 Pavel Hrdina 提交于
VNC graphics already supports sockets but only via 'socket' attribute. This patch coverts that attribute into listen type 'socket'. For backward compatibility we need to handle listen type 'socket' and 'socket' attribute properly to support old XMLs and new XMLs. If both are provided they have to match, if only one of them is provided we need to be able to parse that configuration too. To not break migration back to old libvirt if the socket is provided by user we need to generate migratable XML without the listen element and use only 'socket' attribute. Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
-
由 Pavel Hrdina 提交于
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
-
- 07 6月, 2016 1 次提交
-
-
由 Peter Krempa 提交于
Until now we weren't able to add checks that would reject configuration once accepted by the parser. This patch adds a new callback and infrastructure to add such checks. In this patch all the places where rejecting a now-invalid configuration wouldn't be a good idea are marked with a new parser flag.
-
- 25 5月, 2016 1 次提交
-
-
由 Ján Tomko 提交于
Add support for the slic_table to the security drivers.
-
- 13 5月, 2016 1 次提交
-
-
由 Pavel Hrdina 提交于
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
-
- 20 4月, 2016 1 次提交
-
-
由 Simon Arlott 提交于
The VM does not need read permission for its own VNC socket to create(), bind(), accept() connections or to receive(), send(), etc. on connections. https://bugzilla.redhat.com/show_bug.cgi?id=1312573
-
- 19 4月, 2016 1 次提交
-
-
由 Martin Kletzander 提交于
It already labels abritrary paths, so it's just the naming that was wrong. Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
-
- 15 4月, 2016 1 次提交
-
-
由 Cole Robinson 提交于
Take setlocale/gettext error handling pattern from tools/virsh-* and use it for all standalone binaries via a new shared virGettextInitialize routine. The virsh* pattern differed slightly from other callers. All users now consistently: * Ignore setlocale errors. virsh has done this forever, presumably for good reason. This has been partially responsible for some bug reports: https://bugzilla.redhat.com/show_bug.cgi?id=1312688 https://bugzilla.redhat.com/show_bug.cgi?id=1026514 https://bugzilla.redhat.com/show_bug.cgi?id=1016158 * Report the failed function name * Report strerror
-
- 11 4月, 2016 1 次提交
-
-
由 Pavel Hrdina 提交于
fdstream.c: In function 'virFDStreamWrite': fdstream.c:390:29: error: logical 'or' of equal expressions [-Werror=logical-op] if (errno == EAGAIN || errno == EWOULDBLOCK) { ^~ Fedora rawhide now uses gcc 6.0 and there is a bug with -Wlogical-op producing false warnings. https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69602 Use GCC pragma push/pop and ignore -Wlogical-op for GCC that supports push/pop pragma and also has this bug. Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
-
- 02 4月, 2016 1 次提交
-
-
由 Guido Günther 提交于
The directory name changed in a89f05ba. This unbreaks launching QEMU/KVM VMs with apparmor enabled. It also adds the directory for the qemu guest-agent socket which is not known when parsing the domain XML.
-
- 20 2月, 2016 1 次提交
-
-
由 Laurent Bigonville 提交于
-
- 04 2月, 2016 1 次提交
-
-
由 Peter Krempa 提交于
Few build breaking mistakes in less-popular parts of our code.
-
- 03 2月, 2016 1 次提交
-
-
由 Martin Kletzander 提交于
Since commit 71408079 we are generating socket path later than before -- when starting a domain. That makes one particular inconsistent state of a chardev, which was not possible before, currently valid. However, SELinux security driver forgot to guard the main restoring function by a check for NULL-paths. So make it no-op for NULL paths, as in the DAC driver. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1300532Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>
-
- 15 1月, 2016 2 次提交
-
-
由 Jiri Denemark 提交于
A device tree binary file specified by /domain/os/dtb element is a read-only resource similar to kernel and initrd files. We shouldn't restore its label when destroying a domain to avoid breaking other domains configure with the same device tree. Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
-
由 Jiri Denemark 提交于
Kernel/initrd files are essentially read-only shareable images and thus should be handled in the same way. We already use the appropriate label for kernel/initrd files when starting a domain, but when a domain gets destroyed we would remove the labels which would make other running domains using the same files very unhappy. https://bugzilla.redhat.com/show_bug.cgi?id=921135Signed-off-by: NJiri Denemark <jdenemar@redhat.com>
-
- 14 1月, 2016 1 次提交
-
-
由 Cédric Bosdonnat 提交于
There is no need to deny writes on a readonly mount: write still won't be accepted, even if the user remounts the folder as RW in the guest as qemu sets the 9p mount as ro. This deny rule was leading to problems for example with readonly /: The qemu process had to write to a bunch of files in / like logs, sockets, etc. This deny rule was also preventing auditing of these denials, making it harder to debug.
-
- 15 12月, 2015 3 次提交
-
-
由 Ján Tomko 提交于
Many of the functions follow the pattern: virSecurity.*Security.*Label Remove the second 'Security' from the names, it should be obvious that the virSecurity* functions deal with security labels even without it.
-
由 Ján Tomko 提交于
Many of the functions follow the pattern: virSecurity.*Security.*Label Remove the second 'Security' from the names, it should be obvious that the virSecurity* functions deal with security labels even without it.
-
由 Ján Tomko 提交于
Many of the functions follow the pattern: virSecurity.*Security.*Label Remove the second 'Security' from the names, it should be obvious that the virSecurity* functions deal with security labels even without it.
-