- 06 9月, 2019 1 次提交
-
-
由 Marc-André Lureau 提交于
Add a generic way to run a command through the security management. Signed-off-by: NMarc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 27 7月, 2019 1 次提交
-
-
由 Stefan Berger 提交于
Set the transactionStarted to false if the commit failed. If this is not done, then the failure path will report 'no transaction is set' and hide more useful error reports. Signed-off-by: NStefan Berger <stefanb@linux.ibm.com> Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com> Message-Id: <20190726210706.24440-2-stefanb@linux.ibm.com>
-
- 03 7月, 2019 1 次提交
-
-
由 Michal Privoznik 提交于
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NCole Robinson <crobinso@redhat.com> Reviewed-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 31 1月, 2019 3 次提交
-
-
由 Peter Krempa 提交于
The same can be achieved by using qemuSecurity[Set|Restore]ImageLabel. Signed-off-by: NPeter Krempa <pkrempa@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Peter Krempa 提交于
The flag will control the VIR_SECURITY_DOMAIN_IMAGE_LABEL_BACKING_CHAIN flag of the security driver image labeling APIs. Signed-off-by: NPeter Krempa <pkrempa@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Peter Krempa 提交于
Security labeling of disks consists of labeling of the disk image itself and it's backing chain. Modify virSecurityManager[Set|Restore]ImageLabel to take a boolean flag that will label the full chain rather than the top image itself. This allows to delete/unify some parts of the code and will also simplify callers in some cases. Signed-off-by: NPeter Krempa <pkrempa@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
- 14 12月, 2018 1 次提交
-
-
由 Daniel P. Berrangé 提交于
In many files there are header comments that contain an Author: statement, supposedly reflecting who originally wrote the code. In a large collaborative project like libvirt, any non-trivial file will have been modified by a large number of different contributors. IOW, the Author: comments are quickly out of date, omitting people who have made significant contribitions. In some places Author: lines have been added despite the person merely being responsible for creating the file by moving existing code out of another file. IOW, the Author: lines give an incorrect record of authorship. With this all in mind, the comments are useless as a means to identify who to talk to about code in a particular file. Contributors will always be better off using 'git log' and 'git blame' if they need to find the author of a particular bit of code. This commit thus deletes all Author: comments from the source and adds a rule to prevent them reappearing. The Copyright headers are similarly misleading and inaccurate, however, we cannot delete these as they have legal meaning, despite being largely inaccurate. In addition only the copyright holder is permitted to change their respective copyright statement. Reviewed-by: NErik Skultety <eskultet@redhat.com> Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>
-
- 05 12月, 2018 1 次提交
-
-
由 Yuri Chornoivan 提交于
Signed-off-by: NYuri Chornoivan <yurchor@ukr.net> Reviewed-by: NJán Tomko <jtomko@redhat.com> Signed-off-by: NJán Tomko <jtomko@redhat.com>
-
- 16 11月, 2018 2 次提交
-
-
由 Michal Privoznik 提交于
When metadata locking is enabled that means the security commit processing will be run in a fork similar to how namespaces use fork()'s for processing. This is done to ensure libvirt can properly and synchronously modify the metadata to store the original owner data. Since fork()'s (e.g. virFork) have been seen as a performance bottleneck being able to disable them allows the admin to choose whether the performance 'hit' is worth the extra 'security' of being able to remember the original owner of a lock. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Michal Privoznik 提交于
The TPM code currently accepts pointer to a domain definition. This is okay for now, but in near future the security driver APIs it calls will require domain object. Therefore, change the TPM code to accept the domain object pointer. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
- 17 9月, 2018 3 次提交
-
-
由 Michal Privoznik 提交于
Now that committing transactions using pid == -1 means that we're not fork()-ing to run the transaction in a specific namespace, we can utilize the transaction processing semantics in order to start, run a or multiple commands, and then commit the transaction without being concerned with other interactions or transactions interrupting the processing. This will eventually allow us to have a single place where all the paths can be locked, followed by relabeling and unlocking again. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Michal Privoznik 提交于
Even though the current use of the functions does not require full implementation with transactions (none of the callers passes a path somewhere under /dev), it doesn't hurt either. Moreover, in future patches the paradigm is going to shift so that any API that touches a file is required to use transactions. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
由 Michal Privoznik 提交于
Even though the current use of the function does not require full implementation with transactions (none of the callers pass a path somewhere under /dev), it doesn't hurt either. Moreover, in future patches the paradigm is going to shift so that any API that touches a file is required to use transactions. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
-
- 06 6月, 2018 1 次提交
-
-
由 Stefan Berger 提交于
In this patch we label the swtpm process with SELinux labels. We give it the same label as the QEMU process has. We label its state directory and files as well. We restore the old security labels once the swtpm has terminated. The file and process labels now look as follows: Directory: /var/lib/libvirt/swtpm [root@localhost swtpm]# ls -lZ total 4 rwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm [root@localhost testvm]# ls -lZ total 8 -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall The log in /var/log/swtpm/libvirt/qemu is labeled as follows: -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 [..] Signed-off-by: NStefan Berger <stefanb@linux.vnet.ibm.com> Reviewed-by: NJohn Ferlan <jferlan@redhat.com> Reviewed-by: NJán Tomko <jtomko@redhat.com>
-
- 05 12月, 2017 1 次提交
-
-
由 Pavel Hrdina 提交于
Commit e93d844b was not enough to fix the permission denied issue. We need to apply security labels as well. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1465833Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
-
- 25 11月, 2017 1 次提交
-
-
由 Ján Tomko 提交于
Introudce functions that will let us create the evdevs in namespaces and label the devices on input device hotplug/hotunplug.
-
- 16 6月, 2017 1 次提交
-
-
由 Pavel Hrdina 提交于
In the case that virtlogd is used as stdio handler we pass to QEMU only FD to a PIPE connected to virtlogd instead of the file itself. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1430988Signed-off-by: NPavel Hrdina <phrdina@redhat.com> Reviewed-by: NMartin Kletzander <mkletzan@redhat.com>
-
- 15 3月, 2017 1 次提交
-
-
由 Michal Privoznik 提交于
Now that we have APIs for relabel memdevs on hotplug, fill in the missing implementation in qemu hotplug code. The qemuSecurity wrappers might look like overkill for now, because qemu namespace code does not deal with the nvdimms yet. Nor does our cgroup code. But hey, there's cgroup_device_acl variable in qemu.conf. If users add their /dev/pmem* device in there, the device is allowed in cgroups and created in the namespace so they can successfully passthrough it to the domain. It doesn't look like overkill after all, does it? Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 09 2月, 2017 1 次提交
-
-
由 Michal Privoznik 提交于
Just like we need wrappers over other virSecurityManager APIs, we need one for virSecurityManagerSetImageLabel and virSecurityManagerRestoreImageLabel. Otherwise we might end up relabelling device in wrong namespace. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 08 2月, 2017 1 次提交
-
-
由 Michal Privoznik 提交于
This struct is unused after 095f042e. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 07 2月, 2017 2 次提交
-
-
由 Michal Privoznik 提交于
The idea is to move all the seclabel setting to security driver. Having the relabel code spread all over the place looks very messy. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
Because of the nature of security driver transactions, it is impossible to use them properly. The thing is, transactions enter the domain namespace and commit all the seclabel changes. However, in RestoreAllLabel() this is impossible - the qemu process, the only process running in the namespace, is gone. And thus is the namespace. Therefore we shouldn't use the transactions as there is no namespace to enter. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 10 1月, 2017 1 次提交
-
-
由 Michal Privoznik 提交于
So far if qemu is spawned under separate mount namespace in order to relabel everything it needs an access to the security driver to run in that namespace too. This has a very nasty down side - it is being run in a separate process, so any internal state transition is NOT reflected in the daemon. This can lead to many sleepless nights. Therefore, use the transaction APIs so that libvirt developers can sleep tight again. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
- 15 12月, 2016 3 次提交
-
-
由 Michal Privoznik 提交于
When attaching a device to a domain that's using separate mount namespace we must maintain /dev entries in order for qemu process to see them. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
When attaching a device to a domain that's using separate mount namespace we must maintain /dev entries in order for qemu process to see them. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-
由 Michal Privoznik 提交于
Instead of trying to fix our security drivers, we can use a simple trick to relabel paths in both namespace and the host. I mean, if we enter the namespace some paths are still shared with the host so any change done to them is visible from the host too. Therefore, we can just enter the namespace and call SetAllLabel()/RestoreAllLabel() from there. Yes, it has slight overhead because we have to fork in order to enter the namespace. But on the other hand, no complexity is added to our code. Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>
-