libvirt/src/security/virt-aa-helper.c

1583 lines
49 KiB
C
Raw Normal View History

/*
* virt-aa-helper: wrapper program used by AppArmor security driver.
*
* Copyright (C) 2010-2014 Red Hat, Inc.
* Copyright (C) 2009-2011 Canonical Ltd.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include <stdarg.h>
#include <unistd.h>
#include <sys/types.h>
#include <fcntl.h>
#include <getopt.h>
#include <sys/utsname.h>
#include "internal.h"
#include "virbuffer.h"
2012-12-12 18:06:53 +00:00
#include "viralloc.h"
#include "vircommand.h"
#include "virlog.h"
#include "driver.h"
#include "security_driver.h"
#include "security_apparmor.h"
#include "domain_conf.h"
2012-12-13 18:13:21 +00:00
#include "virxml.h"
2012-12-13 18:01:25 +00:00
#include "viruuid.h"
2012-12-12 17:04:51 +00:00
#include "virusb.h"
#include "virutil.h"
2012-12-13 14:52:25 +00:00
#include "virpci.h"
#include "virfile.h"
maint: use gnulib configmake rather than open-coding things * bootstrap.conf (gnulib_modules): Add configmake. * daemon/Makefile.am (libvirtd_CFLAGS): Drop defines provided by gnulib. * src/Makefile.am (INCLUDES): Likewise. * tests/Makefile.am (INCLUDES): Likewise. * tools/Makefile.am (virsh_CFLAGS): Likewise. * daemon/libvirtd.c (qemudInitPaths, usage, main): Update clients. * src/cpu/cpu_map.c (CPUMAPFILE): Likewise. * src/driver.c (DEFAULT_DRIVER_DIR): Likewise. * src/internal.h (_): Likewise. * src/libvirt.c (virInitialize): Likewise. * src/lxc/lxc_conf.h (LXC_CONFIG_DIR, LXC_STATE_DIR, LXC_LOG_DIR): Likewise. * src/lxc/lxc_conf.c (lxcCapsInit, lxcLoadDriverConfig): Likewise. * src/network/bridge_driver.c (NETWORK_PID_DIR) (NETWORK_STATE_DIR, DNSMASQ_STATE_DIR, networkStartup): Likewise. * src/nwfilter/nwfilter_driver.c (nwfilterDriverStartup): Likewise. * src/qemu/qemu_conf.c (qemudLoadDriverConfig): Likewise. * src/qemu/qemu_driver.c (qemudStartup): Likewise. * src/remote/remote_driver.h (LIBVIRTD_PRIV_UNIX_SOCKET) (LIBVIRTD_PRIV_UNIX_SOCKET_RO, LIBVIRTD_CONFIGURATION_FILE) (LIBVIRT_PKI_DIR): Likewise. * src/secret/secret_driver.c (secretDriverStartup): Likewise. * src/security/security_apparmor.c (VIRT_AA_HELPER): Likewise. * src/security/virt-aa-helper.c (main): Likewise. * src/storage/storage_backend_disk.c (PARTHELPER): Likewise. * src/storage/storage_driver.c (storageDriverStartup): Likewise. * src/uml/uml_driver.c (TEMPDIR, umlStartup): Likewise. * src/util/hooks.c (LIBVIRT_HOOK_DIR): Likewise. * tools/virsh.c (main): Likewise. * docs/hooks.html.in: Likewise.
2010-11-16 14:54:17 +00:00
#include "configmake.h"
#include "virrandom.h"
#include "virstring.h"
#include "virgettext.h"
#include "virhostdev.h"
#define VIR_FROM_THIS VIR_FROM_SECURITY
static char *progname;
typedef struct {
char uuid[PROFILE_NAME_SIZE]; /* UUID of vm */
bool dryrun; /* dry run */
char cmd; /* 'c' create
* 'a' add (load)
* 'r' replace
* 'R' remove */
char *files; /* list of files */
virDomainDefPtr def; /* VM definition */
virCapsPtr caps; /* VM capabilities */
virDomainXMLOptionPtr xmlopt; /* XML parser data */
char *virtType; /* type of hypervisor (eg qemu, xen, lxc) */
char *os; /* type of os (eg hvm, xen, exe) */
virArch arch; /* machine architecture */
char *newfile; /* newly added file */
bool append; /* append to .files instead of rewrite */
} vahControl;
static int
vahDeinit(vahControl * ctl)
{
if (ctl == NULL)
return -1;
VIR_FREE(ctl->def);
virObjectUnref(ctl->caps);
virObjectUnref(ctl->xmlopt);
VIR_FREE(ctl->files);
VIR_FREE(ctl->virtType);
VIR_FREE(ctl->os);
VIR_FREE(ctl->newfile);
return 0;
}
/*
* Print usage
*/
static void
vah_usage(void)
{
printf(_("\n%s mode [options] [extra file] [< def.xml]\n\n"
" Modes:\n"
" -a | --add load profile\n"
" -c | --create create profile from template\n"
" -D | --delete unload and delete profile\n"
" -r | --replace reload profile\n"
" -R | --remove unload profile\n"
" Options:\n"
" -d | --dryrun dry run\n"
" -u | --uuid <uuid> uuid (profile name)\n"
" -h | --help this help\n"
" Extra File:\n"
" -f | --add-file <file> add file to a profile generated from XML\n"
" -F | --append-file <file> append file to an existing profile\n"
"\n"), progname);
puts(_("This command is intended to be used by libvirtd "
"and not used directly.\n"));
return;
}
static void
vah_error(vahControl * ctl, int doexit, const char *str)
{
fprintf(stderr, _("%s: error: %s%c"), progname, str, '\n');
if (doexit) {
if (ctl != NULL)
vahDeinit(ctl);
exit(EXIT_FAILURE);
}
}
static void
vah_warning(const char *str)
{
fprintf(stderr, _("%s: warning: %s%c"), progname, str, '\n');
}
static void
vah_info(const char *str)
{
fprintf(stderr, _("%s:\n%s%c"), progname, str, '\n');
}
/*
* run an apparmor_parser command
*/
static int
parserCommand(const char *profile_name, const char cmd)
{
int result = -1;
char flag[3];
char *profile;
int status;
int ret;
if (strchr("arR", cmd) == NULL) {
vah_error(NULL, 0, _("invalid flag"));
return -1;
}
g_snprintf(flag, 3, "-%c", cmd);
profile = g_strdup_printf("%s/%s", APPARMOR_DIR "/libvirt", profile_name);
if (!virFileExists(profile)) {
vah_error(NULL, 0, _("profile does not exist"));
goto cleanup;
} else {
const char * const argv[] = {
"/sbin/apparmor_parser", flag, profile, NULL
};
g_autoptr(virCommand) command = virCommandNewArgs(argv);
virCommandRawStatus(command);
if ((ret = virCommandRun(command, &status)) != 0 ||
(WIFEXITED(status) && WEXITSTATUS(status) != 0)) {
if (ret != 0) {
vah_error(NULL, 0, _("failed to run apparmor_parser"));
goto cleanup;
} else if (cmd == 'R' && WIFEXITED(status) &&
WEXITSTATUS(status) == 234) {
vah_warning(_("unable to unload already unloaded profile"));
} else {
vah_error(NULL, 0, _("apparmor_parser exited with error"));
goto cleanup;
}
}
}
result = 0;
cleanup:
VIR_FREE(profile);
return result;
}
/*
* Update the dynamic files
*/
static int
update_include_file(const char *include_file, const char *included_files,
bool append)
{
int rc = -1;
int plen, flen = 0;
int fd;
char *pcontent = NULL;
char *existing = NULL;
const char *warning =
"# DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.\n";
if (virFileExists(include_file)) {
flen = virFileReadAll(include_file, MAX_FILE_LEN, &existing);
if (flen < 0)
return rc;
}
if (append && virFileExists(include_file))
pcontent = g_strdup_printf("%s%s", existing, included_files);
else
pcontent = g_strdup_printf("%s%s", warning, included_files);
plen = strlen(pcontent);
if (plen > MAX_FILE_LEN) {
vah_error(NULL, 0, _("invalid length for new profile"));
goto cleanup;
}
/* only update the disk profile if it is different */
if (flen > 0 && flen == plen && STREQLEN(existing, pcontent, plen)) {
rc = 0;
goto cleanup;
}
/* write the file */
if ((fd = open(include_file, O_CREAT | O_TRUNC | O_WRONLY, 0644)) == -1) {
vah_error(NULL, 0, _("failed to create include file"));
goto cleanup;
}
if (safewrite(fd, pcontent, plen) < 0) { /* don't write the '\0' */
VIR_FORCE_CLOSE(fd);
vah_error(NULL, 0, _("failed to write to profile"));
goto cleanup;
}
if (VIR_CLOSE(fd) != 0) {
vah_error(NULL, 0, _("failed to close or write to profile"));
goto cleanup;
}
rc = 0;
cleanup:
VIR_FREE(pcontent);
VIR_FREE(existing);
return rc;
}
/*
* Create a profile based on a template
*/
static int
create_profile(const char *profile, const char *profile_name,
const char *profile_files, int virtType)
{
g_autofree char *template = NULL;
g_autofree char *tcontent = NULL;
g_autofree char *pcontent = NULL;
g_autofree char *replace_name = NULL;
g_autofree char *replace_files = NULL;
char *tmp = NULL;
const char *template_name = "\nprofile LIBVIRT_TEMPLATE";
const char *template_end = "\n}";
int tlen, plen;
int fd;
const char *driver_name = NULL;
if (virFileExists(profile)) {
vah_error(NULL, 0, _("profile exists"));
return -1;
}
switch (virtType) {
case VIR_DOMAIN_VIRT_QEMU:
case VIR_DOMAIN_VIRT_KQEMU:
case VIR_DOMAIN_VIRT_KVM:
driver_name = "qemu";
break;
default:
driver_name = virDomainVirtTypeToString(virtType);
}
template = g_strdup_printf("%s/TEMPLATE.%s", APPARMOR_DIR "/libvirt", driver_name);
if (!virFileExists(template)) {
vah_error(NULL, 0, _("template does not exist"));
return -1;
}
if ((tlen = virFileReadAll(template, MAX_FILE_LEN, &tcontent)) < 0) {
vah_error(NULL, 0, _("failed to read AppArmor template"));
return -1;
}
if (strstr(tcontent, template_name) == NULL) {
vah_error(NULL, 0, _("no replacement string in template"));
return -1;
}
if (strstr(tcontent, template_end) == NULL) {
vah_error(NULL, 0, _("no replacement string in template"));
return -1;
}
/* '\nprofile <profile_name>\0' */
replace_name = g_strdup_printf("\nprofile %s", profile_name);
/* '\n<profile_files>\n}\0' */
if (virtType != VIR_DOMAIN_VIRT_LXC)
replace_files = g_strdup_printf("\n%s\n}", profile_files);
plen = tlen + strlen(replace_name) - strlen(template_name) + 1;
if (virtType != VIR_DOMAIN_VIRT_LXC)
plen += strlen(replace_files) - strlen(template_end);
if (plen > MAX_FILE_LEN || plen < tlen) {
vah_error(NULL, 0, _("invalid length for new profile"));
return -1;
}
if (!(pcontent = virStringReplace(tcontent, template_name, replace_name)))
return -1;
if (virtType != VIR_DOMAIN_VIRT_LXC) {
if (!(tmp = virStringReplace(pcontent, template_end, replace_files)))
return -1;
VIR_FREE(pcontent);
pcontent = g_steal_pointer(&tmp);
}
/* write the file */
if ((fd = open(profile, O_CREAT | O_EXCL | O_WRONLY, 0644)) == -1) {
vah_error(NULL, 0, _("failed to create profile"));
return -1;
}
if (safewrite(fd, pcontent, plen - 1) < 0) { /* don't write the '\0' */
VIR_FORCE_CLOSE(fd);
vah_error(NULL, 0, _("failed to write to profile"));
return -1;
}
if (VIR_CLOSE(fd) != 0) {
vah_error(NULL, 0, _("failed to close or write to profile"));
return -1;
}
return 0;
}
/*
* Load an existing profile
*/
static int
parserLoad(const char *profile_name)
{
return parserCommand(profile_name, 'a');
}
/*
* Remove an existing profile
*/
static int
parserRemove(const char *profile_name)
{
return parserCommand(profile_name, 'R');
}
/*
* Replace an existing profile
*/
static int
parserReplace(const char *profile_name)
{
return parserCommand(profile_name, 'r');
}
static int
valid_uuid(const char *uuid)
{
unsigned char rawuuid[VIR_UUID_BUFLEN];
if (strlen(uuid) != PROFILE_NAME_SIZE - 1)
return -1;
if (!STRPREFIX(uuid, AA_PREFIX))
return -1;
if (virUUIDParse(uuid + strlen(AA_PREFIX), rawuuid) < 0)
return -1;
return 0;
}
static int
valid_name(const char *name)
{
/* just try to filter out any dangerous characters in the name that can be
* used to subvert the profile */
const char *bad = "/[]{}?^,\"*";
if (strlen(name) == 0)
return -1;
if (strcspn(name, bad) != strlen(name))
return -1;
return 0;
}
/* see if one of the strings in arr starts with str */
static int
array_starts_with(const char *str, const char * const *arr, const long size)
{
size_t i;
for (i = 0; i < size; i++) {
if (strlen(str) < strlen(arr[i]))
continue;
if (STRPREFIX(str, arr[i]))
return 0;
}
return 1;
}
/*
* Don't allow access to special files or restricted paths such as /bin, /sbin,
* /usr/bin, /usr/sbin and /etc. This is in an effort to prevent read/write
* access to system files which could be used to elevate privileges. This is a
* safety measure in case libvirtd is under a restrictive profile and is
* subverted and trying to escape confinement.
*
* Note that we cannot exclude block devices because they are valid devices.
* The TEMPLATE file can be adjusted to explicitly disallow these if needed.
*
* RETURN: -1 on error, 0 if ok, 1 if blocked
*/
static int
valid_path(const char *path, const bool readonly)
{
const char * const restricted[] = {
"/bin/",
"/etc/",
"/lib",
"/lost+found/",
"/proc/",
"/sbin/",
"/selinux/",
"/sys/",
"/usr/bin/",
"/usr/lib",
"/usr/sbin/",
"/usr/share/",
"/usr/local/bin/",
"/usr/local/etc/",
"/usr/local/lib",
"/usr/local/sbin/"
};
/* these paths are ok for readonly, but not read/write */
const char * const restricted_rw[] = {
"/boot/",
"/vmlinuz",
"/initrd",
"/initrd.img",
"/usr/share/edk2/",
"/usr/share/OVMF/", /* for OVMF images */
"/usr/share/ovmf/", /* for OVMF images */
"/usr/share/AAVMF/", /* for AAVMF images */
"/usr/share/qemu-efi/", /* for AAVMF images */
"/usr/share/qemu-efi-aarch64/" /* for AAVMF images */
};
/* override the above with these */
const char * const override[] = {
"/sys/devices/pci", /* for hostdev pci devices */
"/sys/kernel/config/target/vhost", /* for hostdev vhost_scsi devices */
"/etc/libvirt-sandbox/services/" /* for virt-sandbox service config */
};
const int nropaths = G_N_ELEMENTS(restricted);
const int nrwpaths = G_N_ELEMENTS(restricted_rw);
const int nopaths = G_N_ELEMENTS(override);
virt-aa-helper: Improve valid_path So, after some movement in virt-aa-helper, I've noticed the virt-aa-helper-test failing. I've ran gdb (it took me a while to realize how to do that) and this showed up immediately: Program received signal SIGSEGV, Segmentation fault. strlen () at ../sysdeps/x86_64/strlen.S:106 106 ../sysdeps/x86_64/strlen.S: No such file or directory. (gdb) bt #0 strlen () at ../sysdeps/x86_64/strlen.S:106 #1 0x0000555555561a13 in array_starts_with (str=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", arr=0x7fffffffd160, size=-1540438016) at security/virt-aa-helper.c:525 #2 0x0000555555561d49 in valid_path (path=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", readonly=false) at security/virt-aa-helper.c:617 #3 0x0000555555562506 in vah_add_path (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw", recursive=false) at security/virt-aa-helper.c:823 #4 0x0000555555562693 in vah_add_file (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw") at security/virt-aa-helper.c:854 #5 0x0000555555562918 in add_file_path (disk=0x5555557d4440, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", depth=0, opaque=0x7fffffffd3e0) at security/virt-aa-helper.c:931 #6 0x00007ffff78f18b1 in virDomainDiskDefForeachPath (disk=0x5555557d4440, ignoreOpenFailure=true, iter=0x5555555628a6 <add_file_path>, opaque=0x7fffffffd3e0) at conf/domain_conf.c:23286 #7 0x0000555555562b5f in get_files (ctl=0x7fffffffd670) at security/virt-aa-helper.c:982 #8 0x0000555555564100 in vahParseArgv (ctl=0x7fffffffd670, argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1277 #9 0x00005555555643d6 in main (argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1332 So I've taken look at valid_path() because it is obviously calling array_starts_with() with malformed @size. And here's the result: there are two variables to hold the size of three arrays and their value is recalculated before each call of array_starts_with(). What if we just use three variables, initialize them and do not touch them afterwards? Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-08-27 00:50:21 +00:00
if (path == NULL) {
vah_error(NULL, 0, _("bad pathname"));
return -1;
}
/* Don't allow double quotes, since we use them to quote the filename
* and this will confuse the apparmor parser.
*/
if (strchr(path, '"') != NULL)
return 1;
/* Require an absolute path */
if (STRNEQLEN(path, "/", 1))
return 1;
if (!virFileExists(path))
vah_warning(_("path does not exist, skipping file type checks"));
/* overrides are always allowed */
virt-aa-helper: Improve valid_path So, after some movement in virt-aa-helper, I've noticed the virt-aa-helper-test failing. I've ran gdb (it took me a while to realize how to do that) and this showed up immediately: Program received signal SIGSEGV, Segmentation fault. strlen () at ../sysdeps/x86_64/strlen.S:106 106 ../sysdeps/x86_64/strlen.S: No such file or directory. (gdb) bt #0 strlen () at ../sysdeps/x86_64/strlen.S:106 #1 0x0000555555561a13 in array_starts_with (str=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", arr=0x7fffffffd160, size=-1540438016) at security/virt-aa-helper.c:525 #2 0x0000555555561d49 in valid_path (path=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", readonly=false) at security/virt-aa-helper.c:617 #3 0x0000555555562506 in vah_add_path (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw", recursive=false) at security/virt-aa-helper.c:823 #4 0x0000555555562693 in vah_add_file (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw") at security/virt-aa-helper.c:854 #5 0x0000555555562918 in add_file_path (disk=0x5555557d4440, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", depth=0, opaque=0x7fffffffd3e0) at security/virt-aa-helper.c:931 #6 0x00007ffff78f18b1 in virDomainDiskDefForeachPath (disk=0x5555557d4440, ignoreOpenFailure=true, iter=0x5555555628a6 <add_file_path>, opaque=0x7fffffffd3e0) at conf/domain_conf.c:23286 #7 0x0000555555562b5f in get_files (ctl=0x7fffffffd670) at security/virt-aa-helper.c:982 #8 0x0000555555564100 in vahParseArgv (ctl=0x7fffffffd670, argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1277 #9 0x00005555555643d6 in main (argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1332 So I've taken look at valid_path() because it is obviously calling array_starts_with() with malformed @size. And here's the result: there are two variables to hold the size of three arrays and their value is recalculated before each call of array_starts_with(). What if we just use three variables, initialize them and do not touch them afterwards? Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-08-27 00:50:21 +00:00
if (array_starts_with(path, override, nopaths) == 0)
return 0;
/* allow read only paths upfront */
if (readonly) {
virt-aa-helper: Improve valid_path So, after some movement in virt-aa-helper, I've noticed the virt-aa-helper-test failing. I've ran gdb (it took me a while to realize how to do that) and this showed up immediately: Program received signal SIGSEGV, Segmentation fault. strlen () at ../sysdeps/x86_64/strlen.S:106 106 ../sysdeps/x86_64/strlen.S: No such file or directory. (gdb) bt #0 strlen () at ../sysdeps/x86_64/strlen.S:106 #1 0x0000555555561a13 in array_starts_with (str=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", arr=0x7fffffffd160, size=-1540438016) at security/virt-aa-helper.c:525 #2 0x0000555555561d49 in valid_path (path=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", readonly=false) at security/virt-aa-helper.c:617 #3 0x0000555555562506 in vah_add_path (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw", recursive=false) at security/virt-aa-helper.c:823 #4 0x0000555555562693 in vah_add_file (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw") at security/virt-aa-helper.c:854 #5 0x0000555555562918 in add_file_path (disk=0x5555557d4440, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", depth=0, opaque=0x7fffffffd3e0) at security/virt-aa-helper.c:931 #6 0x00007ffff78f18b1 in virDomainDiskDefForeachPath (disk=0x5555557d4440, ignoreOpenFailure=true, iter=0x5555555628a6 <add_file_path>, opaque=0x7fffffffd3e0) at conf/domain_conf.c:23286 #7 0x0000555555562b5f in get_files (ctl=0x7fffffffd670) at security/virt-aa-helper.c:982 #8 0x0000555555564100 in vahParseArgv (ctl=0x7fffffffd670, argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1277 #9 0x00005555555643d6 in main (argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1332 So I've taken look at valid_path() because it is obviously calling array_starts_with() with malformed @size. And here's the result: there are two variables to hold the size of three arrays and their value is recalculated before each call of array_starts_with(). What if we just use three variables, initialize them and do not touch them afterwards? Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-08-27 00:50:21 +00:00
if (array_starts_with(path, restricted_rw, nrwpaths) == 0)
return 0;
}
/* disallow RW access to all paths in restricted and restriced_rw */
virt-aa-helper: Improve valid_path So, after some movement in virt-aa-helper, I've noticed the virt-aa-helper-test failing. I've ran gdb (it took me a while to realize how to do that) and this showed up immediately: Program received signal SIGSEGV, Segmentation fault. strlen () at ../sysdeps/x86_64/strlen.S:106 106 ../sysdeps/x86_64/strlen.S: No such file or directory. (gdb) bt #0 strlen () at ../sysdeps/x86_64/strlen.S:106 #1 0x0000555555561a13 in array_starts_with (str=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", arr=0x7fffffffd160, size=-1540438016) at security/virt-aa-helper.c:525 #2 0x0000555555561d49 in valid_path (path=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", readonly=false) at security/virt-aa-helper.c:617 #3 0x0000555555562506 in vah_add_path (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw", recursive=false) at security/virt-aa-helper.c:823 #4 0x0000555555562693 in vah_add_file (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw") at security/virt-aa-helper.c:854 #5 0x0000555555562918 in add_file_path (disk=0x5555557d4440, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", depth=0, opaque=0x7fffffffd3e0) at security/virt-aa-helper.c:931 #6 0x00007ffff78f18b1 in virDomainDiskDefForeachPath (disk=0x5555557d4440, ignoreOpenFailure=true, iter=0x5555555628a6 <add_file_path>, opaque=0x7fffffffd3e0) at conf/domain_conf.c:23286 #7 0x0000555555562b5f in get_files (ctl=0x7fffffffd670) at security/virt-aa-helper.c:982 #8 0x0000555555564100 in vahParseArgv (ctl=0x7fffffffd670, argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1277 #9 0x00005555555643d6 in main (argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1332 So I've taken look at valid_path() because it is obviously calling array_starts_with() with malformed @size. And here's the result: there are two variables to hold the size of three arrays and their value is recalculated before each call of array_starts_with(). What if we just use three variables, initialize them and do not touch them afterwards? Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-08-27 00:50:21 +00:00
if ((array_starts_with(path, restricted, nropaths) == 0 ||
array_starts_with(path, restricted_rw, nrwpaths) == 0))
return 1;
return 0;
}
static int
verify_xpath_context(xmlXPathContextPtr ctxt)
{
char *tmp = NULL;
if (!ctxt) {
vah_warning(_("Invalid context"));
return -1;
}
/* check if have <name> */
if (!(tmp = virXPathString("string(./name[1])", ctxt))) {
vah_warning(_("Could not find <name>"));
return -1;
}
VIR_FREE(tmp);
/* check if have <uuid> */
if (!(tmp = virXPathString("string(./uuid[1])", ctxt))) {
vah_warning(_("Could not find <uuid>"));
return -1;
}
VIR_FREE(tmp);
return 0;
}
/*
* Parse the xml we received to fill in the following:
* ctl->virtType
* ctl->os
* ctl->arch
*
* These are suitable for setting up a virCapsPtr
*/
static int
caps_mockup(vahControl * ctl, const char *xmlStr)
{
int rc = -1;
xmlDocPtr xml = NULL;
xmlXPathContextPtr ctxt = NULL;
char *arch;
if (!(xml = virXMLParseStringCtxt(xmlStr, _("(domain_definition)"),
&ctxt))) {
goto cleanup;
}
if (!virXMLNodeNameEqual(ctxt->node, "domain")) {
vah_error(NULL, 0, _("unexpected root element, expecting <domain>"));
goto cleanup;
}
/* Quick sanity check for some required elements */
if (verify_xpath_context(ctxt) != 0)
goto cleanup;
ctl->virtType = virXPathString("string(./@type)", ctxt);
if (!ctl->virtType) {
vah_error(ctl, 0, _("domain type is not defined"));
goto cleanup;
}
ctl->os = virXPathString("string(./os/type[1])", ctxt);
if (!ctl->os) {
vah_error(ctl, 0, _("os.type is not defined"));
goto cleanup;
}
arch = virXPathString("string(./os/type[1]/@arch)", ctxt);
if (!arch) {
ctl->arch = virArchFromHost();
} else {
ctl->arch = virArchFromString(arch);
VIR_FREE(arch);
}
rc = 0;
cleanup:
xmlFreeDoc(xml);
xmlXPathFreeContext(ctxt);
return rc;
}
virDomainDefParserConfig virAAHelperDomainDefParserConfig = {
.features = VIR_DOMAIN_DEF_FEATURE_MEMORY_HOTPLUG |
VIR_DOMAIN_DEF_FEATURE_OFFLINE_VCPUPIN |
VIR_DOMAIN_DEF_FEATURE_INDIVIDUAL_VCPUS |
VIR_DOMAIN_DEF_FEATURE_NET_MODEL_STRING,
};
static int
get_definition(vahControl * ctl, const char *xmlStr)
{
int ostype, virtType;
virCapsGuestPtr guest; /* this is freed when caps is freed */
/*
* mock up some capabilities. We don't currently use these explicitly,
* but need them for virDomainDefParseString().
*/
if (caps_mockup(ctl, xmlStr) != 0)
return -1;
capabilities: use bool instead of int While preparing to add a capability for active commit, I noticed that the existing code was abusing int for boolean values. * src/conf/capabilities.h (_virCapsGuestFeature, _virCapsHost) (virCapabilitiesNew, virCapabilitiesAddGuestFeature): Improve types. * src/conf/capabilities.c (virCapabilitiesNew) (virCapabilitiesAddGuestFeature): Adjust signature. * src/bhyve/bhyve_capabilities.c (virBhyveCapsBuild): Update clients. * src/esx/esx_driver.c (esxCapsInit): Likewise. * src/libxl/libxl_conf.c (libxlMakeCapabilities): Likewise. * src/lxc/lxc_conf.c (virLXCDriverCapsInit): Likewise. * src/openvz/openvz_conf.c (openvzCapsInit): Likewise. * src/parallels/parallels_driver.c (parallelsBuildCapabilities): Likewise. * src/phyp/phyp_driver.c (phypCapsInit): Likewise. * src/qemu/qemu_capabilities.c (virQEMUCapsInit) (virQEMUCapsInitGuestFromBinary): Likewise. * src/security/virt-aa-helper.c (get_definition): Likewise. * src/test/test_driver.c (testBuildCapabilities): Likewise. * src/uml/uml_conf.c (umlCapsInit): Likewise. * src/vbox/vbox_tmpl.c (vboxCapsInit): Likewise. * src/vmware/vmware_conf.c (vmwareCapsInit): Likewise. * src/xen/xen_hypervisor.c (xenHypervisorBuildCapabilities): Likewise. * src/xenapi/xenapi_driver.c (getCapsObject): Likewise. * tests/qemucaps2xmltest.c (testGetCaps): Likewise. * tests/testutils.c (virTestGenericCapsInit): Likewise. * tests/testutilslxc.c (testLXCCapsInit): Likewise. * tests/testutilsqemu.c (testQemuCapsInit): Likewise. * tests/testutilsxen.c (testXenCapsInit): Likewise. * tests/vircaps2xmltest.c (buildVirCapabilities): Likewise. * tests/vircapstest.c (buildNUMATopology): Likewise. * tests/vmx2xmltest.c (testCapsInit): Likewise. * tests/xml2vmxtest.c (testCapsInit): Likewise. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-07-14 12:56:13 +00:00
if ((ctl->caps = virCapabilitiesNew(ctl->arch, true, true)) == NULL) {
vah_error(ctl, 0, _("could not allocate memory"));
return -1;
}
if (!(ctl->xmlopt = virDomainXMLOptionNew(&virAAHelperDomainDefParserConfig,
NULL, NULL, NULL, NULL))) {
vah_error(ctl, 0, _("Failed to create XML config object"));
return -1;
}
if ((ostype = virDomainOSTypeFromString(ctl->os)) < 0) {
vah_error(ctl, 0, _("unknown OS type"));
return -1;
}
if ((guest = virCapabilitiesAddGuest(ctl->caps,
ostype,
ctl->arch,
NULL,
NULL,
0,
NULL)) == NULL) {
vah_error(ctl, 0, _("could not allocate memory"));
return -1;
}
if ((virtType = virDomainVirtTypeFromString(ctl->virtType)) < 0) {
vah_error(ctl, 0, _("unknown virtualization type"));
return -1;
}
if (virCapabilitiesAddGuestDomain(guest,
virtType,
NULL,
NULL,
0,
NULL) == NULL) {
vah_error(ctl, 0, _("could not allocate memory"));
return -1;
}
ctl->def = virDomainDefParseString(xmlStr,
ctl->xmlopt, NULL,
VIR_DOMAIN_DEF_PARSE_SKIP_SECLABEL |
VIR_DOMAIN_DEF_PARSE_SKIP_VALIDATE);
if (ctl->def == NULL) {
vah_error(ctl, 0, _("could not parse XML"));
return -1;
}
if (!ctl->def->name) {
vah_error(ctl, 0, _("could not find name in XML"));
return -1;
}
if (valid_name(ctl->def->name) != 0) {
vah_error(ctl, 0, _("bad name"));
return -1;
}
return 0;
}
/**
* The permissions allowed are apparmor valid permissions and 'R'. 'R' stands for
* read with no explicit deny rule.
*/
static int
vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursive)
{
char *tmp = NULL;
int rc = -1;
bool readonly = true;
bool explicit_deny_rule = true;
char *sub = NULL;
char *perms_new = NULL;
char *pathdir = NULL;
char *pathtmp = NULL;
char *pathreal = NULL;
if (path == NULL)
return rc;
/* Skip files without an absolute path. Not having one confuses the
* apparmor parser and this also ensures things like tcp consoles don't
* get added to the profile.
*/
if (STRNEQLEN(path, "/", 1)) {
vah_warning(path);
vah_warning(_("skipped non-absolute path"));
return 0;
}
/* files might be created by qemu later on and not exist right now.
* But realpath needs a valid path to work on, therefore:
* 1. walk the path to find longest valid path
* 2. get the realpath of that valid path
* 3. re-combine the realpath with the remaining suffix
* Note: A totally non existent path is used as-is
*/
pathdir = g_strdup(path);
while (!virFileExists(pathdir)) {
pathtmp = g_path_get_dirname(pathdir);
VIR_FREE(pathdir);
pathdir = g_steal_pointer(&pathtmp);
}
if (strlen(pathdir) == 1) {
/* nothing of the path does exist yet */
tmp = g_strdup(path);
} else {
pathtmp = g_strdup(path + strlen(pathdir));
if ((pathreal = realpath(pathdir, NULL)) == NULL) {
vah_error(NULL, 0, pathdir);
vah_error(NULL, 0, _("could not find realpath"));
goto cleanup;
}
tmp = g_strdup_printf("%s%s", pathreal, pathtmp);
maint: use consistent if-else braces in remaining spots I'm about to add a syntax check that enforces our documented HACKING style of always using matching {} on if-else statements. This patch focuses on all remaining problems, where there weren't enough issues to warrant splitting it further. * src/remote/remote_driver.c (doRemoteOpen): Correct use of {}. * src/security/virt-aa-helper.c (vah_add_path, valid_path, main): Likewise. * src/rpc/virnetsocket.c (virNetSocketNewConnectLibSSH2): Likewise. * src/esx/esx_vi_types.c (esxVI_Type_FromString): Likewise. * src/uml/uml_driver.c (umlDomainDetachDevice): Likewise. * src/util/viralloc.c (virShrinkN): Likewise. * src/util/virbuffer.c (virBufferURIEncodeString): Likewise. * src/util/virdbus.c (virDBusCall): Likewise. * src/util/virnetdev.c (virNetDevValidateConfig): Likewise. * src/util/virnetdevvportprofile.c (virNetDevVPortProfileGetNthParent): Likewise. * src/util/virpci.c (virPCIDeviceIterDevices) (virPCIDeviceWaitForCleanup) (virPCIDeviceIsBehindSwitchLackingACS): Likewise. * src/util/virsocketaddr.c (virSocketAddrGetNumNetmaskBits): Likewise. * src/util/viruri.c (virURIParseParams): Likewise. * daemon/stream.c (daemonStreamHandleAbort): Likewise. * tests/testutils.c (virtTestResult): Likewise. * tests/cputest.c (cpuTestBaseline): Likewise. * tools/virsh-domain.c (cmdDomPMSuspend): Likewise. * tools/virsh-host.c (cmdNodeSuspend): Likewise. * src/esx/esx_vi_generator.py (Type.generate_typefromstring): Tweak generated code. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-09-03 19:39:21 +00:00
}
perms_new = g_strdup(perms);
if (strchr(perms_new, 'w') != NULL) {
readonly = false;
explicit_deny_rule = false;
}
if ((sub = strchr(perms_new, 'R')) != NULL) {
/* Don't write the invalid R permission, replace it with 'r' */
sub[0] = 'r';
explicit_deny_rule = false;
}
rc = valid_path(tmp, readonly);
if (rc != 0) {
if (rc > 0) {
vah_error(NULL, 0, path);
vah_error(NULL, 0, _("skipped restricted file"));
}
goto cleanup;
}
if (tmp[strlen(tmp) - 1] == '/')
tmp[strlen(tmp) - 1] = '\0';
virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ? "/**" : "",
perms_new);
if (explicit_deny_rule) {
virBufferAddLit(buf, " # don't audit writes to readonly files\n");
virBufferAsprintf(buf, " deny \"%s%s\" w,\n", tmp, recursive ? "/**" : "");
}
if (recursive) {
/* allow reading (but not creating) the dir */
virBufferAsprintf(buf, " \"%s/\" r,\n", tmp);
}
cleanup:
VIR_FREE(pathdir);
VIR_FREE(pathtmp);
VIR_FREE(pathreal);
VIR_FREE(perms_new);
VIR_FREE(tmp);
return rc;
}
static int
vah_add_file(virBufferPtr buf, const char *path, const char *perms)
{
return vah_add_path(buf, path, perms, false);
}
static int
vah_add_file_chardev(virBufferPtr buf,
const char *path,
const char *perms,
const int type)
{
char *pipe_in;
char *pipe_out;
int rc = -1;
if (type == VIR_DOMAIN_CHR_TYPE_PIPE) {
/* add the pipe input */
pipe_in = g_strdup_printf("%s.in", path);
if (vah_add_file(buf, pipe_in, perms) != 0)
goto clean_pipe_in;
/* add the pipe output */
pipe_out = g_strdup_printf("%s.out", path);
if (vah_add_file(buf, pipe_out, perms) != 0)
goto clean_pipe_out;
rc = 0;
clean_pipe_out:
VIR_FREE(pipe_out);
clean_pipe_in:
VIR_FREE(pipe_in);
} else {
/* add the file */
if (vah_add_file(buf, path, perms) != 0)
return -1;
rc = 0;
}
return rc;
}
static int
file_iterate_hostdev_cb(virUSBDevicePtr dev G_GNUC_UNUSED,
const char *file, void *opaque)
{
virBufferPtr buf = opaque;
return vah_add_file(buf, file, "rw");
}
static int
file_iterate_pci_cb(virPCIDevicePtr dev G_GNUC_UNUSED,
const char *file, void *opaque)
{
virBufferPtr buf = opaque;
return vah_add_file(buf, file, "rw");
}
static int
add_file_path(virStorageSourcePtr src,
size_t depth,
virBufferPtr buf)
{
int ret;
/* execute the callback only for local storage */
if (!src->path || !virStorageSourceIsLocalStorage(src))
return 0;
if (depth == 0) {
if (src->readonly)
ret = vah_add_file(buf, src->path, "rk");
else
ret = vah_add_file(buf, src->path, "rwk");
} else {
ret = vah_add_file(buf, src->path, "rk");
}
if (ret != 0)
ret = -1;
return ret;
}
static int
storage_source_add_files(virStorageSourcePtr src,
virBufferPtr buf,
size_t depth)
{
virStorageSourcePtr tmp;
for (tmp = src; virStorageSourceIsBacking(tmp); tmp = tmp->backingStore) {
if (add_file_path(tmp, depth, buf) < 0)
return -1;
depth++;
}
return 0;
}
static int
get_files(vahControl * ctl)
{
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
int rc = -1;
size_t i;
char *uuid;
char *mem_path = NULL;
char uuidstr[VIR_UUID_STRING_BUFLEN];
bool needsVfio = false, needsvhost = false, needsgl = false;
/* verify uuid is same as what we were given on the command line */
virUUIDFormat(ctl->def->uuid, uuidstr);
uuid = g_strdup_printf("%s%s", AA_PREFIX, uuidstr);
if (STRNEQ(uuid, ctl->uuid)) {
vah_error(ctl, 0, _("given uuid does not match XML uuid"));
goto cleanup;
}
/* load the storage driver so that backing store can be accessed */
#ifdef WITH_STORAGE
virDriverLoadModule("storage", "storageRegister", false);
#endif
for (i = 0; i < ctl->def->ndisks; i++) {
virDomainDiskDefPtr disk = ctl->def->disks[i];
if (!virDomainDiskGetSource(disk))
continue;
/* XXX - if we knew the qemu user:group here we could send it in
* so that the open could be re-tried as that user:group.
*/
if (!virStorageSourceHasBacking(disk->src))
virStorageFileGetMetadata(disk->src, -1, -1, false);
/* XXX should handle open errors more careful than just ignoring them.
*/
if (storage_source_add_files(disk->src, &buf, 0) < 0)
goto cleanup;
}
for (i = 0; i < ctl->def->nserials; i++)
if (ctl->def->serials[i] &&
(ctl->def->serials[i]->source->type == VIR_DOMAIN_CHR_TYPE_PTY ||
ctl->def->serials[i]->source->type == VIR_DOMAIN_CHR_TYPE_DEV ||
ctl->def->serials[i]->source->type == VIR_DOMAIN_CHR_TYPE_FILE ||
ctl->def->serials[i]->source->type == VIR_DOMAIN_CHR_TYPE_UNIX ||
ctl->def->serials[i]->source->type == VIR_DOMAIN_CHR_TYPE_PIPE) &&
ctl->def->serials[i]->source->data.file.path &&
ctl->def->serials[i]->source->data.file.path[0] != '\0')
if (vah_add_file_chardev(&buf,
ctl->def->serials[i]->source->data.file.path,
"rw",
ctl->def->serials[i]->source->type) != 0)
goto cleanup;
for (i = 0; i < ctl->def->nconsoles; i++)
if (ctl->def->consoles[i] &&
(ctl->def->consoles[i]->source->type == VIR_DOMAIN_CHR_TYPE_PTY ||
ctl->def->consoles[i]->source->type == VIR_DOMAIN_CHR_TYPE_DEV ||
ctl->def->consoles[i]->source->type == VIR_DOMAIN_CHR_TYPE_FILE ||
ctl->def->consoles[i]->source->type == VIR_DOMAIN_CHR_TYPE_UNIX ||
ctl->def->consoles[i]->source->type == VIR_DOMAIN_CHR_TYPE_PIPE) &&
ctl->def->consoles[i]->source->data.file.path &&
ctl->def->consoles[i]->source->data.file.path[0] != '\0')
if (vah_add_file(&buf,
ctl->def->consoles[i]->source->data.file.path, "rw") != 0)
goto cleanup;
for (i = 0; i < ctl->def->nparallels; i++)
if (ctl->def->parallels[i] &&
(ctl->def->parallels[i]->source->type == VIR_DOMAIN_CHR_TYPE_PTY ||
ctl->def->parallels[i]->source->type == VIR_DOMAIN_CHR_TYPE_DEV ||
ctl->def->parallels[i]->source->type == VIR_DOMAIN_CHR_TYPE_FILE ||
ctl->def->parallels[i]->source->type == VIR_DOMAIN_CHR_TYPE_UNIX ||
ctl->def->parallels[i]->source->type == VIR_DOMAIN_CHR_TYPE_PIPE) &&
ctl->def->parallels[i]->source->data.file.path &&
ctl->def->parallels[i]->source->data.file.path[0] != '\0')
if (vah_add_file_chardev(&buf,
ctl->def->parallels[i]->source->data.file.path,
"rw",
ctl->def->parallels[i]->source->type) != 0)
goto cleanup;
for (i = 0; i < ctl->def->nchannels; i++)
if (ctl->def->channels[i] &&
(ctl->def->channels[i]->source->type == VIR_DOMAIN_CHR_TYPE_PTY ||
ctl->def->channels[i]->source->type == VIR_DOMAIN_CHR_TYPE_DEV ||
ctl->def->channels[i]->source->type == VIR_DOMAIN_CHR_TYPE_FILE ||
ctl->def->channels[i]->source->type == VIR_DOMAIN_CHR_TYPE_UNIX ||
ctl->def->channels[i]->source->type == VIR_DOMAIN_CHR_TYPE_PIPE) &&
ctl->def->channels[i]->source->data.file.path &&
ctl->def->channels[i]->source->data.file.path[0] != '\0')
if (vah_add_file_chardev(&buf,
ctl->def->channels[i]->source->data.file.path,
"rw",
ctl->def->channels[i]->source->type) != 0)
goto cleanup;
if (ctl->def->os.kernel)
if (vah_add_file(&buf, ctl->def->os.kernel, "r") != 0)
goto cleanup;
if (ctl->def->os.initrd)
if (vah_add_file(&buf, ctl->def->os.initrd, "r") != 0)
goto cleanup;
2013-03-14 04:49:44 +00:00
if (ctl->def->os.dtb)
if (vah_add_file(&buf, ctl->def->os.dtb, "r") != 0)
goto cleanup;
if (ctl->def->os.slic_table)
if (vah_add_file(&buf, ctl->def->os.slic_table, "r") != 0)
goto cleanup;
if (ctl->def->os.loader && ctl->def->os.loader->path)
if (vah_add_file(&buf, ctl->def->os.loader->path, "rk") != 0)
goto cleanup;
if (ctl->def->os.loader && ctl->def->os.loader->nvram)
if (vah_add_file(&buf, ctl->def->os.loader->nvram, "rwk") != 0)
goto cleanup;
for (i = 0; i < ctl->def->ngraphics; i++) {
virDomainGraphicsDefPtr graphics = ctl->def->graphics[i];
size_t n;
const char *rendernode = virDomainGraphicsGetRenderNode(graphics);
if (rendernode) {
vah_add_file(&buf, rendernode, "rw");
needsgl = true;
} else {
if (virDomainGraphicsNeedsAutoRenderNode(graphics)) {
char *defaultRenderNode = virHostGetDRMRenderNode();
needsgl = true;
if (defaultRenderNode) {
vah_add_file(&buf, defaultRenderNode, "rw");
VIR_FREE(defaultRenderNode);
}
}
}
for (n = 0; n < graphics->nListens; n++) {
virDomainGraphicsListenDef listenObj = graphics->listens[n];
if (listenObj.type == VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_SOCKET &&
listenObj.socket &&
vah_add_file(&buf, listenObj.socket, "rw"))
goto cleanup;
}
}
if (ctl->def->ngraphics == 1 &&
ctl->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_SDL)
if (vah_add_file(&buf, ctl->def->graphics[0]->data.sdl.xauth,
"r") != 0)
goto cleanup;
for (i = 0; i < ctl->def->nhostdevs; i++)
if (ctl->def->hostdevs[i]) {
virDomainHostdevDefPtr dev = ctl->def->hostdevs[i];
virDomainHostdevSubsysUSBPtr usbsrc = &dev->source.subsys.u.usb;
switch (dev->source.subsys.type) {
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
virUSBDevicePtr usb =
virUSBDeviceNew(usbsrc->bus, usbsrc->device, NULL);
if (usb == NULL)
continue;
if (virHostdevFindUSBDevice(dev, true, &usb) < 0)
continue;
rc = virUSBDeviceFileIterate(usb, file_iterate_hostdev_cb, &buf);
virUSBDeviceFree(usb);
if (rc != 0)
goto cleanup;
break;
}
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV: {
virDomainHostdevSubsysMediatedDevPtr mdevsrc = &dev->source.subsys.u.mdev;
switch ((virMediatedDeviceModelType) mdevsrc->model) {
case VIR_MDEV_MODEL_TYPE_VFIO_PCI:
case VIR_MDEV_MODEL_TYPE_VFIO_AP:
case VIR_MDEV_MODEL_TYPE_VFIO_CCW:
needsVfio = true;
break;
case VIR_MDEV_MODEL_TYPE_LAST:
default:
virReportEnumRangeError(virMediatedDeviceModelType,
mdevsrc->model);
break;
}
break;
}
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
virPCIDevicePtr pci = virPCIDeviceNew(
dev->source.subsys.u.pci.addr.domain,
dev->source.subsys.u.pci.addr.bus,
dev->source.subsys.u.pci.addr.slot,
dev->source.subsys.u.pci.addr.function);
virDomainHostdevSubsysPCIBackendType backend = dev->source.subsys.u.pci.backend;
if (backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO ||
backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) {
needsVfio = true;
}
if (pci == NULL)
continue;
rc = virPCIDeviceFileIterate(pci, file_iterate_pci_cb, &buf);
virPCIDeviceFree(pci);
break;
}
default:
rc = 0;
break;
} /* switch */
}
for (i = 0; i < ctl->def->nfss; i++) {
if (ctl->def->fss[i] &&
ctl->def->fss[i]->type == VIR_DOMAIN_FS_TYPE_MOUNT &&
(ctl->def->fss[i]->fsdriver == VIR_DOMAIN_FS_DRIVER_TYPE_PATH ||
ctl->def->fss[i]->fsdriver == VIR_DOMAIN_FS_DRIVER_TYPE_DEFAULT) &&
ctl->def->fss[i]->src) {
virDomainFSDefPtr fs = ctl->def->fss[i];
/* We don't need to add deny rw rules for readonly mounts,
* this can only lead to troubles when mounting / readonly.
*/
if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0)
goto cleanup;
}
}
for (i = 0; i < ctl->def->ninputs; i++) {
if (ctl->def->inputs[i] &&
ctl->def->inputs[i]->type == VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH) {
if (vah_add_file(&buf, ctl->def->inputs[i]->source.evdev, "rw") != 0)
goto cleanup;
}
}
for (i = 0; i < ctl->def->nnets; i++) {
if (ctl->def->nets[i] &&
ctl->def->nets[i]->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER &&
ctl->def->nets[i]->data.vhostuser) {
virDomainChrSourceDefPtr vhu = ctl->def->nets[i]->data.vhostuser;
if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw",
vhu->type) != 0)
goto cleanup;
}
}
for (i = 0; i < ctl->def->nmems; i++) {
if (ctl->def->mems[i] &&
ctl->def->mems[i]->model == VIR_DOMAIN_MEMORY_MODEL_NVDIMM) {
if (vah_add_file(&buf, ctl->def->mems[i]->nvdimmPath, "rw") != 0)
goto cleanup;
}
}
for (i = 0; i < ctl->def->nsysinfo; i++) {
size_t j;
for (j = 0; j < ctl->def->sysinfo[i]->nfw_cfgs; j++) {
virSysinfoFWCfgDefPtr f = &ctl->def->sysinfo[i]->fw_cfgs[j];
if (f->file &&
vah_add_file(&buf, f->file, "r") != 0)
goto cleanup;
}
}
for (i = 0; i < ctl->def->nshmems; i++) {
virDomainShmemDef *shmem = ctl->def->shmems[i];
/* explicit server paths can be on any model to overwrites defaults.
* When the server path is enabled, use it - otherwise fallback to
* model dependent defaults. */
if (shmem->server.enabled &&
shmem->server.chr.data.nix.path) {
if (vah_add_file(&buf, shmem->server.chr.data.nix.path,
"rw") != 0)
goto cleanup;
} else {
switch (shmem->model) {
case VIR_DOMAIN_SHMEM_MODEL_IVSHMEM_PLAIN:
/* until exposed, recreate qemuBuildShmemBackendMemProps */
mem_path = g_strdup_printf("/dev/shm/%s", shmem->name);
break;
case VIR_DOMAIN_SHMEM_MODEL_IVSHMEM_DOORBELL:
case VIR_DOMAIN_SHMEM_MODEL_IVSHMEM:
/* until exposed, recreate qemuDomainPrepareShmemChardev */
mem_path = g_strdup_printf("/var/lib/libvirt/shmem-%s-sock",
shmem->name);
break;
}
if (mem_path != NULL) {
if (vah_add_file(&buf, mem_path, "rw") != 0)
goto cleanup;
}
}
}
if (ctl->def->ntpms > 0) {
char *shortName = NULL;
const char *tpmpath = NULL;
for (i = 0; i < ctl->def->ntpms; i++) {
if (ctl->def->tpms[i]->type != VIR_DOMAIN_TPM_TYPE_EMULATOR)
continue;
shortName = virDomainDefGetShortName(ctl->def);
switch (ctl->def->tpms[i]->version) {
case VIR_DOMAIN_TPM_VERSION_1_2:
tpmpath = "tpm1.2";
break;
case VIR_DOMAIN_TPM_VERSION_2_0:
tpmpath = "tpm2";
break;
case VIR_DOMAIN_TPM_VERSION_DEFAULT:
case VIR_DOMAIN_TPM_VERSION_LAST:
break;
}
/* Unix socket for QEMU and swtpm to use */
virBufferAsprintf(&buf,
" \"%s/libvirt/qemu/swtpm/%s-swtpm.sock\" rw,\n",
RUNSTATEDIR, shortName);
/* Paths for swtpm to use: give it access to its state
* directory, log, and PID files.
*/
virBufferAsprintf(&buf,
" \"%s/lib/libvirt/swtpm/%s/%s/**\" rwk,\n",
LOCALSTATEDIR, uuidstr, tpmpath);
virBufferAsprintf(&buf,
" \"%s/log/swtpm/libvirt/qemu/%s-swtpm.log\" w,\n",
LOCALSTATEDIR, ctl->def->name);
virBufferAsprintf(&buf,
" \"%s/libvirt/qemu/swtpm/%s-swtpm.pid\" rw,\n",
RUNSTATEDIR, shortName);
VIR_FREE(shortName);
}
}
for (i = 0; i < ctl->def->nsmartcards; i++) {
virDomainSmartcardDefPtr sc = ctl->def->smartcards[i];
virDomainSmartcardType sc_type = sc->type;
char *sc_db = (char *)VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
if (sc->data.cert.database)
sc_db = sc->data.cert.database;
switch (sc_type) {
/*
* Note: At time of writing, to get this working, qemu seccomp sandbox has
* to be disabled or the host must be running QEMU with commit
* 9a1565a03b79d80b236bc7cc2dbce52a2ef3a1b8.
* It's possibly due to libcacard:vcard_emul_new_event_thread(), which calls
* PR_CreateThread(), which calls {g,s}etpriority(). And resourcecontrol seccomp
* filter forbids it (cf src/qemu/qemu_command.c which seems to always use
* resourcecontrol=deny).
*/
case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
virBufferAddLit(&buf, " \"/etc/pki/nssdb/{,*}\" rk,\n");
break;
case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
virBufferAsprintf(&buf, " \"%s/{,*}\" rk,\n", sc_db);
break;
/*
* Nothing to do for passthrough, as the smartcard
* access is done through TCP or Spice
*/
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
break;
case VIR_DOMAIN_SMARTCARD_TYPE_LAST:
break;
}
}
if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
for (i = 0; i < ctl->def->nnets; i++) {
virDomainNetDefPtr net = ctl->def->nets[i];
if (net && virDomainNetGetModelString(net)) {
if (net->driver.virtio.name == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU)
continue;
if (!virDomainNetIsVirtioModel(net))
continue;
}
needsvhost = true;
}
}
if (needsvhost)
virBufferAddLit(&buf, " \"/dev/vhost-net\" rw,\n");
if (needsVfio) {
virBufferAddLit(&buf, " \"/dev/vfio/vfio\" rw,\n");
virBufferAddLit(&buf, " \"/dev/vfio/[0-9]*\" rw,\n");
}
if (needsgl) {
/* if using gl all sorts of further dri related paths will be needed */
virBufferAddLit(&buf, " # DRI/Mesa/(e)GL config and driver paths\n");
virBufferAddLit(&buf, " \"/usr/lib{,32,64}/dri/*.so*\" mr,\n");
virBufferAddLit(&buf, " \"/usr/lib/@{multiarch}/dri/*.so*\" mr,\n");
virBufferAddLit(&buf, " \"/usr/lib/fglrx/dri/*.so*\" mr,\n");
virBufferAddLit(&buf, " \"/etc/drirc\" r,\n");
virBufferAddLit(&buf, " \"/usr/share/drirc.d/{,*.conf}\" r,\n");
virBufferAddLit(&buf, " \"/etc/glvnd/egl_vendor.d/{,*}\" r,\n");
virBufferAddLit(&buf, " \"/usr/share/glvnd/egl_vendor.d/{,*}\" r,\n");
virBufferAddLit(&buf, " \"/usr/share/egl/egl_external_platform.d/\" r,\n");
virBufferAddLit(&buf, " \"/usr/share/egl/egl_external_platform.d/*\" r,\n");
virBufferAddLit(&buf, " \"/proc/modules\" r,\n");
virBufferAddLit(&buf, " \"/proc/driver/nvidia/params\" r,\n");
virBufferAddLit(&buf, " \"/dev/nvidiactl\" rw,\n");
virBufferAddLit(&buf, " # Probe DRI device attributes\n");
virBufferAddLit(&buf, " \"/dev/dri/\" r,\n");
virBufferAddLit(&buf, " \"/sys/devices/**/{uevent,vendor,device,subsystem_vendor,subsystem_device}\" r,\n");
virBufferAddLit(&buf, " # dri libs will trigger that, but t is not requited and DAC would deny it anyway\n");
virBufferAddLit(&buf, " deny \"/var/lib/libvirt/.cache/\" w,\n");
}
if (ctl->newfile)
if (vah_add_file(&buf, ctl->newfile, "rwk") != 0)
goto cleanup;
rc = 0;
ctl->files = virBufferContentAndReset(&buf);
cleanup:
VIR_FREE(mem_path);
VIR_FREE(uuid);
return rc;
}
static int
vahParseArgv(vahControl * ctl, int argc, char **argv)
{
int arg, idx = 0;
struct option opt[] = {
{"add", 0, 0, 'a'},
{"create", 0, 0, 'c'},
{"dryrun", 0, 0, 'd'},
{"delete", 0, 0, 'D'},
{"add-file", 0, 0, 'f'},
{"append-file", 0, 0, 'F'},
{"help", 0, 0, 'h'},
{"replace", 0, 0, 'r'},
{"remove", 0, 0, 'R'},
{"uuid", 1, 0, 'u'},
{0, 0, 0, 0}
};
while ((arg = getopt_long(argc, argv, "acdDhrRH:b:u:p:f:F:", opt,
&idx)) != -1) {
switch (arg) {
case 'a':
ctl->cmd = 'a';
break;
case 'c':
ctl->cmd = 'c';
break;
case 'd':
ctl->dryrun = true;
break;
case 'D':
ctl->cmd = 'D';
break;
case 'f':
case 'F':
ctl->newfile = g_strdup(optarg);
ctl->append = arg == 'F';
break;
case 'h':
vah_usage();
exit(EXIT_SUCCESS);
break;
case 'r':
ctl->cmd = 'r';
break;
case 'R':
ctl->cmd = 'R';
break;
case 'u':
if (strlen(optarg) > PROFILE_NAME_SIZE - 1)
vah_error(ctl, 1, _("invalid UUID"));
if (virStrcpy((char *)ctl->uuid, optarg,
PROFILE_NAME_SIZE) < 0)
vah_error(ctl, 1, _("error copying UUID"));
break;
default:
vah_error(ctl, 1, _("unsupported option"));
break;
}
}
if (strchr("acDrR", ctl->cmd) == NULL)
vah_error(ctl, 1, _("bad command"));
if (valid_uuid(ctl->uuid) != 0)
vah_error(ctl, 1, _("invalid UUID"));
if (!ctl->cmd) {
vah_usage();
exit(EXIT_FAILURE);
}
if (ctl->cmd == 'c' || ctl->cmd == 'r') {
char *xmlStr = NULL;
if (virFileReadLimFD(STDIN_FILENO, MAX_FILE_LEN, &xmlStr) < 0)
vah_error(ctl, 1, _("could not read xml file"));
if (get_definition(ctl, xmlStr) != 0 || ctl->def == NULL) {
VIR_FREE(xmlStr);
vah_error(ctl, 1, _("could not get VM definition"));
}
VIR_FREE(xmlStr);
if (get_files(ctl) != 0)
vah_error(ctl, 1, _("invalid VM definition"));
}
return 0;
}
/*
* virt-aa-helper -c -u UUID < file.xml
* virt-aa-helper -r -u UUID [-f <file>] < file.xml
* virt-aa-helper -a -u UUID
* virt-aa-helper -R -u UUID
* virt-aa-helper -D -u UUID
*/
int
main(int argc, char **argv)
{
vahControl _ctl, *ctl = &_ctl;
int rc = -1;
char *profile = NULL;
char *include_file = NULL;
if (virGettextInitialize() < 0 ||
virErrorInitialize() < 0) {
fprintf(stderr, _("%s: initialization failed\n"), argv[0]);
exit(EXIT_FAILURE);
}
virFileActivateDirOverrideForProg(argv[0]);
/* Initialize the log system */
virLogSetFromEnv();
/* clear the environment */
environ = NULL;
if (g_setenv("PATH", "/sbin:/usr/sbin", TRUE) == FALSE)
vah_error(ctl, 1, _("could not set PATH"));
/* ensure the traditional IFS setting */
if (g_setenv("IFS", " \t\n", TRUE) == FALSE)
vah_error(ctl, 1, _("could not set IFS"));
if (!(progname = strrchr(argv[0], '/')))
progname = argv[0];
else
progname++;
memset(ctl, 0, sizeof(vahControl));
if (vahParseArgv(ctl, argc, argv) != 0)
vah_error(ctl, 1, _("could not parse arguments"));
profile = g_strdup_printf("%s/%s", APPARMOR_DIR "/libvirt", ctl->uuid);
include_file = g_strdup_printf("%s/%s.files", APPARMOR_DIR "/libvirt", ctl->uuid);
maint: use consistent if-else braces in remaining spots I'm about to add a syntax check that enforces our documented HACKING style of always using matching {} on if-else statements. This patch focuses on all remaining problems, where there weren't enough issues to warrant splitting it further. * src/remote/remote_driver.c (doRemoteOpen): Correct use of {}. * src/security/virt-aa-helper.c (vah_add_path, valid_path, main): Likewise. * src/rpc/virnetsocket.c (virNetSocketNewConnectLibSSH2): Likewise. * src/esx/esx_vi_types.c (esxVI_Type_FromString): Likewise. * src/uml/uml_driver.c (umlDomainDetachDevice): Likewise. * src/util/viralloc.c (virShrinkN): Likewise. * src/util/virbuffer.c (virBufferURIEncodeString): Likewise. * src/util/virdbus.c (virDBusCall): Likewise. * src/util/virnetdev.c (virNetDevValidateConfig): Likewise. * src/util/virnetdevvportprofile.c (virNetDevVPortProfileGetNthParent): Likewise. * src/util/virpci.c (virPCIDeviceIterDevices) (virPCIDeviceWaitForCleanup) (virPCIDeviceIsBehindSwitchLackingACS): Likewise. * src/util/virsocketaddr.c (virSocketAddrGetNumNetmaskBits): Likewise. * src/util/viruri.c (virURIParseParams): Likewise. * daemon/stream.c (daemonStreamHandleAbort): Likewise. * tests/testutils.c (virtTestResult): Likewise. * tests/cputest.c (cpuTestBaseline): Likewise. * tools/virsh-domain.c (cmdDomPMSuspend): Likewise. * tools/virsh-host.c (cmdNodeSuspend): Likewise. * src/esx/esx_vi_generator.py (Type.generate_typefromstring): Tweak generated code. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-09-03 19:39:21 +00:00
if (ctl->cmd == 'a') {
rc = parserLoad(ctl->uuid);
maint: use consistent if-else braces in remaining spots I'm about to add a syntax check that enforces our documented HACKING style of always using matching {} on if-else statements. This patch focuses on all remaining problems, where there weren't enough issues to warrant splitting it further. * src/remote/remote_driver.c (doRemoteOpen): Correct use of {}. * src/security/virt-aa-helper.c (vah_add_path, valid_path, main): Likewise. * src/rpc/virnetsocket.c (virNetSocketNewConnectLibSSH2): Likewise. * src/esx/esx_vi_types.c (esxVI_Type_FromString): Likewise. * src/uml/uml_driver.c (umlDomainDetachDevice): Likewise. * src/util/viralloc.c (virShrinkN): Likewise. * src/util/virbuffer.c (virBufferURIEncodeString): Likewise. * src/util/virdbus.c (virDBusCall): Likewise. * src/util/virnetdev.c (virNetDevValidateConfig): Likewise. * src/util/virnetdevvportprofile.c (virNetDevVPortProfileGetNthParent): Likewise. * src/util/virpci.c (virPCIDeviceIterDevices) (virPCIDeviceWaitForCleanup) (virPCIDeviceIsBehindSwitchLackingACS): Likewise. * src/util/virsocketaddr.c (virSocketAddrGetNumNetmaskBits): Likewise. * src/util/viruri.c (virURIParseParams): Likewise. * daemon/stream.c (daemonStreamHandleAbort): Likewise. * tests/testutils.c (virtTestResult): Likewise. * tests/cputest.c (cpuTestBaseline): Likewise. * tools/virsh-domain.c (cmdDomPMSuspend): Likewise. * tools/virsh-host.c (cmdNodeSuspend): Likewise. * src/esx/esx_vi_generator.py (Type.generate_typefromstring): Tweak generated code. Signed-off-by: Eric Blake <eblake@redhat.com>
2014-09-03 19:39:21 +00:00
} else if (ctl->cmd == 'R' || ctl->cmd == 'D') {
rc = parserRemove(ctl->uuid);
if (ctl->cmd == 'D') {
unlink(include_file);
unlink(profile);
}
} else if (ctl->cmd == 'c' || ctl->cmd == 'r') {
char *included_files = NULL;
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
if (ctl->cmd == 'c' && virFileExists(profile))
vah_error(ctl, 1, _("profile exists"));
if (ctl->append && ctl->newfile) {
if (vah_add_file(&buf, ctl->newfile, "rwk") != 0)
goto cleanup;
} else {
if (ctl->def->virtType == VIR_DOMAIN_VIRT_QEMU ||
ctl->def->virtType == VIR_DOMAIN_VIRT_KQEMU ||
ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
virBufferAsprintf(&buf, " \"%s/log/libvirt/**/%s.log\" w,\n",
LOCALSTATEDIR, ctl->def->name);
virBufferAsprintf(&buf, " \"%s/lib/libvirt/qemu/domain-%s/monitor.sock\" rw,\n",
LOCALSTATEDIR, ctl->def->name);
virBufferAsprintf(&buf, " \"%s/lib/libvirt/qemu/domain-%d-%.*s/*\" rw,\n",
LOCALSTATEDIR, ctl->def->id, 20, ctl->def->name);
virBufferAsprintf(&buf, " \"%s/libvirt/**/%s.pid\" rwk,\n",
RUNSTATEDIR, ctl->def->name);
virBufferAsprintf(&buf, " \"%s/libvirt/**/*.tunnelmigrate.dest.%s\" rw,\n",
RUNSTATEDIR, ctl->def->name);
}
if (ctl->files)
virBufferAdd(&buf, ctl->files, -1);
}
included_files = virBufferContentAndReset(&buf);
/* (re)create the include file using included_files */
if (ctl->dryrun) {
vah_info(include_file);
vah_info(included_files);
rc = 0;
} else if (ctl->def->virtType == VIR_DOMAIN_VIRT_LXC) {
rc = 0;
} else if ((rc = update_include_file(include_file,
included_files,
ctl->append)) != 0) {
goto cleanup;
}
/* create the profile from TEMPLATE */
if (ctl->cmd == 'c') {
char *tmp = NULL;
tmp = g_strdup_printf(" #include <libvirt/%s.files>\n", ctl->uuid);
if (ctl->dryrun) {
vah_info(profile);
vah_info(ctl->uuid);
vah_info(tmp);
rc = 0;
} else if ((rc = create_profile(profile, ctl->uuid, tmp,
ctl->def->virtType)) != 0) {
vah_error(ctl, 0, _("could not create profile"));
unlink(include_file);
}
VIR_FREE(tmp);
}
if (rc == 0 && !ctl->dryrun) {
if (ctl->cmd == 'c')
rc = parserLoad(ctl->uuid);
else
rc = parserReplace(ctl->uuid);
/* cleanup */
if (rc != 0) {
unlink(include_file);
if (ctl->cmd == 'c')
unlink(profile);
}
}
cleanup:
VIR_FREE(included_files);
}
vahDeinit(ctl);
VIR_FREE(profile);
VIR_FREE(include_file);
exit(rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE);
}