External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-10 21:51:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
libvirt/src/security/security_selinux.c

1054 lines
30 KiB
C
Raw Normal View History

SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
/*
virFileResolveLink: fix return value virFileResolveLink was returning a positive value on error, thus confusing callers that assumed failure was < 0. The confusion is further evidenced by callers that would have ended up calling virReportSystemError with a negative value instead of a valid errno. Fixes Red Hat BZ #591363. * src/util/util.c (virFileResolveLink): Live up to documentation. * src/qemu/qemu_security_dac.c (qemuSecurityDACRestoreSecurityFileLabel): Adjust callers. * src/security/security_selinux.c (SELinuxRestoreSecurityFileLabel): Likewise. * src/storage/storage_backend_disk.c (virStorageBackendDiskDeleteVol): Likewise.
2010-05-14 14:50:27 -06:00
* Copyright (C) 2008-2010 Red Hat, Inc.
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* Authors:
* James Morris <jmorris@namei.org>
Improve security label error reporting & verification (Dan Walsh)
2009-04-03 10:55:51 +00:00
* Dan Walsh <dwalsh@redhat.com>
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
*
* SELinux security driver.
*/
#include <config.h>
#include <selinux/selinux.h>
#include <selinux/context.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
Move security drivers to src/security/ * src/Makefile.am, src/qemu/qemu_conf.h, src/qemu/qemu_driver.c, tests/seclabeltest.c: Adapt for changed paths * src/security.c: Rename to src/security/security_driver.c * src/security.h: Rename to src/security/security_driver.h * src/security_selinux.c, src/security_selinux.h: Move to src/security/
2009-09-15 19:06:37 +01:00
#include "security_driver.h"
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
#include "security_selinux.h"
#include "virterror_internal.h"
#include "util.h"
#include "memory.h"
Re-label shared and readonly images This patch was posted ages ago here: https://bugzilla.redhat.com/493692 But was never posted upstream AFAICT. Patch from Dan Berrange Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2009-07-03 10:26:37 +00:00
#include "logging.h"
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
#include "pci.h"
#include "hostusb.h"
Re-label image file backing stores Use virStorageFileGetMetadata() to find any backing stores for images and re-label them Without this, qemu cannot access qcow2 backing files, see: https://bugzilla.redhat.com/497131 * src/security/security_selinux.c: re-label backing store files in SELinuxSetSecurityImageLabel()
2009-09-25 14:20:13 +01:00
#include "storage_file.h"
Misc sVirt bug fixes
2009-03-03 15:18:24 +00:00
#define VIR_FROM_THIS VIR_FROM_SECURITY
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
static char default_domain_context[1024];
Re-label shared and readonly images This patch was posted ages ago here: https://bugzilla.redhat.com/493692 But was never posted upstream AFAICT. Patch from Dan Berrange Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2009-07-03 10:26:37 +00:00
static char default_content_context[1024];
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
static char default_image_context[1024];
#define SECURITY_SELINUX_VOID_DOI "0"
#define SECURITY_SELINUX_NAME "selinux"
/* TODO
The data struct of used mcs should be replaced with a better data structure in the future
*/
struct MCS {
char *mcs;
struct MCS *next;
};
static struct MCS *mcsList = NULL;
static int
mcsAdd(const char *mcs)
{
struct MCS *ptr;
for (ptr = mcsList; ptr; ptr = ptr->next) {
Misc sVirt bug fixes
2009-03-03 15:18:24 +00:00
if (STREQ(ptr->mcs, mcs))
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
return -1;
}
Misc sVirt bug fixes
2009-03-03 15:18:24 +00:00
if (VIR_ALLOC(ptr) < 0)
return -1;
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
ptr->mcs = strdup(mcs);
ptr->next = mcsList;
mcsList = ptr;
return 0;
}
static int
mcsRemove(const char *mcs)
{
struct MCS *prevptr = NULL;
struct MCS *ptr = NULL;
for (ptr = mcsList; ptr; ptr = ptr->next) {
Misc sVirt bug fixes
2009-03-03 15:18:24 +00:00
if (STREQ(ptr->mcs, mcs)) {
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
if (prevptr)
prevptr->next = ptr->next;
else {
mcsList = ptr->next;
}
Add virBufferFreeAndReset() and replace free() Replace free(virBufferContentAndReset()) with virBufferFreeAndReset(). Update documentation and replace all remaining calls to free() with calls to VIR_FREE(). Also add missing calls to virBufferFreeAndReset() and virReportOOMError() in OOM error cases.
2009-12-10 00:00:50 +01:00
VIR_FREE(ptr->mcs);
VIR_FREE(ptr);
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
return 0;
}
prevptr = ptr;
}
return -1;
}
static char *
SELinuxGenNewContext(const char *oldcontext, const char *mcs)
{
char *newcontext = NULL;
char *scontext = strdup(oldcontext);
if (!scontext) goto err;
context_t con = context_new(scontext);
if (!con) goto err;
context_range_set(con, mcs);
newcontext = strdup(context_str(con));
context_free(con);
err:
freecon(scontext);
return (newcontext);
}
static int
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
SELinuxInitialize(void)
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
{
char *ptr = NULL;
int fd = 0;
fd = open(selinux_virtual_domain_context_path(), O_RDONLY);
if (fd < 0) {
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
virReportSystemError(errno,
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
_("cannot open SELinux virtual domain context file '%s'"),
selinux_virtual_domain_context_path());
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
return -1;
}
if (saferead(fd, default_domain_context, sizeof(default_domain_context)) < 0) {
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
virReportSystemError(errno,
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
_("cannot read SELinux virtual domain context file %s"),
selinux_virtual_domain_context_path());
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
close(fd);
return -1;
}
close(fd);
ptr = strchrnul(default_domain_context, '\n');
*ptr = '\0';
if ((fd = open(selinux_virtual_image_context_path(), O_RDONLY)) < 0) {
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
virReportSystemError(errno,
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
_("cannot open SELinux virtual image context file %s"),
selinux_virtual_image_context_path());
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
return -1;
}
if (saferead(fd, default_image_context, sizeof(default_image_context)) < 0) {
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
virReportSystemError(errno,
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
_("cannot read SELinux virtual image context file %s"),
selinux_virtual_image_context_path());
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
close(fd);
return -1;
}
close(fd);
ptr = strchrnul(default_image_context, '\n');
Re-label shared and readonly images This patch was posted ages ago here: https://bugzilla.redhat.com/493692 But was never posted upstream AFAICT. Patch from Dan Berrange Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2009-07-03 10:26:37 +00:00
if (*ptr == '\n') {
*ptr = '\0';
strcpy(default_content_context, ptr+1);
ptr = strchrnul(default_content_context, '\n');
if (*ptr == '\n')
*ptr = '\0';
}
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
return 0;
}
static int
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
SELinuxGenSecurityLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virDomainObjPtr vm)
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
{
int rc = -1;
char mcs[1024];
char *scontext = NULL;
int c1 = 0;
int c2 = 0;
Fix crash in svirt verification, and incorrect cleanup in VM failure paths
2009-04-03 14:10:17 +00:00
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
Fix crash in svirt verification, and incorrect cleanup in VM failure paths
2009-04-03 14:10:17 +00:00
if (vm->def->seclabel.label ||
vm->def->seclabel.model ||
vm->def->seclabel.imagelabel) {
Remove use of virConnectPtr from security driver APIs The virConnectPtr is no longer required for error reporting since that is recorded in a thread local. Remove use of virConnectPtr from all APIs in security_driver.{h,c} and update all callers to match
2010-02-09 19:18:21 +00:00
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
Fix crash in svirt verification, and incorrect cleanup in VM failure paths
2009-04-03 14:10:17 +00:00
"%s", _("security label already defined for VM"));
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
return rc;
Misc sVirt bug fixes
2009-03-03 15:18:24 +00:00
}
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
do {
c1 = virRandom(1024);
c2 = virRandom(1024);
if ( c1 == c2 ) {
sprintf(mcs, "s0:c%d", c1);
} else {
Misc sVirt bug fixes
2009-03-03 15:18:24 +00:00
if ( c1 < c2 )
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
sprintf(mcs, "s0:c%d,c%d", c1, c2);
else
sprintf(mcs, "s0:c%d,c%d", c2, c1);
}
} while(mcsAdd(mcs) == -1);
vm->def->seclabel.label = SELinuxGenNewContext(default_domain_context, mcs);
Misc sVirt bug fixes
2009-03-03 15:18:24 +00:00
if (! vm->def->seclabel.label) {
Remove use of virConnectPtr from security driver APIs The virConnectPtr is no longer required for error reporting since that is recorded in a thread local. Remove use of virConnectPtr from all APIs in security_driver.{h,c} and update all callers to match
2010-02-09 19:18:21 +00:00
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
Misc sVirt bug fixes
2009-03-03 15:18:24 +00:00
_("cannot generate selinux context for %s"), mcs);
goto err;
}
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
Misc sVirt bug fixes
2009-03-03 15:18:24 +00:00
if (! vm->def->seclabel.imagelabel) {
Remove use of virConnectPtr from security driver APIs The virConnectPtr is no longer required for error reporting since that is recorded in a thread local. Remove use of virConnectPtr from all APIs in security_driver.{h,c} and update all callers to match
2010-02-09 19:18:21 +00:00
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
Misc sVirt bug fixes
2009-03-03 15:18:24 +00:00
_("cannot generate selinux context for %s"), mcs);
goto err;
}
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME);
Fix crash in svirt verification, and incorrect cleanup in VM failure paths
2009-04-03 14:10:17 +00:00
if (!vm->def->seclabel.model) {
Remove conn parameter from virReportOOMError
2010-02-04 19:19:08 +01:00
virReportOOMError();
Misc sVirt bug fixes
2009-03-03 15:18:24 +00:00
goto err;
}
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
rc = 0;
goto done;
err:
Misc sVirt bug fixes
2009-03-03 15:18:24 +00:00
VIR_FREE(vm->def->seclabel.label);
VIR_FREE(vm->def->seclabel.imagelabel);
VIR_FREE(vm->def->seclabel.model);
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
done:
Misc sVirt bug fixes
2009-03-03 15:18:24 +00:00
VIR_FREE(scontext);
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
return rc;
}
Fix re-detection of transient VMs after libvirtd restart
2009-06-12 11:38:50 +00:00
static int
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
SELinuxReserveSecurityLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virDomainObjPtr vm)
Fix re-detection of transient VMs after libvirtd restart
2009-06-12 11:38:50 +00:00
{
security_context_t pctx;
context_t ctx = NULL;
const char *mcs;
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
Fix re-detection of transient VMs after libvirtd restart
2009-06-12 11:38:50 +00:00
if (getpidcon(vm->pid, &pctx) == -1) {
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
virReportSystemError(errno,
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
_("unable to get PID %d security context"), vm->pid);
Fix re-detection of transient VMs after libvirtd restart
2009-06-12 11:38:50 +00:00
return -1;
}
ctx = context_new(pctx);
VIR_FREE(pctx);
if (!ctx)
goto err;
mcs = context_range_get(ctx);
if (!mcs)
goto err;
mcsAdd(mcs);
context_free(ctx);
return 0;
err:
context_free(ctx);
return -1;
}
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
static int
SELinuxSecurityDriverProbe(void)
{
return is_selinux_enabled() ? SECURITY_DRIVER_ENABLE : SECURITY_DRIVER_DISABLE;
}
static int
Disable all disk probing in QEMU driver & add config option to re-enable Disk format probing is now disabled by default. A new config option in /etc/qemu/qemu.conf will re-enable it for existing deployments where this causes trouble
2010-06-15 17:58:58 +01:00
SELinuxSecurityDriverOpen(virSecurityDriverPtr drv,
bool allowDiskFormatProbing)
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
{
/*
* Where will the DOI come from? SELinux configuration, or qemu
* configuration? For the moment, we'll just set it to "0".
*/
Remove use of virConnectPtr from security driver APIs The virConnectPtr is no longer required for error reporting since that is recorded in a thread local. Remove use of virConnectPtr from all APIs in security_driver.{h,c} and update all callers to match
2010-02-09 19:18:21 +00:00
virSecurityDriverSetDOI(drv, SECURITY_SELINUX_VOID_DOI);
Disable all disk probing in QEMU driver & add config option to re-enable Disk format probing is now disabled by default. A new config option in /etc/qemu/qemu.conf will re-enable it for existing deployments where this causes trouble
2010-06-15 17:58:58 +01:00
virSecurityDriverSetAllowDiskFormatProbing(drv, allowDiskFormatProbing);
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
return SELinuxInitialize();
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
}
static int
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
SELinuxGetSecurityProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virDomainObjPtr vm,
Refactor setup & cleanup of security labels in security driver The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
2010-01-11 11:04:40 +00:00
virSecurityLabelPtr sec)
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
{
security_context_t ctx;
if (getpidcon(vm->pid, &ctx) == -1) {
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
virReportSystemError(errno,
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
_("unable to get PID %d security context"),
vm->pid);
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
return -1;
}
if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) {
Remove use of virConnectPtr from security driver APIs The virConnectPtr is no longer required for error reporting since that is recorded in a thread local. Remove use of virConnectPtr from all APIs in security_driver.{h,c} and update all callers to match
2010-02-09 19:18:21 +00:00
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
_("security label exceeds "
Various error reporting fixes - Don't duplicate SystemError - Use proper error code in domain_conf - Fix a broken error call in qemu_conf - Don't use VIR_ERR_ERROR in security driver (isn't a valid code in this case)
2009-10-27 12:20:22 -04:00
"maximum length: %d"),
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
VIR_SECURITY_LABEL_BUFLEN - 1);
return -1;
}
strcpy(sec->label, (char *) ctx);
Add virBufferFreeAndReset() and replace free() Replace free(virBufferContentAndReset()) with virBufferFreeAndReset(). Update documentation and replace all remaining calls to free() with calls to VIR_FREE(). Also add missing calls to virBufferFreeAndReset() and virReportOOMError() in OOM error cases.
2009-12-10 00:00:50 +01:00
VIR_FREE(ctx);
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
sec->enforcing = security_getenforce();
if (sec->enforcing == -1) {
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
virReportSystemError(errno, "%s",
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
_("error calling security_getenforce()"));
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
return -1;
}
return 0;
}
static int
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
SELinuxSetFilecon(const char *path, char *tcon)
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
{
Don't unnecessarily try to change a file context As pointed out by Tim Waugh here: https://bugzilla.redhat.com/507555 We shouldn't bother trying to set the context of a file if it already matches what we want. (Fixed to use STREQ() and not use tabs, as pointed out by danpb) Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2009-07-03 10:27:46 +00:00
security_context_t econ;
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
Re-label shared and readonly images This patch was posted ages ago here: https://bugzilla.redhat.com/493692 But was never posted upstream AFAICT. Patch from Dan Berrange Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2009-07-03 10:26:37 +00:00
VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
Don't unnecessarily try to change a file context As pointed out by Tim Waugh here: https://bugzilla.redhat.com/507555 We shouldn't bother trying to set the context of a file if it already matches what we want. (Fixed to use STREQ() and not use tabs, as pointed out by danpb) Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2009-07-03 10:27:46 +00:00
if (setfilecon(path, tcon) < 0) {
517157 fix selinux problem with images on NFS * src/security_selinux.c: ignores EOPNOTSUPP when attempting to access an NFS share
2009-08-21 16:57:29 +02:00
int setfilecon_errno = errno;
Don't unnecessarily try to change a file context As pointed out by Tim Waugh here: https://bugzilla.redhat.com/507555 We shouldn't bother trying to set the context of a file if it already matches what we want. (Fixed to use STREQ() and not use tabs, as pointed out by danpb) Signed-off-by: Mark McLoughlin <markmc@redhat.com>
2009-07-03 10:27:46 +00:00
if (getfilecon(path, &econ) >= 0) {
if (STREQ(tcon, econ)) {
freecon(econ);
/* It's alright, there's nothing to change anyway. */
return 0;
}
freecon(econ);
}
517157 fix selinux problem with images on NFS * src/security_selinux.c: ignores EOPNOTSUPP when attempting to access an NFS share
2009-08-21 16:57:29 +02:00
/* if the error complaint is related to an image hosted on
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
* an nfs mount, or a usbfs/sysfs filesystem not supporting
* labelling, then just ignore it & hope for the best.
Fix up a few typos in the tree. Signed-off-by: Chris Lalancette <clalance@redhat.com>
2009-09-22 11:42:06 +02:00
* The user hopefully set one of the necessary SELinux
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
* virt_use_{nfs,usb,pci} boolean tunables to allow it...
517157 fix selinux problem with images on NFS * src/security_selinux.c: ignores EOPNOTSUPP when attempting to access an NFS share
2009-08-21 16:57:29 +02:00
*/
if (setfilecon_errno != EOPNOTSUPP) {
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
virReportSystemError(setfilecon_errno,
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
_("unable to set security context '%s' on '%s'"),
tcon, path);
517157 fix selinux problem with images on NFS * src/security_selinux.c: ignores EOPNOTSUPP when attempting to access an NFS share
2009-08-21 16:57:29 +02:00
if (security_getenforce() == 1)
return -1;
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
} else {
VIR_INFO("Setting security context '%s' on '%s' not supported",
tcon, path);
517157 fix selinux problem with images on NFS * src/security_selinux.c: ignores EOPNOTSUPP when attempting to access an NFS share
2009-08-21 16:57:29 +02:00
}
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
}
return 0;
}
Don't raise errors in the selinux restore code The restore code is done in places where errors cannot be raised, since they will overwrite over pre-existing errors. * src/security/security_selinux.c: Only warn about failures in label restore, don't report errors
2010-05-28 12:19:13 +01:00
/* This method shouldn't raise errors, since they'll overwrite
* errors that the caller(s) are already dealing with */
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
static int
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
SELinuxRestoreSecurityFileLabel(const char *path)
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
{
Fix labelling of shared/readonly devices (Dan Walsh)
2009-03-17 11:35:40 +00:00
struct stat buf;
security_context_t fcon = NULL;
int rc = -1;
char *newpath = NULL;
Don't raise errors in the selinux restore code The restore code is done in places where errors cannot be raised, since they will overwrite over pre-existing errors. * src/security/security_selinux.c: Only warn about failures in label restore, don't report errors
2010-05-28 12:19:13 +01:00
char ebuf[1024];
Don't restore labels on shared/readonly disks * src/security_selinux.c: Skip relabelling of shared/readonly disks upon shutdown, since this breaks other VMs still active using those disks
2009-07-15 12:45:13 +01:00
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
VIR_INFO("Restoring SELinux context on '%s'", path);
virFileResolveLink: fix return value virFileResolveLink was returning a positive value on error, thus confusing callers that assumed failure was < 0. The confusion is further evidenced by callers that would have ended up calling virReportSystemError with a negative value instead of a valid errno. Fixes Red Hat BZ #591363. * src/util/util.c (virFileResolveLink): Live up to documentation. * src/qemu/qemu_security_dac.c (qemuSecurityDACRestoreSecurityFileLabel): Adjust callers. * src/security/security_selinux.c (SELinuxRestoreSecurityFileLabel): Likewise. * src/storage/storage_backend_disk.c (virStorageBackendDiskDeleteVol): Likewise.
2010-05-14 14:50:27 -06:00
if (virFileResolveLink(path, &newpath) < 0) {
Don't raise errors in the selinux restore code The restore code is done in places where errors cannot be raised, since they will overwrite over pre-existing errors. * src/security/security_selinux.c: Only warn about failures in label restore, don't report errors
2010-05-28 12:19:13 +01:00
VIR_WARN("cannot resolve symlink %s: %s", path,
virStrerror(errno, ebuf, sizeof(ebuf)));
Sanitize symlink resolution
2009-04-01 10:26:22 +00:00
goto err;
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
}
Fix labelling of shared/readonly devices (Dan Walsh)
2009-03-17 11:35:40 +00:00
Report all errors in SELinuxRestoreSecurityFileLabel
2010-04-30 13:35:15 +02:00
if (stat(newpath, &buf) != 0) {
Don't raise errors in the selinux restore code The restore code is done in places where errors cannot be raised, since they will overwrite over pre-existing errors. * src/security/security_selinux.c: Only warn about failures in label restore, don't report errors
2010-05-28 12:19:13 +01:00
VIR_WARN("cannot stat %s: %s", newpath,
virStrerror(errno, ebuf, sizeof(ebuf)));
Sanitize symlink resolution
2009-04-01 10:26:22 +00:00
goto err;
Report all errors in SELinuxRestoreSecurityFileLabel
2010-04-30 13:35:15 +02:00
}
Sanitize symlink resolution
2009-04-01 10:26:22 +00:00
if (matchpathcon(newpath, buf.st_mode, &fcon) == 0) {
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
rc = SELinuxSetFilecon(newpath, fcon);
Report all errors in SELinuxRestoreSecurityFileLabel
2010-04-30 13:35:15 +02:00
} else {
Don't raise errors in the selinux restore code The restore code is done in places where errors cannot be raised, since they will overwrite over pre-existing errors. * src/security/security_selinux.c: Only warn about failures in label restore, don't report errors
2010-05-28 12:19:13 +01:00
VIR_WARN("cannot lookup default selinux label for %s",
newpath);
Fix labelling of shared/readonly devices (Dan Walsh)
2009-03-17 11:35:40 +00:00
}
Report all errors in SELinuxRestoreSecurityFileLabel
2010-04-30 13:35:15 +02:00
Fix labelling of shared/readonly devices (Dan Walsh)
2009-03-17 11:35:40 +00:00
err:
VIR_FREE(fcon);
VIR_FREE(newpath);
return rc;
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
}
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
static int
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
SELinuxRestoreSecurityImageLabelInt(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virDomainObjPtr vm,
Don't reset user/group/security label on shared filesystems during migrate When QEMU runs with its disk on NFS, and as a non-root user, the disk is chownd to that non-root user. When migration completes the last step is shutting down the QEMU on the source host. THis normally resets user/group/security label. This is bad when the VM was just migrated because the file is still in use on the dest host. It is thus neccessary to skip the reset step for any files found to be on a shared filesystem * src/libvirt_private.syms: Export virStorageFileIsSharedFS * src/util/storage_file.c, src/util/storage_file.h: Add a new method virStorageFileIsSharedFS() to determine if a file is on a shared filesystem (NFS, GFS, OCFS2, etc) * src/qemu/qemu_driver.c: Tell security driver not to reset disk labels on migration completion * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_selinux.c, src/security/security_driver.h, src/security/security_apparmor.c: Add ability to skip disk restore step for files on shared filesystems.
2010-05-13 11:49:22 -04:00
virDomainDiskDefPtr disk,
int migrated)
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
{
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
/* Don't restore labels on readoly/shared disks, because
* other VMs may still be accessing these
* Alternatively we could iterate over all running
* domains and try to figure out if it is in use, but
* this would not work for clustered filesystems, since
* we can't see running VMs using the file on other nodes
* Safest bet is thus to skip the restore step.
*/
if (disk->readonly || disk->shared)
return 0;
if (!disk->src)
return 0;
Don't reset user/group/security label on shared filesystems during migrate When QEMU runs with its disk on NFS, and as a non-root user, the disk is chownd to that non-root user. When migration completes the last step is shutting down the QEMU on the source host. THis normally resets user/group/security label. This is bad when the VM was just migrated because the file is still in use on the dest host. It is thus neccessary to skip the reset step for any files found to be on a shared filesystem * src/libvirt_private.syms: Export virStorageFileIsSharedFS * src/util/storage_file.c, src/util/storage_file.h: Add a new method virStorageFileIsSharedFS() to determine if a file is on a shared filesystem (NFS, GFS, OCFS2, etc) * src/qemu/qemu_driver.c: Tell security driver not to reset disk labels on migration completion * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_selinux.c, src/security/security_driver.h, src/security/security_apparmor.c: Add ability to skip disk restore step for files on shared filesystems.
2010-05-13 11:49:22 -04:00
/* If we have a shared FS & doing migrated, we must not
* change ownership, because that kills access on the
* destination host which is sub-optimal for the guest
* VM's I/O attempts :-)
*/
if (migrated) {
int rc = virStorageFileIsSharedFS(disk->src);
if (rc < 0)
return -1;
if (rc == 1) {
VIR_DEBUG("Skipping image label restore on %s because FS is shared",
disk->src);
return 0;
}
}
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
return SELinuxRestoreSecurityFileLabel(disk->src);
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
}
Don't reset user/group/security label on shared filesystems during migrate When QEMU runs with its disk on NFS, and as a non-root user, the disk is chownd to that non-root user. When migration completes the last step is shutting down the QEMU on the source host. THis normally resets user/group/security label. This is bad when the VM was just migrated because the file is still in use on the dest host. It is thus neccessary to skip the reset step for any files found to be on a shared filesystem * src/libvirt_private.syms: Export virStorageFileIsSharedFS * src/util/storage_file.c, src/util/storage_file.h: Add a new method virStorageFileIsSharedFS() to determine if a file is on a shared filesystem (NFS, GFS, OCFS2, etc) * src/qemu/qemu_driver.c: Tell security driver not to reset disk labels on migration completion * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_selinux.c, src/security/security_driver.h, src/security/security_apparmor.c: Add ability to skip disk restore step for files on shared filesystems.
2010-05-13 11:49:22 -04:00
static int
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
SELinuxRestoreSecurityImageLabel(virSecurityDriverPtr drv,
virDomainObjPtr vm,
Don't reset user/group/security label on shared filesystems during migrate When QEMU runs with its disk on NFS, and as a non-root user, the disk is chownd to that non-root user. When migration completes the last step is shutting down the QEMU on the source host. THis normally resets user/group/security label. This is bad when the VM was just migrated because the file is still in use on the dest host. It is thus neccessary to skip the reset step for any files found to be on a shared filesystem * src/libvirt_private.syms: Export virStorageFileIsSharedFS * src/util/storage_file.c, src/util/storage_file.h: Add a new method virStorageFileIsSharedFS() to determine if a file is on a shared filesystem (NFS, GFS, OCFS2, etc) * src/qemu/qemu_driver.c: Tell security driver not to reset disk labels on migration completion * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_selinux.c, src/security/security_driver.h, src/security/security_apparmor.c: Add ability to skip disk restore step for files on shared filesystems.
2010-05-13 11:49:22 -04:00
virDomainDiskDefPtr disk)
{
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
return SELinuxRestoreSecurityImageLabelInt(drv, vm, disk, 0);
Don't reset user/group/security label on shared filesystems during migrate When QEMU runs with its disk on NFS, and as a non-root user, the disk is chownd to that non-root user. When migration completes the last step is shutting down the QEMU on the source host. THis normally resets user/group/security label. This is bad when the VM was just migrated because the file is still in use on the dest host. It is thus neccessary to skip the reset step for any files found to be on a shared filesystem * src/libvirt_private.syms: Export virStorageFileIsSharedFS * src/util/storage_file.c, src/util/storage_file.h: Add a new method virStorageFileIsSharedFS() to determine if a file is on a shared filesystem (NFS, GFS, OCFS2, etc) * src/qemu/qemu_driver.c: Tell security driver not to reset disk labels on migration completion * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_selinux.c, src/security/security_driver.h, src/security/security_apparmor.c: Add ability to skip disk restore step for files on shared filesystems.
2010-05-13 11:49:22 -04:00
}
Convert all disk backing store loops to shared helper API Update the QEMU cgroups code, QEMU DAC security driver, SELinux and AppArmour security drivers over to use the shared helper API virDomainDiskDefForeachPath(). * src/qemu/qemu_driver.c, src/qemu/qemu_security_dac.c, src/security/security_selinux.c, src/security/virt-aa-helper.c: Convert over to use virDomainDiskDefForeachPath()
2010-06-15 16:40:47 +01:00
static int
SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
const char *path,
size_t depth,
void *opaque)
{
const virSecurityLabelDefPtr secdef = opaque;
if (depth == 0) {
if (disk->shared) {
return SELinuxSetFilecon(path, default_image_context);
} else if (disk->readonly) {
return SELinuxSetFilecon(path, default_content_context);
} else if (secdef->imagelabel) {
return SELinuxSetFilecon(path, secdef->imagelabel);
} else {
return 0;
}
} else {
return SELinuxSetFilecon(path, default_content_context);
}
}
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
static int
Disable all disk probing in QEMU driver & add config option to re-enable Disk format probing is now disabled by default. A new config option in /etc/qemu/qemu.conf will re-enable it for existing deployments where this causes trouble
2010-06-15 17:58:58 +01:00
SELinuxSetSecurityImageLabel(virSecurityDriverPtr drv,
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
virDomainObjPtr vm,
Fix labelling of shared/readonly devices (Dan Walsh)
2009-03-17 11:35:40 +00:00
virDomainDiskDefPtr disk)
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
{
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
Disable all disk probing in QEMU driver & add config option to re-enable Disk format probing is now disabled by default. A new config option in /etc/qemu/qemu.conf will re-enable it for existing deployments where this causes trouble
2010-06-15 17:58:58 +01:00
bool allowDiskFormatProbing = virSecurityDriverGetAllowDiskFormatProbing(drv);
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
Convert all disk backing store loops to shared helper API Update the QEMU cgroups code, QEMU DAC security driver, SELinux and AppArmour security drivers over to use the shared helper API virDomainDiskDefForeachPath(). * src/qemu/qemu_driver.c, src/qemu/qemu_security_dac.c, src/security/security_selinux.c, src/security/virt-aa-helper.c: Convert over to use virDomainDiskDefForeachPath()
2010-06-15 16:40:47 +01:00
return virDomainDiskDefForeachPath(disk,
Disable all disk probing in QEMU driver & add config option to re-enable Disk format probing is now disabled by default. A new config option in /etc/qemu/qemu.conf will re-enable it for existing deployments where this causes trouble
2010-06-15 17:58:58 +01:00
allowDiskFormatProbing,
Convert all disk backing store loops to shared helper API Update the QEMU cgroups code, QEMU DAC security driver, SELinux and AppArmour security drivers over to use the shared helper API virDomainDiskDefForeachPath(). * src/qemu/qemu_driver.c, src/qemu/qemu_security_dac.c, src/security/security_selinux.c, src/security/virt-aa-helper.c: Convert over to use virDomainDiskDefForeachPath()
2010-06-15 16:40:47 +01:00
false,
SELinuxSetSecurityFileLabel,
secdef);
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
}
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
static int
Remove virConnectPtr from USB/PCI device iterators All callers now pass a NULL virConnectPtr into the USB/PCi device iterator functions. Therefore the virConnectPtr arg can now be removed from these functions * src/util/hostusb.h, src/util/hostusb.c: Remove virConnectPtr from usbDeviceFileIterate * src/util/pci.c, src/util/pci.h: Remove virConnectPtr arg from pciDeviceFileIterate * src/qemu/qemu_security_dac.c, src/security/security_selinux.c: Update to drop redundant virConnectPtr arg
2010-02-10 09:55:39 +00:00
SELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
const char *file, void *opaque)
{
virDomainObjPtr vm = opaque;
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
return SELinuxSetFilecon(file, secdef->imagelabel);
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
}
static int
Remove virConnectPtr from USB/PCI device iterators All callers now pass a NULL virConnectPtr into the USB/PCi device iterator functions. Therefore the virConnectPtr arg can now be removed from these functions * src/util/hostusb.h, src/util/hostusb.c: Remove virConnectPtr from usbDeviceFileIterate * src/util/pci.c, src/util/pci.h: Remove virConnectPtr arg from pciDeviceFileIterate * src/qemu/qemu_security_dac.c, src/security/security_selinux.c: Update to drop redundant virConnectPtr arg
2010-02-10 09:55:39 +00:00
SELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
const char *file, void *opaque)
{
virDomainObjPtr vm = opaque;
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
return SELinuxSetFilecon(file, secdef->imagelabel);
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
}
static int
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
SELinuxSetSecurityHostdevLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virDomainObjPtr vm,
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
virDomainHostdevDefPtr dev)
{
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
int ret = -1;
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
return 0;
switch (dev->source.subsys.type) {
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
Remove conn parameter from USB functions It was used for error reporting only.
2010-02-05 00:25:16 +01:00
usbDevice *usb = usbGetDevice(dev->source.subsys.u.usb.bus,
Fix USB passthrough based on product/vendor Changeset commit 5073aa994af460e775cb3e548528e28d7660fcc8 Author: Cole Robinson <crobinso@redhat.com> Date: Mon Jan 11 11:40:46 2010 -0500 Added support for product/vendor based passthrough, but it only worked at the security driver layer. The main guest XML config was not updated with the resolved bus/device ID. When the QEMU argv refactoring removed use of product/vendor, this then broke launching guests. THe solution is to move the product/vendor resolution up a layer into the QEMU driver. So the first thing QEMU does is resolve the product/vendor to a bus/device and updates the XML config with this info. The rest of the code, including security drivers and QEMU argv generated can now rely on bus/device always being set. * src/util/hostusb.c, src/util/hostusb.h: Split vendor/product resolution code out of usbGetDevice and into usbFindDevice. Add accessors for bus/device ID * src/security/virt-aa-helper.c, src/security/security_selinux.c, src/qemu/qemu_security_dac.c: Remove vendor/product from the usbGetDevice() calls * src/qemu/qemu_driver.c: Use usbFindDevice to resolve vendor/product into a bus/device ID
2010-03-04 11:48:16 +00:00
dev->source.subsys.u.usb.device);
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
Implement path lookup for USB by vendor:product Based off how QEMU does it, look through /sys/bus/usb/devices/* for matching vendor:product info, and if found, use info from the surrounding files to build the device's /dev/bus/usb path. This fixes USB device assignment by vendor:product when running qemu as non-root (well, it should, but for some reason I couldn't reproduce the failure people are seeing in [1], but it appears to work properly) [1] https://bugzilla.redhat.com/show_bug.cgi?id=542450
2010-01-11 11:40:46 -05:00
if (!usb)
goto done;
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
Remove virConnectPtr from USB/PCI device iterators All callers now pass a NULL virConnectPtr into the USB/PCi device iterator functions. Therefore the virConnectPtr arg can now be removed from these functions * src/util/hostusb.h, src/util/hostusb.c: Remove virConnectPtr from usbDeviceFileIterate * src/util/pci.c, src/util/pci.h: Remove virConnectPtr arg from pciDeviceFileIterate * src/qemu/qemu_security_dac.c, src/security/security_selinux.c: Update to drop redundant virConnectPtr arg
2010-02-10 09:55:39 +00:00
ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, vm);
Remove conn parameter from USB functions It was used for error reporting only.
2010-02-05 00:25:16 +01:00
usbFreeDevice(usb);
Fix USB device re-labelling A simple misplaced break out of a switch results in: libvir: error : Failed to open file '/sys/bus/pci/devices/0000:00:54c./vendor': No such file or directory libvir: error : Failed to open file '/sys/bus/pci/devices/0000:00:54c./device': No such file or directory libvir: error : this function is not supported by the hypervisor: Failed to read product/vendor ID for 0000:00:54c. when trying to passthrough a USB host device to qemu. * src/security_selinux.c: fix a switch/break thinko
2009-09-30 18:37:03 +01:00
break;
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
}
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
Remove conn parameter from PCI functions It was used for error reporting only.
2010-02-05 00:16:34 +01:00
pciDevice *pci = pciGetDevice(dev->source.subsys.u.pci.domain,
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
dev->source.subsys.u.pci.bus,
dev->source.subsys.u.pci.slot,
dev->source.subsys.u.pci.function);
if (!pci)
goto done;
Remove virConnectPtr from USB/PCI device iterators All callers now pass a NULL virConnectPtr into the USB/PCi device iterator functions. Therefore the virConnectPtr arg can now be removed from these functions * src/util/hostusb.h, src/util/hostusb.c: Remove virConnectPtr from usbDeviceFileIterate * src/util/pci.c, src/util/pci.h: Remove virConnectPtr arg from pciDeviceFileIterate * src/qemu/qemu_security_dac.c, src/security/security_selinux.c: Update to drop redundant virConnectPtr arg
2010-02-10 09:55:39 +00:00
ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, vm);
Remove conn parameter from PCI functions It was used for error reporting only.
2010-02-05 00:16:34 +01:00
pciFreeDevice(pci);
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
break;
}
default:
ret = 0;
break;
}
done:
return ret;
}
Fix save and restore with non-privileged guests and SELinux When running qemu:///system instance, libvirtd runs as root, but QEMU may optionally be configured to run non-root. When then saving a guest to a state file, the file is initially created as root, and thus QEMU cannot write to it. It is also missing labelling required to allow access via SELinux. * src/qemu/qemu_driver.c: Set ownership on save image before running migrate command in virDomainSave impl. Call out to security driver to set save image labelling * src/security/security_driver.h: Add driver APIs for setting and restoring saved state file labelling * src/security/security_selinux.c: Implement saved state file labelling for SELinux
2009-11-11 12:07:00 +00:00
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
static int
Remove virConnectPtr from USB/PCI device iterators All callers now pass a NULL virConnectPtr into the USB/PCi device iterator functions. Therefore the virConnectPtr arg can now be removed from these functions * src/util/hostusb.h, src/util/hostusb.c: Remove virConnectPtr from usbDeviceFileIterate * src/util/pci.c, src/util/pci.h: Remove virConnectPtr arg from pciDeviceFileIterate * src/qemu/qemu_security_dac.c, src/security/security_selinux.c: Update to drop redundant virConnectPtr arg
2010-02-10 09:55:39 +00:00
SELinuxRestoreSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
const char *file,
void *opaque ATTRIBUTE_UNUSED)
{
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
return SELinuxRestoreSecurityFileLabel(file);
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
}
static int
Remove virConnectPtr from USB/PCI device iterators All callers now pass a NULL virConnectPtr into the USB/PCi device iterator functions. Therefore the virConnectPtr arg can now be removed from these functions * src/util/hostusb.h, src/util/hostusb.c: Remove virConnectPtr from usbDeviceFileIterate * src/util/pci.c, src/util/pci.h: Remove virConnectPtr arg from pciDeviceFileIterate * src/qemu/qemu_security_dac.c, src/security/security_selinux.c: Update to drop redundant virConnectPtr arg
2010-02-10 09:55:39 +00:00
SELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
const char *file,
void *opaque ATTRIBUTE_UNUSED)
{
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
return SELinuxRestoreSecurityFileLabel(file);
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
}
static int
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
SELinuxRestoreSecurityHostdevLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virDomainObjPtr vm,
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
virDomainHostdevDefPtr dev)
{
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
int ret = -1;
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
return 0;
switch (dev->source.subsys.type) {
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
Remove conn parameter from USB functions It was used for error reporting only.
2010-02-05 00:25:16 +01:00
usbDevice *usb = usbGetDevice(dev->source.subsys.u.usb.bus,
Fix USB passthrough based on product/vendor Changeset commit 5073aa994af460e775cb3e548528e28d7660fcc8 Author: Cole Robinson <crobinso@redhat.com> Date: Mon Jan 11 11:40:46 2010 -0500 Added support for product/vendor based passthrough, but it only worked at the security driver layer. The main guest XML config was not updated with the resolved bus/device ID. When the QEMU argv refactoring removed use of product/vendor, this then broke launching guests. THe solution is to move the product/vendor resolution up a layer into the QEMU driver. So the first thing QEMU does is resolve the product/vendor to a bus/device and updates the XML config with this info. The rest of the code, including security drivers and QEMU argv generated can now rely on bus/device always being set. * src/util/hostusb.c, src/util/hostusb.h: Split vendor/product resolution code out of usbGetDevice and into usbFindDevice. Add accessors for bus/device ID * src/security/virt-aa-helper.c, src/security/security_selinux.c, src/qemu/qemu_security_dac.c: Remove vendor/product from the usbGetDevice() calls * src/qemu/qemu_driver.c: Use usbFindDevice to resolve vendor/product into a bus/device ID
2010-03-04 11:48:16 +00:00
dev->source.subsys.u.usb.device);
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
if (!usb)
goto done;
Remove virConnectPtr from USB/PCI device iterators All callers now pass a NULL virConnectPtr into the USB/PCi device iterator functions. Therefore the virConnectPtr arg can now be removed from these functions * src/util/hostusb.h, src/util/hostusb.c: Remove virConnectPtr from usbDeviceFileIterate * src/util/pci.c, src/util/pci.h: Remove virConnectPtr arg from pciDeviceFileIterate * src/qemu/qemu_security_dac.c, src/security/security_selinux.c: Update to drop redundant virConnectPtr arg
2010-02-10 09:55:39 +00:00
ret = usbDeviceFileIterate(usb, SELinuxRestoreSecurityUSBLabel, NULL);
Remove conn parameter from USB functions It was used for error reporting only.
2010-02-05 00:25:16 +01:00
usbFreeDevice(usb);
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
break;
}
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
Remove conn parameter from PCI functions It was used for error reporting only.
2010-02-05 00:16:34 +01:00
pciDevice *pci = pciGetDevice(dev->source.subsys.u.pci.domain,
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
dev->source.subsys.u.pci.bus,
dev->source.subsys.u.pci.slot,
dev->source.subsys.u.pci.function);
if (!pci)
goto done;
Remove virConnectPtr from USB/PCI device iterators All callers now pass a NULL virConnectPtr into the USB/PCi device iterator functions. Therefore the virConnectPtr arg can now be removed from these functions * src/util/hostusb.h, src/util/hostusb.c: Remove virConnectPtr from usbDeviceFileIterate * src/util/pci.c, src/util/pci.h: Remove virConnectPtr arg from pciDeviceFileIterate * src/qemu/qemu_security_dac.c, src/security/security_selinux.c: Update to drop redundant virConnectPtr arg
2010-02-10 09:55:39 +00:00
ret = pciDeviceFileIterate(pci, SELinuxRestoreSecurityPCILabel, NULL);
Remove conn parameter from PCI functions It was used for error reporting only.
2010-02-05 00:16:34 +01:00
pciFreeDevice(pci);
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
break;
}
default:
ret = 0;
break;
}
done:
return ret;
}
Set labelling for character devices in security drivers When configuring serial, parallel, console or channel devices with a file, dev or pipe backend type, it is necessary to label the file path in the security drivers. For char devices of type file, it is neccessary to pre-create (touch) the file if it does not already exist since QEMU won't be allowed todo so itself. dev/pipe configs already require the admin to pre-create before starting the guest. * src/qemu/qemu_security_dac.c: set file ownership for character devices * src/security/security_selinux.c: Set file labeling for character devices * src/qemu/qemu_driver.c: Add character devices to cgroup ACL
2010-06-23 16:17:15 +01:00
static int
SELinuxSetSecurityChardevLabel(virDomainObjPtr vm,
virDomainChrDefPtr dev)
{
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
char *in = NULL, *out = NULL;
int ret = -1;
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
switch (dev->type) {
case VIR_DOMAIN_CHR_TYPE_DEV:
case VIR_DOMAIN_CHR_TYPE_FILE:
ret = SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel);
break;
case VIR_DOMAIN_CHR_TYPE_PIPE:
if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
(virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) {
virReportOOMError();
goto done;
}
if ((SELinuxSetFilecon(in, secdef->imagelabel) < 0) ||
(SELinuxSetFilecon(out, secdef->imagelabel) < 0))
goto done;
ret = 0;
break;
default:
ret = 0;
break;
}
done:
VIR_FREE(in);
VIR_FREE(out);
return ret;
}
static int
SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm,
virDomainChrDefPtr dev)
{
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
char *in = NULL, *out = NULL;
int ret = -1;
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
switch (dev->type) {
case VIR_DOMAIN_CHR_TYPE_DEV:
case VIR_DOMAIN_CHR_TYPE_FILE:
ret = SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel);
break;
case VIR_DOMAIN_CHR_TYPE_PIPE:
if ((virAsprintf(&out, "%s.out", dev->data.file.path) < 0) ||
(virAsprintf(&in, "%s.in", dev->data.file.path) < 0)) {
virReportOOMError();
goto done;
}
if ((SELinuxRestoreSecurityFileLabel(out) < 0) ||
(SELinuxRestoreSecurityFileLabel(in) < 0))
goto done;
ret = 0;
break;
default:
ret = 0;
break;
}
done:
VIR_FREE(in);
VIR_FREE(out);
return ret;
}
static int
SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainChrDefPtr dev,
void *opaque)
{
virDomainObjPtr vm = opaque;
return SELinuxRestoreSecurityChardevLabel(vm, dev);
}
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
static int
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
SELinuxRestoreSecurityAllLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virDomainObjPtr vm,
Don't reset user/group/security label on shared filesystems during migrate When QEMU runs with its disk on NFS, and as a non-root user, the disk is chownd to that non-root user. When migration completes the last step is shutting down the QEMU on the source host. THis normally resets user/group/security label. This is bad when the VM was just migrated because the file is still in use on the dest host. It is thus neccessary to skip the reset step for any files found to be on a shared filesystem * src/libvirt_private.syms: Export virStorageFileIsSharedFS * src/util/storage_file.c, src/util/storage_file.h: Add a new method virStorageFileIsSharedFS() to determine if a file is on a shared filesystem (NFS, GFS, OCFS2, etc) * src/qemu/qemu_driver.c: Tell security driver not to reset disk labels on migration completion * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_selinux.c, src/security/security_driver.h, src/security/security_apparmor.c: Add ability to skip disk restore step for files on shared filesystems.
2010-05-13 11:49:22 -04:00
int migrated ATTRIBUTE_UNUSED)
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
{
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int i;
int rc = 0;
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
VIR_DEBUG("Restoring security label on %s", vm->def->name);
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
if (SELinuxRestoreSecurityHostdevLabel(drv,
vm,
vm->def->hostdevs[i]) < 0)
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
rc = -1;
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
}
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
for (i = 0 ; i < vm->def->ndisks ; i++) {
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
if (SELinuxRestoreSecurityImageLabelInt(drv,
vm,
Don't reset user/group/security label on shared filesystems during migrate When QEMU runs with its disk on NFS, and as a non-root user, the disk is chownd to that non-root user. When migration completes the last step is shutting down the QEMU on the source host. THis normally resets user/group/security label. This is bad when the VM was just migrated because the file is still in use on the dest host. It is thus neccessary to skip the reset step for any files found to be on a shared filesystem * src/libvirt_private.syms: Export virStorageFileIsSharedFS * src/util/storage_file.c, src/util/storage_file.h: Add a new method virStorageFileIsSharedFS() to determine if a file is on a shared filesystem (NFS, GFS, OCFS2, etc) * src/qemu/qemu_driver.c: Tell security driver not to reset disk labels on migration completion * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_selinux.c, src/security/security_driver.h, src/security/security_apparmor.c: Add ability to skip disk restore step for files on shared filesystems.
2010-05-13 11:49:22 -04:00
vm->def->disks[i],
migrated) < 0)
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
rc = -1;
}
Refactor setup & cleanup of security labels in security driver The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
2010-01-11 11:04:40 +00:00
Set labelling for character devices in security drivers When configuring serial, parallel, console or channel devices with a file, dev or pipe backend type, it is necessary to label the file path in the security drivers. For char devices of type file, it is neccessary to pre-create (touch) the file if it does not already exist since QEMU won't be allowed todo so itself. dev/pipe configs already require the admin to pre-create before starting the guest. * src/qemu/qemu_security_dac.c: set file ownership for character devices * src/security/security_selinux.c: Set file labeling for character devices * src/qemu/qemu_driver.c: Add character devices to cgroup ACL
2010-06-23 16:17:15 +01:00
if (virDomainChrDefForeach(vm->def,
false,
SELinuxRestoreSecurityChardevCallback,
vm) < 0)
rc = -1;
security: Set permissions for kernel/initrd Fixes URL installs when running virt-install as root on Fedora.
2010-03-12 13:38:39 -05:00
if (vm->def->os.kernel &&
SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
rc = -1;
if (vm->def->os.initrd &&
SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
rc = -1;
Refactor setup & cleanup of security labels in security driver The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
2010-01-11 11:04:40 +00:00
return rc;
}
static int
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
SELinuxReleaseSecurityLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virDomainObjPtr vm)
Refactor setup & cleanup of security labels in security driver The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
2010-01-11 11:04:40 +00:00
{
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
security: selinux: Fix crash when releasing non-existent label This can be triggered by the qemuStartVMDaemon cleanup path if a VM references a non-existent USB device (by product) in the XML.
2010-03-22 10:45:36 -04:00
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC ||
secdef->label == NULL)
Refactor setup & cleanup of security labels in security driver The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
2010-01-11 11:04:40 +00:00
return 0;
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
context_t con = context_new(secdef->label);
if (con) {
mcsRemove(context_range_get(con));
context_free(con);
}
VIR_FREE(secdef->model);
VIR_FREE(secdef->label);
VIR_FREE(secdef->imagelabel);
Refactor setup & cleanup of security labels in security driver The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
2010-01-11 11:04:40 +00:00
return 0;
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
}
Fix save and restore with non-privileged guests and SELinux When running qemu:///system instance, libvirtd runs as root, but QEMU may optionally be configured to run non-root. When then saving a guest to a state file, the file is initially created as root, and thus QEMU cannot write to it. It is also missing labelling required to allow access via SELinux. * src/qemu/qemu_driver.c: Set ownership on save image before running migrate command in virDomainSave impl. Call out to security driver to set save image labelling * src/security/security_driver.h: Add driver APIs for setting and restoring saved state file labelling * src/security/security_selinux.c: Implement saved state file labelling for SELinux
2009-11-11 12:07:00 +00:00
static int
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
SELinuxSetSavedStateLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virDomainObjPtr vm,
Fix save and restore with non-privileged guests and SELinux When running qemu:///system instance, libvirtd runs as root, but QEMU may optionally be configured to run non-root. When then saving a guest to a state file, the file is initially created as root, and thus QEMU cannot write to it. It is also missing labelling required to allow access via SELinux. * src/qemu/qemu_driver.c: Set ownership on save image before running migrate command in virDomainSave impl. Call out to security driver to set save image labelling * src/security/security_driver.h: Add driver APIs for setting and restoring saved state file labelling * src/security/security_selinux.c: Implement saved state file labelling for SELinux
2009-11-11 12:07:00 +00:00
const char *savefile)
{
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
return SELinuxSetFilecon(savefile, secdef->imagelabel);
Fix save and restore with non-privileged guests and SELinux When running qemu:///system instance, libvirtd runs as root, but QEMU may optionally be configured to run non-root. When then saving a guest to a state file, the file is initially created as root, and thus QEMU cannot write to it. It is also missing labelling required to allow access via SELinux. * src/qemu/qemu_driver.c: Set ownership on save image before running migrate command in virDomainSave impl. Call out to security driver to set save image labelling * src/security/security_driver.h: Add driver APIs for setting and restoring saved state file labelling * src/security/security_selinux.c: Implement saved state file labelling for SELinux
2009-11-11 12:07:00 +00:00
}
static int
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
SELinuxRestoreSavedStateLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
virDomainObjPtr vm,
Fix save and restore with non-privileged guests and SELinux When running qemu:///system instance, libvirtd runs as root, but QEMU may optionally be configured to run non-root. When then saving a guest to a state file, the file is initially created as root, and thus QEMU cannot write to it. It is also missing labelling required to allow access via SELinux. * src/qemu/qemu_driver.c: Set ownership on save image before running migrate command in virDomainSave impl. Call out to security driver to set save image labelling * src/security/security_driver.h: Add driver APIs for setting and restoring saved state file labelling * src/security/security_selinux.c: Implement saved state file labelling for SELinux
2009-11-11 12:07:00 +00:00
const char *savefile)
{
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
return SELinuxRestoreSecurityFileLabel(savefile);
Fix save and restore with non-privileged guests and SELinux When running qemu:///system instance, libvirtd runs as root, but QEMU may optionally be configured to run non-root. When then saving a guest to a state file, the file is initially created as root, and thus QEMU cannot write to it. It is also missing labelling required to allow access via SELinux. * src/qemu/qemu_driver.c: Set ownership on save image before running migrate command in virDomainSave impl. Call out to security driver to set save image labelling * src/security/security_driver.h: Add driver APIs for setting and restoring saved state file labelling * src/security/security_selinux.c: Implement saved state file labelling for SELinux
2009-11-11 12:07:00 +00:00
}
Improve security label error reporting & verification (Dan Walsh)
2009-04-03 10:55:51 +00:00
static int
Remove use of virConnectPtr from security driver APIs The virConnectPtr is no longer required for error reporting since that is recorded in a thread local. Remove use of virConnectPtr from all APIs in security_driver.{h,c} and update all callers to match
2010-02-09 19:18:21 +00:00
SELinuxSecurityVerify(virDomainDefPtr def)
Improve security label error reporting & verification (Dan Walsh)
2009-04-03 10:55:51 +00:00
{
const virSecurityLabelDefPtr secdef = &def->seclabel;
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
if (security_check_context(secdef->label) != 0) {
Remove use of virConnectPtr from security driver APIs The virConnectPtr is no longer required for error reporting since that is recorded in a thread local. Remove use of virConnectPtr from all APIs in security_driver.{h,c} and update all callers to match
2010-02-09 19:18:21 +00:00
virSecurityReportError(VIR_ERR_XML_ERROR,
Improve security label error reporting & verification (Dan Walsh)
2009-04-03 10:55:51 +00:00
_("Invalid security label %s"), secdef->label);
return -1;
}
}
return 0;
}
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
static int
Remove use of virConnectPtr from security driver APIs The virConnectPtr is no longer required for error reporting since that is recorded in a thread local. Remove use of virConnectPtr from all APIs in security_driver.{h,c} and update all callers to match
2010-02-09 19:18:21 +00:00
SELinuxSetSecurityProcessLabel(virSecurityDriverPtr drv,
Refactor setup & cleanup of security labels in security driver The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
2010-01-11 11:04:40 +00:00
virDomainObjPtr vm)
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
{
/* TODO: verify DOI */
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
Make security drivers responsible for checking dynamic vs static labelling The QEMU driver is doing 90% of the calls to check for static vs dynamic labelling. Except it is forgetting todo so in many places, in particular hotplug is mistakenly assigning disk labels. Move all this logic into the security drivers themselves, so the HV drivers don't have to think about it. * src/security/security_driver.h: Add virDomainObjPtr parameter to virSecurityDomainRestoreHostdevLabel and to virSecurityDomainRestoreSavedStateLabel * src/security/security_selinux.c, src/security/security_apparmor.c: Add explicit checks for VIR_DOMAIN_SECLABEL_STATIC and skip all chcon() code in those cases * src/qemu/qemu_driver.c: Remove all checks for VIR_DOMAIN_SECLABEL_STATIC or VIR_DOMAIN_SECLABEL_DYNAMIC. Add missing checks for possibly NULL driver entry points.
2010-01-13 14:03:04 +00:00
if (vm->def->seclabel.label == NULL)
return 0;
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
if (!STREQ(drv->name, secdef->model)) {
Remove use of virConnectPtr from security driver APIs The virConnectPtr is no longer required for error reporting since that is recorded in a thread local. Remove use of virConnectPtr from all APIs in security_driver.{h,c} and update all callers to match
2010-02-09 19:18:21 +00:00
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
_("security label driver mismatch: "
"'%s' model configured for domain, but "
"hypervisor driver is '%s'."),
secdef->model, drv->name);
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
if (security_getenforce() == 1)
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
return -1;
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
}
if (setexeccon(secdef->label) == -1) {
Remove conn parameter from virReportSystemError
2010-02-04 21:02:58 +01:00
virReportSystemError(errno,
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
_("unable to set security context '%s'"),
secdef->label);
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
if (security_getenforce() == 1)
Cleanup sec driver error reporting to use virReportSystemError * src/security_selinux.c: Use virReportSystemError whereever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
2009-08-28 18:44:43 +01:00
return -1;
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
}
Refactor setup & cleanup of security labels in security driver The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
2010-01-11 11:04:40 +00:00
return 0;
}
Add support for setting socket MLS level in SELinux driver When SELinux is running in MLS mode, libvirtd will have a different security level to the VMs. For libvirtd to be able to connect to the monitor console, the client end of the UNIX domain socket needs a different label. This adds infrastructure to set the socket label via the security driver framework * src/qemu/qemu_driver.c: Call out to socket label APIs in security driver * src/qemu/qemu_security_stacked.c: Wire up socket label drivers * src/security/security_driver.h: Define security driver entry points for socket labelling * src/security/security_selinux.c: Set socket label based on VM label
2010-05-27 16:44:47 +01:00
static int
SELinuxSetSecuritySocketLabel(virSecurityDriverPtr drv,
virDomainObjPtr vm)
{
/* TODO: verify DOI */
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
context_t execcon = NULL;
context_t proccon = NULL;
security_context_t scon = NULL;
int rc = -1;
if (vm->def->seclabel.label == NULL)
return 0;
if (!STREQ(drv->name, secdef->model)) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("security label driver mismatch: "
"'%s' model configured for domain, but "
"hypervisor driver is '%s'."),
secdef->model, drv->name);
goto done;
}
if ( !(execcon = context_new(secdef->label)) ) {
virReportSystemError(errno,
_("unable to allocate socket security context '%s'"),
secdef->label);
goto done;
}
if (getcon(&scon) == -1) {
virReportSystemError(errno,
_("unable to get current process context '%s'"),
secdef->label);
goto done;
}
if ( !(proccon = context_new(scon)) ) {
virReportSystemError(errno,
_("unable to set socket security context '%s'"),
secdef->label);
goto done;
}
if (context_range_set(proccon, context_range_get(execcon)) == -1) {
virReportSystemError(errno,
_("unable to set socket security context range '%s'"),
secdef->label);
goto done;
}
VIR_DEBUG("Setting VM %s socket context %s",
vm->def->name, context_str(proccon));
if (setsockcreatecon(context_str(proccon)) == -1) {
virReportSystemError(errno,
_("unable to set socket security context '%s'"),
context_str(proccon));
goto done;
}
rc = 0;
done:
if (security_getenforce() != 1)
rc = 0;
if (execcon) context_free(execcon);
if (proccon) context_free(proccon);
freecon(scon);
return rc;
}
static int
SELinuxClearSecuritySocketLabel(virSecurityDriverPtr drv,
virDomainObjPtr vm)
{
/* TODO: verify DOI */
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
if (vm->def->seclabel.label == NULL)
return 0;
if (!STREQ(drv->name, secdef->model)) {
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
_("security label driver mismatch: "
"'%s' model configured for domain, but "
"hypervisor driver is '%s'."),
secdef->model, drv->name);
if (security_getenforce() == 1)
return -1;
}
if (setsockcreatecon(NULL) == -1) {
virReportSystemError(errno,
_("unable to clear socket security context '%s'"),
secdef->label);
if (security_getenforce() == 1)
return -1;
}
return 0;
}
Set labelling for character devices in security drivers When configuring serial, parallel, console or channel devices with a file, dev or pipe backend type, it is necessary to label the file path in the security drivers. For char devices of type file, it is neccessary to pre-create (touch) the file if it does not already exist since QEMU won't be allowed todo so itself. dev/pipe configs already require the admin to pre-create before starting the guest. * src/qemu/qemu_security_dac.c: set file ownership for character devices * src/security/security_selinux.c: Set file labeling for character devices * src/qemu/qemu_driver.c: Add character devices to cgroup ACL
2010-06-23 16:17:15 +01:00
static int
SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
virDomainChrDefPtr dev,
void *opaque)
{
virDomainObjPtr vm = opaque;
return SELinuxSetSecurityChardevLabel(vm, dev);
}
Refactor setup & cleanup of security labels in security driver The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
2010-01-11 11:04:40 +00:00
static int
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
SELinuxSetSecurityAllLabel(virSecurityDriverPtr drv,
virDomainObjPtr vm,
const char *stdin_path)
Refactor setup & cleanup of security labels in security driver The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
2010-01-11 11:04:40 +00:00
{
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
int i;
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
return 0;
for (i = 0 ; i < vm->def->ndisks ; i++) {
/* XXX fixme - we need to recursively label the entire tree :-( */
if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
VIR_WARN("Unable to relabel directory tree %s for disk %s",
vm->def->disks[i]->src, vm->def->disks[i]->dst);
continue;
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
}
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
if (SELinuxSetSecurityImageLabel(drv,
vm, vm->def->disks[i]) < 0)
Refactor setup & cleanup of security labels in security driver The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
2010-01-11 11:04:40 +00:00
return -1;
}
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
Pass security driver object into all security driver callbacks The implementation of security driver callbacks often needs to access the security driver object. Currently only a handful of callbacks include the driver object as a parameter. Later patches require this is many more places. * src/qemu/qemu_driver.c: Pass in the security driver object to all callbacks * src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c, src/security/security_apparmor.c, src/security/security_driver.h, src/security/security_selinux.c: Add a virSecurityDriverPtr param to all security callbacks
2010-06-15 17:44:19 +01:00
if (SELinuxSetSecurityHostdevLabel(drv,
vm,
vm->def->hostdevs[i]) < 0)
Refactor setup & cleanup of security labels in security driver The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
2010-01-11 11:04:40 +00:00
return -1;
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
}
Set labelling for character devices in security drivers When configuring serial, parallel, console or channel devices with a file, dev or pipe backend type, it is necessary to label the file path in the security drivers. For char devices of type file, it is neccessary to pre-create (touch) the file if it does not already exist since QEMU won't be allowed todo so itself. dev/pipe configs already require the admin to pre-create before starting the guest. * src/qemu/qemu_security_dac.c: set file ownership for character devices * src/security/security_selinux.c: Set file labeling for character devices * src/qemu/qemu_driver.c: Add character devices to cgroup ACL
2010-06-23 16:17:15 +01:00
if (virDomainChrDefForeach(vm->def,
true,
SELinuxSetSecurityChardevCallback,
vm) < 0)
return -1;
security: Set permissions for kernel/initrd Fixes URL installs when running virt-install as root on Fedora.
2010-03-12 13:38:39 -05:00
if (vm->def->os.kernel &&
SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
return -1;
if (vm->def->os.initrd &&
SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
return -1;
Set proper selinux label on image file during qemu domain restore Also restore the label to its original value after qemu is finished with the file. Prior to this patch, qemu domain restore did not function properly if selinux was set to enforce.
2010-06-24 17:58:59 -04:00
if (stdin_path &&
SELinuxSetFilecon(stdin_path, default_content_context) < 0)
return -1;
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
return 0;
}
virSecurityDriver virSELinuxSecurityDriver = {
.name = SECURITY_SELINUX_NAME,
.probe = SELinuxSecurityDriverProbe,
.open = SELinuxSecurityDriverOpen,
Improve security label error reporting & verification (Dan Walsh)
2009-04-03 10:55:51 +00:00
.domainSecurityVerify = SELinuxSecurityVerify,
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
.domainSetSecurityImageLabel = SELinuxSetSecurityImageLabel,
Add support for setting socket MLS level in SELinux driver When SELinux is running in MLS mode, libvirtd will have a different security level to the VMs. For libvirtd to be able to connect to the monitor console, the client end of the UNIX domain socket needs a different label. This adds infrastructure to set the socket label via the security driver framework * src/qemu/qemu_driver.c: Call out to socket label APIs in security driver * src/qemu/qemu_security_stacked.c: Wire up socket label drivers * src/security/security_driver.h: Define security driver entry points for socket labelling * src/security/security_selinux.c: Set socket label based on VM label
2010-05-27 16:44:47 +01:00
.domainSetSecuritySocketLabel = SELinuxSetSecuritySocketLabel,
.domainClearSecuritySocketLabel = SELinuxClearSecuritySocketLabel,
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
.domainRestoreSecurityImageLabel = SELinuxRestoreSecurityImageLabel,
.domainGenSecurityLabel = SELinuxGenSecurityLabel,
Fix re-detection of transient VMs after libvirtd restart
2009-06-12 11:38:50 +00:00
.domainReserveSecurityLabel = SELinuxReserveSecurityLabel,
Refactor setup & cleanup of security labels in security driver The current security driver architecture has the following split of logic * domainGenSecurityLabel Allocate the unique label for the domain about to be started * domainGetSecurityLabel Retrieve the current live security label for a process * domainSetSecurityLabel Apply the previously allocated label to the current process Setup all disk image / device labelling * domainRestoreSecurityLabel Restore the original disk image / device labelling. Release the unique label for the domain The 'domainSetSecurityLabel' method is special because it runs in the context of the child process between the fork + exec. This is require in order to set the process label. It is not required in order to label disks/devices though. Having the disk labelling code run in the child process limits what it can do. In particularly libvirtd would like to remember the current disk image label, and only change shared image labels for the first VM to start. This requires use & update of global state in the libvirtd daemon, and thus cannot run in the child process context. The solution is to split domainSetSecurityLabel into two parts, one applies process label, and the other handles disk image labelling. At the same time domainRestoreSecurityLabel is similarly split, just so that it matches the style. Thus the previous 4 methods are replaced by the following 6 new methods * domainGenSecurityLabel Allocate the unique label for the domain about to be started No actual change here. * domainReleaseSecurityLabel Release the unique label for the domain * domainGetSecurityProcessLabel Retrieve the current live security label for a process Merely renamed for clarity. * domainSetSecurityProcessLabel Apply the previously allocated label to the current process * domainRestoreSecurityAllLabel Restore the original disk image / device labelling. * domainSetSecurityAllLabel Setup all disk image / device labelling The SELinux and AppArmour drivers are then updated to comply with this new spec. Notice that the AppArmour driver was actually a little different. It was creating its profile for the disk image and device labels in the 'domainGenSecurityLabel' method, where as the SELinux driver did it in 'domainSetSecurityLabel'. With the new method split, we can have consistency, with both drivers doing that in the domainSetSecurityAllLabel method. NB, the AppArmour changes here haven't been compiled so may not build.
2010-01-11 11:04:40 +00:00
.domainReleaseSecurityLabel = SELinuxReleaseSecurityLabel,
.domainGetSecurityProcessLabel = SELinuxGetSecurityProcessLabel,
.domainSetSecurityProcessLabel = SELinuxSetSecurityProcessLabel,
.domainRestoreSecurityAllLabel = SELinuxRestoreSecurityAllLabel,
.domainSetSecurityAllLabel = SELinuxSetSecurityAllLabel,
Support relabelling of USB and PCI devices * src/security.h: Driver API for relabelling host devices * src/security_selinux.c: Implement relabelling of PCI and USB devices * src/qemu_driver.c: Relabel USB/PCI devices before hotplug
2009-08-14 14:23:11 +01:00
.domainSetSecurityHostdevLabel = SELinuxSetSecurityHostdevLabel,
.domainRestoreSecurityHostdevLabel = SELinuxRestoreSecurityHostdevLabel,
Fix save and restore with non-privileged guests and SELinux When running qemu:///system instance, libvirtd runs as root, but QEMU may optionally be configured to run non-root. When then saving a guest to a state file, the file is initially created as root, and thus QEMU cannot write to it. It is also missing labelling required to allow access via SELinux. * src/qemu/qemu_driver.c: Set ownership on save image before running migrate command in virDomainSave impl. Call out to security driver to set save image labelling * src/security/security_driver.h: Add driver APIs for setting and restoring saved state file labelling * src/security/security_selinux.c: Implement saved state file labelling for SELinux
2009-11-11 12:07:00 +00:00
.domainSetSavedStateLabel = SELinuxSetSavedStateLabel,
.domainRestoreSavedStateLabel = SELinuxRestoreSavedStateLabel,
SELinux security driver for sVirt support (James Morris, Dan Walsh & Daniel Berrange)
2009-03-03 10:06:49 +00:00
};
Reference in New Issue Copy Permalink