2009-03-03 10:06:49 +00:00
|
|
|
/*
|
domain_conf: split source data out from ChrDef
This opens up the possibility of reusing the smaller ChrSourceDef
for both qemu monitor and a passthrough smartcard device.
* src/conf/domain_conf.h (_virDomainChrDef): Factor host
details...
(_virDomainChrSourceDef): ...into new struct.
(virDomainChrSourceDefFree): New prototype.
* src/conf/domain_conf.c (virDomainChrDefFree)
(virDomainChrDefParseXML, virDomainChrDefFormat): Split...
(virDomainChrSourceDefClear, virDomainChrSourceDefFree)
(virDomainChrSourceDefParseXML, virDomainChrSourceDefFormat):
...into new functions.
(virDomainChrDefParseTargetXML): Update clients to reflect type
split.
* src/vmx/vmx.c (virVMXParseSerial, virVMXParseParallel)
(virVMXFormatSerial, virVMXFormatParallel): Likewise.
* src/xen/xen_driver.c (xenUnifiedDomainOpenConsole): Likewise.
* src/xen/xend_internal.c (xenDaemonParseSxprChar)
(xenDaemonFormatSxprChr): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainDumpXML, vboxAttachSerial)
(vboxAttachParallel): Likewise.
* src/security/security_dac.c (virSecurityDACSetChardevLabel)
(virSecurityDACSetChardevCallback)
(virSecurityDACRestoreChardevLabel)
(virSecurityDACRestoreChardevCallback): Likewise.
* src/security/security_selinux.c (SELinuxSetSecurityChardevLabel)
(SELinuxSetSecurityChardevCallback)
(SELinuxRestoreSecurityChardevLabel)
(SELinuxSetSecurityChardevCallback): Likewise.
* src/security/virt-aa-helper.c (get_files): Likewise.
* src/lxc/lxc_driver.c (lxcVmStart, lxcDomainOpenConsole):
Likewise.
* src/uml/uml_conf.c (umlBuildCommandLineChr): Likewise.
* src/uml/uml_driver.c (umlIdentifyOneChrPTY, umlIdentifyChrPTY)
(umlDomainOpenConsole): Likewise.
* src/qemu/qemu_command.c (qemuBuildChrChardevStr)
(qemuBuildChrArgStr, qemuBuildCommandLine)
(qemuParseCommandLineChr): Likewise.
* src/qemu/qemu_domain.c (qemuDomainObjPrivateXMLFormat)
(qemuDomainObjPrivateXMLParse): Likewise.
* src/qemu/qemu_cgroup.c (qemuSetupChardevCgroup): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainAttachNetDevice): Likewise.
* src/qemu/qemu_driver.c (qemudFindCharDevicePTYsMonitor)
(qemudFindCharDevicePTYs, qemuPrepareChardevDevice)
(qemuPrepareMonitorChr, qemudShutdownVMDaemon)
(qemuDomainOpenConsole): Likewise.
* src/qemu/qemu_command.h (qemuBuildChrChardevStr)
(qemuBuildChrArgStr): Delete, now that they are static.
* src/libvirt_private.syms (domain_conf.h): New exports.
* cfg.mk (useless_free_options): Update list.
* tests/qemuxml2argvtest.c (testCompareXMLToArgvFiles): Update
tests.
2011-01-07 22:45:01 +00:00
|
|
|
* Copyright (C) 2008-2011 Red Hat, Inc.
|
2009-03-03 10:06:49 +00:00
|
|
|
*
|
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* Authors:
|
|
|
|
|
* James Morris <jmorris@namei.org>
|
2009-04-03 10:55:51 +00:00
|
|
|
* Dan Walsh <dwalsh@redhat.com>
|
2009-03-03 10:06:49 +00:00
|
|
|
*
|
|
|
|
|
* SELinux security driver.
|
|
|
|
|
*/
|
|
|
|
|
#include <config.h>
|
|
|
|
|
#include <selinux/selinux.h>
|
|
|
|
|
#include <selinux/context.h>
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <fcntl.h>
|
2010-12-15 00:07:52 +00:00
|
|
|
#if HAVE_SELINUX_LABEL_H
|
|
|
|
|
# include <selinux/label.h>
|
|
|
|
|
#endif
|
2009-03-03 10:06:49 +00:00
|
|
|
|
2009-09-15 18:06:37 +00:00
|
|
|
#include "security_driver.h"
|
2009-03-03 10:06:49 +00:00
|
|
|
#include "security_selinux.h"
|
|
|
|
|
#include "virterror_internal.h"
|
|
|
|
|
#include "util.h"
|
|
|
|
|
#include "memory.h"
|
2009-07-03 10:26:37 +00:00
|
|
|
#include "logging.h"
|
2009-08-14 13:23:11 +00:00
|
|
|
#include "pci.h"
|
|
|
|
|
#include "hostusb.h"
|
2009-09-25 13:20:13 +00:00
|
|
|
#include "storage_file.h"
|
2011-07-19 18:32:58 +00:00
|
|
|
#include "virfile.h"
|
2009-03-03 15:18:24 +00:00
|
|
|
|
|
|
|
|
#define VIR_FROM_THIS VIR_FROM_SECURITY
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
static char default_domain_context[1024];
|
2009-07-03 10:26:37 +00:00
|
|
|
static char default_content_context[1024];
|
2009-03-03 10:06:49 +00:00
|
|
|
static char default_image_context[1024];
|
|
|
|
|
#define SECURITY_SELINUX_VOID_DOI "0"
|
|
|
|
|
#define SECURITY_SELINUX_NAME "selinux"
|
|
|
|
|
|
|
|
|
|
/* TODO
|
|
|
|
|
The data struct of used mcs should be replaced with a better data structure in the future
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
struct MCS {
|
|
|
|
|
char *mcs;
|
|
|
|
|
struct MCS *next;
|
|
|
|
|
};
|
|
|
|
|
static struct MCS *mcsList = NULL;
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
mcsAdd(const char *mcs)
|
|
|
|
|
{
|
|
|
|
|
struct MCS *ptr;
|
|
|
|
|
|
|
|
|
|
for (ptr = mcsList; ptr; ptr = ptr->next) {
|
2009-03-03 15:18:24 +00:00
|
|
|
if (STREQ(ptr->mcs, mcs))
|
2009-03-03 10:06:49 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
2009-03-03 15:18:24 +00:00
|
|
|
if (VIR_ALLOC(ptr) < 0)
|
|
|
|
|
return -1;
|
2009-03-03 10:06:49 +00:00
|
|
|
ptr->mcs = strdup(mcs);
|
|
|
|
|
ptr->next = mcsList;
|
|
|
|
|
mcsList = ptr;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
mcsRemove(const char *mcs)
|
|
|
|
|
{
|
|
|
|
|
struct MCS *prevptr = NULL;
|
|
|
|
|
struct MCS *ptr = NULL;
|
|
|
|
|
|
|
|
|
|
for (ptr = mcsList; ptr; ptr = ptr->next) {
|
2009-03-03 15:18:24 +00:00
|
|
|
if (STREQ(ptr->mcs, mcs)) {
|
2009-03-03 10:06:49 +00:00
|
|
|
if (prevptr)
|
|
|
|
|
prevptr->next = ptr->next;
|
|
|
|
|
else {
|
|
|
|
|
mcsList = ptr->next;
|
|
|
|
|
}
|
2009-12-09 23:00:50 +00:00
|
|
|
VIR_FREE(ptr->mcs);
|
|
|
|
|
VIR_FREE(ptr);
|
2009-03-03 10:06:49 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
prevptr = ptr;
|
|
|
|
|
}
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static char *
|
|
|
|
|
SELinuxGenNewContext(const char *oldcontext, const char *mcs)
|
|
|
|
|
{
|
|
|
|
|
char *newcontext = NULL;
|
|
|
|
|
char *scontext = strdup(oldcontext);
|
build: detect potentential uninitialized variables
Even with -Wuninitialized (which is part of autobuild.sh
--enable-compile-warnings=error), gcc does NOT catch this
use of an uninitialized variable:
{
if (cond)
goto error;
int a = 1;
error:
printf("%d", a);
}
which prints 0 (supposing the stack started life wiped) if
cond was true. Clang will catch it, but we don't use clang
as often. Using gcc -Wjump-misses-init catches it, but also
gives false positives:
{
if (cond)
goto error;
int a = 1;
return a;
error:
return 0;
}
Here, a was never used in the scope of the error block, so
declaring it after goto is technically fine (and clang agrees).
However, given that our HACKING already documents a preference
to C89 decl-before-statement, the false positive warning is
enough of a prod to comply with HACKING.
[Personally, I'd _really_ rather use C99 decl-after-statement
to minimize scope, but until gcc can efficiently and reliably
catch scoping and uninitialized usage bugs, I'll settle with
the compromise of enforcing a coding standard that happens to
reject false positives if it can also detect real bugs.]
* acinclude.m4 (LIBVIRT_COMPILE_WARNINGS): Add -Wjump-misses-init.
* src/util/util.c (__virExec): Adjust offenders.
* src/conf/domain_conf.c (virDomainTimerDefParseXML): Likewise.
* src/remote/remote_driver.c (doRemoteOpen): Likewise.
* src/phyp/phyp_driver.c (phypGetLparNAME, phypGetLparProfile)
(phypGetVIOSFreeSCSIAdapter, phypVolumeGetKey)
(phypGetStoragePoolDevice)
(phypVolumeGetPhysicalVolumeByStoragePool)
(phypVolumeGetPath): Likewise.
* src/vbox/vbox_tmpl.c (vboxNetworkUndefineDestroy)
(vboxNetworkCreate, vboxNetworkDumpXML)
(vboxNetworkDefineCreateXML): Likewise.
* src/xenapi/xenapi_driver.c (getCapsObject)
(xenapiDomainDumpXML): Likewise.
* src/xenapi/xenapi_utils.c (createVMRecordFromXml): Likewise.
* src/security/security_selinux.c (SELinuxGenNewContext):
Likewise.
* src/qemu/qemu_command.c (qemuBuildCommandLine): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainChangeEjectableMedia):
Likewise.
* src/qemu/qemu_process.c (qemuProcessWaitForMonitor): Likewise.
* src/qemu/qemu_monitor_text.c (qemuMonitorTextGetPtyPaths):
Likewise.
* src/qemu/qemu_driver.c (qemudDomainShutdown)
(qemudDomainBlockStats, qemudDomainMemoryPeek): Likewise.
* src/storage/storage_backend_iscsi.c
(virStorageBackendCreateIfaceIQN): Likewise.
* src/node_device/node_device_udev.c (udevProcessPCI): Likewise.
2011-04-01 15:41:45 +00:00
|
|
|
context_t con;
|
2009-03-03 10:06:49 +00:00
|
|
|
if (!scontext) goto err;
|
build: detect potentential uninitialized variables
Even with -Wuninitialized (which is part of autobuild.sh
--enable-compile-warnings=error), gcc does NOT catch this
use of an uninitialized variable:
{
if (cond)
goto error;
int a = 1;
error:
printf("%d", a);
}
which prints 0 (supposing the stack started life wiped) if
cond was true. Clang will catch it, but we don't use clang
as often. Using gcc -Wjump-misses-init catches it, but also
gives false positives:
{
if (cond)
goto error;
int a = 1;
return a;
error:
return 0;
}
Here, a was never used in the scope of the error block, so
declaring it after goto is technically fine (and clang agrees).
However, given that our HACKING already documents a preference
to C89 decl-before-statement, the false positive warning is
enough of a prod to comply with HACKING.
[Personally, I'd _really_ rather use C99 decl-after-statement
to minimize scope, but until gcc can efficiently and reliably
catch scoping and uninitialized usage bugs, I'll settle with
the compromise of enforcing a coding standard that happens to
reject false positives if it can also detect real bugs.]
* acinclude.m4 (LIBVIRT_COMPILE_WARNINGS): Add -Wjump-misses-init.
* src/util/util.c (__virExec): Adjust offenders.
* src/conf/domain_conf.c (virDomainTimerDefParseXML): Likewise.
* src/remote/remote_driver.c (doRemoteOpen): Likewise.
* src/phyp/phyp_driver.c (phypGetLparNAME, phypGetLparProfile)
(phypGetVIOSFreeSCSIAdapter, phypVolumeGetKey)
(phypGetStoragePoolDevice)
(phypVolumeGetPhysicalVolumeByStoragePool)
(phypVolumeGetPath): Likewise.
* src/vbox/vbox_tmpl.c (vboxNetworkUndefineDestroy)
(vboxNetworkCreate, vboxNetworkDumpXML)
(vboxNetworkDefineCreateXML): Likewise.
* src/xenapi/xenapi_driver.c (getCapsObject)
(xenapiDomainDumpXML): Likewise.
* src/xenapi/xenapi_utils.c (createVMRecordFromXml): Likewise.
* src/security/security_selinux.c (SELinuxGenNewContext):
Likewise.
* src/qemu/qemu_command.c (qemuBuildCommandLine): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainChangeEjectableMedia):
Likewise.
* src/qemu/qemu_process.c (qemuProcessWaitForMonitor): Likewise.
* src/qemu/qemu_monitor_text.c (qemuMonitorTextGetPtyPaths):
Likewise.
* src/qemu/qemu_driver.c (qemudDomainShutdown)
(qemudDomainBlockStats, qemudDomainMemoryPeek): Likewise.
* src/storage/storage_backend_iscsi.c
(virStorageBackendCreateIfaceIQN): Likewise.
* src/node_device/node_device_udev.c (udevProcessPCI): Likewise.
2011-04-01 15:41:45 +00:00
|
|
|
con = context_new(scontext);
|
2009-03-03 10:06:49 +00:00
|
|
|
if (!con) goto err;
|
|
|
|
|
context_range_set(con, mcs);
|
|
|
|
|
newcontext = strdup(context_str(con));
|
|
|
|
|
context_free(con);
|
|
|
|
|
err:
|
|
|
|
|
freecon(scontext);
|
|
|
|
|
return (newcontext);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
2010-02-04 20:02:58 +00:00
|
|
|
SELinuxInitialize(void)
|
2009-03-03 10:06:49 +00:00
|
|
|
{
|
|
|
|
|
char *ptr = NULL;
|
|
|
|
|
int fd = 0;
|
|
|
|
|
|
|
|
|
|
fd = open(selinux_virtual_domain_context_path(), O_RDONLY);
|
|
|
|
|
if (fd < 0) {
|
2010-02-04 20:02:58 +00:00
|
|
|
virReportSystemError(errno,
|
2009-08-28 17:44:43 +00:00
|
|
|
_("cannot open SELinux virtual domain context file '%s'"),
|
|
|
|
|
selinux_virtual_domain_context_path());
|
2009-03-03 10:06:49 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (saferead(fd, default_domain_context, sizeof(default_domain_context)) < 0) {
|
2010-02-04 20:02:58 +00:00
|
|
|
virReportSystemError(errno,
|
2009-08-28 17:44:43 +00:00
|
|
|
_("cannot read SELinux virtual domain context file %s"),
|
|
|
|
|
selinux_virtual_domain_context_path());
|
2010-11-09 20:48:48 +00:00
|
|
|
VIR_FORCE_CLOSE(fd);
|
2009-03-03 10:06:49 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
2010-11-09 20:48:48 +00:00
|
|
|
VIR_FORCE_CLOSE(fd);
|
2009-03-03 10:06:49 +00:00
|
|
|
|
|
|
|
|
ptr = strchrnul(default_domain_context, '\n');
|
|
|
|
|
*ptr = '\0';
|
|
|
|
|
|
|
|
|
|
if ((fd = open(selinux_virtual_image_context_path(), O_RDONLY)) < 0) {
|
2010-02-04 20:02:58 +00:00
|
|
|
virReportSystemError(errno,
|
2009-08-28 17:44:43 +00:00
|
|
|
_("cannot open SELinux virtual image context file %s"),
|
|
|
|
|
selinux_virtual_image_context_path());
|
2009-03-03 10:06:49 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (saferead(fd, default_image_context, sizeof(default_image_context)) < 0) {
|
2010-02-04 20:02:58 +00:00
|
|
|
virReportSystemError(errno,
|
2009-08-28 17:44:43 +00:00
|
|
|
_("cannot read SELinux virtual image context file %s"),
|
|
|
|
|
selinux_virtual_image_context_path());
|
2010-11-09 20:48:48 +00:00
|
|
|
VIR_FORCE_CLOSE(fd);
|
2009-03-03 10:06:49 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
2010-11-09 20:48:48 +00:00
|
|
|
VIR_FORCE_CLOSE(fd);
|
2009-03-03 10:06:49 +00:00
|
|
|
|
|
|
|
|
ptr = strchrnul(default_image_context, '\n');
|
2009-07-03 10:26:37 +00:00
|
|
|
if (*ptr == '\n') {
|
|
|
|
|
*ptr = '\0';
|
|
|
|
|
strcpy(default_content_context, ptr+1);
|
|
|
|
|
ptr = strchrnul(default_content_context, '\n');
|
|
|
|
|
if (*ptr == '\n')
|
|
|
|
|
*ptr = '\0';
|
|
|
|
|
}
|
2009-03-03 10:06:49 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxGenSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
2010-06-15 16:44:19 +00:00
|
|
|
virDomainObjPtr vm)
|
2009-03-03 10:06:49 +00:00
|
|
|
{
|
|
|
|
|
int rc = -1;
|
2011-06-24 09:21:33 +00:00
|
|
|
char *mcs = NULL;
|
2009-03-03 10:06:49 +00:00
|
|
|
char *scontext = NULL;
|
|
|
|
|
int c1 = 0;
|
|
|
|
|
int c2 = 0;
|
2011-06-24 09:21:33 +00:00
|
|
|
context_t ctx = NULL;
|
2010-01-13 14:03:04 +00:00
|
|
|
|
2011-06-23 14:48:48 +00:00
|
|
|
if ((vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) &&
|
|
|
|
|
!vm->def->seclabel.baselabel &&
|
|
|
|
|
vm->def->seclabel.model) {
|
|
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
"%s", _("security model already defined for VM"));
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2011-06-24 09:21:33 +00:00
|
|
|
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
|
|
|
|
|
vm->def->seclabel.label) {
|
2010-02-09 19:18:21 +00:00
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
2009-04-03 14:10:17 +00:00
|
|
|
"%s", _("security label already defined for VM"));
|
2010-10-27 10:01:27 +00:00
|
|
|
return rc;
|
2009-03-03 15:18:24 +00:00
|
|
|
}
|
2009-03-03 10:06:49 +00:00
|
|
|
|
2011-06-24 09:21:33 +00:00
|
|
|
if (vm->def->seclabel.imagelabel) {
|
|
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
"%s", _("security image label already defined for VM"));
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2011-06-23 14:48:48 +00:00
|
|
|
if (vm->def->seclabel.model &&
|
|
|
|
|
STRNEQ(vm->def->seclabel.model, SECURITY_SELINUX_NAME)) {
|
|
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("security label model %s is not supported with selinux"),
|
|
|
|
|
vm->def->seclabel.model);
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2011-06-24 09:21:33 +00:00
|
|
|
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC) {
|
|
|
|
|
if (!(ctx = context_new(vm->def->seclabel.label)) ) {
|
|
|
|
|
virReportSystemError(errno,
|
|
|
|
|
_("unable to allocate socket security context '%s'"),
|
|
|
|
|
vm->def->seclabel.label);
|
|
|
|
|
return rc;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
|
2011-06-24 09:21:33 +00:00
|
|
|
const char *range = context_range_get(ctx);
|
|
|
|
|
if (!range ||
|
|
|
|
|
!(mcs = strdup(range))) {
|
|
|
|
|
virReportOOMError();
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
do {
|
|
|
|
|
c1 = virRandom(1024);
|
|
|
|
|
c2 = virRandom(1024);
|
|
|
|
|
|
|
|
|
|
if ( c1 == c2 ) {
|
|
|
|
|
if (virAsprintf(&mcs, "s0:c%d", c1) < 0) {
|
|
|
|
|
virReportOOMError();
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
if (c1 > c2) {
|
|
|
|
|
c1 ^= c2;
|
|
|
|
|
c2 ^= c1;
|
|
|
|
|
c1 ^= c2;
|
|
|
|
|
}
|
|
|
|
|
if (virAsprintf(&mcs, "s0:c%d,c%d", c1, c2) < 0) {
|
|
|
|
|
virReportOOMError();
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} while (mcsAdd(mcs) == -1);
|
|
|
|
|
|
|
|
|
|
vm->def->seclabel.label =
|
|
|
|
|
SELinuxGenNewContext(vm->def->seclabel.baselabel ?
|
|
|
|
|
vm->def->seclabel.baselabel :
|
|
|
|
|
default_domain_context, mcs);
|
|
|
|
|
if (! vm->def->seclabel.label) {
|
|
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("cannot generate selinux context for %s"), mcs);
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
2009-03-03 15:18:24 +00:00
|
|
|
}
|
2009-03-03 10:06:49 +00:00
|
|
|
vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
|
2011-06-24 09:21:33 +00:00
|
|
|
if (!vm->def->seclabel.imagelabel) {
|
2010-02-09 19:18:21 +00:00
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
2009-03-03 15:18:24 +00:00
|
|
|
_("cannot generate selinux context for %s"), mcs);
|
2011-06-24 09:21:33 +00:00
|
|
|
goto cleanup;
|
2009-03-03 15:18:24 +00:00
|
|
|
}
|
2011-06-24 09:21:33 +00:00
|
|
|
|
2011-06-23 14:48:48 +00:00
|
|
|
if (!vm->def->seclabel.model &&
|
|
|
|
|
!(vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME))) {
|
2010-02-04 18:19:08 +00:00
|
|
|
virReportOOMError();
|
2011-06-24 09:21:33 +00:00
|
|
|
goto cleanup;
|
2009-03-03 15:18:24 +00:00
|
|
|
}
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
rc = 0;
|
2011-06-24 09:21:33 +00:00
|
|
|
|
|
|
|
|
cleanup:
|
|
|
|
|
if (rc != 0) {
|
|
|
|
|
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC)
|
|
|
|
|
VIR_FREE(vm->def->seclabel.label);
|
|
|
|
|
VIR_FREE(vm->def->seclabel.imagelabel);
|
|
|
|
|
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
|
|
|
|
|
!vm->def->seclabel.baselabel)
|
|
|
|
|
VIR_FREE(vm->def->seclabel.model);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ctx)
|
|
|
|
|
context_free(ctx);
|
2009-03-03 15:18:24 +00:00
|
|
|
VIR_FREE(scontext);
|
2011-06-24 09:21:33 +00:00
|
|
|
VIR_FREE(mcs);
|
|
|
|
|
|
|
|
|
|
VIR_DEBUG("model=%s label=%s imagelabel=%s baselabel=%s",
|
|
|
|
|
NULLSTR(vm->def->seclabel.model),
|
|
|
|
|
NULLSTR(vm->def->seclabel.label),
|
|
|
|
|
NULLSTR(vm->def->seclabel.imagelabel),
|
|
|
|
|
NULLSTR(vm->def->seclabel.baselabel));
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2009-06-12 11:38:50 +00:00
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxReserveSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
2010-06-15 16:44:19 +00:00
|
|
|
virDomainObjPtr vm)
|
2009-06-12 11:38:50 +00:00
|
|
|
{
|
|
|
|
|
security_context_t pctx;
|
|
|
|
|
context_t ctx = NULL;
|
|
|
|
|
const char *mcs;
|
|
|
|
|
|
2010-01-13 14:03:04 +00:00
|
|
|
if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_STATIC)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2009-06-12 11:38:50 +00:00
|
|
|
if (getpidcon(vm->pid, &pctx) == -1) {
|
2010-02-04 20:02:58 +00:00
|
|
|
virReportSystemError(errno,
|
2009-08-28 17:44:43 +00:00
|
|
|
_("unable to get PID %d security context"), vm->pid);
|
2009-06-12 11:38:50 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ctx = context_new(pctx);
|
2010-11-24 21:09:58 +00:00
|
|
|
freecon(pctx);
|
2009-06-12 11:38:50 +00:00
|
|
|
if (!ctx)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
mcs = context_range_get(ctx);
|
|
|
|
|
if (!mcs)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
mcsAdd(mcs);
|
|
|
|
|
|
|
|
|
|
context_free(ctx);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
context_free(ctx);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
static int
|
|
|
|
|
SELinuxSecurityDriverProbe(void)
|
|
|
|
|
{
|
|
|
|
|
return is_selinux_enabled() ? SECURITY_DRIVER_ENABLE : SECURITY_DRIVER_DISABLE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxSecurityDriverOpen(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
|
|
|
|
|
{
|
|
|
|
|
return SELinuxInitialize();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxSecurityDriverClose(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
|
|
|
|
|
{
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static const char *SELinuxSecurityGetModel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
|
|
|
|
|
{
|
|
|
|
|
return SECURITY_SELINUX_NAME;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const char *SELinuxSecurityGetDOI(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
|
2009-03-03 10:06:49 +00:00
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Where will the DOI come from? SELinux configuration, or qemu
|
|
|
|
|
* configuration? For the moment, we'll just set it to "0".
|
|
|
|
|
*/
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
return SECURITY_SELINUX_VOID_DOI;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxGetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
2010-06-15 16:44:19 +00:00
|
|
|
virDomainObjPtr vm,
|
2010-01-11 11:04:40 +00:00
|
|
|
virSecurityLabelPtr sec)
|
2009-03-03 10:06:49 +00:00
|
|
|
{
|
|
|
|
|
security_context_t ctx;
|
|
|
|
|
|
|
|
|
|
if (getpidcon(vm->pid, &ctx) == -1) {
|
2010-02-04 20:02:58 +00:00
|
|
|
virReportSystemError(errno,
|
2009-08-28 17:44:43 +00:00
|
|
|
_("unable to get PID %d security context"),
|
|
|
|
|
vm->pid);
|
2009-03-03 10:06:49 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) {
|
2010-02-09 19:18:21 +00:00
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
2009-08-28 17:44:43 +00:00
|
|
|
_("security label exceeds "
|
2009-10-27 16:20:22 +00:00
|
|
|
"maximum length: %d"),
|
2009-03-03 10:06:49 +00:00
|
|
|
VIR_SECURITY_LABEL_BUFLEN - 1);
|
2010-11-24 21:09:58 +00:00
|
|
|
freecon(ctx);
|
2009-03-03 10:06:49 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
strcpy(sec->label, (char *) ctx);
|
2010-11-24 21:09:58 +00:00
|
|
|
freecon(ctx);
|
2009-03-03 10:06:49 +00:00
|
|
|
|
|
|
|
|
sec->enforcing = security_getenforce();
|
|
|
|
|
if (sec->enforcing == -1) {
|
2010-02-04 20:02:58 +00:00
|
|
|
virReportSystemError(errno, "%s",
|
2009-08-28 17:44:43 +00:00
|
|
|
_("error calling security_getenforce()"));
|
2009-03-03 10:06:49 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
2010-02-04 20:02:58 +00:00
|
|
|
SELinuxSetFilecon(const char *path, char *tcon)
|
2009-03-03 10:06:49 +00:00
|
|
|
{
|
2009-07-03 10:27:46 +00:00
|
|
|
security_context_t econ;
|
2009-03-03 10:06:49 +00:00
|
|
|
|
2009-07-03 10:26:37 +00:00
|
|
|
VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
|
|
|
|
|
|
2009-07-03 10:27:46 +00:00
|
|
|
if (setfilecon(path, tcon) < 0) {
|
2009-08-21 14:57:29 +00:00
|
|
|
int setfilecon_errno = errno;
|
|
|
|
|
|
2009-07-03 10:27:46 +00:00
|
|
|
if (getfilecon(path, &econ) >= 0) {
|
|
|
|
|
if (STREQ(tcon, econ)) {
|
|
|
|
|
freecon(econ);
|
|
|
|
|
/* It's alright, there's nothing to change anyway. */
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
freecon(econ);
|
|
|
|
|
}
|
2009-08-21 14:57:29 +00:00
|
|
|
|
|
|
|
|
/* if the error complaint is related to an image hosted on
|
2009-08-14 13:23:11 +00:00
|
|
|
* an nfs mount, or a usbfs/sysfs filesystem not supporting
|
|
|
|
|
* labelling, then just ignore it & hope for the best.
|
2009-09-22 09:42:06 +00:00
|
|
|
* The user hopefully set one of the necessary SELinux
|
2009-08-14 13:23:11 +00:00
|
|
|
* virt_use_{nfs,usb,pci} boolean tunables to allow it...
|
2009-08-21 14:57:29 +00:00
|
|
|
*/
|
2011-09-22 08:57:24 +00:00
|
|
|
if (setfilecon_errno != EOPNOTSUPP && setfilecon_errno != ENOTSUP) {
|
2010-02-04 20:02:58 +00:00
|
|
|
virReportSystemError(setfilecon_errno,
|
2011-09-22 08:57:24 +00:00
|
|
|
_("unable to set security context '%s' on '%s'"),
|
2009-08-28 17:44:43 +00:00
|
|
|
tcon, path);
|
2009-08-21 14:57:29 +00:00
|
|
|
if (security_getenforce() == 1)
|
|
|
|
|
return -1;
|
2009-08-28 17:44:43 +00:00
|
|
|
} else {
|
2011-09-22 08:57:24 +00:00
|
|
|
const char *msg;
|
|
|
|
|
if ((virStorageFileIsSharedFSType(path,
|
|
|
|
|
VIR_STORAGE_FILE_SHFS_NFS) == 1) &&
|
|
|
|
|
security_get_boolean_active("virt_use_nfs") != 1) {
|
|
|
|
|
msg = _("Setting security context '%s' on '%s' not supported. "
|
|
|
|
|
"Consider setting virt_use_nfs");
|
|
|
|
|
if (security_getenforce() == 1)
|
|
|
|
|
VIR_WARN(msg, tcon, path);
|
|
|
|
|
else
|
|
|
|
|
VIR_INFO(msg, tcon, path);
|
|
|
|
|
} else {
|
|
|
|
|
VIR_INFO("Setting security context '%s' on '%s' not supported",
|
|
|
|
|
tcon, path);
|
|
|
|
|
}
|
2009-08-21 14:57:29 +00:00
|
|
|
}
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2011-01-23 21:02:42 +00:00
|
|
|
static int
|
|
|
|
|
SELinuxFSetFilecon(int fd, char *tcon)
|
|
|
|
|
{
|
|
|
|
|
security_context_t econ;
|
|
|
|
|
|
|
|
|
|
VIR_INFO("Setting SELinux context on fd %d to '%s'", fd, tcon);
|
|
|
|
|
|
|
|
|
|
if (fsetfilecon(fd, tcon) < 0) {
|
|
|
|
|
int fsetfilecon_errno = errno;
|
|
|
|
|
|
|
|
|
|
if (fgetfilecon(fd, &econ) >= 0) {
|
|
|
|
|
if (STREQ(tcon, econ)) {
|
|
|
|
|
freecon(econ);
|
|
|
|
|
/* It's alright, there's nothing to change anyway. */
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
freecon(econ);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* if the error complaint is related to an image hosted on
|
|
|
|
|
* an nfs mount, or a usbfs/sysfs filesystem not supporting
|
|
|
|
|
* labelling, then just ignore it & hope for the best.
|
|
|
|
|
* The user hopefully set one of the necessary SELinux
|
|
|
|
|
* virt_use_{nfs,usb,pci} boolean tunables to allow it...
|
|
|
|
|
*/
|
|
|
|
|
if (fsetfilecon_errno != EOPNOTSUPP) {
|
|
|
|
|
virReportSystemError(fsetfilecon_errno,
|
|
|
|
|
_("unable to set security context '%s' on fd %d"),
|
|
|
|
|
tcon, fd);
|
|
|
|
|
if (security_getenforce() == 1)
|
|
|
|
|
return -1;
|
|
|
|
|
} else {
|
|
|
|
|
VIR_INFO("Setting security context '%s' on fd %d not supported",
|
|
|
|
|
tcon, fd);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-15 00:07:52 +00:00
|
|
|
/* Set fcon to the appropriate label for path and mode, or return -1. */
|
|
|
|
|
static int
|
|
|
|
|
getContext(const char *newpath, mode_t mode, security_context_t *fcon)
|
|
|
|
|
{
|
|
|
|
|
#if HAVE_SELINUX_LABEL_H
|
|
|
|
|
struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
if (handle == NULL)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
ret = selabel_lookup(handle, fcon, newpath, mode);
|
|
|
|
|
selabel_close(handle);
|
|
|
|
|
return ret;
|
|
|
|
|
#else
|
|
|
|
|
return matchpathcon(newpath, mode, fcon);
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2010-05-28 11:19:13 +00:00
|
|
|
|
|
|
|
|
/* This method shouldn't raise errors, since they'll overwrite
|
|
|
|
|
* errors that the caller(s) are already dealing with */
|
2009-03-03 10:06:49 +00:00
|
|
|
static int
|
2010-02-04 20:02:58 +00:00
|
|
|
SELinuxRestoreSecurityFileLabel(const char *path)
|
2009-03-03 10:06:49 +00:00
|
|
|
{
|
2009-03-17 11:35:40 +00:00
|
|
|
struct stat buf;
|
|
|
|
|
security_context_t fcon = NULL;
|
|
|
|
|
int rc = -1;
|
|
|
|
|
char *newpath = NULL;
|
2010-05-28 11:19:13 +00:00
|
|
|
char ebuf[1024];
|
2009-07-15 11:45:13 +00:00
|
|
|
|
2009-08-28 17:44:43 +00:00
|
|
|
VIR_INFO("Restoring SELinux context on '%s'", path);
|
|
|
|
|
|
2010-05-14 20:50:27 +00:00
|
|
|
if (virFileResolveLink(path, &newpath) < 0) {
|
2010-05-28 11:19:13 +00:00
|
|
|
VIR_WARN("cannot resolve symlink %s: %s", path,
|
|
|
|
|
virStrerror(errno, ebuf, sizeof(ebuf)));
|
2009-04-01 10:26:22 +00:00
|
|
|
goto err;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
2009-03-17 11:35:40 +00:00
|
|
|
|
2010-04-30 11:35:15 +00:00
|
|
|
if (stat(newpath, &buf) != 0) {
|
2010-05-28 11:19:13 +00:00
|
|
|
VIR_WARN("cannot stat %s: %s", newpath,
|
|
|
|
|
virStrerror(errno, ebuf, sizeof(ebuf)));
|
2009-04-01 10:26:22 +00:00
|
|
|
goto err;
|
2010-04-30 11:35:15 +00:00
|
|
|
}
|
2009-04-01 10:26:22 +00:00
|
|
|
|
2010-12-15 00:07:52 +00:00
|
|
|
if (getContext(newpath, buf.st_mode, &fcon) < 0) {
|
2010-12-01 01:22:54 +00:00
|
|
|
VIR_WARN("cannot lookup default selinux label for %s", newpath);
|
2010-04-30 11:35:15 +00:00
|
|
|
} else {
|
2010-12-01 01:22:54 +00:00
|
|
|
rc = SELinuxSetFilecon(newpath, fcon);
|
2009-03-17 11:35:40 +00:00
|
|
|
}
|
2010-04-30 11:35:15 +00:00
|
|
|
|
2009-03-17 11:35:40 +00:00
|
|
|
err:
|
2010-11-24 21:09:58 +00:00
|
|
|
freecon(fcon);
|
2009-03-17 11:35:40 +00:00
|
|
|
VIR_FREE(newpath);
|
|
|
|
|
return rc;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
|
2009-08-14 13:23:11 +00:00
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
2010-06-15 16:44:19 +00:00
|
|
|
virDomainObjPtr vm,
|
Don't reset user/group/security label on shared filesystems during migrate
When QEMU runs with its disk on NFS, and as a non-root user, the
disk is chownd to that non-root user. When migration completes
the last step is shutting down the QEMU on the source host. THis
normally resets user/group/security label. This is bad when the
VM was just migrated because the file is still in use on the dest
host. It is thus neccessary to skip the reset step for any files
found to be on a shared filesystem
* src/libvirt_private.syms: Export virStorageFileIsSharedFS
* src/util/storage_file.c, src/util/storage_file.h: Add a new
method virStorageFileIsSharedFS() to determine if a file is
on a shared filesystem (NFS, GFS, OCFS2, etc)
* src/qemu/qemu_driver.c: Tell security driver not to reset
disk labels on migration completion
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c,
src/security/security_selinux.c, src/security/security_driver.h,
src/security/security_apparmor.c: Add ability to skip disk
restore step for files on shared filesystems.
2010-05-13 15:49:22 +00:00
|
|
|
virDomainDiskDefPtr disk,
|
|
|
|
|
int migrated)
|
2009-08-14 13:23:11 +00:00
|
|
|
{
|
2010-01-13 14:03:04 +00:00
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
|
2011-07-05 09:49:51 +00:00
|
|
|
if (secdef->norelabel)
|
2010-01-13 14:03:04 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2009-08-14 13:23:11 +00:00
|
|
|
/* Don't restore labels on readoly/shared disks, because
|
|
|
|
|
* other VMs may still be accessing these
|
|
|
|
|
* Alternatively we could iterate over all running
|
|
|
|
|
* domains and try to figure out if it is in use, but
|
|
|
|
|
* this would not work for clustered filesystems, since
|
|
|
|
|
* we can't see running VMs using the file on other nodes
|
|
|
|
|
* Safest bet is thus to skip the restore step.
|
|
|
|
|
*/
|
|
|
|
|
if (disk->readonly || disk->shared)
|
|
|
|
|
return 0;
|
|
|
|
|
|
2010-12-21 02:30:58 +00:00
|
|
|
if (!disk->src || disk->type == VIR_DOMAIN_DISK_TYPE_NETWORK)
|
2009-08-14 13:23:11 +00:00
|
|
|
return 0;
|
|
|
|
|
|
Don't reset user/group/security label on shared filesystems during migrate
When QEMU runs with its disk on NFS, and as a non-root user, the
disk is chownd to that non-root user. When migration completes
the last step is shutting down the QEMU on the source host. THis
normally resets user/group/security label. This is bad when the
VM was just migrated because the file is still in use on the dest
host. It is thus neccessary to skip the reset step for any files
found to be on a shared filesystem
* src/libvirt_private.syms: Export virStorageFileIsSharedFS
* src/util/storage_file.c, src/util/storage_file.h: Add a new
method virStorageFileIsSharedFS() to determine if a file is
on a shared filesystem (NFS, GFS, OCFS2, etc)
* src/qemu/qemu_driver.c: Tell security driver not to reset
disk labels on migration completion
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c,
src/security/security_selinux.c, src/security/security_driver.h,
src/security/security_apparmor.c: Add ability to skip disk
restore step for files on shared filesystems.
2010-05-13 15:49:22 +00:00
|
|
|
/* If we have a shared FS & doing migrated, we must not
|
|
|
|
|
* change ownership, because that kills access on the
|
|
|
|
|
* destination host which is sub-optimal for the guest
|
|
|
|
|
* VM's I/O attempts :-)
|
|
|
|
|
*/
|
|
|
|
|
if (migrated) {
|
|
|
|
|
int rc = virStorageFileIsSharedFS(disk->src);
|
|
|
|
|
if (rc < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
if (rc == 1) {
|
|
|
|
|
VIR_DEBUG("Skipping image label restore on %s because FS is shared",
|
|
|
|
|
disk->src);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2010-02-04 20:02:58 +00:00
|
|
|
return SELinuxRestoreSecurityFileLabel(disk->src);
|
2009-08-14 13:23:11 +00:00
|
|
|
}
|
|
|
|
|
|
Don't reset user/group/security label on shared filesystems during migrate
When QEMU runs with its disk on NFS, and as a non-root user, the
disk is chownd to that non-root user. When migration completes
the last step is shutting down the QEMU on the source host. THis
normally resets user/group/security label. This is bad when the
VM was just migrated because the file is still in use on the dest
host. It is thus neccessary to skip the reset step for any files
found to be on a shared filesystem
* src/libvirt_private.syms: Export virStorageFileIsSharedFS
* src/util/storage_file.c, src/util/storage_file.h: Add a new
method virStorageFileIsSharedFS() to determine if a file is
on a shared filesystem (NFS, GFS, OCFS2, etc)
* src/qemu/qemu_driver.c: Tell security driver not to reset
disk labels on migration completion
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c,
src/security/security_selinux.c, src/security/security_driver.h,
src/security/security_apparmor.c: Add ability to skip disk
restore step for files on shared filesystems.
2010-05-13 15:49:22 +00:00
|
|
|
|
|
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxRestoreSecurityImageLabel(virSecurityManagerPtr mgr,
|
2010-06-15 16:44:19 +00:00
|
|
|
virDomainObjPtr vm,
|
Don't reset user/group/security label on shared filesystems during migrate
When QEMU runs with its disk on NFS, and as a non-root user, the
disk is chownd to that non-root user. When migration completes
the last step is shutting down the QEMU on the source host. THis
normally resets user/group/security label. This is bad when the
VM was just migrated because the file is still in use on the dest
host. It is thus neccessary to skip the reset step for any files
found to be on a shared filesystem
* src/libvirt_private.syms: Export virStorageFileIsSharedFS
* src/util/storage_file.c, src/util/storage_file.h: Add a new
method virStorageFileIsSharedFS() to determine if a file is
on a shared filesystem (NFS, GFS, OCFS2, etc)
* src/qemu/qemu_driver.c: Tell security driver not to reset
disk labels on migration completion
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c,
src/security/security_selinux.c, src/security/security_driver.h,
src/security/security_apparmor.c: Add ability to skip disk
restore step for files on shared filesystems.
2010-05-13 15:49:22 +00:00
|
|
|
virDomainDiskDefPtr disk)
|
|
|
|
|
{
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
return SELinuxRestoreSecurityImageLabelInt(mgr, vm, disk, 0);
|
Don't reset user/group/security label on shared filesystems during migrate
When QEMU runs with its disk on NFS, and as a non-root user, the
disk is chownd to that non-root user. When migration completes
the last step is shutting down the QEMU on the source host. THis
normally resets user/group/security label. This is bad when the
VM was just migrated because the file is still in use on the dest
host. It is thus neccessary to skip the reset step for any files
found to be on a shared filesystem
* src/libvirt_private.syms: Export virStorageFileIsSharedFS
* src/util/storage_file.c, src/util/storage_file.h: Add a new
method virStorageFileIsSharedFS() to determine if a file is
on a shared filesystem (NFS, GFS, OCFS2, etc)
* src/qemu/qemu_driver.c: Tell security driver not to reset
disk labels on migration completion
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c,
src/security/security_selinux.c, src/security/security_driver.h,
src/security/security_apparmor.c: Add ability to skip disk
restore step for files on shared filesystems.
2010-05-13 15:49:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2010-06-15 15:40:47 +00:00
|
|
|
static int
|
|
|
|
|
SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
|
|
|
|
|
const char *path,
|
|
|
|
|
size_t depth,
|
|
|
|
|
void *opaque)
|
|
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = opaque;
|
2010-11-10 19:39:43 +00:00
|
|
|
int ret;
|
2010-06-15 15:40:47 +00:00
|
|
|
|
|
|
|
|
if (depth == 0) {
|
|
|
|
|
if (disk->shared) {
|
2010-11-10 19:39:43 +00:00
|
|
|
ret = SELinuxSetFilecon(path, default_image_context);
|
2010-06-15 15:40:47 +00:00
|
|
|
} else if (disk->readonly) {
|
2010-11-10 19:39:43 +00:00
|
|
|
ret = SELinuxSetFilecon(path, default_content_context);
|
2010-06-15 15:40:47 +00:00
|
|
|
} else if (secdef->imagelabel) {
|
2010-11-10 19:39:43 +00:00
|
|
|
ret = SELinuxSetFilecon(path, secdef->imagelabel);
|
2010-06-15 15:40:47 +00:00
|
|
|
} else {
|
2010-11-10 19:39:43 +00:00
|
|
|
ret = 0;
|
2010-06-15 15:40:47 +00:00
|
|
|
}
|
|
|
|
|
} else {
|
2010-11-10 19:39:43 +00:00
|
|
|
ret = SELinuxSetFilecon(path, default_content_context);
|
2010-06-15 15:40:47 +00:00
|
|
|
}
|
2010-11-10 19:39:43 +00:00
|
|
|
if (ret < 0 &&
|
|
|
|
|
virStorageFileIsSharedFSType(path,
|
|
|
|
|
VIR_STORAGE_FILE_SHFS_NFS) == 1)
|
|
|
|
|
ret = 0;
|
|
|
|
|
return ret;
|
2010-06-15 15:40:47 +00:00
|
|
|
}
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
|
2010-06-15 16:44:19 +00:00
|
|
|
virDomainObjPtr vm,
|
2009-03-17 11:35:40 +00:00
|
|
|
virDomainDiskDefPtr disk)
|
2009-03-03 10:06:49 +00:00
|
|
|
|
|
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
bool allowDiskFormatProbing = virSecurityManagerGetAllowDiskFormatProbing(mgr);
|
2009-03-03 10:06:49 +00:00
|
|
|
|
2011-07-05 09:49:51 +00:00
|
|
|
if (secdef->norelabel)
|
2010-01-13 14:03:04 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2010-06-15 15:40:47 +00:00
|
|
|
return virDomainDiskDefForeachPath(disk,
|
2010-06-15 16:58:58 +00:00
|
|
|
allowDiskFormatProbing,
|
2010-10-29 11:23:56 +00:00
|
|
|
true,
|
2010-06-15 15:40:47 +00:00
|
|
|
SELinuxSetSecurityFileLabel,
|
|
|
|
|
secdef);
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
|
2009-08-14 13:23:11 +00:00
|
|
|
|
|
|
|
|
static int
|
2010-02-10 09:55:39 +00:00
|
|
|
SELinuxSetSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
|
2009-08-14 13:23:11 +00:00
|
|
|
const char *file, void *opaque)
|
|
|
|
|
{
|
|
|
|
|
virDomainObjPtr vm = opaque;
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
|
2010-02-04 20:02:58 +00:00
|
|
|
return SELinuxSetFilecon(file, secdef->imagelabel);
|
2009-08-14 13:23:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
2010-02-10 09:55:39 +00:00
|
|
|
SELinuxSetSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
|
2009-08-14 13:23:11 +00:00
|
|
|
const char *file, void *opaque)
|
|
|
|
|
{
|
|
|
|
|
virDomainObjPtr vm = opaque;
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
|
2010-02-04 20:02:58 +00:00
|
|
|
return SELinuxSetFilecon(file, secdef->imagelabel);
|
2009-08-14 13:23:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
2010-06-15 16:44:19 +00:00
|
|
|
virDomainObjPtr vm,
|
2009-08-14 13:23:11 +00:00
|
|
|
virDomainHostdevDefPtr dev)
|
|
|
|
|
|
|
|
|
|
{
|
2010-01-13 14:03:04 +00:00
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
2009-08-14 13:23:11 +00:00
|
|
|
int ret = -1;
|
|
|
|
|
|
2011-07-05 09:49:51 +00:00
|
|
|
if (secdef->norelabel)
|
2010-01-13 14:03:04 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2009-08-14 13:23:11 +00:00
|
|
|
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
switch (dev->source.subsys.type) {
|
|
|
|
|
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
|
2010-02-04 23:25:16 +00:00
|
|
|
usbDevice *usb = usbGetDevice(dev->source.subsys.u.usb.bus,
|
2010-03-04 11:48:16 +00:00
|
|
|
dev->source.subsys.u.usb.device);
|
2009-08-14 13:23:11 +00:00
|
|
|
|
2010-01-11 16:40:46 +00:00
|
|
|
if (!usb)
|
|
|
|
|
goto done;
|
2009-08-14 13:23:11 +00:00
|
|
|
|
2010-02-10 09:55:39 +00:00
|
|
|
ret = usbDeviceFileIterate(usb, SELinuxSetSecurityUSBLabel, vm);
|
2010-02-04 23:25:16 +00:00
|
|
|
usbFreeDevice(usb);
|
2009-09-30 17:37:03 +00:00
|
|
|
break;
|
2009-08-14 13:23:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
|
2010-02-04 23:16:34 +00:00
|
|
|
pciDevice *pci = pciGetDevice(dev->source.subsys.u.pci.domain,
|
2009-08-14 13:23:11 +00:00
|
|
|
dev->source.subsys.u.pci.bus,
|
|
|
|
|
dev->source.subsys.u.pci.slot,
|
|
|
|
|
dev->source.subsys.u.pci.function);
|
|
|
|
|
|
|
|
|
|
if (!pci)
|
|
|
|
|
goto done;
|
|
|
|
|
|
2010-02-10 09:55:39 +00:00
|
|
|
ret = pciDeviceFileIterate(pci, SELinuxSetSecurityPCILabel, vm);
|
2010-02-04 23:16:34 +00:00
|
|
|
pciFreeDevice(pci);
|
2009-08-14 13:23:11 +00:00
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
ret = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2009-11-11 12:07:00 +00:00
|
|
|
|
2009-08-14 13:23:11 +00:00
|
|
|
static int
|
2010-02-10 09:55:39 +00:00
|
|
|
SELinuxRestoreSecurityPCILabel(pciDevice *dev ATTRIBUTE_UNUSED,
|
2009-08-14 13:23:11 +00:00
|
|
|
const char *file,
|
|
|
|
|
void *opaque ATTRIBUTE_UNUSED)
|
|
|
|
|
{
|
2010-02-04 20:02:58 +00:00
|
|
|
return SELinuxRestoreSecurityFileLabel(file);
|
2009-08-14 13:23:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
2010-02-10 09:55:39 +00:00
|
|
|
SELinuxRestoreSecurityUSBLabel(usbDevice *dev ATTRIBUTE_UNUSED,
|
2009-08-14 13:23:11 +00:00
|
|
|
const char *file,
|
|
|
|
|
void *opaque ATTRIBUTE_UNUSED)
|
|
|
|
|
{
|
2010-02-04 20:02:58 +00:00
|
|
|
return SELinuxRestoreSecurityFileLabel(file);
|
2009-08-14 13:23:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
2010-06-15 16:44:19 +00:00
|
|
|
virDomainObjPtr vm,
|
2009-08-14 13:23:11 +00:00
|
|
|
virDomainHostdevDefPtr dev)
|
|
|
|
|
|
|
|
|
|
{
|
2010-01-13 14:03:04 +00:00
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
2009-08-14 13:23:11 +00:00
|
|
|
int ret = -1;
|
|
|
|
|
|
2011-07-05 09:49:51 +00:00
|
|
|
if (secdef->norelabel)
|
2010-01-13 14:03:04 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2009-08-14 13:23:11 +00:00
|
|
|
if (dev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
switch (dev->source.subsys.type) {
|
|
|
|
|
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: {
|
2010-02-04 23:25:16 +00:00
|
|
|
usbDevice *usb = usbGetDevice(dev->source.subsys.u.usb.bus,
|
2010-03-04 11:48:16 +00:00
|
|
|
dev->source.subsys.u.usb.device);
|
2009-08-14 13:23:11 +00:00
|
|
|
|
|
|
|
|
if (!usb)
|
|
|
|
|
goto done;
|
|
|
|
|
|
2010-02-10 09:55:39 +00:00
|
|
|
ret = usbDeviceFileIterate(usb, SELinuxRestoreSecurityUSBLabel, NULL);
|
2010-02-04 23:25:16 +00:00
|
|
|
usbFreeDevice(usb);
|
2009-08-14 13:23:11 +00:00
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
|
2010-02-04 23:16:34 +00:00
|
|
|
pciDevice *pci = pciGetDevice(dev->source.subsys.u.pci.domain,
|
2009-08-14 13:23:11 +00:00
|
|
|
dev->source.subsys.u.pci.bus,
|
|
|
|
|
dev->source.subsys.u.pci.slot,
|
|
|
|
|
dev->source.subsys.u.pci.function);
|
|
|
|
|
|
|
|
|
|
if (!pci)
|
|
|
|
|
goto done;
|
|
|
|
|
|
2010-02-10 09:55:39 +00:00
|
|
|
ret = pciDeviceFileIterate(pci, SELinuxRestoreSecurityPCILabel, NULL);
|
2010-02-04 23:16:34 +00:00
|
|
|
pciFreeDevice(pci);
|
2009-08-14 13:23:11 +00:00
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
ret = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2010-06-23 15:17:15 +00:00
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxSetSecurityChardevLabel(virDomainObjPtr vm,
|
domain_conf: split source data out from ChrDef
This opens up the possibility of reusing the smaller ChrSourceDef
for both qemu monitor and a passthrough smartcard device.
* src/conf/domain_conf.h (_virDomainChrDef): Factor host
details...
(_virDomainChrSourceDef): ...into new struct.
(virDomainChrSourceDefFree): New prototype.
* src/conf/domain_conf.c (virDomainChrDefFree)
(virDomainChrDefParseXML, virDomainChrDefFormat): Split...
(virDomainChrSourceDefClear, virDomainChrSourceDefFree)
(virDomainChrSourceDefParseXML, virDomainChrSourceDefFormat):
...into new functions.
(virDomainChrDefParseTargetXML): Update clients to reflect type
split.
* src/vmx/vmx.c (virVMXParseSerial, virVMXParseParallel)
(virVMXFormatSerial, virVMXFormatParallel): Likewise.
* src/xen/xen_driver.c (xenUnifiedDomainOpenConsole): Likewise.
* src/xen/xend_internal.c (xenDaemonParseSxprChar)
(xenDaemonFormatSxprChr): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainDumpXML, vboxAttachSerial)
(vboxAttachParallel): Likewise.
* src/security/security_dac.c (virSecurityDACSetChardevLabel)
(virSecurityDACSetChardevCallback)
(virSecurityDACRestoreChardevLabel)
(virSecurityDACRestoreChardevCallback): Likewise.
* src/security/security_selinux.c (SELinuxSetSecurityChardevLabel)
(SELinuxSetSecurityChardevCallback)
(SELinuxRestoreSecurityChardevLabel)
(SELinuxSetSecurityChardevCallback): Likewise.
* src/security/virt-aa-helper.c (get_files): Likewise.
* src/lxc/lxc_driver.c (lxcVmStart, lxcDomainOpenConsole):
Likewise.
* src/uml/uml_conf.c (umlBuildCommandLineChr): Likewise.
* src/uml/uml_driver.c (umlIdentifyOneChrPTY, umlIdentifyChrPTY)
(umlDomainOpenConsole): Likewise.
* src/qemu/qemu_command.c (qemuBuildChrChardevStr)
(qemuBuildChrArgStr, qemuBuildCommandLine)
(qemuParseCommandLineChr): Likewise.
* src/qemu/qemu_domain.c (qemuDomainObjPrivateXMLFormat)
(qemuDomainObjPrivateXMLParse): Likewise.
* src/qemu/qemu_cgroup.c (qemuSetupChardevCgroup): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainAttachNetDevice): Likewise.
* src/qemu/qemu_driver.c (qemudFindCharDevicePTYsMonitor)
(qemudFindCharDevicePTYs, qemuPrepareChardevDevice)
(qemuPrepareMonitorChr, qemudShutdownVMDaemon)
(qemuDomainOpenConsole): Likewise.
* src/qemu/qemu_command.h (qemuBuildChrChardevStr)
(qemuBuildChrArgStr): Delete, now that they are static.
* src/libvirt_private.syms (domain_conf.h): New exports.
* cfg.mk (useless_free_options): Update list.
* tests/qemuxml2argvtest.c (testCompareXMLToArgvFiles): Update
tests.
2011-01-07 22:45:01 +00:00
|
|
|
virDomainChrSourceDefPtr dev)
|
2010-06-23 15:17:15 +00:00
|
|
|
|
|
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
char *in = NULL, *out = NULL;
|
|
|
|
|
int ret = -1;
|
|
|
|
|
|
2011-07-05 09:49:51 +00:00
|
|
|
if (secdef->norelabel)
|
2010-06-23 15:17:15 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
switch (dev->type) {
|
|
|
|
|
case VIR_DOMAIN_CHR_TYPE_DEV:
|
|
|
|
|
case VIR_DOMAIN_CHR_TYPE_FILE:
|
|
|
|
|
ret = SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case VIR_DOMAIN_CHR_TYPE_PIPE:
|
2011-09-27 18:04:53 +00:00
|
|
|
if ((virAsprintf(&in, "%s.in", dev->data.file.path) < 0) ||
|
|
|
|
|
(virAsprintf(&out, "%s.out", dev->data.file.path) < 0)) {
|
|
|
|
|
virReportOOMError();
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
if (virFileExists(in) && virFileExists(out)) {
|
2011-03-29 14:46:48 +00:00
|
|
|
if ((SELinuxSetFilecon(in, secdef->imagelabel) < 0) ||
|
2011-09-27 18:04:53 +00:00
|
|
|
(SELinuxSetFilecon(out, secdef->imagelabel) < 0)) {
|
2011-03-29 14:46:48 +00:00
|
|
|
goto done;
|
2011-09-27 18:04:53 +00:00
|
|
|
}
|
|
|
|
|
} else if (SELinuxSetFilecon(dev->data.file.path, secdef->imagelabel) < 0) {
|
|
|
|
|
goto done;
|
2010-06-23 15:17:15 +00:00
|
|
|
}
|
|
|
|
|
ret = 0;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
ret = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
VIR_FREE(in);
|
|
|
|
|
VIR_FREE(out);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxRestoreSecurityChardevLabel(virDomainObjPtr vm,
|
domain_conf: split source data out from ChrDef
This opens up the possibility of reusing the smaller ChrSourceDef
for both qemu monitor and a passthrough smartcard device.
* src/conf/domain_conf.h (_virDomainChrDef): Factor host
details...
(_virDomainChrSourceDef): ...into new struct.
(virDomainChrSourceDefFree): New prototype.
* src/conf/domain_conf.c (virDomainChrDefFree)
(virDomainChrDefParseXML, virDomainChrDefFormat): Split...
(virDomainChrSourceDefClear, virDomainChrSourceDefFree)
(virDomainChrSourceDefParseXML, virDomainChrSourceDefFormat):
...into new functions.
(virDomainChrDefParseTargetXML): Update clients to reflect type
split.
* src/vmx/vmx.c (virVMXParseSerial, virVMXParseParallel)
(virVMXFormatSerial, virVMXFormatParallel): Likewise.
* src/xen/xen_driver.c (xenUnifiedDomainOpenConsole): Likewise.
* src/xen/xend_internal.c (xenDaemonParseSxprChar)
(xenDaemonFormatSxprChr): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainDumpXML, vboxAttachSerial)
(vboxAttachParallel): Likewise.
* src/security/security_dac.c (virSecurityDACSetChardevLabel)
(virSecurityDACSetChardevCallback)
(virSecurityDACRestoreChardevLabel)
(virSecurityDACRestoreChardevCallback): Likewise.
* src/security/security_selinux.c (SELinuxSetSecurityChardevLabel)
(SELinuxSetSecurityChardevCallback)
(SELinuxRestoreSecurityChardevLabel)
(SELinuxSetSecurityChardevCallback): Likewise.
* src/security/virt-aa-helper.c (get_files): Likewise.
* src/lxc/lxc_driver.c (lxcVmStart, lxcDomainOpenConsole):
Likewise.
* src/uml/uml_conf.c (umlBuildCommandLineChr): Likewise.
* src/uml/uml_driver.c (umlIdentifyOneChrPTY, umlIdentifyChrPTY)
(umlDomainOpenConsole): Likewise.
* src/qemu/qemu_command.c (qemuBuildChrChardevStr)
(qemuBuildChrArgStr, qemuBuildCommandLine)
(qemuParseCommandLineChr): Likewise.
* src/qemu/qemu_domain.c (qemuDomainObjPrivateXMLFormat)
(qemuDomainObjPrivateXMLParse): Likewise.
* src/qemu/qemu_cgroup.c (qemuSetupChardevCgroup): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainAttachNetDevice): Likewise.
* src/qemu/qemu_driver.c (qemudFindCharDevicePTYsMonitor)
(qemudFindCharDevicePTYs, qemuPrepareChardevDevice)
(qemuPrepareMonitorChr, qemudShutdownVMDaemon)
(qemuDomainOpenConsole): Likewise.
* src/qemu/qemu_command.h (qemuBuildChrChardevStr)
(qemuBuildChrArgStr): Delete, now that they are static.
* src/libvirt_private.syms (domain_conf.h): New exports.
* cfg.mk (useless_free_options): Update list.
* tests/qemuxml2argvtest.c (testCompareXMLToArgvFiles): Update
tests.
2011-01-07 22:45:01 +00:00
|
|
|
virDomainChrSourceDefPtr dev)
|
2010-06-23 15:17:15 +00:00
|
|
|
|
|
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
char *in = NULL, *out = NULL;
|
|
|
|
|
int ret = -1;
|
|
|
|
|
|
2011-07-05 09:49:51 +00:00
|
|
|
if (secdef->norelabel)
|
2010-06-23 15:17:15 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
switch (dev->type) {
|
|
|
|
|
case VIR_DOMAIN_CHR_TYPE_DEV:
|
|
|
|
|
case VIR_DOMAIN_CHR_TYPE_FILE:
|
2010-11-18 16:55:14 +00:00
|
|
|
if (SELinuxRestoreSecurityFileLabel(dev->data.file.path) < 0)
|
|
|
|
|
goto done;
|
|
|
|
|
ret = 0;
|
2010-06-23 15:17:15 +00:00
|
|
|
break;
|
|
|
|
|
case VIR_DOMAIN_CHR_TYPE_PIPE:
|
|
|
|
|
if ((virAsprintf(&out, "%s.out", dev->data.file.path) < 0) ||
|
|
|
|
|
(virAsprintf(&in, "%s.in", dev->data.file.path) < 0)) {
|
|
|
|
|
virReportOOMError();
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
2011-09-27 18:04:53 +00:00
|
|
|
if (virFileExists(in) && virFileExists(out)) {
|
|
|
|
|
if ((SELinuxRestoreSecurityFileLabel(out) < 0) ||
|
|
|
|
|
(SELinuxRestoreSecurityFileLabel(in) < 0)) {
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
} else if (SELinuxRestoreSecurityFileLabel(dev->data.file.path) < 0) {
|
2010-06-23 15:17:15 +00:00
|
|
|
goto done;
|
2011-09-27 18:04:53 +00:00
|
|
|
}
|
2010-06-23 15:17:15 +00:00
|
|
|
ret = 0;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
ret = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
VIR_FREE(in);
|
|
|
|
|
VIR_FREE(out);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxRestoreSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
|
|
|
|
|
virDomainChrDefPtr dev,
|
|
|
|
|
void *opaque)
|
|
|
|
|
{
|
|
|
|
|
virDomainObjPtr vm = opaque;
|
|
|
|
|
|
domain_conf: split source data out from ChrDef
This opens up the possibility of reusing the smaller ChrSourceDef
for both qemu monitor and a passthrough smartcard device.
* src/conf/domain_conf.h (_virDomainChrDef): Factor host
details...
(_virDomainChrSourceDef): ...into new struct.
(virDomainChrSourceDefFree): New prototype.
* src/conf/domain_conf.c (virDomainChrDefFree)
(virDomainChrDefParseXML, virDomainChrDefFormat): Split...
(virDomainChrSourceDefClear, virDomainChrSourceDefFree)
(virDomainChrSourceDefParseXML, virDomainChrSourceDefFormat):
...into new functions.
(virDomainChrDefParseTargetXML): Update clients to reflect type
split.
* src/vmx/vmx.c (virVMXParseSerial, virVMXParseParallel)
(virVMXFormatSerial, virVMXFormatParallel): Likewise.
* src/xen/xen_driver.c (xenUnifiedDomainOpenConsole): Likewise.
* src/xen/xend_internal.c (xenDaemonParseSxprChar)
(xenDaemonFormatSxprChr): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainDumpXML, vboxAttachSerial)
(vboxAttachParallel): Likewise.
* src/security/security_dac.c (virSecurityDACSetChardevLabel)
(virSecurityDACSetChardevCallback)
(virSecurityDACRestoreChardevLabel)
(virSecurityDACRestoreChardevCallback): Likewise.
* src/security/security_selinux.c (SELinuxSetSecurityChardevLabel)
(SELinuxSetSecurityChardevCallback)
(SELinuxRestoreSecurityChardevLabel)
(SELinuxSetSecurityChardevCallback): Likewise.
* src/security/virt-aa-helper.c (get_files): Likewise.
* src/lxc/lxc_driver.c (lxcVmStart, lxcDomainOpenConsole):
Likewise.
* src/uml/uml_conf.c (umlBuildCommandLineChr): Likewise.
* src/uml/uml_driver.c (umlIdentifyOneChrPTY, umlIdentifyChrPTY)
(umlDomainOpenConsole): Likewise.
* src/qemu/qemu_command.c (qemuBuildChrChardevStr)
(qemuBuildChrArgStr, qemuBuildCommandLine)
(qemuParseCommandLineChr): Likewise.
* src/qemu/qemu_domain.c (qemuDomainObjPrivateXMLFormat)
(qemuDomainObjPrivateXMLParse): Likewise.
* src/qemu/qemu_cgroup.c (qemuSetupChardevCgroup): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainAttachNetDevice): Likewise.
* src/qemu/qemu_driver.c (qemudFindCharDevicePTYsMonitor)
(qemudFindCharDevicePTYs, qemuPrepareChardevDevice)
(qemuPrepareMonitorChr, qemudShutdownVMDaemon)
(qemuDomainOpenConsole): Likewise.
* src/qemu/qemu_command.h (qemuBuildChrChardevStr)
(qemuBuildChrArgStr): Delete, now that they are static.
* src/libvirt_private.syms (domain_conf.h): New exports.
* cfg.mk (useless_free_options): Update list.
* tests/qemuxml2argvtest.c (testCompareXMLToArgvFiles): Update
tests.
2011-01-07 22:45:01 +00:00
|
|
|
return SELinuxRestoreSecurityChardevLabel(vm, &dev->source);
|
2010-06-23 15:17:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2011-01-14 19:17:17 +00:00
|
|
|
static int
|
|
|
|
|
SELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
|
|
|
|
|
virDomainSmartcardDefPtr dev,
|
|
|
|
|
void *opaque)
|
|
|
|
|
{
|
|
|
|
|
virDomainObjPtr vm = opaque;
|
|
|
|
|
const char *database;
|
|
|
|
|
|
|
|
|
|
switch (dev->type) {
|
|
|
|
|
case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
|
|
|
|
|
database = dev->data.cert.database;
|
|
|
|
|
if (!database)
|
|
|
|
|
database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
|
|
|
|
|
return SELinuxRestoreSecurityFileLabel(database);
|
|
|
|
|
|
|
|
|
|
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
|
|
|
|
|
return SELinuxRestoreSecurityChardevLabel(vm, &dev->data.passthru);
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("unknown smartcard type %d"),
|
|
|
|
|
dev->type);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
2010-06-15 16:44:19 +00:00
|
|
|
virDomainObjPtr vm,
|
Don't reset user/group/security label on shared filesystems during migrate
When QEMU runs with its disk on NFS, and as a non-root user, the
disk is chownd to that non-root user. When migration completes
the last step is shutting down the QEMU on the source host. THis
normally resets user/group/security label. This is bad when the
VM was just migrated because the file is still in use on the dest
host. It is thus neccessary to skip the reset step for any files
found to be on a shared filesystem
* src/libvirt_private.syms: Export virStorageFileIsSharedFS
* src/util/storage_file.c, src/util/storage_file.h: Add a new
method virStorageFileIsSharedFS() to determine if a file is
on a shared filesystem (NFS, GFS, OCFS2, etc)
* src/qemu/qemu_driver.c: Tell security driver not to reset
disk labels on migration completion
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c,
src/security/security_selinux.c, src/security/security_driver.h,
src/security/security_apparmor.c: Add ability to skip disk
restore step for files on shared filesystems.
2010-05-13 15:49:22 +00:00
|
|
|
int migrated ATTRIBUTE_UNUSED)
|
2009-03-03 10:06:49 +00:00
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
int i;
|
|
|
|
|
int rc = 0;
|
2009-08-28 17:44:43 +00:00
|
|
|
|
|
|
|
|
VIR_DEBUG("Restoring security label on %s", vm->def->name);
|
|
|
|
|
|
2011-07-05 09:49:51 +00:00
|
|
|
if (secdef->norelabel)
|
2010-01-13 14:03:04 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
if (SELinuxRestoreSecurityHostdevLabel(mgr,
|
2010-06-15 16:44:19 +00:00
|
|
|
vm,
|
|
|
|
|
vm->def->hostdevs[i]) < 0)
|
2010-01-13 14:03:04 +00:00
|
|
|
rc = -1;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
2010-01-13 14:03:04 +00:00
|
|
|
for (i = 0 ; i < vm->def->ndisks ; i++) {
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
if (SELinuxRestoreSecurityImageLabelInt(mgr,
|
2010-06-15 16:44:19 +00:00
|
|
|
vm,
|
Don't reset user/group/security label on shared filesystems during migrate
When QEMU runs with its disk on NFS, and as a non-root user, the
disk is chownd to that non-root user. When migration completes
the last step is shutting down the QEMU on the source host. THis
normally resets user/group/security label. This is bad when the
VM was just migrated because the file is still in use on the dest
host. It is thus neccessary to skip the reset step for any files
found to be on a shared filesystem
* src/libvirt_private.syms: Export virStorageFileIsSharedFS
* src/util/storage_file.c, src/util/storage_file.h: Add a new
method virStorageFileIsSharedFS() to determine if a file is
on a shared filesystem (NFS, GFS, OCFS2, etc)
* src/qemu/qemu_driver.c: Tell security driver not to reset
disk labels on migration completion
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_stacked.c,
src/security/security_selinux.c, src/security/security_driver.h,
src/security/security_apparmor.c: Add ability to skip disk
restore step for files on shared filesystems.
2010-05-13 15:49:22 +00:00
|
|
|
vm->def->disks[i],
|
|
|
|
|
migrated) < 0)
|
2010-01-13 14:03:04 +00:00
|
|
|
rc = -1;
|
|
|
|
|
}
|
2010-01-11 11:04:40 +00:00
|
|
|
|
2010-06-23 15:17:15 +00:00
|
|
|
if (virDomainChrDefForeach(vm->def,
|
|
|
|
|
false,
|
|
|
|
|
SELinuxRestoreSecurityChardevCallback,
|
|
|
|
|
vm) < 0)
|
|
|
|
|
rc = -1;
|
|
|
|
|
|
2011-01-14 19:17:17 +00:00
|
|
|
if (virDomainSmartcardDefForeach(vm->def,
|
|
|
|
|
false,
|
|
|
|
|
SELinuxRestoreSecuritySmartcardCallback,
|
|
|
|
|
vm) < 0)
|
|
|
|
|
rc = -1;
|
|
|
|
|
|
2010-03-12 18:38:39 +00:00
|
|
|
if (vm->def->os.kernel &&
|
|
|
|
|
SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
|
|
|
|
|
rc = -1;
|
|
|
|
|
|
|
|
|
|
if (vm->def->os.initrd &&
|
|
|
|
|
SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
|
|
|
|
|
rc = -1;
|
|
|
|
|
|
2010-01-11 11:04:40 +00:00
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
2010-06-15 16:44:19 +00:00
|
|
|
virDomainObjPtr vm)
|
2010-01-11 11:04:40 +00:00
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
|
2011-06-24 09:21:33 +00:00
|
|
|
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
|
|
|
|
|
if (secdef->label != NULL) {
|
|
|
|
|
context_t con = context_new(secdef->label);
|
|
|
|
|
if (con) {
|
|
|
|
|
mcsRemove(context_range_get(con));
|
|
|
|
|
context_free(con);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
VIR_FREE(secdef->label);
|
|
|
|
|
if (!secdef->baselabel)
|
|
|
|
|
VIR_FREE(secdef->model);
|
2010-01-13 14:03:04 +00:00
|
|
|
}
|
|
|
|
|
VIR_FREE(secdef->imagelabel);
|
|
|
|
|
|
2010-01-11 11:04:40 +00:00
|
|
|
return 0;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
|
2009-11-11 12:07:00 +00:00
|
|
|
|
|
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
2010-06-15 16:44:19 +00:00
|
|
|
virDomainObjPtr vm,
|
2009-11-11 12:07:00 +00:00
|
|
|
const char *savefile)
|
|
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
|
2011-07-05 09:49:51 +00:00
|
|
|
if (secdef->norelabel)
|
2010-01-13 14:03:04 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2010-02-04 20:02:58 +00:00
|
|
|
return SELinuxSetFilecon(savefile, secdef->imagelabel);
|
2009-11-11 12:07:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
2010-06-15 16:44:19 +00:00
|
|
|
virDomainObjPtr vm,
|
2009-11-11 12:07:00 +00:00
|
|
|
const char *savefile)
|
|
|
|
|
{
|
2010-01-13 14:03:04 +00:00
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
|
2011-07-05 09:49:51 +00:00
|
|
|
if (secdef->norelabel)
|
2010-01-13 14:03:04 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2010-02-04 20:02:58 +00:00
|
|
|
return SELinuxRestoreSecurityFileLabel(savefile);
|
2009-11-11 12:07:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2009-04-03 10:55:51 +00:00
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|
|
|
|
virDomainDefPtr def)
|
2009-04-03 10:55:51 +00:00
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &def->seclabel;
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
|
|
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("security label driver mismatch: "
|
|
|
|
|
"'%s' model configured for domain, but "
|
|
|
|
|
"hypervisor driver is '%s'."),
|
|
|
|
|
secdef->model, virSecurityManagerGetModel(mgr));
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
2009-04-03 10:55:51 +00:00
|
|
|
if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) {
|
|
|
|
|
if (security_check_context(secdef->label) != 0) {
|
2010-02-09 19:18:21 +00:00
|
|
|
virSecurityReportError(VIR_ERR_XML_ERROR,
|
2009-04-03 10:55:51 +00:00
|
|
|
_("Invalid security label %s"), secdef->label);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr,
|
2010-01-11 11:04:40 +00:00
|
|
|
virDomainObjPtr vm)
|
2009-03-03 10:06:49 +00:00
|
|
|
{
|
|
|
|
|
/* TODO: verify DOI */
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
|
2010-01-13 14:03:04 +00:00
|
|
|
if (vm->def->seclabel.label == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
|
2010-02-09 19:18:21 +00:00
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
2009-08-28 17:44:43 +00:00
|
|
|
_("security label driver mismatch: "
|
|
|
|
|
"'%s' model configured for domain, but "
|
|
|
|
|
"hypervisor driver is '%s'."),
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
secdef->model, virSecurityManagerGetModel(mgr));
|
2009-03-03 10:06:49 +00:00
|
|
|
if (security_getenforce() == 1)
|
2009-08-28 17:44:43 +00:00
|
|
|
return -1;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (setexeccon(secdef->label) == -1) {
|
2010-02-04 20:02:58 +00:00
|
|
|
virReportSystemError(errno,
|
2009-08-28 17:44:43 +00:00
|
|
|
_("unable to set security context '%s'"),
|
|
|
|
|
secdef->label);
|
2009-03-03 10:06:49 +00:00
|
|
|
if (security_getenforce() == 1)
|
2009-08-28 17:44:43 +00:00
|
|
|
return -1;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
|
2010-01-11 11:04:40 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-05-27 15:44:47 +00:00
|
|
|
static int
|
2011-08-26 07:05:57 +00:00
|
|
|
SELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr,
|
|
|
|
|
virDomainObjPtr vm)
|
2010-05-27 15:44:47 +00:00
|
|
|
{
|
|
|
|
|
/* TODO: verify DOI */
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
context_t execcon = NULL;
|
|
|
|
|
context_t proccon = NULL;
|
|
|
|
|
security_context_t scon = NULL;
|
|
|
|
|
int rc = -1;
|
|
|
|
|
|
|
|
|
|
if (vm->def->seclabel.label == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
|
2010-05-27 15:44:47 +00:00
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("security label driver mismatch: "
|
|
|
|
|
"'%s' model configured for domain, but "
|
|
|
|
|
"hypervisor driver is '%s'."),
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
secdef->model, virSecurityManagerGetModel(mgr));
|
2010-05-27 15:44:47 +00:00
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ( !(execcon = context_new(secdef->label)) ) {
|
|
|
|
|
virReportSystemError(errno,
|
|
|
|
|
_("unable to allocate socket security context '%s'"),
|
|
|
|
|
secdef->label);
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (getcon(&scon) == -1) {
|
|
|
|
|
virReportSystemError(errno,
|
|
|
|
|
_("unable to get current process context '%s'"),
|
|
|
|
|
secdef->label);
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ( !(proccon = context_new(scon)) ) {
|
|
|
|
|
virReportSystemError(errno,
|
|
|
|
|
_("unable to set socket security context '%s'"),
|
|
|
|
|
secdef->label);
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (context_range_set(proccon, context_range_get(execcon)) == -1) {
|
|
|
|
|
virReportSystemError(errno,
|
|
|
|
|
_("unable to set socket security context range '%s'"),
|
|
|
|
|
secdef->label);
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
VIR_DEBUG("Setting VM %s socket context %s",
|
|
|
|
|
vm->def->name, context_str(proccon));
|
|
|
|
|
if (setsockcreatecon(context_str(proccon)) == -1) {
|
|
|
|
|
virReportSystemError(errno,
|
|
|
|
|
_("unable to set socket security context '%s'"),
|
|
|
|
|
context_str(proccon));
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rc = 0;
|
|
|
|
|
done:
|
|
|
|
|
|
|
|
|
|
if (security_getenforce() != 1)
|
|
|
|
|
rc = 0;
|
|
|
|
|
if (execcon) context_free(execcon);
|
|
|
|
|
if (proccon) context_free(proccon);
|
|
|
|
|
freecon(scon);
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2011-08-26 07:39:32 +00:00
|
|
|
static int
|
|
|
|
|
SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
|
|
|
|
|
virDomainObjPtr vm)
|
|
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
int rc = -1;
|
|
|
|
|
|
|
|
|
|
if (secdef->label == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
|
|
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("security label driver mismatch: "
|
|
|
|
|
"'%s' model configured for domain, but "
|
|
|
|
|
"hypervisor driver is '%s'."),
|
|
|
|
|
secdef->model, virSecurityManagerGetModel(mgr));
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
VIR_DEBUG("Setting VM %s socket context %s",
|
|
|
|
|
vm->def->name, secdef->label);
|
|
|
|
|
if (setsockcreatecon(secdef->label) == -1) {
|
|
|
|
|
virReportSystemError(errno,
|
|
|
|
|
_("unable to set socket security context '%s'"),
|
|
|
|
|
secdef->label);
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rc = 0;
|
|
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
if (security_getenforce() != 1)
|
|
|
|
|
rc = 0;
|
|
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
|
}
|
|
|
|
|
|
2010-05-27 15:44:47 +00:00
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
|
2010-05-27 15:44:47 +00:00
|
|
|
virDomainObjPtr vm)
|
|
|
|
|
{
|
|
|
|
|
/* TODO: verify DOI */
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
|
|
|
|
|
if (vm->def->seclabel.label == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
|
2010-05-27 15:44:47 +00:00
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("security label driver mismatch: "
|
|
|
|
|
"'%s' model configured for domain, but "
|
|
|
|
|
"hypervisor driver is '%s'."),
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
secdef->model, virSecurityManagerGetModel(mgr));
|
2010-05-27 15:44:47 +00:00
|
|
|
if (security_getenforce() == 1)
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (setsockcreatecon(NULL) == -1) {
|
|
|
|
|
virReportSystemError(errno,
|
|
|
|
|
_("unable to clear socket security context '%s'"),
|
|
|
|
|
secdef->label);
|
|
|
|
|
if (security_getenforce() == 1)
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2010-06-23 15:17:15 +00:00
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
SELinuxSetSecurityChardevCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
|
|
|
|
|
virDomainChrDefPtr dev,
|
|
|
|
|
void *opaque)
|
|
|
|
|
{
|
|
|
|
|
virDomainObjPtr vm = opaque;
|
|
|
|
|
|
domain_conf: split source data out from ChrDef
This opens up the possibility of reusing the smaller ChrSourceDef
for both qemu monitor and a passthrough smartcard device.
* src/conf/domain_conf.h (_virDomainChrDef): Factor host
details...
(_virDomainChrSourceDef): ...into new struct.
(virDomainChrSourceDefFree): New prototype.
* src/conf/domain_conf.c (virDomainChrDefFree)
(virDomainChrDefParseXML, virDomainChrDefFormat): Split...
(virDomainChrSourceDefClear, virDomainChrSourceDefFree)
(virDomainChrSourceDefParseXML, virDomainChrSourceDefFormat):
...into new functions.
(virDomainChrDefParseTargetXML): Update clients to reflect type
split.
* src/vmx/vmx.c (virVMXParseSerial, virVMXParseParallel)
(virVMXFormatSerial, virVMXFormatParallel): Likewise.
* src/xen/xen_driver.c (xenUnifiedDomainOpenConsole): Likewise.
* src/xen/xend_internal.c (xenDaemonParseSxprChar)
(xenDaemonFormatSxprChr): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainDumpXML, vboxAttachSerial)
(vboxAttachParallel): Likewise.
* src/security/security_dac.c (virSecurityDACSetChardevLabel)
(virSecurityDACSetChardevCallback)
(virSecurityDACRestoreChardevLabel)
(virSecurityDACRestoreChardevCallback): Likewise.
* src/security/security_selinux.c (SELinuxSetSecurityChardevLabel)
(SELinuxSetSecurityChardevCallback)
(SELinuxRestoreSecurityChardevLabel)
(SELinuxSetSecurityChardevCallback): Likewise.
* src/security/virt-aa-helper.c (get_files): Likewise.
* src/lxc/lxc_driver.c (lxcVmStart, lxcDomainOpenConsole):
Likewise.
* src/uml/uml_conf.c (umlBuildCommandLineChr): Likewise.
* src/uml/uml_driver.c (umlIdentifyOneChrPTY, umlIdentifyChrPTY)
(umlDomainOpenConsole): Likewise.
* src/qemu/qemu_command.c (qemuBuildChrChardevStr)
(qemuBuildChrArgStr, qemuBuildCommandLine)
(qemuParseCommandLineChr): Likewise.
* src/qemu/qemu_domain.c (qemuDomainObjPrivateXMLFormat)
(qemuDomainObjPrivateXMLParse): Likewise.
* src/qemu/qemu_cgroup.c (qemuSetupChardevCgroup): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainAttachNetDevice): Likewise.
* src/qemu/qemu_driver.c (qemudFindCharDevicePTYsMonitor)
(qemudFindCharDevicePTYs, qemuPrepareChardevDevice)
(qemuPrepareMonitorChr, qemudShutdownVMDaemon)
(qemuDomainOpenConsole): Likewise.
* src/qemu/qemu_command.h (qemuBuildChrChardevStr)
(qemuBuildChrArgStr): Delete, now that they are static.
* src/libvirt_private.syms (domain_conf.h): New exports.
* cfg.mk (useless_free_options): Update list.
* tests/qemuxml2argvtest.c (testCompareXMLToArgvFiles): Update
tests.
2011-01-07 22:45:01 +00:00
|
|
|
return SELinuxSetSecurityChardevLabel(vm, &dev->source);
|
2010-06-23 15:17:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2011-01-14 19:17:17 +00:00
|
|
|
static int
|
|
|
|
|
SELinuxSetSecuritySmartcardCallback(virDomainDefPtr def ATTRIBUTE_UNUSED,
|
|
|
|
|
virDomainSmartcardDefPtr dev,
|
|
|
|
|
void *opaque)
|
|
|
|
|
{
|
|
|
|
|
virDomainObjPtr vm = opaque;
|
|
|
|
|
const char *database;
|
|
|
|
|
|
|
|
|
|
switch (dev->type) {
|
|
|
|
|
case VIR_DOMAIN_SMARTCARD_TYPE_HOST:
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case VIR_DOMAIN_SMARTCARD_TYPE_HOST_CERTIFICATES:
|
|
|
|
|
database = dev->data.cert.database;
|
|
|
|
|
if (!database)
|
|
|
|
|
database = VIR_DOMAIN_SMARTCARD_DEFAULT_DATABASE;
|
|
|
|
|
return SELinuxSetFilecon(database, default_content_context);
|
|
|
|
|
|
|
|
|
|
case VIR_DOMAIN_SMARTCARD_TYPE_PASSTHROUGH:
|
|
|
|
|
return SELinuxSetSecurityChardevLabel(vm, &dev->data.passthru);
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
|
|
|
|
|
_("unknown smartcard type %d"),
|
|
|
|
|
dev->type);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2010-01-11 11:04:40 +00:00
|
|
|
static int
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
|
2010-06-15 16:44:19 +00:00
|
|
|
virDomainObjPtr vm,
|
|
|
|
|
const char *stdin_path)
|
2010-01-11 11:04:40 +00:00
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
int i;
|
|
|
|
|
|
2011-07-05 09:49:51 +00:00
|
|
|
if (secdef->norelabel)
|
2010-01-11 11:04:40 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
for (i = 0 ; i < vm->def->ndisks ; i++) {
|
|
|
|
|
/* XXX fixme - we need to recursively label the entire tree :-( */
|
|
|
|
|
if (vm->def->disks[i]->type == VIR_DOMAIN_DISK_TYPE_DIR) {
|
|
|
|
|
VIR_WARN("Unable to relabel directory tree %s for disk %s",
|
|
|
|
|
vm->def->disks[i]->src, vm->def->disks[i]->dst);
|
|
|
|
|
continue;
|
2009-08-14 13:23:11 +00:00
|
|
|
}
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
if (SELinuxSetSecurityImageLabel(mgr,
|
2010-06-15 16:44:19 +00:00
|
|
|
vm, vm->def->disks[i]) < 0)
|
2010-01-11 11:04:40 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
2011-06-24 09:21:33 +00:00
|
|
|
/* XXX fixme process vm->def->fss if relabel == true */
|
|
|
|
|
|
2010-01-11 11:04:40 +00:00
|
|
|
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
if (SELinuxSetSecurityHostdevLabel(mgr,
|
2010-06-15 16:44:19 +00:00
|
|
|
vm,
|
|
|
|
|
vm->def->hostdevs[i]) < 0)
|
2010-01-11 11:04:40 +00:00
|
|
|
return -1;
|
2009-03-03 10:06:49 +00:00
|
|
|
}
|
|
|
|
|
|
2010-06-23 15:17:15 +00:00
|
|
|
if (virDomainChrDefForeach(vm->def,
|
|
|
|
|
true,
|
|
|
|
|
SELinuxSetSecurityChardevCallback,
|
|
|
|
|
vm) < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
|
2011-01-14 19:17:17 +00:00
|
|
|
if (virDomainSmartcardDefForeach(vm->def,
|
|
|
|
|
true,
|
|
|
|
|
SELinuxSetSecuritySmartcardCallback,
|
|
|
|
|
vm) < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
|
2010-03-12 18:38:39 +00:00
|
|
|
if (vm->def->os.kernel &&
|
|
|
|
|
SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
if (vm->def->os.initrd &&
|
|
|
|
|
SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
|
|
|
|
|
return -1;
|
|
|
|
|
|
2010-10-29 11:20:40 +00:00
|
|
|
if (stdin_path) {
|
|
|
|
|
if (SELinuxSetFilecon(stdin_path, default_content_context) < 0 &&
|
|
|
|
|
virStorageFileIsSharedFSType(stdin_path,
|
|
|
|
|
VIR_STORAGE_FILE_SHFS_NFS) != 1)
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
2010-06-24 21:58:59 +00:00
|
|
|
|
2009-03-03 10:06:49 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2011-01-23 21:02:42 +00:00
|
|
|
static int
|
2011-06-24 13:43:43 +00:00
|
|
|
SELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
|
|
|
|
virDomainObjPtr vm,
|
|
|
|
|
int fd)
|
2011-01-23 21:02:42 +00:00
|
|
|
{
|
|
|
|
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
|
|
|
|
|
|
|
|
|
if (secdef->imagelabel == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return SELinuxFSetFilecon(fd, secdef->imagelabel);
|
|
|
|
|
}
|
|
|
|
|
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
virSecurityDriver virSecurityDriverSELinux = {
|
|
|
|
|
0,
|
|
|
|
|
SECURITY_SELINUX_NAME,
|
|
|
|
|
SELinuxSecurityDriverProbe,
|
|
|
|
|
SELinuxSecurityDriverOpen,
|
|
|
|
|
SELinuxSecurityDriverClose,
|
|
|
|
|
|
|
|
|
|
SELinuxSecurityGetModel,
|
|
|
|
|
SELinuxSecurityGetDOI,
|
|
|
|
|
|
|
|
|
|
SELinuxSecurityVerify,
|
|
|
|
|
|
|
|
|
|
SELinuxSetSecurityImageLabel,
|
|
|
|
|
SELinuxRestoreSecurityImageLabel,
|
|
|
|
|
|
2011-08-26 07:05:57 +00:00
|
|
|
SELinuxSetSecurityDaemonSocketLabel,
|
2011-08-26 07:39:32 +00:00
|
|
|
SELinuxSetSecuritySocketLabel,
|
Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityHostdevLabel &&
driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply
if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
vm, hostdev) < 0)
The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.
The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.
* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c, src/qemu/qemu_security_dac.h
src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
src/security/security_dac.c, src/security/security_dac.h: Generic
versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
src/security/security_driver.c, src/security/security_driver.h,
src/security/security_selinux.c, src/security/security_selinux.h:
Update to take virSecurityManagerPtr object as the first param
in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2010-11-17 20:26:30 +00:00
|
|
|
SELinuxClearSecuritySocketLabel,
|
|
|
|
|
|
|
|
|
|
SELinuxGenSecurityLabel,
|
|
|
|
|
SELinuxReserveSecurityLabel,
|
|
|
|
|
SELinuxReleaseSecurityLabel,
|
|
|
|
|
|
|
|
|
|
SELinuxGetSecurityProcessLabel,
|
|
|
|
|
SELinuxSetSecurityProcessLabel,
|
|
|
|
|
|
|
|
|
|
SELinuxSetSecurityAllLabel,
|
|
|
|
|
SELinuxRestoreSecurityAllLabel,
|
|
|
|
|
|
|
|
|
|
SELinuxSetSecurityHostdevLabel,
|
|
|
|
|
SELinuxRestoreSecurityHostdevLabel,
|
|
|
|
|
|
|
|
|
|
SELinuxSetSavedStateLabel,
|
|
|
|
|
SELinuxRestoreSavedStateLabel,
|
2011-01-23 21:02:42 +00:00
|
|
|
|
2011-06-24 13:43:43 +00:00
|
|
|
SELinuxSetImageFDLabel,
|
2009-03-03 10:06:49 +00:00
|
|
|
};
|
