Cleanup sec driver error reporting to use virReportSystemError
* src/security_selinux.c: Use virReportSystemError wherever an errno is involved * src/qemu_driver.c: Don't overwrite error message from the security driver
parent
0e9ae444bd
commit
7887e00355
@ -1780,6 +1780,8 @@ static int qemuDomainSetHostdevUSBOwnershipActor(virConnectPtr conn,
|
|||||||
{
|
{
|
||||||
struct qemuFileOwner *owner = opaque;
|
struct qemuFileOwner *owner = opaque;
|
||||||
|
|
||||||
|
VIR_DEBUG("Setting ownership on %s to %d:%d", file, owner->uid, owner->gid);
|
||||||
|
|
||||||
if (chown(file, owner->uid, owner->gid) < 0) {
|
if (chown(file, owner->uid, owner->gid) < 0) {
|
||||||
virReportSystemError(conn, errno, _("cannot set ownership on %s"), file);
|
virReportSystemError(conn, errno, _("cannot set ownership on %s"), file);
|
||||||
return -1;
|
return -1;
|
||||||
@ -1821,6 +1823,8 @@ static int qemuDomainSetHostdevPCIOwnershipActor(virConnectPtr conn,
|
|||||||
{
|
{
|
||||||
struct qemuFileOwner *owner = opaque;
|
struct qemuFileOwner *owner = opaque;
|
||||||
|
|
||||||
|
VIR_DEBUG("Setting ownership on %s to %d:%d", file, owner->uid, owner->gid);
|
||||||
|
|
||||||
if (chown(file, owner->uid, owner->gid) < 0) {
|
if (chown(file, owner->uid, owner->gid) < 0) {
|
||||||
virReportSystemError(conn, errno, _("cannot set ownership on %s"), file);
|
virReportSystemError(conn, errno, _("cannot set ownership on %s"), file);
|
||||||
return -1;
|
return -1;
|
||||||
@ -1985,18 +1989,15 @@ static int qemudSecurityHook(void *data) {
|
|||||||
if (qemuAddToCgroup(h->driver, h->vm->def) < 0)
|
if (qemuAddToCgroup(h->driver, h->vm->def) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
if (qemudDomainSetSecurityLabel(h->conn, h->driver, h->vm) < 0) {
|
if (qemudDomainSetSecurityLabel(h->conn, h->driver, h->vm) < 0)
|
||||||
qemudReportError(h->conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
|
|
||||||
"%s", _("Failed to set security label"));
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
|
||||||
|
|
||||||
if (h->driver->privileged) {
|
if (h->driver->privileged) {
|
||||||
DEBUG("Dropping privileges of VM to %d:%d", h->driver->user, h->driver->group);
|
|
||||||
|
|
||||||
if (qemuDomainSetAllDeviceOwnership(h->conn, h->driver, h->vm->def, 0) < 0)
|
if (qemuDomainSetAllDeviceOwnership(h->conn, h->driver, h->vm->def, 0) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
|
DEBUG("Dropping privileges of VM to %d:%d", h->driver->user, h->driver->group);
|
||||||
|
|
||||||
if (h->driver->group) {
|
if (h->driver->group) {
|
||||||
if (setregid(h->driver->group, h->driver->group) < 0) {
|
if (setregid(h->driver->group, h->driver->group) < 0) {
|
||||||
virReportSystemError(NULL, errno,
|
virReportSystemError(NULL, errno,
|
||||||
|
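Review bot: The `qemudDomainSetSecurityLabel` failure branch in qemudSecurityHook now returns -1 without reporting anything itself, so a useful message depends on every failure path beneath that call having raised its own error, which this page shows only for the SELinux driver. A one-line comment above the `return -1;`, for example `/* the security driver has already reported the error */`, would record that contract for the next reader. In the two ownership actors the added `VIR_DEBUG("Setting ownership on %s to %d:%d", ...)` passes `owner->uid` and `owner->gid` to `%d`; if those fields are `uid_t`/`gid_t`, casting them to `(int)` keeps the format and argument types in agreement. All three functions start and end outside their hunks.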
@ -106,24 +106,21 @@ SELinuxInitialize(virConnectPtr conn)
|
|||||||
{
|
{
|
||||||
char *ptr = NULL;
|
char *ptr = NULL;
|
||||||
int fd = 0;
|
int fd = 0;
|
||||||
char ebuf[1024];
|
|
||||||
|
|
||||||
virRandomInitialize(time(NULL) ^ getpid());
|
virRandomInitialize(time(NULL) ^ getpid());
|
||||||
|
|
||||||
fd = open(selinux_virtual_domain_context_path(), O_RDONLY);
|
fd = open(selinux_virtual_domain_context_path(), O_RDONLY);
|
||||||
if (fd < 0) {
|
if (fd < 0) {
|
||||||
virSecurityReportError(conn, VIR_ERR_ERROR,
|
virReportSystemError(conn, errno,
|
||||||
_("%s: cannot open SELinux virtual domain context file %s: %s"),
|
_("cannot open SELinux virtual domain context file '%s'"),
|
||||||
__func__,selinux_virtual_domain_context_path(),
|
selinux_virtual_domain_context_path());
|
||||||
virStrerror(errno, ebuf, sizeof ebuf));
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (saferead(fd, default_domain_context, sizeof(default_domain_context)) < 0) {
|
if (saferead(fd, default_domain_context, sizeof(default_domain_context)) < 0) {
|
||||||
virSecurityReportError(conn, VIR_ERR_ERROR,
|
virReportSystemError(conn, errno,
|
||||||
_("%s: cannot read SELinux virtual domain context file %s: %s"),
|
_("cannot read SELinux virtual domain context file %s"),
|
||||||
__func__,selinux_virtual_domain_context_path(),
|
selinux_virtual_domain_context_path());
|
||||||
virStrerror(errno, ebuf, sizeof ebuf));
|
|
||||||
close(fd);
|
close(fd);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
@ -133,18 +130,16 @@ SELinuxInitialize(virConnectPtr conn)
|
|||||||
*ptr = '\0';
|
*ptr = '\0';
|
||||||
|
|
||||||
if ((fd = open(selinux_virtual_image_context_path(), O_RDONLY)) < 0) {
|
if ((fd = open(selinux_virtual_image_context_path(), O_RDONLY)) < 0) {
|
||||||
virSecurityReportError(conn, VIR_ERR_ERROR,
|
virReportSystemError(conn, errno,
|
||||||
_("%s: cannot open SELinux virtual image context file %s: %s"),
|
_("cannot open SELinux virtual image context file %s"),
|
||||||
__func__,selinux_virtual_image_context_path(),
|
selinux_virtual_image_context_path());
|
||||||
virStrerror(errno, ebuf, sizeof ebuf));
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (saferead(fd, default_image_context, sizeof(default_image_context)) < 0) {
|
if (saferead(fd, default_image_context, sizeof(default_image_context)) < 0) {
|
||||||
virSecurityReportError(conn, VIR_ERR_ERROR,
|
virReportSystemError(conn, errno,
|
||||||
_("%s: cannot read SELinux virtual image context file %s: %s"),
|
_("cannot read SELinux virtual image context file %s"),
|
||||||
__func__,selinux_virtual_image_context_path(),
|
selinux_virtual_image_context_path());
|
||||||
virStrerror(errno, ebuf, sizeof ebuf));
|
|
||||||
close(fd);
|
close(fd);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
@ -232,10 +227,8 @@ SELinuxReserveSecurityLabel(virConnectPtr conn,
|
|||||||
const char *mcs;
|
const char *mcs;
|
||||||
|
|
||||||
if (getpidcon(vm->pid, &pctx) == -1) {
|
if (getpidcon(vm->pid, &pctx) == -1) {
|
||||||
char ebuf[1024];
|
virReportSystemError(conn, errno,
|
||||||
virSecurityReportError(conn, VIR_ERR_ERROR, _("%s: error calling "
|
_("unable to get PID %d security context"), vm->pid);
|
||||||
"getpidcon(): %s"), __func__,
|
|
||||||
virStrerror(errno, ebuf, sizeof ebuf));
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -286,17 +279,16 @@ SELinuxGetSecurityLabel(virConnectPtr conn,
|
|||||||
security_context_t ctx;
|
security_context_t ctx;
|
||||||
|
|
||||||
if (getpidcon(vm->pid, &ctx) == -1) {
|
if (getpidcon(vm->pid, &ctx) == -1) {
|
||||||
char ebuf[1024];
|
virReportSystemError(conn, errno,
|
||||||
virSecurityReportError(conn, VIR_ERR_ERROR, _("%s: error calling "
|
_("unable to get PID %d security context"),
|
||||||
"getpidcon(): %s"), __func__,
|
vm->pid);
|
||||||
virStrerror(errno, ebuf, sizeof ebuf));
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) {
|
if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) {
|
||||||
virSecurityReportError(conn, VIR_ERR_ERROR,
|
virSecurityReportError(conn, VIR_ERR_ERROR,
|
||||||
_("%s: security label exceeds "
|
_("security label exceeds "
|
||||||
"maximum lenth: %d"), __func__,
|
"maximum lenth: %d"),
|
||||||
VIR_SECURITY_LABEL_BUFLEN - 1);
|
VIR_SECURITY_LABEL_BUFLEN - 1);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
@ -306,10 +298,8 @@ SELinuxGetSecurityLabel(virConnectPtr conn,
|
|||||||
|
|
||||||
sec->enforcing = security_getenforce();
|
sec->enforcing = security_getenforce();
|
||||||
if (sec->enforcing == -1) {
|
if (sec->enforcing == -1) {
|
||||||
char ebuf[1024];
|
virReportSystemError(conn, errno, "%s",
|
||||||
virSecurityReportError(conn, VIR_ERR_ERROR, _("%s: error calling "
|
_("error calling security_getenforce()"));
|
||||||
"security_getenforce(): %s"), __func__,
|
|
||||||
virStrerror(errno, ebuf, sizeof ebuf));
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -319,7 +309,6 @@ SELinuxGetSecurityLabel(virConnectPtr conn,
|
|||||||
static int
|
static int
|
||||||
SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
|
SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
|
||||||
{
|
{
|
||||||
char ebuf[1024];
|
|
||||||
security_context_t econ;
|
security_context_t econ;
|
||||||
|
|
||||||
VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
|
VIR_INFO("Setting SELinux context on '%s' to '%s'", path, tcon);
|
||||||
@ -343,14 +332,14 @@ SELinuxSetFilecon(virConnectPtr conn, const char *path, char *tcon)
|
|||||||
* virt_use_{nfs,usb,pci} boolean tunables to allow it...
|
* virt_use_{nfs,usb,pci} boolean tunables to allow it...
|
||||||
*/
|
*/
|
||||||
if (setfilecon_errno != EOPNOTSUPP) {
|
if (setfilecon_errno != EOPNOTSUPP) {
|
||||||
virSecurityReportError(conn, VIR_ERR_ERROR,
|
virReportSystemError(conn, setfilecon_errno,
|
||||||
_("%s: unable to set security context "
|
_("unable to set security context '%s' on '%s'"),
|
||||||
"'\%s\' on %s: %s."), __func__,
|
tcon, path);
|
||||||
tcon,
|
|
||||||
path,
|
|
||||||
virStrerror(errno, ebuf, sizeof ebuf));
|
|
||||||
if (security_getenforce() == 1)
|
if (security_getenforce() == 1)
|
||||||
return -1;
|
return -1;
|
||||||
|
} else {
|
||||||
|
VIR_INFO("Setting security context '%s' on '%s' not supported",
|
||||||
|
tcon, path);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
@ -366,6 +355,8 @@ SELinuxRestoreSecurityFileLabel(virConnectPtr conn,
|
|||||||
int err;
|
int err;
|
||||||
char *newpath = NULL;
|
char *newpath = NULL;
|
||||||
|
|
||||||
|
VIR_INFO("Restoring SELinux context on '%s'", path);
|
||||||
|
|
||||||
if ((err = virFileResolveLink(path, &newpath)) < 0) {
|
if ((err = virFileResolveLink(path, &newpath)) < 0) {
|
||||||
virReportSystemError(conn, err,
|
virReportSystemError(conn, err,
|
||||||
_("cannot resolve symlink %s"), path);
|
_("cannot resolve symlink %s"), path);
|
||||||
@ -581,6 +572,9 @@ SELinuxRestoreSecurityLabel(virConnectPtr conn,
|
|||||||
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
||||||
int i;
|
int i;
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
|
||||||
|
VIR_DEBUG("Restoring security label on %s", vm->def->name);
|
||||||
|
|
||||||
if (secdef->imagelabel) {
|
if (secdef->imagelabel) {
|
||||||
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
|
for (i = 0 ; i < vm->def->nhostdevs ; i++) {
|
||||||
if (SELinuxRestoreSecurityHostdevLabel(conn, vm->def->hostdevs[i]) < 0)
|
if (SELinuxRestoreSecurityHostdevLabel(conn, vm->def->hostdevs[i]) < 0)
|
||||||
@ -624,25 +618,23 @@ SELinuxSetSecurityLabel(virConnectPtr conn,
|
|||||||
/* TODO: verify DOI */
|
/* TODO: verify DOI */
|
||||||
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
|
||||||
int i;
|
int i;
|
||||||
char ebuf[1024];
|
|
||||||
|
|
||||||
if (!STREQ(drv->name, secdef->model)) {
|
if (!STREQ(drv->name, secdef->model)) {
|
||||||
virSecurityReportError(conn, VIR_ERR_ERROR,
|
virSecurityReportError(conn, VIR_ERR_ERROR,
|
||||||
_("%s: security label driver mismatch: "
|
_("security label driver mismatch: "
|
||||||
"\'%s\' model configured for domain, but "
|
"'%s' model configured for domain, but "
|
||||||
"hypervisor driver is \'%s\'."),
|
"hypervisor driver is '%s'."),
|
||||||
__func__, secdef->model, drv->name);
|
secdef->model, drv->name);
|
||||||
if (security_getenforce() == 1)
|
if (security_getenforce() == 1)
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (setexeccon(secdef->label) == -1) {
|
if (setexeccon(secdef->label) == -1) {
|
||||||
virSecurityReportError(conn, VIR_ERR_ERROR,
|
virReportSystemError(conn, errno,
|
||||||
_("%s: unable to set security context "
|
_("unable to set security context '%s'"),
|
||||||
"'\%s\': %s."), __func__, secdef->label,
|
secdef->label);
|
||||||
virStrerror(errno, ebuf, sizeof ebuf));
|
|
||||||
if (security_getenforce() == 1)
|
if (security_getenforce() == 1)
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (secdef->imagelabel) {
|
if (secdef->imagelabel) {
|
||||||
|
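Review bot: The `if (security_getenforce() == 1) return -1;` checks kept in SELinuxSetFilecon and SELinuxSetSecurityLabel treat a -1 (error) result the same as permissive mode, so a failure to set the file or exec context, or a driver model mismatch, is reported and then ignored whenever the enforcing state cannot be read. SELinuxGetSecurityLabel on this same page already handles `sec->enforcing == -1` as a failure; comparing with `!= 0` in the label-setting paths would make them fail closed as well. Separately, the reworded message in SELinuxGetSecurityLabel still reads `"maximum lenth: %d"`, which should be `"maximum length: %d"`. These functions begin and end outside the hunks shown.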