External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

SELinux: don't fail silently when no label is present

Browse Source 
This fixes startup of a domain with:
<seclabel type='none' model='dac'/>
on a host with selinux and dac drivers and
security_default_confined = 0

https://bugzilla.redhat.com/show_bug.cgi?id=1105939
https://bugzilla.redhat.com/show_bug.cgi?id=1102611
This commit is contained in:
Ján Tomko 2014-06-09 16:23:52 +02:00
parent a7b0040ad2
commit f9bf63e673
1 changed files with 29 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

98
src/security/security_selinux.c
View File

@ -585,7 +585,7 @@ virSecuritySELinuxGenSecurityLabel(virSecurityManagerPtr mgr,
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (seclabel == NULL) if (seclabel == NULL)
return rc; return 0;
data = virSecurityManagerGetPrivateData(mgr); data = virSecurityManagerGetPrivateData(mgr);
@ -739,11 +739,7 @@ virSecuritySELinuxReserveSecurityLabel(virSecurityManagerPtr mgr,
virSecurityLabelDefPtr seclabel; virSecurityLabelDefPtr seclabel;
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (seclabel == NULL) { if (!seclabel || seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)
return -1;
}
if (seclabel->type == VIR_DOMAIN_SECLABEL_STATIC)
return 0; return 0;
if (getpidcon_raw(pid, &pctx) == -1) { if (getpidcon_raw(pid, &pctx) == -1) {
@ -1060,7 +1056,7 @@ virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (seclabel == NULL) if (seclabel == NULL)
return -1; return 0;
switch (tpm->type) { switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
@ -1102,7 +1098,7 @@ virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (seclabel == NULL) if (seclabel == NULL)
return -1; return 0;
switch (tpm->type) { switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
@ -1136,7 +1132,7 @@ virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (seclabel == NULL) if (seclabel == NULL)
return -1; return 0;
disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk, disk_seclabel = virDomainDiskDefGetSecurityLabelDef(disk,
SECURITY_SELINUX_NAME); SECURITY_SELINUX_NAME);
@ -1256,10 +1252,7 @@ virSecuritySELinuxSetSecurityImageLabel(virSecurityManagerPtr mgr,
cbdata.manager = mgr; cbdata.manager = mgr;
cbdata.secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); cbdata.secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (cbdata.secdef == NULL) if (!cbdata.secdef || cbdata.secdef->norelabel)
return -1;
if (cbdata.secdef->norelabel)
return 0; return 0;
if (virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_NETWORK) if (virDomainDiskGetType(disk) == VIR_STORAGE_TYPE_NETWORK)
@ -1279,7 +1272,7 @@ virSecuritySELinuxSetSecurityHostdevLabelHelper(const char *file, void *opaque)
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (secdef == NULL)
return -1; return 0;
return virSecuritySELinuxSetFilecon(file, secdef->imagelabel); return virSecuritySELinuxSetFilecon(file, secdef->imagelabel);
} }
@ -1397,7 +1390,7 @@ virSecuritySELinuxSetSecurityHostdevCapsLabel(virDomainDefPtr def,
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (secdef == NULL)
return -1; return 0;
switch (dev->source.caps.type) { switch (dev->source.caps.type) {
case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: { case VIR_DOMAIN_HOSTDEV_CAPS_TYPE_STORAGE: {
@ -1447,10 +1440,7 @@ virSecuritySELinuxSetSecurityHostdevLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
virSecurityLabelDefPtr secdef; virSecurityLabelDefPtr secdef;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (!secdef || secdef->norelabel)
return -1;
if (secdef->norelabel)
return 0; return 0;
switch (dev->mode) { switch (dev->mode) {
@ -1635,10 +1625,7 @@ virSecuritySELinuxRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
virSecurityLabelDefPtr secdef; virSecurityLabelDefPtr secdef;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (!secdef || secdef->norelabel)
return -1;
if (secdef->norelabel)
return 0; return 0;
switch (dev->mode) { switch (dev->mode) {
@ -1667,14 +1654,14 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
int ret = -1; int ret = -1;
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (seclabel == NULL) if (!seclabel || seclabel->norelabel)
return -1; return 0;
if (dev) if (dev)
chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev, chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
SECURITY_SELINUX_NAME); SECURITY_SELINUX_NAME);
if (seclabel->norelabel || (chr_seclabel && chr_seclabel->norelabel)) if (chr_seclabel && chr_seclabel->norelabel)
return 0; return 0;
if (chr_seclabel) if (chr_seclabel)
@ -1738,13 +1725,13 @@ virSecuritySELinuxRestoreSecurityChardevLabel(virSecurityManagerPtr mgr,
int ret = -1; int ret = -1;
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (seclabel == NULL) if (!seclabel || seclabel->norelabel)
return -1; return 0;
if (dev) if (dev)
chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev, chr_seclabel = virDomainChrDefGetSecurityLabelDef(dev,
SECURITY_SELINUX_NAME); SECURITY_SELINUX_NAME);
if (seclabel->norelabel || (chr_seclabel && chr_seclabel->norelabel)) if (chr_seclabel && chr_seclabel->norelabel)
return 0; return 0;
switch (dev_source->type) { switch (dev_source->type) {
@ -1864,7 +1851,7 @@ virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (secdef == NULL)
return -1; return 0;
if (secdef->norelabel || data->skipAllLabel) if (secdef->norelabel || data->skipAllLabel)
return 0; return 0;
@ -1925,7 +1912,7 @@ virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (secdef == NULL)
return -1; return 0;
if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) { if (secdef->type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
if (secdef->label != NULL) { if (secdef->label != NULL) {
@ -1953,10 +1940,7 @@ virSecuritySELinuxSetSavedStateLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virSecurityLabelDefPtr secdef; virSecurityLabelDefPtr secdef;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (!secdef || secdef->norelabel)
return -1;
if (secdef->norelabel)
return 0; return 0;
return virSecuritySELinuxSetFilecon(savefile, secdef->imagelabel); return virSecuritySELinuxSetFilecon(savefile, secdef->imagelabel);
@ -1971,10 +1955,7 @@ virSecuritySELinuxRestoreSavedStateLabel(virSecurityManagerPtr mgr,
virSecurityLabelDefPtr secdef; virSecurityLabelDefPtr secdef;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (!secdef || secdef->norelabel)
return -1;
if (secdef->norelabel)
return 0; return 0;
return virSecuritySELinuxRestoreSecurityFileLabel(mgr, savefile); return virSecuritySELinuxRestoreSecurityFileLabel(mgr, savefile);
@ -1989,7 +1970,7 @@ virSecuritySELinuxSecurityVerify(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (secdef == NULL)
return -1; return 0;
if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) { if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
virReportError(VIR_ERR_INTERNAL_ERROR, virReportError(VIR_ERR_INTERNAL_ERROR,
@ -2018,10 +1999,7 @@ virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
virSecurityLabelDefPtr secdef; virSecurityLabelDefPtr secdef;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (!secdef || !secdef->label)
return -1;
if (secdef->label == NULL)
return 0; return 0;
VIR_DEBUG("label=%s", secdef->label); VIR_DEBUG("label=%s", secdef->label);
@ -2055,10 +2033,7 @@ virSecuritySELinuxSetSecurityChildProcessLabel(virSecurityManagerPtr mgr ATTRIBU
virSecurityLabelDefPtr secdef; virSecurityLabelDefPtr secdef;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (!secdef || !secdef->label)
return -1;
if (secdef->label == NULL)
return 0; return 0;
VIR_DEBUG("label=%s", secdef->label); VIR_DEBUG("label=%s", secdef->label);
@ -2088,10 +2063,7 @@ virSecuritySELinuxSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBU
int rc = -1; int rc = -1;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (!secdef || !secdef->label)
return -1;
if (secdef->label == NULL)
return 0; return 0;
if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) { if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
@ -2138,10 +2110,7 @@ virSecuritySELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNU
int rc = -1; int rc = -1;
secdef = virDomainDefGetSecurityLabelDef(vm, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(vm, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (!secdef || !secdef->label)
return -1;
if (secdef->label == NULL)
return 0; return 0;
if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) { if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
@ -2179,10 +2148,7 @@ virSecuritySELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_U
virSecurityLabelDefPtr secdef; virSecurityLabelDefPtr secdef;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (!secdef || !secdef->label)
return -1;
if (secdef->label == NULL)
return 0; return 0;
if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) { if (!STREQ(SECURITY_SELINUX_NAME, secdef->model)) {
@ -2264,7 +2230,7 @@ virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (secdef == NULL)
return -1; return 0;
if (secdef->norelabel || data->skipAllLabel) if (secdef->norelabel || data->skipAllLabel)
return 0; return 0;
@ -2337,10 +2303,7 @@ virSecuritySELinuxSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virSecurityLabelDefPtr secdef; virSecurityLabelDefPtr secdef;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (!secdef || !secdef->imagelabel)
return -1;
if (secdef->imagelabel == NULL)
return 0; return 0;
return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel); return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
@ -2358,10 +2321,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
int rc = -1; int rc = -1;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
if (secdef == NULL) if (!secdef || !secdef->label)
return rc;
if (secdef->label == NULL)
return 0; return 0;
if (fstat(fd, &buf) < 0) { if (fstat(fd, &buf) < 0) {