Commit Graph

571 Commits

Author SHA1 Message Date
Christian Ehrhardt
a150b86c4c virt-aa-helper: apparmor wildcards to forbidden chars
Some globbing chars in the domain name could be used to break out of
apparmor rules, so lets forbid these when in virt-aa-helper.

Also adding a test to ensure all those cases were detected as bad char.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2017-10-27 10:32:02 +02:00
Christian Ehrhardt
07fc5c9c06 virt-aa-helper: grant locking permission on -f
Hot-adding disks does not parse the full XML to generate apparmor rules.
Instead it uses -f <PATH> to append a generic rule for that file path.

580cdaa7: "virt-aa-helper: locking disk files for qemu 2.10" implemented
the qemu 2.10 requirement to allow locking on disks images that are part of
the domain xml.

But on attach-device a user will still trigger an apparmor deny by going
through virt-aa-helper -f, to fix that add the lock "k" permission to the
append file case of virt-aa-helper.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2017-10-26 12:48:32 +02:00
Peter Krempa
0a294a8e28 util: storagefile: Add helpers to check presence of backing store
Add helpers that will simplify checking if a backing file is valid or
whether it has backing store. The helper virStorageSourceIsBacking
returns true if the given virStorageSource is a valid backing store
member. virStorageSourceHasBacking returns true if the virStorageSource
has a backing store child.

Adding these functions creates a central points for further refactors.
2017-10-17 06:19:18 +02:00
Christian Ehrhardt
cbd609524d virt-aa-helper: put static rules in quotes
To avoid any issues later on if paths ever change (unlikely but
possible) and to match the style of other generated rules the paths
of the static rules have to be quoted as well.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2017-10-06 11:14:49 +02:00
Christian Ehrhardt
e79211ed23 virt-aa-helper: allow spaces in vm names
libvirt allows spaces in vm names, there were issues in the past but it
seems not removed so the assumption has to be that spaces are continuing
to be allowed.

Therefore virt-aa-helper should not reject spaces in vm names anymore if
it is going to be refused causing issues then the parser or xml schema
should do so.
Apparmor rules are in quotes, so a space in a path based on the name works.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-10-06 11:14:49 +02:00
Christian Ehrhardt
750e08443a virt-aa-helper: fix paths for usb hostdevs
If users only specified vendor&product (the common case) then parsing
the xml via virDomainHostdevSubsysUSBDefParseXML would only set these.
Bus and Device would much later be added when the devices are prepared
to be added.

Due to that a hot-add of a usb hostdev works as the device is prepared
and virt-aa-helper processes the new internal xml. But on an initial
guest start at the time virt-aa-helper renders the apparmor rules the
bus/device id's are not set yet:

p ctl->def->hostdevs[0]->source.subsys.u.usb
$12 = {autoAddress = false, bus = 0, device = 0, vendor = 1921, product
= 21888}

That causes rules to be wrong:
  "/dev/bus/usb/000/000" rw,

The fix calls virHostdevFindUSBDevice after reading the XML from
virt-aa-helper to only add apparmor rules for devices that could be found
and now are fully known to be able to write the rule correctly.

It uncondtionally sets virHostdevFindUSBDevice mandatory attribute as
adding an apparmor rule for a device not found makes no sense no matter
what startup policy it has set.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-10-06 11:14:49 +02:00
Daniel P. Berrange
32d6c7386d Print hex values with '0x' prefix and octal with '0' in debug messages
Seeing a log message saying 'flags=93' is ambiguous & confusing unless
you happen to know that libvirt always prints flags as hex.  Change our
debug messages so that they always add a '0x' prefix when printing flags,
and '0' prefix when printing mode. A few other misc places gain a '0x'
prefix in error messages too.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-09-25 13:34:53 +01:00
Guido Günther
eba2225bc5 apparmor: delete profile on VM shutdown
instead of only unloading it. This makes sure old profiles don't pile up
in /etc/apparmor.d/libvirt and we get updates to modified templates on
VM restart.

Reviewed-by: Jim Fehlig <jfehlig@suse.com>
2017-09-22 12:32:49 +02:00
Guido Günther
3faf3ca60a apparmor: cater for new AAVMF image location
Things moved again, sigh.

Reviewed-By: Jamie Strandboge <jamie@canonical.com>
Michal Privoznik <mprivozn@redhat.com>
2017-09-18 19:06:53 +02:00
Cole Robinson
98931187ee security: dac: relabel spice rendernode
For a logged in user this a path like /dev/dri/renderD128 will have
default ownership root:video which won't work for the qemu:qemu user,
so we need to chown it.

We only do this when mount namespaces are enabled in the qemu driver,
so the chown'ing doesn't interfere with other users of the shared
render node path

https://bugzilla.redhat.com/show_bug.cgi?id=1460804
2017-09-12 12:27:42 -04:00
Cole Robinson
321031e482 security: add MANAGER_MOUNT_NAMESPACE flag
The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver
if mount namespaces are in use for the VM. Will be used for future
changes.

Wire it up in the qemu driver
2017-09-12 12:27:42 -04:00
Jim Fehlig
0f1993aa15 Don't autogenerate seclabels of type 'none'
When security drivers are active but confinement is not enabled,
there is no need to autogenerate <seclabel> elements when starting
a domain def that contains no <seclabel> elements. In fact,
autogenerating the elements can result in needless save/restore and
migration failures when the security driver is not active on the
restore/migration target.

This patch changes the virSecurityManagerGenLabel function in
src/security_manager.c to only autogenerate a <seclabel> element
if none is already defined for the domain *and* default
confinement is enabled. Otherwise the needless <seclabel>
autogeneration is skipped.

Resolves: https://bugzilla.opensuse.org/show_bug.cgi?id=1051017
2017-08-21 09:22:26 -06:00
Christian Ehrhardt
03fb4e3dea virt-aa-helper: locking loader/nvram for qemu 2.10
Testing qemu-2.10-rc3 shows issues like:
  qemu-system-aarch64: -drive file=/home/ubuntu/vm-start-stop/vms/
  7936-0_CODE.fd,if=pflash,format=raw,unit=1: Failed to unlock byte 100

There is an apparmor deny due to qemu now locking those files:
 apparmor="DENIED" operation="file_lock" [...]
 name="/home/ubuntu/vm-start-stop/vms/7936-0_CODE.fd"
 name="/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow"
 [...] comm="qemu-system-aarch64" requested_mask="k" denied_mask="k"

The profile needs to allow locking for loader and nvram files via
the locking (k) rule.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2017-08-17 16:11:59 +02:00
Christian Ehrhardt
580cdaa7e7 virt-aa-helper: locking disk files for qemu 2.10
Testing qemu-2.10-rc2 shows issues like:
  qemu-system-x86_64: -drive file=/var/lib/uvtool/libvirt/images/kvmguest- \
  artful-normal.qcow,format=qcow2,if=none,id=drive-virtio-disk0:
  Failed to lock byte 100

It seems the following qemu commit changed the needs for the backing
image rules:

(qemu) commit 244a5668106297378391b768e7288eb157616f64
Author: Fam Zheng <famz@redhat.com>
    file-posix: Add image locking to perm operations

The block appears as:
 apparmor="DENIED" operation="file_lock" [...]
 name="/var/lib/uvtool/libvirt/images/kvmguest-artful-normal.qcow"
 [...] comm="qemu-system-x86" requested_mask="k" denied_mask="k"

With that qemu change in place the rules generated for the image
and backing files need the allowance to also lock (k) the files.

Disks are added via add_file_path and with this fix rules now get
that permission, but no other rules are changed, example:
  -  "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rw,
  +  "/var/lib/uvtool/libvirt/images/kvmguest-artful-normal-a2.qcow" rwk

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2017-08-17 16:11:59 +02:00
Pavel Hrdina
068606f85c use virXMLNodeNameEqual instead of xmlStrEqual
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2017-08-14 14:31:52 +02:00
Peter Krempa
6cf7fc573f security: apparmor: load the storage driver dynamically
In commit 5e515b542d I've attempted to fix the inability to access
storage from the apparmor helper program by linking with the storage
driver. By linking with the .so the linker complains that it's not
portable. Fix this by loading the module dynamically as we are supposed
to do.

Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-27 12:00:35 +02:00
Peter Krempa
5e515b542d security: apparmor: Properly link with storage driver in helper program
The refactor to split up storage driver into modules broke the apparmor
helper program, since that did not initialize the storage driver
properly and thus detection of the backing chain could not work.

Register the storage driver backends explicitly. Unfortunately it's now
necessary to link with the full storage driver to satisfy dependencies
of the loadable modules.

Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reported-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2017-07-19 09:54:51 +02:00
Peter Krempa
9506bd25a3 storage: Split out virStorageSource accessors to separate file
The helper methods for actually accessing the storage objects don't
really belong to the main storage driver implementation file. Split them
out.
2017-07-11 17:07:04 +02:00
Michal Privoznik
e0d1a378dc security: Don't skip relabel for all chardevs
Our commit e13e8808f9 was way too generic. Currently, virtlogd is
used only for chardevs type of file and nothing else. True, we
must not relabel the path in this case, but we have to in all
other cases. For instance, if you want to have a physical console
attached to your guest:

    <console type='dev'>
      <source path='/dev/ttyS0'/>
      <target type='virtio' port='1'/>
    </console>

Starting such domain fails because qemu doesn't have access to
/dev/ttyS0 because we haven't relabelled the path.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2017-06-22 14:28:15 +02:00
Pavel Hrdina
e13e8808f9 security: don't relabel chardev source if virtlogd is used as stdio handler
In the case that virtlogd is used as stdio handler we pass to QEMU
only FD to a PIPE connected to virtlogd instead of the file itself.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1430988

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2017-06-16 16:00:10 +02:00
Pavel Hrdina
1763a2e7e2 conf: move seclabel for chardev source to the correct sturcture
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2017-06-16 15:42:59 +02:00
William Grant
f3b0f324eb apparmor, virt-aa-helper: Allow aarch64 UEFI.
Allow access to aarch64 UEFI images.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Guido Günther <agx@sigxcpu.org>
2017-06-16 10:38:52 +02:00
Simon McVittie
8d4aad6412 virt-aa-helper, apparmor: allow /usr/share/OVMF/ too
The split firmware and variables files introduced by
https://bugs.debian.org/764918 are in a different directory for
some reason. Let the virtual machine read both.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
2017-06-16 10:38:52 +02:00
Jiri Denemark
25af7e950a conf: Add save cookie callbacks to xmlopt
virDomainXMLOption gains driver specific callbacks for parsing and
formatting save cookies.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
2017-06-07 13:36:01 +02:00
Michal Privoznik
4f0aeed871 virDomainXMLOption: Introduce virDomainABIStabilityDomain
While checking for ABI stability, drivers might pose additional
checks that are not valid for general case. For instance, qemu
driver might check some memory backing attributes because of how
qemu works. But those attributes may work well in other drivers.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-06-05 09:08:52 +02:00
Pavel Hrdina
0c53382d82 conf: don't iterate over backcompat console in virDomainChrDefForeach
If the first console is just a copy of the first serial device we
don't need to iterate over the same device twice in order to perform
actions like security labeling, cgroup configuring, etc.

Currently only security SELinux manager was aware of this fact.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2017-05-24 12:50:09 +02:00
Erik Skultety
3a2a2a7401 mdev: Pass a uuidstr rather than an mdev object to some util functions
Namely, this patch is about virMediatedDeviceGetIOMMUGroup{Dev,Num}
functions. There's no compelling reason why these functions should take
an object, on the contrary, having to create an object every time one
needs to query the IOMMU group number, discarding the object afterwards,
seems odd.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2017-05-18 12:20:15 +02:00
Michal Privoznik
1a4a4ffa3e lib: Fix c99 style comments
We prefer c89 style of comments.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-04-27 14:13:19 +02:00
Erik Skultety
606afafba4 security: Enable labeling of vfio mediated devices
This patch updates all of our security driver to start labeling the
VFIO IOMMU devices under /dev/vfio/ as well.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2017-03-27 15:39:35 +02:00
Erik Skultety
ec783d7c77 conf: Introduce new hostdev device type mdev
A mediated device will be identified by a UUID (with 'model' now being
a mandatory <hostdev> attribute to represent the mediated device API) of
the user pre-created mediated device. We also need to make sure that if
user explicitly provides a guest address for a mdev device, the address
type will be matching the device API supported on that specific mediated
device and error out with an incorrect XML message.

The resulting device XML:
<devices>
  <hostdev mode='subsystem' type='mdev' model='vfio-pci'>
    <source>
      <address uuid='c2177883-f1bb-47f0-914d-32a22e3a8804'>
    </source>
  </hostdev>
</devices>

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2017-03-27 15:39:35 +02:00
Michal Privoznik
679bf50120 secdrivers: Implement memdev relabel APIs
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-03-15 16:48:24 +01:00
Michal Privoznik
0064c4e2bc security: Introduce internal APIs for memdev labelling
These APIs will be used whenever we are hot (un-)plugging a
memdev.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-03-15 16:45:53 +01:00
Michal Privoznik
cde8e31938 security_selinux: Label host side of NVDIMM
When domain is being started up, we ought to relabel the host
side of NVDIMM so qemu has access to it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-03-15 16:45:42 +01:00
Michal Privoznik
ea416faf74 security_dac: Label host side of NVDIMM
When domain is being started up, we ought to relabel the host
side of NVDIMM so qemu has access to it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-03-15 14:39:53 +01:00
Jim Fehlig
ec94e14b68 apparmor: don't fail on non-apparmor <seclabel>
If the apparmor security driver is loaded/enabled and domain config
contains a <seclabel> element whose type attribute is not 'apparmor',
starting the domain fails when attempting to label resources such
as tap FDs.

Many of the apparmor driver entry points attempt to retrieve the
apparmor security label from the domain def, returning failure if
not found. Functions such as AppArmorSetFDLabel fail even though
domain config contains an explicit 'none' secuirty driver, e.g.

  <seclabel type='none' model='none'/>

Change the entry points to succeed if the domain config <seclabel>
is not apparmor. This matches the behavior of the selinux driver.
2017-02-14 16:53:30 -07:00
Jim Fehlig
5cdfc80ba8 apparmor: don't overwrite error from reload_profile
Like other callers of reload_profile, don't overwrite errors in
AppArmorSetSecurityHostdevLabelHelper.
2017-02-14 16:53:30 -07:00
Erik Skultety
7e8b2da74f security: SELinux: fix the transaction model's list append
The problem is in the way how the list item is created prior to
appending it to the transaction list - the @path argument is just a
shallow copy instead of deep copy of the hostdev device's path.
Unfortunately, the hostdev devices from which the @path is extracted, in
order to add them into the transaction list, are only temporary and
freed before the buildup of the qemu namespace, thus making the @path
attribute in the transaction list NULL, causing 'permission denied' or
'double free' or 'unknown cause' errors.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1413773

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2017-01-17 15:49:57 +01:00
Erik Skultety
df7f42d5be security: DAC: fix the transaction model's list append
The problem is in the way how the list item is created prior to
appending it to the transaction list - the @path attribute is just a
shallow copy instead of deep copy of the hostdev device's path.
Unfortunately, the hostdev devices from which the @path is extracted, in
order to add them into the transaction list, are only temporary and
freed before the buildup of the qemu namespace, thus making the @path
attribute in the transaction list NULL, causing 'permission denied' or
'double free' or 'unknown cause' errors.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1413773

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2017-01-17 15:49:57 +01:00
Michal Privoznik
3027bacf95 virSecuritySELinuxSetFileconHelper: Fix build with broken selinux.h
There are still some systems out there that have broken
setfilecon*() prototypes. Instead of taking 'const char *tcon' it
is taking 'char *tcon'. The function should just set the context,
not modify it.

We had been bitten with this problem before which resulted in
292d3f2d and subsequently b109c09765. However, with one my latest
commits (4674fc6afd) I've changed the type of @tcon variable to
'const char *' which results in build failure on the systems from
above.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-01-10 19:23:49 +01:00
Michal Privoznik
4674fc6afd security_selinux: Implement transaction APIs
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-01-10 12:50:00 +01:00
Michal Privoznik
67232478db security_dac: Implement transaction APIs
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-01-10 12:50:00 +01:00
Michal Privoznik
95576b4df0 security driver: Introduce transaction APIs
With our new qemu namespace code in place, the relabelling of
devices is done not as good is it could: a child process is
spawned, it enters the mount namespace of the qemu process and
then runs desired API of the security driver.

Problem with this approach is that internal state transition of
the security driver done in the child process is not reflected in
the parent process. While currently it wouldn't matter that much,
it is fairly easy to forget about that. We should take the extra
step now while this limitation is still fresh in our minds.

Three new APIs are introduced here:
  virSecurityManagerTransactionStart()
  virSecurityManagerTransactionCommit()
  virSecurityManagerTransactionAbort()

The Start() is going to be used to let security driver know that
we are starting a new transaction. During a transaction no
security labels are actually touched, but rather recorded and
only at Commit() phase they are actually updated. Should
something go wrong Abort() aborts the transaction freeing up all
memory allocated by transaction.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-01-10 12:49:59 +01:00
Michal Privoznik
39779eb195 security_dac: Resolve virSecurityDACSetOwnershipInternal const correctness
The code at the very bottom of the DAC secdriver that calls
chown() should be fine with read-only data. If something needs to
be prepared it should have been done beforehand.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-01-10 12:49:59 +01:00
Michal Privoznik
65fb0b79f7 security_selinux: s/virSecuritySELinuxSecurity/virSecuritySELinux/
It doesn't make much sense to have two different prefix for
functions within the same driver.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2017-01-09 09:17:42 +01:00
Michal Privoznik
ce937d3710 security: Drop virSecurityManagerSetHugepages
Since its introduction in 2012 this internal API did nothing.
Moreover we have the same API that does exactly the same:
virSecurityManagerDomainSetPathLabel.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-12-08 15:45:52 +01:00
Christian Ehrhardt
dffdac06c0 virt-aa-helper: fix parsing security labels by introducing VIR_DOMAIN_DEF_PARSE_SKIP_SECLABEL
When virt-aa-helper parses xml content it can fail on security labels.

It fails by requiring to parse active domain content on seclabels that
are not yet filled in.

Testcase with virt-aa-helper on a minimal xml:
 $ cat << EOF > /tmp/test.xml
<domain type='kvm'>
    <name>test-seclabel</name>
    <uuid>12345678-9abc-def1-2345-6789abcdef00</uuid>
    <memory unit='KiB'>1</memory>
    <os><type arch='x86_64'>hvm</type></os>
    <seclabel type='dynamic' model='apparmor' relabel='yes'/>
    <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>
EOF
 $ /usr/lib/libvirt/virt-aa-helper -d -r -p 0 \
   -u libvirt-12345678-9abc-def1-2345-6789abcdef00 < /tmp/test.xml

Current Result:
 virt-aa-helper: error: could not parse XML
 virt-aa-helper: error: could not get VM definition
Expected Result is a valid apparmor profile

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Signed-off-by: Guido Günther <agx@sigxcpu.org>
2016-11-30 08:15:57 +01:00
Eric Farman
81a206f52b security: Include vhost-scsi in security labels
Ensure that the vhost-scsi wwpn information is passed to the
different security policies.

Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
2016-11-24 12:16:26 -05:00
Eric Farman
fc0e627bac Introduce framework for a hostdev SCSI_host subsystem type
We already have a "scsi" hostdev subsys type, which refers to a single
LUN that is passed through to a guest.  But what of things where
multiple LUNs are passed through via a single SCSI HBA, such as with
the vhost-scsi target?  Create a new hostdev subsys type that will
carry this.

Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
2016-11-24 12:15:26 -05:00
Eric Farman
85b0721095 Cleanup switch statements on the hostdev subsystem type
As was suggested in an earlier review comment[1], we can
catch some additional code points by cleaning up how we use the
hostdev subsystem type in some switch statements.

[1] End of https://www.redhat.com/archives/libvir-list/2016-September/msg00399.html

Signed-off-by: Eric Farman <farman@linux.vnet.ibm.com>
Signed-off-by: John Ferlan <jferlan@redhat.com>
2016-11-11 16:58:56 -05:00
John Ferlan
8f67b9ecd2 conf: Use virDomainChrSourceDefPtr for _virDomainSmartcardDef 'passthru'
Use a pointer and the virDomainChrSourceDefNew() function in order to
allocate the structure for _virDomainSmartcardDef.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2016-10-24 06:44:23 -04:00
John Ferlan
77a12987a4 Introduce virDomainChrSourceDefNew for virDomainChrDefPtr
Change the virDomainChrDef to use a pointer to 'source' and allocate
that pointer during virDomainChrDefNew.

This has tremendous "fallout" in the rest of the code which mainly
has to change source.$field to source->$field.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2016-10-21 14:03:36 -04:00
Michal Privoznik
c41b989112 virDomainDefParse{File,String}: Introduce @parseOpaque argument
We want to pass the proper opaque pointer instead of NULL to
virDomainDefParse and subsequently virDomainDefParseNode too.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-09-26 16:50:12 +02:00
Julio Faracco
fe94ee5db5 security: Fixing wrong label in virt-aa-helper.c.
There is an issue with a wrong label inside vah_add_path().
The compilation fails with the error:
make[3]: Entering directory '/tmp/libvirt/src'
  CC       security/virt_aa_helper-virt-aa-helper.o
security/virt-aa-helper.c: In function 'vah_add_path':
security/virt-aa-helper.c:769:9: error: label 'clean' used but not defined
         goto clean;

This patch moves 'clean' label to 'cleanup' label.

Signed-off-by: Julio Faracco <jcfaracco@gmail.com>
2016-09-07 18:06:31 -04:00
Rufo Dogav
b3c1bcb9fd Avoid segfault in virt-aa-helper when handling read-only filesystems
This patch fixes a segfault in virt-aa-helper caused by attempting to
modify a static string literal. It is triggered when a domain has a
<filesystem> with type='mount' configured read-only and libvirt is
using the AppArmor security driver for sVirt confinement. An "R" is
passed into the function and converted to 'r'.
2016-09-07 16:29:02 -04:00
Guido Günther
0d55e0b24c virt-aa-helper: Make help output match option name 2016-07-22 07:55:59 -04:00
Cédric Bosdonnat
cedd2ab282 virt-aa-helper: better write denials handling
Better fix replacing c726af2d: introducing an 'R' permission to
add read rule, but no explicit deny write rule.
2016-07-19 16:21:36 +02:00
Julio Faracco
fc624d86ea security: compilation error due to wrong parameter for vah_add_path().
The commit da665fbd introduced virStorageSourcePtr inside the structure
_virDomainFSDef. This is causing an error when libvirt is being compiled.

make[3]: Entering directory `/media/julio/8d65c59c-6ade-4740-9cdc-38016a4cb8ae
/home/julio/Desktop/virt/libvirt/src'
  CC       security/virt_aa_helper-virt-aa-helper.o
security/virt-aa-helper.c: In function 'get_files':
security/virt-aa-helper.c:1087:13: error: passing argument 2 of 'vah_add_path'
from incompatible pointer type [-Werror]
             if (vah_add_path(&buf, fs->src, "rw", true) != 0)
             ^
security/virt-aa-helper.c:732:1: note: expected 'const char *' but argument is
of type 'virStorageSourcePtr'
 vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool
recursive)
 ^
cc1: all warnings being treated as errors

Adding the attribute "path" from virStorageSourcePtr fixes this issue.

Signed-off-by: Julio Faracco <jcfaracco@gmail.com>
2016-07-19 09:02:51 +02:00
Daniel P. Berrange
b9c8af4d71 selinux: convert to typesafe virConf accessors
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-07-12 09:58:22 +01:00
Pavel Hrdina
acc83afe33 vnc: add support for listen type 'socket'
VNC graphics already supports sockets but only via 'socket' attribute.
This patch coverts that attribute into listen type 'socket'.

For backward compatibility we need to handle listen type 'socket' and 'socket'
attribute properly to support old XMLs and new XMLs.  If both are provided they
have to match, if only one of them is provided we need to be able to parse that
configuration too.

To not break migration back to old libvirt if the socket is provided by user we
need to generate migratable XML without the listen element and use only 'socket'
attribute.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2016-06-09 14:42:48 +02:00
Pavel Hrdina
b6465e1aa4 graphics: introduce new listen type 'socket'
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2016-06-09 14:24:00 +02:00
Peter Krempa
b394af162a conf: Add infrastructure for adding configuration validation
Until now we weren't able to add checks that would reject configuration
once accepted by the parser. This patch adds a new callback and
infrastructure to add such checks. In this patch all the places where
rejecting a now-invalid configuration wouldn't be a good idea are marked
with a new parser flag.
2016-06-07 13:02:20 +02:00
Ján Tomko
5da23bbedf security: label the slic_table
Add support for the slic_table to the security drivers.
2016-05-25 17:15:21 +02:00
Pavel Hrdina
3902f634bf virt-aa-helper: remove replace_string and use virStringReplace instead
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2016-05-13 17:42:57 +02:00
Simon Arlott
ab9569e546 virt-aa-helper: disallow VNC socket read permissions
The VM does not need read permission for its own VNC socket to create(),
bind(), accept() connections or to receive(), send(), etc. on connections.

https://bugzilla.redhat.com/show_bug.cgi?id=1312573
2016-04-20 09:58:47 -04:00
Martin Kletzander
32f3f0835e security: Rename DomainSetDirLabel to DomainSetPathLabel
It already labels abritrary paths, so it's just the naming that was
wrong.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2016-04-18 20:34:30 +02:00
Cole Robinson
e7db227810 util: Add virGettextInitialize, convert the code
Take setlocale/gettext error handling pattern from tools/virsh-*
and use it for all standalone binaries via a new shared
virGettextInitialize routine. The virsh* pattern differed slightly
from other callers. All users now consistently:

* Ignore setlocale errors. virsh has done this forever, presumably for
  good reason. This has been partially responsible for some bug reports:

  https://bugzilla.redhat.com/show_bug.cgi?id=1312688
  https://bugzilla.redhat.com/show_bug.cgi?id=1026514
  https://bugzilla.redhat.com/show_bug.cgi?id=1016158

* Report the failed function name
* Report strerror
2016-04-14 13:22:40 -04:00
Pavel Hrdina
d713a6b120 build: add GCC 6.0 -Wlogical-op workaround
fdstream.c: In function 'virFDStreamWrite':
fdstream.c:390:29: error: logical 'or' of equal expressions [-Werror=logical-op]
        if (errno == EAGAIN || errno == EWOULDBLOCK) {
                            ^~

Fedora rawhide now uses gcc 6.0 and there is a bug with -Wlogical-op
producing false warnings.

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69602

Use GCC pragma push/pop and ignore -Wlogical-op for GCC that supports
push/pop pragma and also has this bug.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2016-04-11 12:09:14 +02:00
Guido Günther
dfbc9a8382 apparmor: QEMU monitor socket moved
The directory name changed in a89f05ba8d.

This unbreaks launching QEMU/KVM VMs with apparmor enabled. It also adds
the directory for the qemu guest-agent socket which is not known when
parsing the domain XML.
2016-04-02 12:49:28 +02:00
Laurent Bigonville
0b6e5ddd89 security_selinux: Fix typo in error message 2016-02-19 17:15:31 +00:00
Peter Krempa
41c987b72d Fix build after recent patches
Few build breaking mistakes in less-popular parts of our code.
2016-02-04 16:34:28 +01:00
Martin Kletzander
1794a0103a qemu: Don't crash when create fails early
Since commit 7140807917 we are generating
socket path later than before -- when starting a domain.  That makes one
particular inconsistent state of a chardev, which was not possible
before, currently valid.  However, SELinux security driver forgot to
guard the main restoring function by a check for NULL-paths.  So make it
no-op for NULL paths, as in the DAC driver.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1300532

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2016-02-03 11:01:42 +01:00
Jiri Denemark
8f0a15727f security: Do not restore labels on device tree binary
A device tree binary file specified by /domain/os/dtb element is a
read-only resource similar to kernel and initrd files. We shouldn't
restore its label when destroying a domain to avoid breaking other
domains configure with the same device tree.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2016-01-15 16:34:37 +01:00
Jiri Denemark
68acc701bd security: Do not restore kernel and initrd labels
Kernel/initrd files are essentially read-only shareable images and thus
should be handled in the same way. We already use the appropriate label
for kernel/initrd files when starting a domain, but when a domain gets
destroyed we would remove the labels which would make other running
domains using the same files very unhappy.

https://bugzilla.redhat.com/show_bug.cgi?id=921135

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2016-01-15 10:55:58 +01:00
Cédric Bosdonnat
c726af2d5a virt-aa-helper: don't deny writes to readonly mounts
There is no need to deny writes on a readonly mount: write still
won't be accepted, even if the user remounts the folder as RW in
the guest as qemu sets the 9p mount as ro.

This deny rule was leading to problems for example with readonly /:
The qemu process had to write to a bunch of files in / like logs,
sockets, etc. This deny rule was also preventing auditing of these
denials, making it harder to debug.
2016-01-14 15:42:05 +01:00
Ján Tomko
077bdba5c2 security_stack: remove extra Security from function names
Many of the functions follow the pattern:
virSecurity.*Security.*Label

Remove the second 'Security' from the names, it should be
obvious that the virSecurity* functions deal with security
labels even without it.
2015-12-15 16:06:08 +01:00
Ján Tomko
ba9285b3a3 security_selinux: remove extra Security from function names
Many of the functions follow the pattern:
virSecurity.*Security.*Label

Remove the second 'Security' from the names, it should be obvious
that the virSecurity* functions deal with security labels even
without it.
2015-12-15 16:06:08 +01:00
Ján Tomko
be33e96533 security_dac: remove extra Security from function names
Many of the functions follow the pattern:
virSecurity.*Security.*Label

Remove the second 'Security' from the names, it should be obvious
that the virSecurity* functions deal with security labels even
without it.
2015-12-15 16:06:08 +01:00
Ján Tomko
bfc29df3e0 security_selinux: fix indentation 2015-12-09 10:44:26 +01:00
Ján Tomko
63cc969a84 security_dac: check if virSecurityDACGetIds returns negative
Use the customary check '< 0' instead of checking for non-zero.

No functional change.
2015-12-09 10:44:26 +01:00
Ján Tomko
d5aba1a4d9 security: label the evdev for input device passthrough
Add functions for setting and restoring the label of input devices
to DAC and SELinux drivers.

https://bugzilla.redhat.com/show_bug.cgi?id=1231114
2015-11-30 12:57:43 +01:00
Jiri Denemark
c6172260a5 security: Cleanup DAC driver
Fixes several style issues and removes "DEF" (what is it supposed to
mean anyway?) from debug messages.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2015-11-11 17:02:53 +01:00
Ishmanpreet Kaur Khera
32cee5b2f0 Avoid using !STREQ and !STRNEQ
We have macros for both positive and negative string matching.
Therefore there is no need to use !STREQ or !STRNEQ. At the same
time as we are dropping this, new syntax-check rule is
introduced to make sure we won't introduce it again.

Signed-off-by: Ishmanpreet Kaur Khera <khera.ishman@gmail.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-21 15:03:35 +02:00
Michal Privoznik
6222a6fee3 security_dac: Introduce remember/recall APIs
Even though the APIs are not implemented yet, they create a
skeleton that can be filled in later.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-16 16:51:41 +02:00
Michal Privoznik
ec04c18bc5 security_dac: Limit usage of virSecurityDACSetOwnershipInternal
This function should really be called only when we want to change
ownership of a file (or disk source). Lets switch to calling a
wrapper function which will eventually record the current owner
of the file and call virSecurityDACSetOwnershipInternal
subsequently.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-16 16:51:41 +02:00
Michal Privoznik
fdf44d5b47 virSecurityDACRestoreSecurityFileLabel: Pass virSecurityDACDataPtr
This is pure code adjustment. The structure is going to be needed
later as it will hold a reference that will be used to talk to
virtlockd. However, so far this is no functional change just code
preparation.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-16 16:51:41 +02:00
Michal Privoznik
607f34319d virSecurityDACSetOwnership: Pass virSecurityDACDataPtr
This is pure code adjustment. The structure is going to be needed
later as it will hold a reference that will be used to talk to
virtlockd. However, so far this is no functional change just code
preparation.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-16 16:51:41 +02:00
Michal Privoznik
a0f43d820d virSecurityDACSetOwnershipInternal: Don't chown so often
It's better if we stat() file that we are about to chown() at
first and check if there's something we need to change. Not that
it would make much difference, but for the upcoming patches we
need to be doing stat() anyway. Moreover, if we do things this
way, we can drop @chown_errno variable which will become
redundant.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-16 16:51:41 +02:00
Michal Privoznik
d37d8f78c0 security_dac: Fix TODO marks
Correctly mark the places where we need to remember and recall
file ownership. We don't want to mislead any potential developer.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-16 16:51:41 +02:00
Michal Privoznik
79bd55b302 virSecurityManagerNew: Turn array of booleans into flags
So imagine you want to crate new security manager:

  if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false, true)));

Hard to parse, right? What about this:

  if (!(mgr = virSecurityManagerNew("selinux", "QEMU",
                                    VIR_SECURITY_MANAGER_DEFAULT_CONFINED |
                                    VIR_SECURITY_MANAGER_PRIVILEGED)));

Now that's better! This is what the commit does.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-07 17:51:28 +02:00
Cédric Bosdonnat
a1bdf04b27 apparmor: differentiate between error and unconfined profiles
profile_status function was not making any difference between error
cases and unconfined profiles. The problem with this approach is that
dominfo was throwing an error on unconfined domains.
2015-10-06 13:47:01 +02:00
Michal Privoznik
00e5b96716 security_selinux: Take @privileged into account
https://bugzilla.redhat.com/show_bug.cgi?id=1124841

If running in session mode it may happen that we fail to set
correct SELinux label, but the image may still be readable to
the qemu process. Take this into account.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-09-15 11:30:14 +02:00
Michal Privoznik
307fb9044c virSecurityManager: Track if running as privileged
We may want to do some decisions in drivers based on fact if we
are running as privileged user or not. Propagate this info there.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-09-15 11:30:14 +02:00
Michal Privoznik
276c409163 security_selinux: Replace SELinuxSCSICallbackData with proper struct
We have plenty of callbacks in the driver. Some of these
callbacks require more than one argument to be passed. For that
we currently have a data type (struct) per each callback. Well,
so far for only one - SELinuxSCSICallbackData. But lets turn it
into more general name so it can be reused in other callbacks too
instead of each one introducing a new, duplicate data type.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-09-15 11:30:13 +02:00
Michal Privoznik
370461d1db virSecuritySELinuxSetSecurityAllLabel: drop useless virFileIsSharedFSType
The check is done in virSecuritySELinuxSetFilecon itself. There's
no need to check it again.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-09-15 11:30:13 +02:00
Guido Günther
ee7d5c312b apparmor: Adjust path to domain monitor socket
f1f68ca33 moved the monitor socket to a per domain directory. Adjust the
path accordingly.
2015-08-29 18:15:49 +02:00
Michal Privoznik
52970dec5b virt-aa-helper: Improve valid_path
So, after some movement in virt-aa-helper, I've noticed the
virt-aa-helper-test failing. I've ran gdb (it took me a while to
realize how to do that) and this showed up immediately:

  Program received signal SIGSEGV, Segmentation fault.
  strlen () at ../sysdeps/x86_64/strlen.S:106
  106     ../sysdeps/x86_64/strlen.S: No such file or directory.
  (gdb) bt
  #0  strlen () at ../sysdeps/x86_64/strlen.S:106
  #1  0x0000555555561a13 in array_starts_with (str=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", arr=0x7fffffffd160, size=-1540438016) at security/virt-aa-helper.c:525
  #2  0x0000555555561d49 in valid_path (path=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", readonly=false) at security/virt-aa-helper.c:617
  #3  0x0000555555562506 in vah_add_path (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw", recursive=false) at security/virt-aa-helper.c:823
  #4  0x0000555555562693 in vah_add_file (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw") at security/virt-aa-helper.c:854
  #5  0x0000555555562918 in add_file_path (disk=0x5555557d4440, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", depth=0, opaque=0x7fffffffd3e0) at security/virt-aa-helper.c:931
  #6  0x00007ffff78f18b1 in virDomainDiskDefForeachPath (disk=0x5555557d4440, ignoreOpenFailure=true, iter=0x5555555628a6 <add_file_path>, opaque=0x7fffffffd3e0) at conf/domain_conf.c:23286
  #7  0x0000555555562b5f in get_files (ctl=0x7fffffffd670) at security/virt-aa-helper.c:982
  #8  0x0000555555564100 in vahParseArgv (ctl=0x7fffffffd670, argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1277
  #9  0x00005555555643d6 in main (argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1332

So I've taken look at valid_path() because it is obviously
calling array_starts_with() with malformed @size. And here's the
result: there are two variables to hold the size of three arrays
and their value is recalculated before each call of
array_starts_with(). What if we just use three variables,
initialize them and do not touch them afterwards?

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-08-27 15:05:25 +02:00
Peter Kieser
91fdcefa7f virt-aa-helper: add NVRAM store file for read/write
This is a cryptographically signed message in MIME format.

Some UEFI firmwares may want to use a non-volatile memory to store some
variables.
If AppArmor is enabled, and NVRAM store file is set currently
virt-aa-helper does
not add the NVRAM store file to the template. Add this file for
read/write when
this functionality is defined in domain XML.

Signed-off-by: Peter Kieser <peter@kieser.ca>
2015-08-26 16:25:44 +02:00
Guido Günther
4d4c90dfd5 selinux: fix compile errors
Remove unused variable, tag unused parameter and adjust return type.

introduced by 3f48345f7e

CC     security/libvirt_security_manager_la-security_selinux.lo
security/security_selinux.c: In function 'virSecuritySELinuxDomainSetDirLabel':
security/security_selinux.c:2520:5: error: return makes pointer from integer without a cast [-Werror]
security/security_selinux.c:2514:9: error: unused variable 'ret' [-Werror=unused-variable]
security/security_selinux.c:2509:59: error: unused parameter 'mgr' [-Werror=unused-parameter]
2015-08-24 14:15:12 +02:00
intrigeri
2f01cfdf05 virt-aa-helper: allow access to /usr/share/ovmf/
We forbid access to /usr/share/, but (at least on Debian-based systems)
the Open Virtual Machine Firmware files needed for booting UEFI virtual
machines in QEMU live in /usr/share/ovmf/. Therefore, we need to add
that directory to the list of read only paths.

A similar patch was suggested by Jamie Strandboge <jamie@canonical.com>
on https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071.
2015-08-24 13:00:39 +02:00
Guido Günther
d25a5e087a virt-aa-helper: Simplify restriction logic
First check overrides, then read only files then restricted access
itself.

This allows us to mark files for read only access whose parents were
already restricted for read write.

Based on a proposal by Martin Kletzander
2015-08-24 13:00:39 +02:00