Commit Graph

571 Commits

Author SHA1 Message Date
John Ferlan
77a12987a4 Introduce virDomainChrSourceDefNew for virDomainChrDefPtr
Change the virDomainChrDef to use a pointer to 'source' and allocate
that pointer during virDomainChrDefNew.

This has tremendous "fallout" in the rest of the code which mainly
has to change source.$field to source->$field.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2016-10-21 14:03:36 -04:00
Michal Privoznik
c41b989112 virDomainDefParse{File,String}: Introduce @parseOpaque argument
We want to pass the proper opaque pointer instead of NULL to
virDomainDefParse and subsequently virDomainDefParseNode too.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-09-26 16:50:12 +02:00
Julio Faracco
fe94ee5db5 security: Fixing wrong label in virt-aa-helper.c.
There is an issue with a wrong label inside vah_add_path().
The compilation fails with the error:
make[3]: Entering directory '/tmp/libvirt/src'
  CC       security/virt_aa_helper-virt-aa-helper.o
security/virt-aa-helper.c: In function 'vah_add_path':
security/virt-aa-helper.c:769:9: error: label 'clean' used but not defined
         goto clean;

This patch moves 'clean' label to 'cleanup' label.

Signed-off-by: Julio Faracco <jcfaracco@gmail.com>
2016-09-07 18:06:31 -04:00
Rufo Dogav
b3c1bcb9fd Avoid segfault in virt-aa-helper when handling read-only filesystems
This patch fixes a segfault in virt-aa-helper caused by attempting to
modify a static string literal. It is triggered when a domain has a
<filesystem> with type='mount' configured read-only and libvirt is
using the AppArmor security driver for sVirt confinement. An "R" is
passed into the function and converted to 'r'.
2016-09-07 16:29:02 -04:00
Guido Günther
0d55e0b24c virt-aa-helper: Make help output match option name 2016-07-22 07:55:59 -04:00
Cédric Bosdonnat
cedd2ab282 virt-aa-helper: better write denials handling
Better fix replacing c726af2d: introducing an 'R' permission to
add read rule, but no explicit deny write rule.
2016-07-19 16:21:36 +02:00
Julio Faracco
fc624d86ea security: compilation error due to wrong parameter for vah_add_path().
The commit da665fbd introduced virStorageSourcePtr inside the structure
_virDomainFSDef. This is causing an error when libvirt is being compiled.

make[3]: Entering directory `/media/julio/8d65c59c-6ade-4740-9cdc-38016a4cb8ae
/home/julio/Desktop/virt/libvirt/src'
  CC       security/virt_aa_helper-virt-aa-helper.o
security/virt-aa-helper.c: In function 'get_files':
security/virt-aa-helper.c:1087:13: error: passing argument 2 of 'vah_add_path'
from incompatible pointer type [-Werror]
             if (vah_add_path(&buf, fs->src, "rw", true) != 0)
             ^
security/virt-aa-helper.c:732:1: note: expected 'const char *' but argument is
of type 'virStorageSourcePtr'
 vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool
recursive)
 ^
cc1: all warnings being treated as errors

Adding the attribute "path" from virStorageSourcePtr fixes this issue.

Signed-off-by: Julio Faracco <jcfaracco@gmail.com>
2016-07-19 09:02:51 +02:00
Daniel P. Berrange
b9c8af4d71 selinux: convert to typesafe virConf accessors
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-07-12 09:58:22 +01:00
Pavel Hrdina
acc83afe33 vnc: add support for listen type 'socket'
VNC graphics already supports sockets but only via 'socket' attribute.
This patch coverts that attribute into listen type 'socket'.

For backward compatibility we need to handle listen type 'socket' and 'socket'
attribute properly to support old XMLs and new XMLs.  If both are provided they
have to match, if only one of them is provided we need to be able to parse that
configuration too.

To not break migration back to old libvirt if the socket is provided by user we
need to generate migratable XML without the listen element and use only 'socket'
attribute.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2016-06-09 14:42:48 +02:00
Pavel Hrdina
b6465e1aa4 graphics: introduce new listen type 'socket'
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2016-06-09 14:24:00 +02:00
Peter Krempa
b394af162a conf: Add infrastructure for adding configuration validation
Until now we weren't able to add checks that would reject configuration
once accepted by the parser. This patch adds a new callback and
infrastructure to add such checks. In this patch all the places where
rejecting a now-invalid configuration wouldn't be a good idea are marked
with a new parser flag.
2016-06-07 13:02:20 +02:00
Ján Tomko
5da23bbedf security: label the slic_table
Add support for the slic_table to the security drivers.
2016-05-25 17:15:21 +02:00
Pavel Hrdina
3902f634bf virt-aa-helper: remove replace_string and use virStringReplace instead
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2016-05-13 17:42:57 +02:00
Simon Arlott
ab9569e546 virt-aa-helper: disallow VNC socket read permissions
The VM does not need read permission for its own VNC socket to create(),
bind(), accept() connections or to receive(), send(), etc. on connections.

https://bugzilla.redhat.com/show_bug.cgi?id=1312573
2016-04-20 09:58:47 -04:00
Martin Kletzander
32f3f0835e security: Rename DomainSetDirLabel to DomainSetPathLabel
It already labels abritrary paths, so it's just the naming that was
wrong.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2016-04-18 20:34:30 +02:00
Cole Robinson
e7db227810 util: Add virGettextInitialize, convert the code
Take setlocale/gettext error handling pattern from tools/virsh-*
and use it for all standalone binaries via a new shared
virGettextInitialize routine. The virsh* pattern differed slightly
from other callers. All users now consistently:

* Ignore setlocale errors. virsh has done this forever, presumably for
  good reason. This has been partially responsible for some bug reports:

  https://bugzilla.redhat.com/show_bug.cgi?id=1312688
  https://bugzilla.redhat.com/show_bug.cgi?id=1026514
  https://bugzilla.redhat.com/show_bug.cgi?id=1016158

* Report the failed function name
* Report strerror
2016-04-14 13:22:40 -04:00
Pavel Hrdina
d713a6b120 build: add GCC 6.0 -Wlogical-op workaround
fdstream.c: In function 'virFDStreamWrite':
fdstream.c:390:29: error: logical 'or' of equal expressions [-Werror=logical-op]
        if (errno == EAGAIN || errno == EWOULDBLOCK) {
                            ^~

Fedora rawhide now uses gcc 6.0 and there is a bug with -Wlogical-op
producing false warnings.

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69602

Use GCC pragma push/pop and ignore -Wlogical-op for GCC that supports
push/pop pragma and also has this bug.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2016-04-11 12:09:14 +02:00
Guido Günther
dfbc9a8382 apparmor: QEMU monitor socket moved
The directory name changed in a89f05ba8d.

This unbreaks launching QEMU/KVM VMs with apparmor enabled. It also adds
the directory for the qemu guest-agent socket which is not known when
parsing the domain XML.
2016-04-02 12:49:28 +02:00
Laurent Bigonville
0b6e5ddd89 security_selinux: Fix typo in error message 2016-02-19 17:15:31 +00:00
Peter Krempa
41c987b72d Fix build after recent patches
Few build breaking mistakes in less-popular parts of our code.
2016-02-04 16:34:28 +01:00
Martin Kletzander
1794a0103a qemu: Don't crash when create fails early
Since commit 7140807917 we are generating
socket path later than before -- when starting a domain.  That makes one
particular inconsistent state of a chardev, which was not possible
before, currently valid.  However, SELinux security driver forgot to
guard the main restoring function by a check for NULL-paths.  So make it
no-op for NULL paths, as in the DAC driver.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1300532

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2016-02-03 11:01:42 +01:00
Jiri Denemark
8f0a15727f security: Do not restore labels on device tree binary
A device tree binary file specified by /domain/os/dtb element is a
read-only resource similar to kernel and initrd files. We shouldn't
restore its label when destroying a domain to avoid breaking other
domains configure with the same device tree.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2016-01-15 16:34:37 +01:00
Jiri Denemark
68acc701bd security: Do not restore kernel and initrd labels
Kernel/initrd files are essentially read-only shareable images and thus
should be handled in the same way. We already use the appropriate label
for kernel/initrd files when starting a domain, but when a domain gets
destroyed we would remove the labels which would make other running
domains using the same files very unhappy.

https://bugzilla.redhat.com/show_bug.cgi?id=921135

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2016-01-15 10:55:58 +01:00
Cédric Bosdonnat
c726af2d5a virt-aa-helper: don't deny writes to readonly mounts
There is no need to deny writes on a readonly mount: write still
won't be accepted, even if the user remounts the folder as RW in
the guest as qemu sets the 9p mount as ro.

This deny rule was leading to problems for example with readonly /:
The qemu process had to write to a bunch of files in / like logs,
sockets, etc. This deny rule was also preventing auditing of these
denials, making it harder to debug.
2016-01-14 15:42:05 +01:00
Ján Tomko
077bdba5c2 security_stack: remove extra Security from function names
Many of the functions follow the pattern:
virSecurity.*Security.*Label

Remove the second 'Security' from the names, it should be
obvious that the virSecurity* functions deal with security
labels even without it.
2015-12-15 16:06:08 +01:00
Ján Tomko
ba9285b3a3 security_selinux: remove extra Security from function names
Many of the functions follow the pattern:
virSecurity.*Security.*Label

Remove the second 'Security' from the names, it should be obvious
that the virSecurity* functions deal with security labels even
without it.
2015-12-15 16:06:08 +01:00
Ján Tomko
be33e96533 security_dac: remove extra Security from function names
Many of the functions follow the pattern:
virSecurity.*Security.*Label

Remove the second 'Security' from the names, it should be obvious
that the virSecurity* functions deal with security labels even
without it.
2015-12-15 16:06:08 +01:00
Ján Tomko
bfc29df3e0 security_selinux: fix indentation 2015-12-09 10:44:26 +01:00
Ján Tomko
63cc969a84 security_dac: check if virSecurityDACGetIds returns negative
Use the customary check '< 0' instead of checking for non-zero.

No functional change.
2015-12-09 10:44:26 +01:00
Ján Tomko
d5aba1a4d9 security: label the evdev for input device passthrough
Add functions for setting and restoring the label of input devices
to DAC and SELinux drivers.

https://bugzilla.redhat.com/show_bug.cgi?id=1231114
2015-11-30 12:57:43 +01:00
Jiri Denemark
c6172260a5 security: Cleanup DAC driver
Fixes several style issues and removes "DEF" (what is it supposed to
mean anyway?) from debug messages.

Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
2015-11-11 17:02:53 +01:00
Ishmanpreet Kaur Khera
32cee5b2f0 Avoid using !STREQ and !STRNEQ
We have macros for both positive and negative string matching.
Therefore there is no need to use !STREQ or !STRNEQ. At the same
time as we are dropping this, new syntax-check rule is
introduced to make sure we won't introduce it again.

Signed-off-by: Ishmanpreet Kaur Khera <khera.ishman@gmail.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-21 15:03:35 +02:00
Michal Privoznik
6222a6fee3 security_dac: Introduce remember/recall APIs
Even though the APIs are not implemented yet, they create a
skeleton that can be filled in later.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-16 16:51:41 +02:00
Michal Privoznik
ec04c18bc5 security_dac: Limit usage of virSecurityDACSetOwnershipInternal
This function should really be called only when we want to change
ownership of a file (or disk source). Lets switch to calling a
wrapper function which will eventually record the current owner
of the file and call virSecurityDACSetOwnershipInternal
subsequently.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-16 16:51:41 +02:00
Michal Privoznik
fdf44d5b47 virSecurityDACRestoreSecurityFileLabel: Pass virSecurityDACDataPtr
This is pure code adjustment. The structure is going to be needed
later as it will hold a reference that will be used to talk to
virtlockd. However, so far this is no functional change just code
preparation.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-16 16:51:41 +02:00
Michal Privoznik
607f34319d virSecurityDACSetOwnership: Pass virSecurityDACDataPtr
This is pure code adjustment. The structure is going to be needed
later as it will hold a reference that will be used to talk to
virtlockd. However, so far this is no functional change just code
preparation.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-16 16:51:41 +02:00
Michal Privoznik
a0f43d820d virSecurityDACSetOwnershipInternal: Don't chown so often
It's better if we stat() file that we are about to chown() at
first and check if there's something we need to change. Not that
it would make much difference, but for the upcoming patches we
need to be doing stat() anyway. Moreover, if we do things this
way, we can drop @chown_errno variable which will become
redundant.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-16 16:51:41 +02:00
Michal Privoznik
d37d8f78c0 security_dac: Fix TODO marks
Correctly mark the places where we need to remember and recall
file ownership. We don't want to mislead any potential developer.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-16 16:51:41 +02:00
Michal Privoznik
79bd55b302 virSecurityManagerNew: Turn array of booleans into flags
So imagine you want to crate new security manager:

  if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false, true)));

Hard to parse, right? What about this:

  if (!(mgr = virSecurityManagerNew("selinux", "QEMU",
                                    VIR_SECURITY_MANAGER_DEFAULT_CONFINED |
                                    VIR_SECURITY_MANAGER_PRIVILEGED)));

Now that's better! This is what the commit does.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-10-07 17:51:28 +02:00
Cédric Bosdonnat
a1bdf04b27 apparmor: differentiate between error and unconfined profiles
profile_status function was not making any difference between error
cases and unconfined profiles. The problem with this approach is that
dominfo was throwing an error on unconfined domains.
2015-10-06 13:47:01 +02:00
Michal Privoznik
00e5b96716 security_selinux: Take @privileged into account
https://bugzilla.redhat.com/show_bug.cgi?id=1124841

If running in session mode it may happen that we fail to set
correct SELinux label, but the image may still be readable to
the qemu process. Take this into account.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-09-15 11:30:14 +02:00
Michal Privoznik
307fb9044c virSecurityManager: Track if running as privileged
We may want to do some decisions in drivers based on fact if we
are running as privileged user or not. Propagate this info there.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-09-15 11:30:14 +02:00
Michal Privoznik
276c409163 security_selinux: Replace SELinuxSCSICallbackData with proper struct
We have plenty of callbacks in the driver. Some of these
callbacks require more than one argument to be passed. For that
we currently have a data type (struct) per each callback. Well,
so far for only one - SELinuxSCSICallbackData. But lets turn it
into more general name so it can be reused in other callbacks too
instead of each one introducing a new, duplicate data type.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-09-15 11:30:13 +02:00
Michal Privoznik
370461d1db virSecuritySELinuxSetSecurityAllLabel: drop useless virFileIsSharedFSType
The check is done in virSecuritySELinuxSetFilecon itself. There's
no need to check it again.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-09-15 11:30:13 +02:00
Guido Günther
ee7d5c312b apparmor: Adjust path to domain monitor socket
f1f68ca33 moved the monitor socket to a per domain directory. Adjust the
path accordingly.
2015-08-29 18:15:49 +02:00
Michal Privoznik
52970dec5b virt-aa-helper: Improve valid_path
So, after some movement in virt-aa-helper, I've noticed the
virt-aa-helper-test failing. I've ran gdb (it took me a while to
realize how to do that) and this showed up immediately:

  Program received signal SIGSEGV, Segmentation fault.
  strlen () at ../sysdeps/x86_64/strlen.S:106
  106     ../sysdeps/x86_64/strlen.S: No such file or directory.
  (gdb) bt
  #0  strlen () at ../sysdeps/x86_64/strlen.S:106
  #1  0x0000555555561a13 in array_starts_with (str=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", arr=0x7fffffffd160, size=-1540438016) at security/virt-aa-helper.c:525
  #2  0x0000555555561d49 in valid_path (path=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", readonly=false) at security/virt-aa-helper.c:617
  #3  0x0000555555562506 in vah_add_path (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw", recursive=false) at security/virt-aa-helper.c:823
  #4  0x0000555555562693 in vah_add_file (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw") at security/virt-aa-helper.c:854
  #5  0x0000555555562918 in add_file_path (disk=0x5555557d4440, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", depth=0, opaque=0x7fffffffd3e0) at security/virt-aa-helper.c:931
  #6  0x00007ffff78f18b1 in virDomainDiskDefForeachPath (disk=0x5555557d4440, ignoreOpenFailure=true, iter=0x5555555628a6 <add_file_path>, opaque=0x7fffffffd3e0) at conf/domain_conf.c:23286
  #7  0x0000555555562b5f in get_files (ctl=0x7fffffffd670) at security/virt-aa-helper.c:982
  #8  0x0000555555564100 in vahParseArgv (ctl=0x7fffffffd670, argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1277
  #9  0x00005555555643d6 in main (argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1332

So I've taken look at valid_path() because it is obviously
calling array_starts_with() with malformed @size. And here's the
result: there are two variables to hold the size of three arrays
and their value is recalculated before each call of
array_starts_with(). What if we just use three variables,
initialize them and do not touch them afterwards?

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-08-27 15:05:25 +02:00
Peter Kieser
91fdcefa7f virt-aa-helper: add NVRAM store file for read/write
This is a cryptographically signed message in MIME format.

Some UEFI firmwares may want to use a non-volatile memory to store some
variables.
If AppArmor is enabled, and NVRAM store file is set currently
virt-aa-helper does
not add the NVRAM store file to the template. Add this file for
read/write when
this functionality is defined in domain XML.

Signed-off-by: Peter Kieser <peter@kieser.ca>
2015-08-26 16:25:44 +02:00
Guido Günther
4d4c90dfd5 selinux: fix compile errors
Remove unused variable, tag unused parameter and adjust return type.

introduced by 3f48345f7e

CC     security/libvirt_security_manager_la-security_selinux.lo
security/security_selinux.c: In function 'virSecuritySELinuxDomainSetDirLabel':
security/security_selinux.c:2520:5: error: return makes pointer from integer without a cast [-Werror]
security/security_selinux.c:2514:9: error: unused variable 'ret' [-Werror=unused-variable]
security/security_selinux.c:2509:59: error: unused parameter 'mgr' [-Werror=unused-parameter]
2015-08-24 14:15:12 +02:00
intrigeri
2f01cfdf05 virt-aa-helper: allow access to /usr/share/ovmf/
We forbid access to /usr/share/, but (at least on Debian-based systems)
the Open Virtual Machine Firmware files needed for booting UEFI virtual
machines in QEMU live in /usr/share/ovmf/. Therefore, we need to add
that directory to the list of read only paths.

A similar patch was suggested by Jamie Strandboge <jamie@canonical.com>
on https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1483071.
2015-08-24 13:00:39 +02:00
Guido Günther
d25a5e087a virt-aa-helper: Simplify restriction logic
First check overrides, then read only files then restricted access
itself.

This allows us to mark files for read only access whose parents were
already restricted for read write.

Based on a proposal by Martin Kletzander
2015-08-24 13:00:39 +02:00
Guido Günther
26c5fa3a9b virt-aa-helper: document --probing and --dry-run 2015-08-24 13:00:39 +02:00
Martin Kletzander
f4c60dfbf2 security_dac: Add SetDirLabel support
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2015-08-24 11:53:17 +02:00
Martin Kletzander
3f48345f7e security_selinux: Add SetDirLabel support
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2015-08-24 11:53:17 +02:00
Martin Kletzander
99cf04e32d security_stack: Add SetDirLabel support
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2015-08-24 11:53:17 +02:00
Martin Kletzander
f65a2a12f4 security: Add virSecurityDomainSetDirLabel
That function can be used for setting security labels on arbitrary
directories.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2015-08-24 11:53:17 +02:00
Martin Kletzander
7b6953bc22 security_dac: Label non-listening sockets
SELinux security driver already does that, but DAC driver somehow missed
the memo.  Let's fix it so it works the same way.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2015-08-24 11:53:17 +02:00
Martin Kletzander
4ac6ce38d3 security_selinux: Use proper structure to access socket data
In virSecuritySELinuxSetSecurityChardevLabel() we are labelling unix
socket path, but accessing another structure of the union.  This does
not pose a problem currently as both paths are at the same offset, but
this should be fixed for the future.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2015-08-24 11:53:17 +02:00
Cédric Bosdonnat
24f3c2f7e0 virt-aa-helper: add DomainGuest to mockup caps
With commit 3f9868a virt-aa-helper stopped working due to missing
DomainGuest in the caps.

The test with -c without arch also needs to be
removed since the new capabilities code uses the host arch when none is
provided.
2015-07-10 11:30:36 +02:00
Cédric Bosdonnat
61dab0f74e virt-aa-helper: rename ctl->hvm to ctl->os
ctl->hvm contains os.type string value, change the name to reflect it.
2015-07-10 11:30:36 +02:00
Cédric Bosdonnat
a55a5e7cfe Get more libvirt errors from virt-aa-helper
Initializing libvirt log in virt-aa-helper and getting it to output
libvirt log to stderr. This will help debugging problems happening in
libvirt functions called from within virt-aa-helper
2015-07-10 11:30:36 +02:00
Cédric Bosdonnat
e44bcae9f0 virt-aa-helper: fix rules for paths with trailing slash
Rules generated for a path like '/' were having '//' which isn't
correct for apparmor. Make virt-aa-helper smarter to avoid these.
2015-07-10 11:30:36 +02:00
Serge Hallyn
56ba2f99a5 virt-aa-helper: add unix channels for nserials as well
Commit 03d7462d added it for channels, but it is also needed for serials.  Add
it for serials, parallels, and consoles as well.

This solves https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1015154

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2015-07-08 13:49:58 +02:00
Michal Dubiel
a188c57d54 virt-aa-helper: Fix permissions for vhost-user socket files
QEMU working in vhost-user mode communicates with the other end (i.e.
some virtual router application) via unix domain sockets. This requires
that permissions for the socket files are correctly written into
/etc/apparmor.d/libvirt/libvirt-UUID.files.

Signed-off-by: Michal Dubiel <md@semihalf.com>
2015-07-02 11:17:03 +02:00
Cole Robinson
835cf84b7e domain: conf: Drop expectedVirtTypes
This needs to specified in way too many places for a simple validation
check. The ostype/arch/virttype validation checks later in
DomainDefParseXML should catch most of the cases that this was covering.
2015-04-20 16:43:43 -04:00
Cole Robinson
d0440e3269 caps: Switch AddGuest to take VIR_DOMAIN_OSTYPE value
Rather than an opencoded string. This should be a no-op
2015-04-20 16:38:09 -04:00
Serge Hallyn
03d7462d87 virt-aa-helper: add unix channels (esp for qemu-guest-agent)
The original bug report was at
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1393842

Also skip abstract unix sockets.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2015-04-14 14:06:27 +02:00
John Ferlan
5a36cdbcce security: Resolve Coverity RESOURCE_LEAK
Introduced by commit id 'c3d9d3bb' - return from virSecurityManagerCheckModel
wasn't VIR_FREE()'ing the virSecurityManagerGetNested allocated memory.
2015-02-14 07:31:36 -05:00
Erik Skultety
aee3b77c33 security: Refactor virSecurityManagerGenLabel
if (mgr == NULL || mgr->drv == NULL)
    return ret;

This check isn't really necessary, security manager cannot be a NULL
pointer as it is either selinux (by default) or 'none', if no other driver is
set in the config. Even with no config file driver name yields 'none'.

The other hunk checks for domain's security model validity, but we should
also check devices' security model as well, therefore this hunk is moved into
a separate function which is called by virSecurityManagerCheckAllLabel that
checks both the domain's security model and devices' security model.

https://bugzilla.redhat.com/show_bug.cgi?id=1165485
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2015-02-13 14:49:23 +01:00
Erik Skultety
c3d9d3bbc9 security: introduce virSecurityManagerCheckAllLabel function
We do have a check for valid per-domain security model, however we still
do permit an invalid security model for a domain's device (those which
are specified with <source> element).
This patch introduces a new function virSecurityManagerCheckAllLabel
which compares user specified security model against currently
registered security drivers. That being said, it also permits 'none'
being specified as a device security model.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1165485
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2015-02-13 14:37:54 +01:00
Daniel P. Berrange
0ecd685109 Give virDomainDef parser & formatter their own flags
The virDomainDefParse* and virDomainDefFormat* methods both
accept the VIR_DOMAIN_XML_* flags defined in the public API,
along with a set of other VIR_DOMAIN_XML_INTERNAL_* flags
defined in domain_conf.c.

This is seriously confusing & error prone for a number of
reasons:

 - VIR_DOMAIN_XML_SECURE, VIR_DOMAIN_XML_MIGRATABLE and
   VIR_DOMAIN_XML_UPDATE_CPU are only relevant for the
   formatting operation
 - Some of the VIR_DOMAIN_XML_INTERNAL_* flags only apply
   to parse or to format, but not both.

This patch cleanly separates out the flags. There are two
distint VIR_DOMAIN_DEF_PARSE_* and VIR_DOMAIN_DEF_FORMAT_*
flags that are used by the corresponding methods. The
VIR_DOMAIN_XML_* flags received via public API calls must
be converted to the VIR_DOMAIN_DEF_FORMAT_* flags where
needed.

The various calls to virDomainDefParse which hardcoded the
use of the VIR_DOMAIN_XML_INACTIVE flag change to use the
VIR_DOMAIN_DEF_PARSE_INACTIVE flag.
2015-01-13 16:26:12 +00:00
Ján Tomko
2764977314 Fix build on mingw
Add missing ATTRIBUTE_UNUSED markers.
2014-12-11 11:13:43 +01:00
Luyao Huang
c7c96647e9 dac: Add a new func to get DAC label of a running process
When using qemuProcessAttach to attach a qemu process,
the DAC label is not filled correctly.

Introduce a new function to get the uid:gid from the system
and fill the label.

This fixes the daemon crash when 'virsh screenshot' is called:
https://bugzilla.redhat.com/show_bug.cgi?id=1161831

It also fixes qemu-attach after the prerequisite of this patch
(commit f8c1fb3) was pushed out of order.

Signed-off-by: Luyao Huang <lhuang@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2014-12-11 10:29:43 +01:00
John Ferlan
f36d9285cd security: Manage SELinux labels on shared/readonly hostdev's
https://bugzilla.redhat.com/show_bug.cgi?id=1082521

Support for shared hostdev's was added in a number of commits, initially
starting with 'f2c1d9a80' and most recently commit id 'fd243fc4' to fix
issues with the initial implementation.  Missed in all those changes was
the need to mimic the virSELinux{Set|Restore}SecurityDiskLabel code to
handle the "shared" (or shareable) and readonly options when Setting
or Restoring the SELinux labels.

This patch will adjust the virSecuritySELinuxSetSecuritySCSILabel to not
use the virSecuritySELinuxSetSecurityHostdevLabelHelper in order to set
the label. Rather follow what the Disk code does by setting the label
differently based on whether shareable/readonly is set.  This patch will
also modify the virSecuritySELinuxRestoreSecuritySCSILabel to follow
the same logic as virSecuritySELinuxRestoreSecurityImageLabelInt and not
restore the label if shared/readonly
2014-12-09 10:48:38 -05:00
John Ferlan
5e5cf8e0ff Resolve build breaker
Commit 'c264eeaa' didn't do the prerequisite 'make syntax-check' before
pushing. There was a <tab> in the whitespace for the comment.  Replaced
with spaces and aligned.

pushed as build breaker since Jenkins complained loudly
2014-11-25 07:06:46 -05:00
Cédric Bosdonnat
c264eeaa38 virt-aa-helper: /etc/libvirt-sandbox/services isn't restricted
To get virt-sandbox-service working with AppArmor, virt-aa-helper
needs not to choke on path in /etc/libvirt-sandbox/services.
2014-11-25 11:40:55 +01:00
Cédric Bosdonnat
22221233d0 virt-aa-helper wasn't running virErrorInitialize
This turns out to be working by magic but needs to be fixed.
2014-11-25 11:40:55 +01:00
Martin Kletzander
8c38594b35 Remove unnecessary curly brackets in rest of src/[o-u]*/
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-11-14 17:13:36 +01:00
Martin Kletzander
9fdb2b55d5 virt-aa-helper: Trick invalid syntax-check
Rule sc_prohibit_newline_at_end_of_diagnostic for syntax-check does
check for passing strings ending with '\n' two lines after known
functions.  This is, of course subject to false positives, so for the
sake of future changes, trick that syntax-check by adding one more line
with a comment.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-11-14 17:13:00 +01:00
Cédric Bosdonnat
16d2bc8b98 Teach virt-aa-helper to use TEMPLATE.qemu if the domain is kvm or kqemu 2014-10-29 15:11:59 -06:00
Eric Blake
ff99c79195 maint: avoid static zero init in helpers
C guarantees that static variables are zero-initialized.  Some older
compilers (and also gcc -fno-zero-initialized-in-bss) create larger
binaries if you explicitly zero-initialize a static variable.

* src/conf/nwfilter_conf.c: Fix initialization.
* src/cpu/cpu_x86.c: Likewise.
* src/interface/interface_backend_netcf.c: Likewise.
* src/locking/lock_daemon.c: Likewise.
* src/locking/lock_driver_lockd.c: Likewise.
* src/locking/lock_driver_sanlock.c: Likewise.
* src/network/bridge_driver.c: Likewise.
* src/node_device/node_device_udev.c: Likewise.
* src/nwfilter/nwfilter_learnipaddr.c: Likewise.
* src/rpc/virnetserver.c: Likewise.
* src/security/security_selinux.c
(virSecuritySELinuxGenSecurityLabel): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-10-29 09:55:09 -06:00
Michal Privoznik
ebc0526396 security_selinux: Don't relabel /dev/net/tun
https://bugzilla.redhat.com/show_bug.cgi?id=1147057

The code for relabelling the TAP FD is there due to a race. When
libvirt creates a /dev/tapN device it's labeled as
'system_u:object_r:device_t:s0' by default. Later, when
udev/systemd reacts to this device, it's relabelled to the
expected label 'system_u:object_r:tun_tap_device_t:s0'. Hence, we
have a code that relabels the device, to cut the race down. For
more info see ae368ebfcc.

But the problem is, the relabel function is called on all TUN/TAP
devices. Yes, on /dev/net/tun too. This is however a special kind
of device - other processes uses it too. We shouldn't touch it's
label then.

Ideally, there would an API in SELinux that would label just the
passed FD and not the underlying path. That way, we wouldn't need
to care as we would be not labeling /dev/net/tun but the FD
passed to the domain. Unfortunately, there's no such API so we
have to workaround until then.

Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-10-08 15:15:58 +02:00
Cole Robinson
d3489548b5 security: Fix labelling host devices (bz 1145968)
The check for ISCSI devices was missing a check of subsys type, which
meant we could skip labelling of other host devices as well. This fixes
USB hotplug on F21

https://bugzilla.redhat.com/show_bug.cgi?id=1145968
2014-09-24 17:04:28 -04:00
Peter Krempa
b8549877a1 util: storage: Allow metadata crawler to report useful errors
Add a new parameter to virStorageFileGetMetadata that will break the
backing chain detection process and report useful error message rather
than having to use virStorageFileChainGetBroken.

This patch just introduces the option, usage will be provided
separately.
2014-09-24 09:28:29 +02:00
Michal Privoznik
ba7468dbb1 virSecuritySELinuxSetTapFDLabel: Temporarily revert to old behavior
https://bugzilla.redhat.com/show_bug.cgi?id=1141879

A long time ago I've implemented support for so called multiqueue
net.  The idea was to let guest network traffic be processed by
multiple host CPUs and thus increasing performance. However, this
behavior is enabled by QEMU via special ioctl() iterated over the
all tap FDs passed in by libvirt. Unfortunately, SELinux comes in
and disallows the ioctl() call because the /dev/net/tun has label
system_u:object_r:tun_tap_device_t:s0 and 'attach_queue' ioctl()
is not allowed on tun_tap_device_t type. So after discussion with
a SELinux developer we've decided that the FDs passed to the QEMU
should be labelled with svirt_t type and SELinux policy will
allow the ioctl(). Therefore I've made a patch
(cf976d9dcf) that does exactly this. The patch
was fixed then by a443193139 and
b635b7a1af. However, things are not
that easy - even though the API to label FD is called
(fsetfilecon_raw) the underlying file is labelled too! So
effectively we are mangling /dev/net/tun label. Yes, that broke
dozen of other application from openvpn, or boxes, to qemu
running other domains.

The best solution would be if SELinux provides a way to label an
FD only, which could be then labeled when passed to the qemu.
However that's a long path to go and we should fix this
regression AQAP. So I went to talk to the SELinux developer again
and we agreed on temporary solution that:

1) All the three patches are reverted
2) SELinux temporarily allows 'attach_queue' on the
tun_tap_device_t

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-09-18 19:02:47 +02:00
Michal Privoznik
37d8c75fad nvram: Fix permissions
I've noticed two problem with the automatically created NVRAM varstore
file. The first, even though I run qemu as root:root for some reason I
get Permission denied when trying to open the _VARS.fd file. The
problem is, the upper directory misses execute permissions, which in
combination with us dropping some capabilities result in EPERM.

The next thing is, that if I switch SELinux to enforcing mode, I get
another EPERM because the vars file is not labeled correctly. It is
passed to qemu as disk and hence should be labelled as disk. QEMU may
write to it eventually, so this is different to kernel or initrd.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-09-11 16:16:27 +02:00
Michal Privoznik
b635b7a1af selinux: Properly check TAP FD label
After a4431931 the TAP FDs ale labeled with image label instead
of the process label. On the other hand, the commit was
incomplete as a few lines above, there's still old check for the
process label presence while it should be check for the image
label instead.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-09-11 10:04:35 +02:00
Michal Privoznik
542899168c qemu: Implement extended loader and nvram
QEMU now supports UEFI with the following command line:

  -drive file=/usr/share/OVMF/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on \
  -drive file=/usr/share/OVMF/OVMF_VARS.fd,if=pflash,format=raw,unit=1 \

where the first line reflects <loader> and the second one <nvram>.
Moreover, these two lines obsolete the -bios argument.

Note that UEFI is unusable without ACPI. This is handled properly now.
Among with this extension, the variable file is expected to be
writable and hence we need security drivers to label it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
2014-09-10 09:38:07 +02:00
Michal Privoznik
68bf13dbef conf: Extend <loader/> and introduce <nvram/>
Up to now, users can configure BIOS via the <loader/> element. With
the upcoming implementation of UEFI this is not enough as BIOS and
UEFI are conceptually different. For instance, while BIOS is ROM, UEFI
is programmable flash (although all writes to code section are
denied). Therefore we need new attribute @type which will
differentiate the two. Then, new attribute @readonly is introduced to
reflect the fact that some images are RO.

Moreover, the OVMF (which is going to be used mostly), works in two
modes:
1) Code and UEFI variable store is mixed in one file.
2) Code and UEFI variable store is separated in two files

The latter has advantage of updating the UEFI code without losing the
configuration. However, in order to represent the latter case we need
yet another XML element: <nvram/>. Currently, it has no additional
attributes, it's just a bare element containing path to the variable
store file.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-09-10 09:38:07 +02:00
Shivaprasad G Bhat
a48362cdfe selinux: Avoid label reservations for type = none
For security type='none' libvirt according to the docs should not
generate seclabel be it for selinux or any model. So, skip the
reservation of labels when type is none.

Signed-off-by: Shivaprasad G Bhat <sbhat@linux.vnet.ibm.com>
2014-09-07 17:09:34 +02:00
Eric Blake
d194d6e7e6 maint: use consistent if-else braces in remaining spots
I'm about to add a syntax check that enforces our documented
HACKING style of always using matching {} on if-else statements.

This patch focuses on all remaining problems, where there weren't
enough issues to warrant splitting it further.

* src/remote/remote_driver.c (doRemoteOpen): Correct use of {}.
* src/security/virt-aa-helper.c (vah_add_path, valid_path, main):
Likewise.
* src/rpc/virnetsocket.c (virNetSocketNewConnectLibSSH2):
Likewise.
* src/esx/esx_vi_types.c (esxVI_Type_FromString): Likewise.
* src/uml/uml_driver.c (umlDomainDetachDevice): Likewise.
* src/util/viralloc.c (virShrinkN): Likewise.
* src/util/virbuffer.c (virBufferURIEncodeString): Likewise.
* src/util/virdbus.c (virDBusCall): Likewise.
* src/util/virnetdev.c (virNetDevValidateConfig): Likewise.
* src/util/virnetdevvportprofile.c
(virNetDevVPortProfileGetNthParent): Likewise.
* src/util/virpci.c (virPCIDeviceIterDevices)
(virPCIDeviceWaitForCleanup)
(virPCIDeviceIsBehindSwitchLackingACS): Likewise.
* src/util/virsocketaddr.c (virSocketAddrGetNumNetmaskBits):
Likewise.
* src/util/viruri.c (virURIParseParams): Likewise.
* daemon/stream.c (daemonStreamHandleAbort): Likewise.
* tests/testutils.c (virtTestResult): Likewise.
* tests/cputest.c (cpuTestBaseline): Likewise.
* tools/virsh-domain.c (cmdDomPMSuspend): Likewise.
* tools/virsh-host.c (cmdNodeSuspend): Likewise.
* src/esx/esx_vi_generator.py (Type.generate_typefromstring):
Tweak generated code.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-09-04 14:34:03 -06:00
Martin Kletzander
a443193139 selinux: properly label tap FDs with imagelabel
The cleanup in commit cf976d9d used secdef->label to label the tap
FDs, but that is not possible since it's process-only label (svirt_t)
and not a object label (e.g. svirt_image_t).  Starting a domain failed
with EPERM, but simply using secdef->imagelabel instead of
secdef->label fixes it.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-09-01 15:36:23 +02:00
Martin Kletzander
93cf8f9861 cleanup spaces between parentheses and braces
And add a syntax-check for '){$'.  It's not perfect, but better than
nothing.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-08-20 14:50:21 +02:00
Michal Privoznik
cf976d9dcf qemu: Label all TAP FDs
https://bugzilla.redhat.com/show_bug.cgi?id=1095636

When starting up the domain the domain's NICs are allocated. As of
1f24f682 (v1.0.6) we are able to use multiqueue feature on virtio
NICs. It breaks network processing into multiple queues which can be
processed in parallel by different host CPUs. The queues are, however,
created by opening /dev/net/tun several times. Unfortunately, only the
first FD in the row is labelled so when turning the multiqueue feature
on in the guest, qemu will get AVC denial. Make sure we label all the
FDs needed.

Moreover, the default label of /dev/net/tun doesn't allow
attaching a queue:

    type=AVC msg=audit(1399622478.790:893): avc:  denied  { attach_queue }
    for  pid=7585 comm="qemu-kvm"
    scontext=system_u:system_r:svirt_t:s0:c638,c877
    tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023
    tclass=tun_socket

And as suggested by SELinux maintainers, the tun FD should be labeled
as svirt_t. Therefore, we don't need to adjust any range (as done
previously by Guannan in ae368ebf) rather set the seclabel of the
domain directly.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-08-20 09:42:24 +02:00
John Ferlan
17bddc46f4 hostdev: Introduce virDomainHostdevSubsysSCSIiSCSI
Create the structures and API's to hold and manage the iSCSI host device.
This extends the 'scsi_host' definitions added in commit id '5c811dce'.
A future patch will add the XML parsing, but that code requires some
infrastructure to be in place first in order to handle the differences
between a 'scsi_host' and an 'iSCSI host' device.
2014-07-24 07:04:44 -04:00
John Ferlan
42957661dc hostdev: Introduce virDomainHostdevSubsysSCSIHost
Split virDomainHostdevSubsysSCSI further. In preparation for having
either SCSI or iSCSI data, create a union in virDomainHostdevSubsysSCSI
to contain just a virDomainHostdevSubsysSCSIHost to describe the
'scsi_host' host device
2014-07-24 06:39:28 -04:00
John Ferlan
5805621cd9 hostdev: Introduce virDomainHostdevSubsysSCSI
Create a separate typedef for the hostdev union data describing SCSI
Then adjust the code to use the new pointer
2014-07-24 06:39:27 -04:00
John Ferlan
1c8da0d44e hostdev: Introduce virDomainHostdevSubsysPCI
Create a separate typedef for the hostdev union data describing PCI.
Then adjust the code to use the new pointer
2014-07-24 06:39:27 -04:00
John Ferlan
7540d07f09 hostdev: Introduce virDomainHostdevSubsysUSB
Create a separate typedef for the hostdev union data describing USB.
Then adjust the code to use the new pointer
2014-07-24 06:39:27 -04:00
Peter Krempa
0a515a3ba3 security: DAC: Plumb usage of chown callback
Use the callback to set disk and storage image labels by modifying the
existing functions and adding wrappers to avoid refactoring a lot of the
code.
2014-07-24 09:59:00 +02:00
Peter Krempa
7490a6d272 security: DAC: Introduce callback to perform image chown
To integrate the security driver with the storage driver we need to
pass a callback for a function that will chown storage volumes.

Introduce and document the callback prototype.
2014-07-24 09:58:59 +02:00
Peter Krempa
9f28599d51 security: DAC: Remove superfluous link resolution
When restoring security labels in the dac driver the code would resolve
the file path and use the resolved one to be chown-ed. The setting code
doesn't do that. Remove the unnecessary code.
2014-07-24 09:58:59 +02:00
Cédric Bosdonnat
9265f8ab67 Rework lxc apparmor profile
Rework the apparmor lxc profile abstraction to mimic ubuntu's container-default.
This profile allows quite a lot, but strives to restrict access to
dangerous resources.

Removing the explicit authorizations to bash, systemd and cron files,
forces them to keep the lxc profile for all applications inside the
container. PUx permissions where leading to running systemd (and others
tasks) unconfined.

Put the generic files, network and capabilities restrictions directly
in the TEMPLATE.lxc: this way, users can restrict them on a per
container basis.
2014-07-15 12:57:05 -06:00
Eric Blake
58156f39ce capabilities: use bool instead of int
While preparing to add a capability for active commit, I noticed
that the existing code was abusing int for boolean values.

* src/conf/capabilities.h (_virCapsGuestFeature, _virCapsHost)
(virCapabilitiesNew, virCapabilitiesAddGuestFeature): Improve
types.
* src/conf/capabilities.c (virCapabilitiesNew)
(virCapabilitiesAddGuestFeature): Adjust signature.
* src/bhyve/bhyve_capabilities.c (virBhyveCapsBuild): Update
clients.
* src/esx/esx_driver.c (esxCapsInit): Likewise.
* src/libxl/libxl_conf.c (libxlMakeCapabilities): Likewise.
* src/lxc/lxc_conf.c (virLXCDriverCapsInit): Likewise.
* src/openvz/openvz_conf.c (openvzCapsInit): Likewise.
* src/parallels/parallels_driver.c (parallelsBuildCapabilities):
Likewise.
* src/phyp/phyp_driver.c (phypCapsInit): Likewise.
* src/qemu/qemu_capabilities.c (virQEMUCapsInit)
(virQEMUCapsInitGuestFromBinary): Likewise.
* src/security/virt-aa-helper.c (get_definition): Likewise.
* src/test/test_driver.c (testBuildCapabilities): Likewise.
* src/uml/uml_conf.c (umlCapsInit): Likewise.
* src/vbox/vbox_tmpl.c (vboxCapsInit): Likewise.
* src/vmware/vmware_conf.c (vmwareCapsInit): Likewise.
* src/xen/xen_hypervisor.c (xenHypervisorBuildCapabilities):
Likewise.
* src/xenapi/xenapi_driver.c (getCapsObject): Likewise.
* tests/qemucaps2xmltest.c (testGetCaps): Likewise.
* tests/testutils.c (virTestGenericCapsInit): Likewise.
* tests/testutilslxc.c (testLXCCapsInit): Likewise.
* tests/testutilsqemu.c (testQemuCapsInit): Likewise.
* tests/testutilsxen.c (testXenCapsInit): Likewise.
* tests/vircaps2xmltest.c (buildVirCapabilities): Likewise.
* tests/vircapstest.c (buildNUMATopology): Likewise.
* tests/vmx2xmltest.c (testCapsInit): Likewise.
* tests/xml2vmxtest.c (testCapsInit): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-07-14 08:00:46 -06:00
Cédric Bosdonnat
9b1e4cd503 aa-helper: adjust previous patch
Don't fail when there is nothing to do, as a tweak to the previous
patch regarding output of libvirt-UUID.files for LXC apparmor profiles

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-07-11 14:14:50 -06:00
Cédric Bosdonnat
383e7126a8 Don't output libvirt-UUID.files for LXC apparmor profiles 2014-07-11 11:01:36 -06:00
Michal Privoznik
0b22a16d7e virSecurityDeviceLabelDef: substitute 'norelabel' with 'relabel'
Similarly to the previous commit, boolean variables should not start
with 'no-' prefix.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-07-11 10:36:02 +02:00
Michal Privoznik
13adf1b2ce virSecurityLabelDef: substitute 'norelabel' with 'relabel'
This negation in names of boolean variables is driving me insane. The
code is much more readable if we drop the 'no-' prefix. Well, at least
for me.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-07-11 10:35:58 +02:00
Peter Krempa
cd7b63e663 security: AppArmor: Implement per-image seclabel set
Refactor the code and reuse it to implement the functionality.
2014-07-09 11:17:12 +02:00
Peter Krempa
15cad6577f security: AppArmor: Implement per-image seclabel restore
Refactor the existing code to allow re-using it for the per-image label
restore too.
2014-07-09 11:15:22 +02:00
Peter Krempa
7077cfeff4 security: DAC: Implement per-image seclabel set
Refactor the code and reuse it to implement the functionality.
2014-07-09 11:11:43 +02:00
Peter Krempa
4f2170dc24 security: DAC: Implement per-image seclabel restore
Refactor the existing code to allow re-using it for the per-image label
restore too.
2014-07-09 11:10:08 +02:00
Peter Krempa
4983931701 security: selinux: Implement per-image seclabel set
Refactor the code and reuse it to implement the functionality.
2014-07-09 10:59:22 +02:00
Peter Krempa
b2790e33a4 security: selinux: Implement per-image seclabel restore
Refactor the existing code to allow re-using it for the per-image label
restore too.
2014-07-09 10:58:33 +02:00
Peter Krempa
1797128ef6 security: Introduce APIs to label single images
Add security driver functions to label separate storage images using the
virStorageSource definition. This will help to avoid the need to do ugly
changes to the disk struct and use the source directly.
2014-07-09 10:38:56 +02:00
Peter Krempa
63834faadb storage: Move readonly and shared flags to disk source from disk def
In the future we might need to track state of individual images. Move
the readonly and shared flags to the virStorageSource struct so that we
can keep them in a per-image basis.
2014-07-08 14:27:19 +02:00
Peter Krempa
7dbfd12426 security: nop: Avoid very long lines
The function headers contain type on the same line as the name. When
combined with usage of ATTRIBUTE_UNUSED, the function headers were very
long. Shorten them by breaking the line after the type.
2014-06-26 10:18:47 +02:00
Peter Krempa
9e1b2cff8e security: Fix header formatting of a few functions
Some of the functions in the storage driver had their headers formatted
incorrectly.
2014-06-26 10:18:47 +02:00
Peter Krempa
8b641f44fc security: manager: Document behavior of disk label manipulation funcs
virSecurityManagerSetDiskLabel and virSecurityManagerRestoreDiskLabel
don't have complementary semantics. Document the semantics to avoid
possible problems.
2014-06-26 10:18:47 +02:00
Peter Krempa
2e5ffb2946 security: manager: Unify function header format 2014-06-26 10:18:47 +02:00
Peter Krempa
5fd0b40ff4 security: manager: Avoid forward decl of virSecurityManagerDispose 2014-06-26 10:18:47 +02:00
Peter Krempa
23a8646a89 security: Rename virSecurityManagerRestoreImageLabel to *Disk*
I'm going to add functions that will deal with individual image files
rather than whole disks. Rename the security function to make room for
the new one.
2014-06-26 10:18:47 +02:00
Peter Krempa
c8e4220515 security: Rename virSecurityManagerSetImageLabel to *Disk*
I'm going to add functions that will deal with individual image files
rather than whole disks. Rename the security function to make room for
the new one.
2014-06-20 09:27:19 +02:00
Peter Krempa
7c6dae0418 security: Sanitize type of @migrated in virSecurityManagerRestoreAllLabel
Also remove one spurious ATTRIBUTE_UNUSED guarding the @migrated
argument.
2014-06-20 09:27:19 +02:00
Peter Krempa
83c896c859 util: Don't require full disk definition when getting imagelabels
The image labels are stored in the virStorageSource struct. Convert the
virDomainDiskDefGetSecurityLabelDef helper not to use the full disk def
and move it appropriately.
2014-06-20 09:27:15 +02:00
Serge Hallyn
c7abe7448c virt-aa-helper: allow access to /dev/vhost-net if needed
Only allow the access if it is a KVM domain which has a NIC which wants
non-userspace networking.

This addresses https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1322568

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2014-06-17 22:12:31 -06:00
Peter Krempa
cc6484d486 security: Don't skip labelling for network disks
A network disk might actually be backed by local storage. Also the path
iterator actually handles networked disks well now so remove the code
that skips the labelling in dac and selinux security driver.
2014-06-12 10:32:12 +02:00
Ján Tomko
f9bf63e673 SELinux: don't fail silently when no label is present
This fixes startup of a domain with:
<seclabel type='none' model='dac'/>
on a host with selinux and dac drivers and
security_default_confined = 0

https://bugzilla.redhat.com/show_bug.cgi?id=1105939
https://bugzilla.redhat.com/show_bug.cgi?id=1102611
2014-06-10 10:18:24 +02:00
Eric Blake
c123ef7104 conf: store disk source as pointer, for easier manipulation
As part of the work on backing chains, I'm finding that it would
be easier to directly manipulate chains of pointers (adding a
snapshot merely adjusts pointers to form the correct list) rather
than copy data from one struct to another.  This patch converts
domain disk source to be a pointer.

In this patch, the pointer is ALWAYS allocated (thanks in part to
the previous patch forwarding all disk def allocation through a
common point), and all other changse are just mechanical fallout of
the new type; there should be no functional change.  It is possible
that we may want to leave the pointer NULL for a cdrom with no
medium in a later patch, but as that requires a closer audit of the
source to ensure we don't fault on a null dereference, I didn't do
it here.

* src/conf/domain_conf.h (_virDomainDiskDef): Change type of src.
* src/conf/domain_conf.c: Adjust all clients.
* src/security/security_selinux.c: Likewise.
* src/qemu/qemu_domain.c: Likewise.
* src/qemu/qemu_command.c: Likewise.
* src/qemu/qemu_conf.c: Likewise.
* src/qemu/qemu_process.c: Likewise.
* src/qemu/qemu_migration.c: Likewise.
* src/qemu/qemu_driver.c: Likewise.
* src/lxc/lxc_driver.c: Likewise.
* src/lxc/lxc_controller.c: Likewise.
* tests/securityselinuxlabeltest.c: Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-06-06 09:56:28 -06:00
Peter Krempa
713cc3b0a7 storage: Move virStorageFileGetMetadata to the storage driver
My future work will modify the metadata crawler function to use the
storage driver file APIs to access the files instead of accessing them
directly so that we will be able to request the metadata for remote
files too. To avoid linking the storage driver to every helper file
using the utils code, the backing chain traversal function needs to be
moved to the storage driver source.

Additionally the virt-aa-helper and virstoragetest programs need to be
linked with the storage driver as a result of this change.
2014-06-03 09:27:23 +02:00
Julio Faracco
5a2bd4c917 conf: more enum cleanups in "src/conf/domain_conf.h"
In "src/conf/domain_conf.h" there are many enum declarations. The
cleanup in this header filer was started, but it wasn't enough and
there are many other files that has enum variables declared. So, the
commit was starting to be big. This commit finish the cleanup in this
header file and in other files that has enum variables, parameters,
or functions declared.

Signed-off-by: Julio Faracco <jcfaracco@gmail.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-06-02 15:32:58 -06:00
Julio Faracco
d4dad16204 conf: enum cleanups in "src/conf/domain_conf.h"
In "src/conf/domain_conf.h" there are many enumerations (enum)
declarations to be converted as a typedef too. As mentioned before,
it's better to use a typedef for variable types, function types and
other usages. I think this file has most of those enum declarations
at "src/conf/". So, me and Eric Blake plan to keep the cleanups all
over the source code. This time, most of the files changed in this
commit are related to part of one file: "src/conf/domain_conf.h".

Signed-off-by: Julio Faracco <jcfaracco@gmail.com>
2014-06-02 15:20:22 -06:00
Ján Tomko
88e36a69de Fix crash in DAC driver with no seclabels
With dynamic_ownership = 1 but no seclabels, RestoreChardevLabel
dereferences the NULL seclabel when checking if norelabel is set.

Remove this check, since it is already done in RestoreSecurityAllLabel
and if norelabel is set, RestoreChardevLabel is never called.
2014-05-19 15:31:42 +02:00
Michal Privoznik
64c1e1ead1 virSecurityDACRestoreSecurityHostdevLabel: Unmark @def as unused
The domain definition is clearly used a few lines
below so there's no need to mark @def as unused.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-05-19 11:15:52 +02:00
Jim Fehlig
a0f82fd2bd security_dac: honor relabel='no' in chardev config
The DAC driver ignores the relabel='no' attribute in chardev config

  <serial type='file'>
    <source path='/tmp/jim/test.file'>
      <seclabel model='dac' relabel='no'/>
    </source>
    <target port='0'/>
  </serial>

This patch avoids labeling chardevs when relabel='no' is specified.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2014-05-16 15:32:15 -06:00
Jim Fehlig
bb917a90b1 security_dac: avoid relabeling hostdevs when relabel='no'
When relabel='no' at the domain level, there is no need to call
the hostdev relabeling functions.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2014-05-16 15:32:14 -06:00
Jim Fehlig
3c2487ab0a security_dac: honor relabel='no' in disk config
https://bugzilla.redhat.com/show_bug.cgi?id=999301

The DAC driver ignores the relabel='no' attribute in disk config

  <disk type='file' device='floppy'>
    <driver name='qemu' type='raw'/>
    <source file='/some/path/floppy.img'>
      <seclabel model='dac' relabel='no'/>
    </source>
    <target dev='fda' bus='fdc'/>
    <readonly/>
  </disk>

This patch avoid labeling disks when relabel='no' is specified.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2014-05-16 15:32:14 -06:00
Jim Fehlig
9369a56244 security_dac: avoid relabeling when relabel='no'
If relabel='no' at the domain level, no need to attempt relabeling
in virSecurityDAC{Set,Restore}SecurityAllLabel().

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2014-05-16 15:32:14 -06:00
Jim Fehlig
3de7e4ec5e security_dac: rework callback parameter passing
Currently, the DAC security driver passes callback data as

    void params[2];
    params[0] = mgr;
    params[1] = def;

Clean this up by defining a structure for passing the callback
data.  Moreover, there's no need to pass the whole virDomainDef
in the callback as the only thing needed in the callbacks is
virSecurityLabelDefPtr.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2014-05-16 15:32:14 -06:00
Jim Fehlig
1d98e713d5 security_dac: cleanup use of enum types
In switch statements, use enum types since it is safer when
adding new items to the enum.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2014-05-16 15:32:14 -06:00
Jim Fehlig
e1ce6d836e security_dac: annotate some functions with ATTRIBUTE_NONNULL
Annotate some static function parameters with ATTRIBUTE_NONNULL
and remove checks for NULL inputs.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2014-05-16 15:32:14 -06:00
Jim Fehlig
5099084eb3 security_dac: Fix indentation 2014-05-14 11:43:00 -06:00
Jim Fehlig
d77fa847c3 security_dac: Remove unnecessary curly braces 2014-05-14 11:43:00 -06:00
Jim Fehlig
fcf5ea7fc0 security_dac: Remove unnecessary ATTRIBUTE_UNUSED
Remove ATTRIBUTE_UNUSED on several function parameters that are
actually used.
2014-05-14 11:43:00 -06:00
Peter Krempa
8823272d41 util: storage: Invert the way recursive metadata retrieval works
To avoid having the root of a backing chain present twice in the list we
need to invert the working of virStorageFileGetMetadataRecurse.

Until now the recursive worker created a new backing chain element from
the name and other information passed as arguments. This required us to
pass the data of the parent in a deconstructed way and the worker
created a new entry for the parent.

This patch converts this function so that it just fills in metadata
about the parent and creates a backing chain element from those. This
removes the duplication of the first element.

To avoid breaking the test suite, virstoragetest now calls a wrapper
that creates the parent structure explicitly and pre-fills it with the
test data with same function signature as previously used.
2014-04-24 14:27:57 +02:00
Peter Krempa
44551275a9 storage: Move disk->backingChain to the recursive disk->src.backingStore
Switch over to storing of the backing chain as a recursive
virStorageSource structure.

This is a string based move. Currently the first element will be present
twice in the backing chain as currently the retrieval function stores
the parent in the newly detected chain. This will be fixed later.
2014-04-23 23:11:07 +02:00
Nehal J Wani
3d5c29a17c Fix typos in src/*
Fix minor typos in source comments

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-04-21 16:49:08 -06:00
Daniel P. Berrange
3cfa19da22 Replace Pci with PCI throughout
Since it is an abbreviation, PCI should always be fully
capitalized or full lower case, never Pci.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-08 11:15:55 +01:00
Eric Blake
8733303933 conf: avoid memleak on NULL path
I noticed that the apparmor code could request metadata even
for a cdrom with no media, which would cause a memory leak of
the hash table used to look for loops in the backing chain.
But even before that, we blindly dereferenced the path for
printing a debug statement, so it is just better to enforce
that this is only used on non-NULL names.

* src/util/virstoragefile.c (virStorageFileGetMetadata): Assume
non-NULL path.
* src/util/virstoragefile.h: Annotate this.
* src/security/virt-aa-helper.c (get_files): Fix caller.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-04-07 16:31:45 -06:00
Ján Tomko
66050f0f89 Fix coverity-reported leak in virSecurityManagerGenLabel
Coverity complains about a possible leak of seclabel if
!sec_managers[i]->drv->domainGenSecurityLabel is true
and the seclabel might be overwritten by the next iteration
of the loop.

This leak should never happen, because every security driver
has domainGenSecurityLabel defined.
2014-04-02 15:23:01 +02:00
Eric Blake
5160ab795a util: move detection of shared filesystems
The code in virstoragefile.c is getting more complex as I
consolidate backing chain handling code.  But for the setuid
virt-login-shell, we don't need to crawl backing chains.  It's
easier to audit things for setuid security if there are fewer
files involved, so this patch moves the one function that
virFileOpen() was actually relying on to also live in virfile.c.

* src/util/virstoragefile.c (virStorageFileIsSharedFS)
(virStorageFileIsSharedFSType): Move...
* src/util/virfile.c (virFileIsSharedFS, virFileIsSharedFSType):
...to here, and rename.
(virFileOpenAs): Update caller.
* src/security/security_selinux.c
(virSecuritySELinuxSetFileconHelper)
(virSecuritySELinuxSetSecurityAllLabel)
(virSecuritySELinuxRestoreSecurityImageLabelInt): Likewise.
* src/security/security_dac.c
(virSecurityDACRestoreSecurityImageLabelInt): Likewise.
* src/qemu/qemu_driver.c (qemuOpenFileAs): Likewise.
* src/qemu/qemu_migration.c (qemuMigrationIsSafe): Likewise.
* src/util/virstoragefile.h: Adjust declarations.
* src/util/virfile.h: Likewise.
* src/libvirt_private.syms (virfile.h, virstoragefile.h): Move
symbols as appropriate.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-04-01 10:38:14 -06:00