Commit Graph

714 Commits

Author SHA1 Message Date
Daniel P. Berrangé
b1b878c512 util: activate directory override when used from library
The Perl bindings for libvirt use the test driver for unit tests. This
tries to load the cpu_map/index.xml file, and when run from an
uninstalled build will fail.

The problem is that virFileActivateDirOverride is called by our various
binaries like libvirtd, virsh, but is not called when a 3rd party app
uses libvirt.so

To deal with this we allow the LIBVIRT_DIR_OVERRIDE=1 env variable to be
set and make virInitialize look for this. The 'run' script will set it,
so now build using this script to run against an uninstalled tree we
will correctly resolve files to the source tree.

Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-09-10 11:03:35 +01:00
Michal Privoznik
6bb4242d9f lib: Define and use autofree for virConfPtr
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2019-09-10 09:34:37 +02:00
Martin Kletzander
86289374ef selinux: Do not report an error when not returning -1
I guess the reason for that was the automatic interpretation/stringification of
setfilecon_errno, but the code was not nice to read and it was a bit confusing.
Also, the logs and error states get cleaner this way.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2019-08-31 08:48:51 +02:00
Michal Privoznik
8fe953805a security_selinux: Play nicely with network FS that only emulates SELinux
There are some network file systems that do support XATTRs (e.g.
gluster via FUSE). And they appear to support SELinux too.
However, not really. Problem is, that it is impossible to change
SELinux label of a file stored there, and yet we claim success
(rightfully - hypervisor succeeds in opening the file). But this
creates a problem for us - from XATTR bookkeeping POV, we haven't
changed the label and thus if we remembered any label, we must
roll back and remove it.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740506

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2019-08-30 12:50:09 +02:00
Michal Privoznik
eaa2a064fa security_selinux: Drop virSecuritySELinuxSetFileconHelper
This function is no longer needed because after previous commits
it's just an alias to virSecuritySELinuxSetFilecon.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2019-08-30 12:46:54 +02:00
Michal Privoznik
b71d54f447 security_selinux: Drop @optional from _virSecuritySELinuxContextItem
Now, that we don't need to remember if setting context is
'optional' (the argument only made
virSecuritySELinuxSetFileconImpl() return a different success
code), we can drop it from the _virSecuritySELinuxContextItem
structure as we don't need to remember it in transactions.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2019-08-30 12:38:52 +02:00
Michal Privoznik
079c1d6a29 security_selinux: Drop virSecuritySELinuxSetFileconOptional()
There is no real difference between
virSecuritySELinuxSetFilecon() and
virSecuritySELinuxSetFileconOptional(). Drop the latter in favour
of the former.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2019-08-30 12:38:12 +02:00
Michal Privoznik
34712a5e3b virSecuritySELinuxSetFileconImpl: Drop @optional argument
The only thing that the @optional argument does is that it makes
the function return 1 instead of 0 if setting SELinux context
failed in a non-critical fashion. Drop the argument then and
return 1 in that case. This enables caller to learn if SELinux
context was set or not.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2019-08-30 12:33:04 +02:00
Nikolay Shirokovskiy
7c40211a5a security_util: verify xattrs only if ref is present
After 7cfb7aab57 commit starting a domain pullutes logs with
warnings like [1]. The reason is resource files do not
have timestamp before starting a domain and after destroying
domain the timestamp is cleared. Let's check the timestamp
only if attribute with refcounter is found.

[1] warning : virSecurityValidateTimestamp:198 : Invalid XATTR timestamp detected on \
    /some/path secdriver=dac

Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-08-29 15:55:10 +02:00
Daniel P. Berrangé
d29c917ef4 src: honour the RUNSTATEDIR variable in all code
All code using LOCALSTATEDIR "/run" is updated to use RUNSTATEDIR
instead. The exception is the remote driver client which still
uses LOCALSTATEDIR "/run". The client needs to connect to remote
machines which may not be using /run, so /var/run is more portable
due to the /var/run -> /run symlink.

Some duplicate paths in the apparmor code are also purged.

There's no functional change by default yet since both expressions
expand to the same value.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-08-27 10:23:13 +01:00
Michal Privoznik
7cfb7aab57 security_util: Remove stale XATTRs
It may happen that we leave some XATTRs behind. For instance, on
a sudden power loss, the host just shuts down without calling
restore on domain paths. This creates a problem, because when the
host starts up again, the XATTRs are there but they don't reflect
the true state and this may result in libvirt denying start of a
domain.

To solve this, save a unique timestamp (host boot time) among
with our XATTRs.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741140

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2019-08-22 17:05:17 +02:00
Michal Privoznik
6a2806fd54 security: Don't increase XATTRs refcounter on failure
If user has two domains, each have the same disk (configured for
RW) but each runs with different seclabel then we deny start of
the second domain because in order to do that we would need to
relabel the disk but that would cut the first domain off. Even if
we did not do that, qemu would fail to start because it would be
unable to lock the disk image for the second time. So far, this
behaviour is expected. But what is not expected is that we
increase the refcounter in XATTRs and leave it like that.

What happens is that when the second domain starts,
virSecuritySetRememberedLabel() is called, and since there are
XATTRs from the first domain it increments the refcounter and
returns it (refcounter == 2 at this point). Then callers
(virSecurityDACSetOwnership() and
virSecuritySELinuxSetFileconHelper()) realize that refcounter is
greater than 1 and desired seclabel doesn't match the one the
disk image already has and an error is produced. But the
refcounter is never decremented.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1740024

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2019-08-22 15:50:21 +02:00
Andrea Bolognani
60dfe76990 virt-aa-helper: Drop unnecessary AppArmor rule
Apparently /proc/self is automatically converted to /proc/@{pid}
before checking rules, which makes spelling it out explicitly
redundant.

Suggested-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2019-08-22 10:58:41 +02:00
Michal Privoznik
359c7c1e94 security_util: Document virSecurityMoveRememberedLabel
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2019-08-22 10:34:42 +02:00
Michal Privoznik
8ced0909e5 security_util: Use more VIR_AUTOFREE()
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2019-08-22 10:34:42 +02:00
Andrea Bolognani
9c2446ed4a virt-aa-helper: Actually fix AppArmor profile
Tried previously in

  commit b1eb8b3e8f
  Author: Andrea Bolognani <abologna@redhat.com>
  Date:   Mon Aug 19 10:23:42 2019 +0200

    virt-aa-helper: Fix AppArmor profile

  v5.6.0-243-gb1eb8b3e8f

with somewhat disappointing results.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-08-20 10:35:18 +02:00
Andrea Bolognani
b1eb8b3e8f virt-aa-helper: Fix AppArmor profile
Since

  commit 432faf259b
  Author: Michal Privoznik <mprivozn@redhat.com>
  Date:   Tue Jul 2 19:49:51 2019 +0200

    virCommand: use procfs to learn opened FDs

    When spawning a child process, between fork() and exec() we close
    all file descriptors and keep only those the caller wants us to
    pass onto the child. The problem is how we do that. Currently, we
    get the limit of opened files and then iterate through each one
    of them and either close() it or make it survive exec(). This
    approach is suboptimal (although, not that much in default
    configurations where the limit is pretty low - 1024). We have
    /proc where we can learn what FDs we hold open and thus we can
    selectively close only those.

    Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
    Reviewed-by: Ján Tomko <jtomko@redhat.com>

  v5.5.0-173-g432faf259b

programs using the virCommand APIs on Linux need read access to
/proc/self/fd, or they will fail like

  error : virCommandWait:2796 : internal error: Child process
  (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -c
   -u libvirt-b20e9a8e-091a-45e0-8823-537119e98bc6) unexpected exit
  status 1: libvirt:  error : cannot open directory '/proc/self/fd':
  Permission denied
  virt-aa-helper: error: apparmor_parser exited with error

Update the AppArmor profile for virt-aa-helper so that read access
to the relevant path is granted.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-08-19 15:47:24 +02:00
Andrea Bolognani
b194c3d9c7 virt-aa-helper: Call virCommandRawStatus()
The way we're processing the return status, using WIFEXITED() and
friends, only works when we have the raw return status; however,
virCommand defaults to processing the return status for us. Call
virCommandRawStatus() before virCommandRun() so that we get the raw
return status and the logic can actually work.

This results in guest startup failures caused by AppArmor issues
being reported much earlier: for example, if virt-aa-helper exits
with an error we're now reporting

  error: internal error: cannot load AppArmor profile 'libvirt-b20e9a8e-091a-45e0-8823-537119e98bc6'

instead of the misleading

  error: internal error: Process exited prior to exec: libvirt:
  error : unable to set AppArmor profile 'libvirt-b20e9a8e-091a-45e0-8823-537119e98bc6'
  for '/usr/bin/qemu-system-x86_64': No such file or directory

Suggested-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-08-19 15:47:05 +02:00
Andrea Bolognani
7d3a0f56b8 virt-aa-helper: Use virCommand APIs directly
Right now we're using the virRun() convenience API, but that
doesn't allow the kind of control we want. Use the virCommand
APIs directly instead.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-08-19 15:46:58 +02:00
Erik Skultety
5801ef06ec src: security: Replace bitwise OR with logical OR
Typo introduced by commit d73f3f5836.

https://bugzilla.redhat.com/show_bug.cgi?id=1738483

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2019-08-07 12:08:46 +02:00
Michal Privoznik
c012e0f7fa virSecurityManagerMetadataLock: Skip over duplicate paths
If there are two paths on the list that are the same we need to
lock it only once. Because when we try to lock it the second time
then open() fails. And if it didn't, locking it the second time
would fail for sure. After all, it is sufficient to lock all
paths just once satisfy the caller.

Reported-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Tested-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2019-07-18 15:13:13 +02:00
Michal Privoznik
ee6501ab05 virSecurityManagerMetadataLock: Expand the comment on deadlocks
Document why we need to sort paths while it's still fresh in my
memory.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Tested-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2019-07-18 15:13:05 +02:00
Christian Ehrhardt
bc85411c49
security: aa-helper: allow virt-aa-helper to read .vhd images
VHD images can be used as any other, so we should add them to the list
of types that virt-aa-helper can read when creating the per-guest rules
for backing files.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
2019-07-15 13:43:51 +02:00
Michal Privoznik
44a204e674 security_selinux: Implement virSecurityManagerMoveImageMetadata
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
a379b86cd2 security_dac: Implement virSecurityManagerMoveImageMetadata
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
d73f3f5836 security_util: Introduce virSecurityMoveRememberedLabel
A simple helper function that would be used from DAC and SELinux
drivers.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
8b74cecbdf security: Introduce virSecurityManagerMoveImageMetadata
The purpose of this API is to allow caller move XATTRs (or remove
them) from one file to another. This will be needed when moving
top level of disk chain (either by introducing new HEAD or
removing it).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
8b1660e530 security: Don't remember owner for shared resources
This effectively reverts d7420430ce and adds new code.

Here is the problem: Imagine a file X that is to be shared
between two domains as a disk. Let the first domain (vm1) have
seclabel remembering turned on and the other (vm2) has it turned
off. Assume that both domains will run under the same user, but
the original owner of X is different (i.e. trying to access X
without relabelling leads to EPERM).

Let's start vm1 first. This will cause X to be relabelled and to
gain new attributes:

  trusted.libvirt.security.ref_dac="1"
  trusted.libvirt.security.dac="$originalOwner"

When vm2 is started, X will again be relabelled, but since the
new label is the same as X already has (because of vm1) nothing
changes and vm1 and vm2 can access X just fine. Note that no
XATTR is changed (especially the refcounter keeps its value of 1)
because the vm2 domain has the feature turned off.

Now, vm1 is shut off and vm2 continues running. In seclabel
restore process we would get to X and since its refcounter is 1
we would restore the $originalOwner on it. But this is unsafe to
do because vm2 is still using X (remember the assumption that
$originalOwner and vm2's seclabel are distinct?).

The problem is that refcounter stored in XATTRs doesn't reflect
the actual times a resource is in use. Since I don't see any easy
way around it let's just not store original owner on shared
resources. Shared resource in world of domain disks is:

  - whole backing chain but the top layer,
  - read only disk (we don't require CDROM to be explicitly
    marked as shareable),
  - disk marked as shareable.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2019-07-03 08:36:04 +02:00
Michal Privoznik
d87f363a3f security_selinux: Allow caller to suppress owner remembering
Just like previous commit allowed to enable or disable owner
remembering for each individual path, do the same for SELinux
driver. This is going to be needed in the next commit.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
377b4e0a6b security_dac: Allow caller to suppress owner remembering
One caller in particular (virSecurityDACSetImageLabelInternal)
will want to have the feature turned on only in some cases.
Introduce @remember member to _virSecurityDACChownItem to track
whether caller wants to do owner remembering or not.
The actual remembering is then enabled if both caller wanted it
and the feature is turned on in the config file.

Technically, we could skip over paths that don't have remember
enabled when creating a list of paths to lock. We won't touch
their XATTRs after all. Well, I rather play it safe and keep them
on the locking list for now.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
cc503c75c7 security: Document @restore member of transaction list
Both DAC and SELinux drivers support transactions. Each item on
the transaction list consists of various variables and @restore
is one of them. Document it so that as the list of variables grow
it's easier to spot which variable does what.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
5214b2f1a3 security: Don't skip label restore on file systems lacking XATTRs
The way that virSecurityDACRecallLabel is currently written is
that if XATTRs are not supported for given path to the caller
this is not different than if the path is still in use. The value
of 1 is returned which makes secdrivers skip label restore.
This is clearly a bug as we are not restoring labels on say NFS
even though previously we were.

Strictly speaking, changes to virSecurityDACRememberLabel are not
needed, but they are done anyway so that getter and setter behave
in the same fashion.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
0d44d2876a virfile: Make virFileGetXAttr report errors
The way that security drivers use XATTR is kind of verbose. If
error reporting was left for caller then the caller would end up
even more verbose.

There are two places where we do not want to report error if
virFileGetXAttr fails. Therefore virFileGetXAttrQuiet is
introduced as an alternative that doesn't report errors.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Michal Privoznik
86e43ded42 virSecuritySELinuxRestoreAllLabel: Print @migrated in the debug message too
Just like it's DAC counterpart is doing,
virSecuritySELinuxRestoreAllLabel() could print @migrated in the
debug message.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:03 +02:00
Jonathon Jongsma
55474a8ce7 src/security: use #pragma once in headers
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-06-19 17:12:31 +02:00
Christian Ehrhardt
18ffb1670e
apparmor: Add openGraphicsFD rule for named profile
Commit a3ab6d42 changed the libvirtd profile to a named profile
but neglected to accommodate the change in the qemu profile
ptrace and signal rules.
Later on 4ec3cf9a fixed that for ptrace and signal but openGraphicsFD
is still missing.

As a result, libvirtd is unable to open UI on libvirt >=5.1 e.g. with
virt-manager.

Add openGraphicsFD rule that references the libvirtd profile
by name in addition to full binary path.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1833040

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2019-06-19 14:22:47 +02:00
Daniel P. Berrangé
e5df4edefa src: don't statically link code that's already in libvirt.so
Various binaries are statically linking to libvirt_util.la and
other intermediate libraries we build. These intermediate libs
all get built into the main libvirt.so shared library eventually,
so we can dynamically link to that instead and reduce the on disk
footprint.

In libvirt-daemon RPM:

            virtlockd: 1.6 MB -> 153 KB
             virtlogd: 1.6 MB -> 157 KB
     libvirt_iohelper: 937 KB -> 23 KB

In libvirt-daemon-driver-network RPM:

 libvirt_leaseshelper: 940 KB -> 26 KB

In libvirt-daemon-driver-storage-core RPM:

   libvirt_parthelper: 926 KB -> 21 KB

IOW, about 5.6 MB total space saving in a build done on Fedora 30
x86_64 architecture.

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-05-17 14:34:45 +01:00
Christian Ehrhardt
0541b65464
virt-aa-helper: allow sysfs path used for vhost-scsi
When a vhost scsi device is hotplugged virt-aa-helper is called to
add the respective path.
For example the config:
  <hostdev mode='subsystem' type='scsi_host' managed='no'>
    <source protocol='vhost' wwpn='naa.50014059de6fba4f'/>
  </hostdev>
Will call it to add:
 /sys/kernel/config/target/vhost//naa.50014059de6fba4f

But in general /sys paths are filtered in virt-aa-helper.c:valid_path
To allow the path used for vhost-scsi we need to add it to the list of
known and accepted overrides.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1829223

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-05-16 09:31:58 +02:00
Cole Robinson
84a5e89b31 conf: Add VIR_DOMAIN_DEF_FEATURE_NET_MODEL_STRING
This requires drivers to opt in to handle the raw modelstr
network model, all others will error if a passed in XML value
is not in the model enum.

Enable this feature for libxl/xen/xm and qemu drivers

Acked-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-04-16 13:11:08 -04:00
Cole Robinson
6bf7c67699 conf: net: Add wrapper functions for <model> value
To ease converting the net->model value to an enum, add
the wrapper functions:

virDomainNetGetModelString
virDomainNetSetModelString
virDomainNetStreqModelString
virDomainNetStrcaseeqModelString

Acked-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-04-16 13:11:08 -04:00
Michal Privoznik
abd70ac3ae virSecurityDACRestoreChardevLabel: Restore UNIX sockets too
We're setting seclabels on unix sockets but never restoring them.
Surprisingly, we are doing so in SELinux driver.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-16 10:47:51 +02:00
Andrea Bolognani
03a07357e1 maint: Add filetype annotations to Makefile.inc.am
Vim has trouble figuring out the filetype automatically because
the name doesn't follow existing conventions; annotations like
the ones we already have in Makefile.ci help it out.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-12 16:55:38 +02:00
Peter Krempa
f785318187 Revert "Include unistd.h directly by files using it"
This reverts commit a5e1602090.

Getting rid of unistd.h from our headers will require more work than
just fixing the broken mingw build. Revert it until I have a more
complete proposal.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2019-04-10 12:26:32 +02:00
Peter Krempa
a5e1602090 Include unistd.h directly by files using it
util/virutil.h bogously included unistd.h. Drop it and replace it by
including it directly where needed.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 09:12:04 +02:00
Daniel P. Berrangé
c1ac1e4637 security: avoid use of dirent d_type field
The d_type field cannot be assumed to be filled. Some filesystems, such
as older XFS, will simply report DT_UNKNOWN.

Even if the d_type is filled in, the use of it in the SELinux functions
is dubious. If labelling all files in a directory there's no reason to
skip things which are not regular files. We merely need to skip "." and
"..", which is done by virDirRead() already.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-03 11:31:38 +01:00
intrigeri
80e83d63dc apparmor: support more QEMU architectures
Add hppa, nios2, or1k, riscv32 and riscv64 to the profile.

Fixes: https://bugs.debian.org/914940

Signed-off-by: intrigeri <intrigeri@boum.org>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2019-04-01 12:32:55 +02:00
Jim Fehlig
411cdaf884 apparmor: Check libvirtd profile status by name
Commit a3ab6d42 changed the libvirtd profile to a named profile,
breaking the apparmor driver's ability to detect if the profile is
active. When the apparmor driver loads it checks the status of the
libvirtd profile using the full binary path, which fails since the
profile is now referenced by name. If the apparmor driver is
explicitly requested in /etc/libvirt/qemu.conf, then libvirtd fails
to load too.

Instead of only checking the profile status by full binary path,
also check by profile name. The full path check is retained in case
users have a customized libvirtd profile with full path.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
2019-03-13 11:58:11 -06:00
Jim Fehlig
4ec3cf9a0f apparmor: Add ptrace and signal rules for named profile
Commit a3ab6d42 changed the libvirtd profile to a named profile
but neglected to accommodate the change in the qemu profile
ptrace and signal rules. As a result, libvirtd is unable to
signal confined qemu processes and hence unable to shutdown
or destroy VMs.

Add ptrace and signal rules that reference the libvirtd profile
by name in addition to full binary path.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
2019-03-06 09:51:01 -07:00
Christian Ehrhardt
f2cbb94eab
security: aa-helper: gl devices in sysfs at arbitrary depth
Further testing with more devices showed that we sometimes have a
different depth of pci device paths when accessing sysfs for device
attributes.

But since the access is limited to a set of filenames and read only it
is safe to use a wildcard for that.

Related apparmor denies - while we formerly had only considered:
apparmor="DENIED" operation="open"
  name="/sys/devices/pci0000:00/0000:00:02.1/uevent"
  requested_mask="r"

We now also know of cases like:
apparmor="DENIED" operation="open"
  name="/sys/devices/pci0000:00/0000:00:03.1/0000:1c:00.0/uevent"
  requested_mask="r"

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1817943

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2019-03-06 11:31:39 +01:00
Christian Ehrhardt
00fbb9e516
security: aa-helper: nvidia rules for gl devices
Further testing with different devices showed that we need more rules
to drive gl backends with nvidia cards. Related denies look like:

apparmor="DENIED" operation="open"
  name="/usr/share/egl/egl_external_platform.d/"
  requested_mask="r"
apparmor="DENIED" operation="open"
  name="/proc/modules"
  requested_mask="r"
apparmor="DENIED" operation="open"
  name="/proc/driver/nvidia/params"
  requested_mask="r"
apparmor="DENIED" operation="mknod"
  name="/dev/nvidiactl"
  requested_mask="c"

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1817943

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2019-03-06 11:29:55 +01:00
Christian Ehrhardt
27a9ebf281
security: aa-helper: generate more rules for gl devices
Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled
graphics devices" implemented the detection for gl enabled
devices in virt-aa-helper. But further testing showed
that it will need much more access for the full gl stack
to work.

Upstream apparmor just recently split those things out and now
has two related abstractions at
https://gitlab.com/apparmor/apparmor/blob/master:
- dri-common at /profiles/apparmor.d/abstractions/dri-common
- mesa: at /profiles/apparmor.d/abstractions/mesa

If would be great to just include that for the majority of
rules, but they are not yet in any distribution so we need
to add rules inspired by them based on the testing that we
can do.

Furthermore qemu with opengl will also probe the backing device
of the rendernode for attributes which should be safe as
read-only wildcard rules.

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1815452

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2019-02-25 08:57:33 +01:00
Christian Ehrhardt
d85e8e400b
security: aa-helper: allow virt-aa-helper to read /dev/dri
Change fb01e1a44 "virt-aa-helper: generate rules for gl enabled
graphics devices" implemented the detection for gl enabled
devices in virt-aa-helper. But it will in certain cases e.g. if
no rendernode was explicitly specified need to read /dev/dri
which it currently isn't allowed.

Add a rule to the apparmor profile of virt-aa-helper itself to
be able to do that.

Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2019-02-25 08:50:38 +01:00
Ján Tomko
060e07c3ca Remove remaining references to kqemu
We dropped support in commit 8e91a40 (November 2015), but some
occurrences still remained, even in live code.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reported-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2019-02-19 08:33:50 +01:00
Erik Skultety
17f6a257f1 security: dac: Relabel /dev/sev in the namespace
The default permissions (0600 root:root) are of no use to the qemu
process so we need to change the owner to qemu iff running with
namespaces.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-02-01 12:40:22 +01:00
Peter Krempa
c938c35363 security: Remove disk labeling functions and fix callers
Now that we have replacement in the form of the image labeling function
we can drop the unnecessary functions by replacing all callers.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2019-01-30 17:20:38 +01:00
Peter Krempa
43479005ee security: Remove security driver internals for disk labeling
Security labeling of disks consists of labeling of the disk image
itself and it's backing chain. Modify
virSecurityManager[Set|Restore]ImageLabel to take a boolean flag that
will label the full chain rather than the top image itself.

This allows to delete/unify some parts of the code and will also
simplify callers in some cases.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2019-01-30 17:20:38 +01:00
Michal Privoznik
5772885d28 lib: Use more of VIR_STEAL_PTR()
We have this very handy macro called VIR_STEAL_PTR() which steals
one pointer into the other and sets the other to NULL. The
following coccinelle patch was used to create this commit:

  @ rule1 @
  identifier a, b;
  @@

  - b = a;
    ...
  - a = NULL;
  + VIR_STEAL_PTR(b, a);

Some places were clean up afterwards to make syntax-check happy
(e.g. some curly braces were removed where the body become a one
liner).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2019-01-28 14:46:58 +01:00
Cole Robinson
ea72bc65df conf: Add virDomainNetIsVirtioModel
This will be extended in the future, so let's simplify things by
centralizing the checks.

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-01-24 18:59:38 -05:00
Jim Fehlig
a3ab6d42d8 apparmor: convert libvirtd profile to a named profile
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2019-01-23 11:10:15 -07:00
Jim Fehlig
70c2933da2 apparmor: Add support for named profiles
Upstream apparmor is switching to named profiles. In short,

/usr/sbin/dnsmasq {

becomes

profile dnsmasq /usr/sbin/dnsmasq {

Consequently, any profiles that reference profiles in a peer= condition
need to be updated if the referenced profile switches to a named profile.
Apparmor commit 9ab45d81 switched dnsmasq to a named profile. ATM it is
the only named profile switch that has affected libvirt. Add rules to the
libvirtd profile to reference dnsmasq in peer= conditions by profile name.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2019-01-23 11:10:15 -07:00
Christian Ehrhardt
fb01e1a44d
virt-aa-helper: generate rules for gl enabled graphics devices
This adds the virt-aa-helper support for gl enabled graphics devices to
generate rules for the needed rendernode paths.

Example in domain xml:
<graphics type='spice'>
  <gl enable='yes' rendernode='/dev/dri/bar'/>
</graphics>

results in:
  "/dev/dri/bar" rw,

Special cases are:
- multiple devices with rendernodes -> all are added
- non explicit rendernodes -> follow recently added virHostGetDRMRenderNode
- rendernode without opengl (in egl-headless for example) -> still add
  the node

Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1757085

Reviewed-by: Erik Skultety <eskultet@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
2019-01-23 07:54:58 +01:00
Andrea Bolognani
6ee53e54dc apparmor: Move static data out of examples/
These files need to be installed on the system for apparmor
support to work, so they don't belong with examples.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2019-01-10 16:48:12 +01:00
John Ferlan
9d42d51eef security: Fix comparison for virSecuritySELinuxRecallLabel
The @con type security_context_t is actually a "char *", so the
correct check should be to dereference one more level; otherwise,
we could return/use the NULL pointer later in a subsequent
virSecuritySELinuxSetFileconImpl call (using @fcon).

Suggested-by: Michal Prívozník <mprivozn@redhat.com>
Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-21 06:03:44 -05:00
John Ferlan
458b952bee security: Resolve possible memory leak
If virSecuritySELinuxRestoreFileLabel returns 0 or -1 too soon, then
the @newpath will be leaked.

Suggested-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-21 06:03:35 -05:00
Michal Privoznik
d9043c06e6 virSecuritySELinuxRestoreAllLabel: Restore more labels
We are setting label on kernel, initrd, dtb and slic_table files.
But we never restored it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:40 +01:00
Michal Privoznik
d81f3e02d7 virSecuritySELinuxRestoreAllLabel: Reorder device relabeling
It helps whe trying to match calls with virSecuritySELinuxSetAllLabel
if the order in which devices are set/restored is the same in
both functions.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:38 +01:00
Michal Privoznik
edacf25da7 virSecuritySELinuxTransactionRun: Implement rollback
When iterating over list of paths/disk sources to relabel it may
happen that the process fails at some point. In that case, for
the sake of keeping seclabel refcount (stored in XATTRs) in sync
with reality we have to perform rollback. However, if that fails
too the only thing we can do is warn user.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:35 +01:00
Michal Privoznik
b44fd42016 security_selinux: Restore label on failed setfilecon() attempt
It's important to keep XATTRs untouched (well, in the same state
they were in when entering the function). Otherwise our
refcounting would be messed up.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:31 +01:00
Michal Privoznik
4dc37a39cf security_selinux: Remember old labels
Similarly to what I did in DAC driver, this also requires the
same SELinux label to be used for shared paths. If a path is
already in use by a domain (or domains) then and the domain we
are starting now wants to access the path it has to have the same
SELinux label. This might look too restrictive as the new label
can still guarantee access to already running domains but in
reality it is very unlikely and usually an admin mistake.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:28 +01:00
Michal Privoznik
1e9c472452 security_selinux: Track if transaction is restore
It is going to be important to know if the current transaction we
are running is a restore operation or set label operation so that
we know whether to call virSecurityGetRememberedLabel() or
virSecuritySetRememberedLabel(). That is, whether we are in a
restore and therefore have to fetch the remembered label, or we
are in set operation and therefore have to store the original
label.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:26 +01:00
Michal Privoznik
d7420430ce virSecurityDACRestoreImageLabelInt: Restore even shared/RO disks
Now that we have seclabel remembering we can safely restore
labels for shared and RO disks. In fact we need to do that to
keep seclabel refcount stored in XATTRs in sync with reality.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:21 +01:00
Michal Privoznik
1845d3ad5d security_dac: Remember old labels
This also requires the same DAC label to be used for shared
paths. If a path is already in use by a domain (or domains) then
and the domain we are starting now wants to access the path it
has to have the same DAC label. This might look too restrictive
as the new label can still guarantee access to already running
domains but in reality it is very unlikely and usually an admin
mistake.

This requirement also simplifies seclabel remembering, because we
can store only one seclabel and have a refcounter for how many
times the path is in use. If we were to allow different labels
and store them in some sort of array the algorithm to match
labels to domains would be needlessly complicated.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:17 +01:00
Michal Privoznik
fa808763b2 security_dac: Allow callers to enable/disable label remembering/recall
Because the implementation that will be used for label
remembering/recall is not atomic we have to give callers a chance
to enable or disable it. That is, enable it if and only if
metadata locking is enabled. Otherwise the feature MUST be turned
off.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:14 +01:00
Michal Privoznik
a30e6d17c9 virSecurityDACRestoreAllLabel: Restore more labels
We are setting label on kernel, initrd, dtb and slic_table files.
But we never restored it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:11 +01:00
Michal Privoznik
08e3b1c0dc virSecurityDACRestoreAllLabel: Reorder device relabeling
It helps whe trying to match calls with virSecurityDACSetAllLabel
if the order in which devices are set/restored is the same in
both functions.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:09 +01:00
Michal Privoznik
06af6609e9 virSecurityDACTransactionRun: Implement rollback
When iterating over list of paths/disk sources to relabel it may
happen that the process fails at some point. In that case, for
the sake of keeping seclabel refcount (stored in XATTRs) in sync
with reality we have to perform rollback. However, if that fails
too the only thing we can do is warn user.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:06 +01:00
Michal Privoznik
86def3c88c security_dac: Restore label on failed chown() attempt
It's important to keep XATTRs untouched (well, in the same state
they were in when entering the function). Otherwise our
refcounting would be messed up.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:31:59 +01:00
Michal Privoznik
f9a0019fea security: Include security_util
This file implements wrappers over XATTR getter/setter. It
ensures the proper XATTR namespace is used.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:31:56 +01:00
Daniel P. Berrangé
07c9d6601d qemu: use line breaks in command line args written to log
The QEMU command line arguments are very long and currently all written
on a single line to /var/log/libvirt/qemu/$GUEST.log. This introduces
logic to add line breaks after every env variable and "-" optional
argument, and every positional argument. This will create a clearer log
file, which will in turn present better in bug reports when people cut +
paste from the log into a bug comment.

An example log file entry now looks like this:

  2018-12-14 12:57:03.677+0000: starting up libvirt version: 5.0.0, qemu version: 3.0.0qemu-3.0.0-1.fc29, kernel: 4.19.5-300.fc29.x86_64, hostname: localhost.localdomain
  LC_ALL=C \
  PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin \
  HOME=/home/berrange \
  USER=berrange \
  LOGNAME=berrange \
  QEMU_AUDIO_DRV=none \
  /usr/bin/qemu-system-ppc64 \
  -name guest=guest,debug-threads=on \
  -S \
  -object secret,id=masterKey0,format=raw,file=/home/berrange/.config/libvirt/qemu/lib/domain-33-guest/master-key.aes \
  -machine pseries-2.10,accel=tcg,usb=off,dump-guest-core=off \
  -m 1024 \
  -realtime mlock=off \
  -smp 1,sockets=1,cores=1,threads=1 \
  -uuid c8a74977-ab18-41d0-ae3b-4041c7fffbcd \
  -display none \
  -no-user-config \
  -nodefaults \
  -chardev socket,id=charmonitor,fd=23,server,nowait \
  -mon chardev=charmonitor,id=monitor,mode=control \
  -rtc base=utc \
  -no-shutdown \
  -boot strict=on \
  -device qemu-xhci,id=usb,bus=pci.0,addr=0x1 \
  -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x2 \
  -sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny \
  -msg timestamp=on
  2018-12-14 12:57:03.730+0000: shutting down, reason=failed

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-12-17 15:02:11 +00:00
Daniel P. Berrangé
568a417224 Enforce a standard header file guard symbol name
Require that all headers are guarded by a symbol named

  LIBVIRT_$FILENAME

where $FILENAME is the uppercased filename, with all characters
outside a-z changed into '_'.

Note we do not use a leading __ because that is technically a
namespace reserved for the toolchain.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-12-14 10:47:13 +00:00
Daniel P. Berrangé
4cfd709021 Fix many mistakes & inconsistencies in header file layout
This introduces a syntax-check script that validates header files use a
common layout:

  /*
   ...copyright header...
   */
  <one blank line>
  #ifndef SYMBOL
  # define SYMBOL
  ....content....
  #endif /* SYMBOL */

For any file ending priv.h, before the #ifndef, we will require a
guard to prevent bogus imports:

  #ifndef SYMBOL_ALLOW
  # error ....
  #endif /* SYMBOL_ALLOW */
  <one blank line>

The many mistakes this script identifies are then fixed.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-12-14 10:46:53 +00:00
Daniel P. Berrangé
600462834f Remove all Author(s): lines from source file headers
In many files there are header comments that contain an Author:
statement, supposedly reflecting who originally wrote the code.
In a large collaborative project like libvirt, any non-trivial
file will have been modified by a large number of different
contributors. IOW, the Author: comments are quickly out of date,
omitting people who have made significant contribitions.

In some places Author: lines have been added despite the person
merely being responsible for creating the file by moving existing
code out of another file. IOW, the Author: lines give an incorrect
record of authorship.

With this all in mind, the comments are useless as a means to identify
who to talk to about code in a particular file. Contributors will always
be better off using 'git log' and 'git blame' if they need to  find the
author of a particular bit of code.

This commit thus deletes all Author: comments from the source and adds
a rule to prevent them reappearing.

The Copyright headers are similarly misleading and inaccurate, however,
we cannot delete these as they have legal meaning, despite being largely
inaccurate. In addition only the copyright holder is permitted to change
their respective copyright statement.

Reviewed-by: Erik Skultety <eskultet@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-12-13 16:08:38 +00:00
Yuri Chornoivan
e5c1fbca24 Fix minor typos in messages and docs
Signed-off-by: Yuri Chornoivan <yurchor@ukr.net>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-12-05 10:39:54 +01:00
Erik Skultety
ae00e73cfe security: dac: gfx: egl-headless: Relabel the DRI device
Just like for SPICE, we need to change the permissions on the DRI device
used as the @rendernode for egl-headless graphics type.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-03 14:56:08 +01:00
Christian Ehrhardt
ef6bbfff78 security: aa-helper: Fix static defined vfio MDEVs
virt-aa-helper needs to grant QEMU access to VFIO MDEV devices.

This extends commit 74e86b6b which only covered PCI hostdevs for VFIO-PCI
assignment by now also covering vfio MDEVs.
It has still the same limitations regarding the device lifecycle, IOW we're
unable to predict the actual VFIO device being created, thus we need
wildcards.

Also note that the hotplug case, where apparmor is able to detect the actual
VFIO device during runtime, is already covered by commit 606afafb.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
2018-11-22 14:19:54 +01:00
Michal Privoznik
0aad10cdae Revert "security_manager: Load lock plugin on init"
This reverts commit 3e26b476b5.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-11-16 13:42:39 +01:00
Michal Privoznik
207860927a security_manager: Rework metadata locking
Trying to use virlockd to lock metadata turns out to be too big
gun. Since we will always spawn a separate process for relabeling
we are safe to use thread unsafe POSIX locks and take out
virtlockd completely out of the picture.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-11-16 13:42:39 +01:00
Michal Privoznik
a2f0b97ab7 virSecurityManagerTransactionCommit: Do metadata locking iff enabled in config
When metadata locking is enabled that means the security commit
processing will be run in a fork similar to how namespaces use fork()'s
for processing. This is done to ensure libvirt can properly and
synchronously modify the metadata to store the original owner data.

Since fork()'s (e.g. virFork) have been seen as a performance bottleneck
being able to disable them allows the admin to choose whether the
performance 'hit' is worth the extra 'security' of being able to
remember the original owner of a lock.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-11-16 13:42:38 +01:00
Marc Hartmayer
1458746f05 virSecuritySELinuxTransactionCommit: Return -1 if no transaction is set
Return -1 and report an error message if no transaction is set and
virSecuritySELinuxTransactionCommit is called.

The function description of virSecuritySELinuxTransactionCommit says:

  "Also it is considered as error if there's no transaction set and this
   function is called."

Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
2018-11-13 18:36:15 +01:00
Michal Privoznik
8d8f6b4e88 virSecuritySELinuxTransactionCommit: Don't mask error
In 4674fc6afd I've implemented transactions for selinux driver.
Well, now that I am working in this area I've noticed a subtle
bug: @ret is initialized to 0 instead of -1. Facepalm.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
2018-11-13 18:33:58 +01:00
Ján Tomko
d6b8838dd8 security: dac: also label listen UNIX sockets
We switched to opening mode='bind' sockets ourselves:
commit 30fb2276d8
    qemu: support passing pre-opened UNIX socket listen FD
in v4.5.0-rc1~251

Then fixed qemuBuildChrChardevStr to change libvirtd's label
while creating the socket:
commit b0c6300fc4
    qemu: ensure FDs passed to QEMU for chardevs have correct SELinux labels
v4.5.0-rc1~52

Also add labeling of these sockets to the DAC driver.
Instead of duplicating the logic which decides whether libvirt should
pre-create the socket, assume an existing path meaning that it was created
by libvirt.

https://bugzilla.redhat.com/show_bug.cgi?id=1633389

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2018-10-02 12:44:44 +02:00
Michal Privoznik
cd33eaa251 security: Don't try to lock NULL paths
It may happen that in the list of paths/disk sources to relabel
there is a disk source. If that is the case, the path is NULL. In
that case, we shouldn't try to lock the path. It's likely a
network disk anyway and therefore there is nothing to lock.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2018-09-26 12:01:48 +02:00
Michal Privoznik
f4d7ca62a4 security: Grab a reference to virSecurityManager for transactions
This shouldn't be needed per-se. Security manager shouldn't
disappear during transactions - it's immutable. However, it
doesn't hurt to grab a reference either - transaction code uses
it after all.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-26 12:01:36 +02:00
Michal Privoznik
72a8b8ecc5 virSecuritySELinuxContextListFree: Don't leak list->items
This array is allocated in virSecuritySELinuxContextListAppend()
but never freed. This commit is essentially the same as ca25026.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-26 12:01:32 +02:00
Erik Skultety
5165ff0971 src: More cleanup of some system headers already contained in internal.h
All of the ones being removed are pulled in by internal.h. The only
exception is sanlock which expects the application to include <stdint.h>
before sanlock's headers, because sanlock prototypes use fixed width
int, but they don't include stdint.h themselves, so we have to leave
that one in place.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Acked-by: Michal Privoznik <mprivozn@redhat.com>
2018-09-20 10:16:39 +02:00
Erik Skultety
9403b63102 internal: Move <stdio.h> include to internal.h
It doesn't really make sense for us to have stdlib.h and string.h but
not stdio.h in the internal.h header.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Acked-by: Michal Privoznik <mprivozn@redhat.com>
2018-09-20 10:16:38 +02:00
Michal Privoznik
6d855abc14 security_selinux: Lock metadata when running transaction
Lock all the paths we want to relabel to mutually exclude other
libvirt daemons.

The only hitch here is that directories can't be locked.
Therefore, when relabeling a directory do not lock it (this
happens only when setting up some domain private paths anyway,
e.g. huge pages directory).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
62fd05194a security_selinux: Move transaction handling up one level
So far the whole transaction handling is done
virSecuritySELinuxSetFileconHelper(). This needs to change for
the sake of security label remembering and locking. Otherwise we
would be locking a path when only appending it to transaction
list and not when actually relabelling it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
4a7a7808dc virSecuritySELinuxRestoreFileLabel: Adjust code pattern
Firstly, the following code pattern is harder to follow:

  if (func() < 0) {
      error();
  } else {
      /* success */
  }

We should put 'goto cleanup' into the error branch and move the
else branch one level up.
Secondly, 'rc' should really be named 'ret' because it holds
return value of the function. Not some intermediate value.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Michal Privoznik
c9318499a7 virSecuritySELinuxRestoreFileLabel: Rename 'err' label
This label is used in both successful and error paths. Therefore
it should be named 'cleanup' and not 'err'.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00