Commit Graph

518 Commits

Author SHA1 Message Date
Cédric Bosdonnat
0500fbd4b6 Fixed regression in apparmor profiles for qemu brought by 43c030f 2014-03-27 09:04:08 -06:00
Ján Tomko
9e7ecabf94 Indent top-level labels by one space in the rest of src/ 2014-03-25 14:58:40 +01:00
Peter Krempa
ccef7d7876 apparmor: Fix build after split of disk source metadata
Commit 4f20226664 breaks build with
AppArmor enabled as it missed the refactor to the new accessors.
2014-03-24 20:00:11 +01:00
Eric Blake
4f20226664 conf: prepare to track multiple host source files per <disk>
It's finally time to start tracking disk backing chains in
<domain> XML.  The first step is to start refactoring code
so that we have an object more convenient for representing
each host source resource in the context of a single guest
<disk>.  Ultimately, I plan to move the new type into src/util
where it can be reused by virStorageFile, but to make the
transition easier to review, this patch just creates the
new type then fixes everything until it compiles again.

* src/conf/domain_conf.h (_virDomainDiskDef): Split...
(_virDomainDiskSourceDef): ...to new struct.
(virDomainDiskAuthClear): Use new type.
* src/conf/domain_conf.c (virDomainDiskDefFree): Split...
(virDomainDiskSourceDefClear): ...to new function.
(virDomainDiskGetType, virDomainDiskSetType)
(virDomainDiskGetSource, virDomainDiskSetSource)
(virDomainDiskGetDriver, virDomainDiskSetDriver)
(virDomainDiskGetFormat, virDomainDiskSetFormat)
(virDomainDiskAuthClear, virDomainDiskGetActualType)
(virDomainDiskDefParseXML, virDomainDiskSourceDefFormat)
(virDomainDiskDefFormat, virDomainDiskDefForeachPath)
(virDomainDiskDefGetSecurityLabelDef)
(virDomainDiskSourceIsBlockType): Adjust all users.
* src/lxc/lxc_controller.c (virLXCControllerSetupDisk):
Likewise.
* src/lxc/lxc_driver.c (lxcDomainAttachDeviceMknodHelper):
Likewise.
* src/qemu/qemu_command.c (qemuAddRBDHost, qemuParseRBDString)
(qemuParseDriveURIString, qemuParseGlusterString)
(qemuParseISCSIString, qemuParseNBDString)
(qemuDomainDiskGetSourceString, qemuBuildDriveStr)
(qemuBuildCommandLine, qemuParseCommandLineDisk)
(qemuParseCommandLine): Likewise.
* src/qemu/qemu_conf.c (qemuCheckSharedDevice)
(qemuAddISCSIPoolSourceHost, qemuTranslateDiskSourcePool):
Likewise.
* src/qemu/qemu_driver.c (qemuDomainUpdateDeviceConfig)
(qemuDomainPrepareDiskChainElement)
(qemuDomainSnapshotCreateInactiveExternal)
(qemuDomainSnapshotPrepareDiskExternalBackingInactive)
(qemuDomainSnapshotPrepareDiskInternal)
(qemuDomainSnapshotPrepare)
(qemuDomainSnapshotCreateSingleDiskActive)
(qemuDomainSnapshotUndoSingleDiskActive)
(qemuDomainBlockPivot, qemuDomainBlockJobImpl)
(qemuDomainBlockCopy, qemuDomainBlockCommit): Likewise.
* src/qemu/qemu_migration.c (qemuMigrationIsSafe): Likewise.
* src/qemu/qemu_process.c (qemuProcessGetVolumeQcowPassphrase)
(qemuProcessInitPasswords): Likewise.
* src/security/security_selinux.c
(virSecuritySELinuxSetSecurityFileLabel): Likewise.
* src/storage/storage_driver.c (virStorageFileInitFromDiskDef):
Likewise.
* tests/securityselinuxlabeltest.c (testSELinuxLoadDef):
Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-03-24 12:18:34 -06:00
Eric Blake
2aad0ebe2d conf: use disk source accessors in security/
Part of a series of cleanups to use new accessor methods.

* src/security/security_dac.c (virSecurityDACSetSecurityImageLabel)
(virSecurityDACRestoreSecurityImageLabelInt)
(virSecurityDACSetSecurityAllLabel): Use accessors.
* src/security/security_selinux.c
(virSecuritySELinuxRestoreSecurityImageLabelInt)
(virSecuritySELinuxSetSecurityImageLabel)
(virSecuritySELinuxSetSecurityAllLabel): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-03-24 11:59:50 -06:00
Martin Kletzander
95aed7febc Use K&R style for curly braces in remaining files
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-03-20 17:27:17 +01:00
Scott Sullivan
0099a4ae2b is_selinux_enabled() returns -1 on error, account for this.
Per the documentation, is_selinux_enabled() returns -1 on error.
Account for this. Previously when -1 was being returned the condition
would still be true. I was noticing this because on my system that has
selinux disabled I was getting this in the libvirt.log every 5
seconds:

error : virIdentityGetSystem:173 : Unable to lookup SELinux process context: Invalid argument

With this patch applied, I no longer get these messages every 5
seconds. I am submitting this in case its deemed useful for inclusion.
Anyone have any comments on this change? This is a patch off current
master.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-03-20 16:26:55 +01:00
Daniel P. Berrange
2835c1e730 Add virLogSource variables to all source files
Any source file which calls the logging APIs now needs
to have a VIR_LOG_INIT("source.name") declaration at
the start of the file. This provides a static variable
of the virLogSource type.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-03-18 14:29:22 +00:00
Martin Kletzander
14fc041f69 Don't leave empty first line in C source files
If there should be some sort of separator it is better to use comment
with the filename, copyright, description, license information and
authors.

Found by:

git grep -nH '^$' | grep '\.[ch]:1:'

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-03-18 12:17:12 +01:00
Felix Geyer
29ea8a9b64 virt-aa-helper: handle 9pfs
Make virt-aa-helper create rules to allow VMs access to filesystem
mounts from the host.

Signed-off-by: Felix Geyer <debfx@fobos.de>
Signed-off-by: Hiroshi Miura <miurahr@linux.com>
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Guido Günther <agx@sigxcpu.org>
2014-03-17 20:53:39 +01:00
Michal Privoznik
f5796b61cc virSecurityDACSetSecurityImageLabel: Unmark @def as unused
The @def is clearly used just a few lines below. There's no need to use
ATTRIBUTE_UNUSED for it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-03-11 11:18:06 +01:00
Cédric Bosdonnat
9194ccecf1 apparmor: handle "none" type 2014-03-04 11:26:59 +00:00
Cédric Bosdonnat
500b2e9655 apparmor: add debug traces when changing profile.
The reason for these is that aa-status doesn't show the process using
the profile as they are in another namespace.
2014-03-04 11:07:05 +00:00
Cédric Bosdonnat
43c030f046 LXC driver: generate apparmor profiles for guests
use_apparmor() was first designed to be called from withing libvirtd,
but libvirt_lxc also uses it. in libvirt_lxc, there is no need to check
whether to use apparmor or not: just use it if possible.
2014-03-04 11:07:05 +00:00
Ján Tomko
0db9b0883c Generate a valid imagelabel even for type 'none'
Commit 2ce63c1 added imagelabel generation when relabeling is turned
off. But we weren't filling out the sensitivity for type 'none' labels,
resulting in an invalid label:

$ virsh managedsave domain
error: unable to set security context 'system_u:object_r:svirt_image_t'
on fd 28: Invalid argument
2014-02-05 19:47:30 +01:00
Osier Yang
10c9ceff6d util: Add one argument for several scsi utils
To support passing the path of the test data to the utils, one
more argument is added to virSCSIDeviceGetSgName,
virSCSIDeviceGetDevName, and virSCSIDeviceNew, and the related
code is changed accordingly.

Later tests for the scsi utils will be based on this patch.

Signed-off-by: Osier Yang <jyang@redhat.com>
2014-01-30 15:48:28 +08:00
Osier Yang
2b66504ded util: Add "shareable" field for virSCSIDevice struct
Unlike the host devices of other types, SCSI host device XML supports
"shareable" tag. This patch introduces it for the virSCSIDevice struct
for a later patch use (to detect if the SCSI device is shareable when
preparing the SCSI host device in QEMU driver).
2014-01-23 17:52:33 +08:00
Michal Privoznik
d1fdecb624 virSecuritySELinuxSetFileconHelper: Don't fail on read-only NFS
https://bugzilla.redhat.com/show_bug.cgi?id=996543

When starting up a domain, the SELinux labeling is done depending on
current configuration. If the labeling fails we check for possible
causes, as not all labeling failures are fatal. For example, if the
labeled file is on NFS which lacks SELinux support, the file can still
be readable to qemu process. These cases are distinguished by the errno
code: NFS without SELinux support returns EOPNOTSUPP. However, we were
missing one scenario. In case there's a read-only disk on a read-only
NFS (and possibly any FS) and the labeling is just optional (not
explicitly requested in the XML) there's no need to make the labeling
error fatal. In other words, read-only file on read-only NFS can fail to
be labeled, but be readable at the same time.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2014-01-17 13:35:01 +01:00
Eric Blake
baa7244951 maint: improve VIR_ERR_NO_SUPPORT usage
We weren't very consistent in our use of VIR_ERR_NO_SUPPORT; many
users just passed __FUNCTION__ on, while others passed "%s" to
silence over-eager compilers that warn about __FUNCTION__ not
containing any %.  It's nicer to route all these uses through
a single macro, so that if we ever need to change the reporting,
we can do it in one place.

I verified that 'virsh -c test:///default qemu-monitor-command test foo'
gives the same error message before and after this patch:
error: this function is not supported by the connection driver: virDomainQemuMonitorCommand

Note that in libvirt.c, we were inconsistent on whether virDomain*
API used virLibConnError() (with VIR_FROM_NONE) or virLibDomainError()
(with VIR_FROM_DOMAIN); this patch unifies these errors to all use
VIR_FROM_NONE, on the grounds that it is unlikely that a caller
learning that a call is unimplemented can do anything in particular
with extra knowledge of which error domain it belongs to.

One particular change to note is virDomainOpenGraphics which was
trying to fail with VIR_ERR_NO_SUPPORT after a failed
VIR_DRV_SUPPORTS_FEATURE check; all other places that fail a
feature check report VIR_ERR_ARGUMENT_UNSUPPORTED.

* src/util/virerror.h (virReportUnsupportedError): New macro.
* src/libvirt-qemu.c: Use new macro.
* src/libvirt-lxc.c: Likewise.
* src/lxc/lxc_driver.c: Likewise.
* src/security/security_manager.c: Likewise.
* src/util/virinitctl.c: Likewise.
* src/libvirt.c: Likewise.
(virDomainOpenGraphics): Use correct error for unsupported feature.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-04 12:15:08 -07:00
Daniel P. Berrange
d75d8b46f8 Don't overwrite errors from virConfReadFile
The SELinux security driver would overwrite errors from the
virConfReadFile function.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-12-04 15:40:23 +00:00
Daniel P. Berrange
2b510e4903 Fix off-by-1 in default SELinux MCS range
For a while we're have random failures of 'securityselinuxtest'
which were not at all reproducible. Fortunately we finally
caught a failure with VIR_TEST_DEBUG=1 enabled. This revealed

TEST: securityselinuxtest
 1) GenLabel "dynamic unconfined, s0, c0.c1023"                       ... OK
 2) GenLabel "dynamic unconfined, s0, c0.c1023"                       ... OK
 3) GenLabel "dynamic unconfined, s0, c0.c1023"                       ... OK
 4) GenLabel "dynamic virtd, s0, c0.c1023"                            ... OK
 5) GenLabel "dynamic virtd, s0, c0.c10"                              ... OK
 6) GenLabel "dynamic virtd, s2-s3, c0.c1023"                         ... OK
 7) GenLabel "dynamic virtd, missing range"                           ... Category two 1024 is out of range 0-1023
FAILED
FAIL: securityselinuxtest

And sure enough we had an off-by-1 in the MCS range code when
the current process has no range set. The test suite randomly
allocates 2 categories from 0->1024 so the chances of hitting
this in the test suite were slim indeed :-)

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-11-20 13:09:00 +00:00
Eric Blake
fb8613525d maint: avoid further typedef accidents
To make it easier to forbid future attempts at a confusing typedef
name ending in Ptr that isn't actually a pointer, insist that we
follow our preferred style of 'typedef foo *fooPtr'.

* cfg.mk (sc_forbid_const_pointer_typedef): Enforce consistent
style, to prevent issue fixed in previous storage patch.
* src/conf/capabilities.h (virCapsPtr): Fix offender.
* src/security/security_stack.c (virSecurityStackItemPtr):
Likewise.
* tests/qemucapabilitiestest.c (testQemuDataPtr): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-10-30 17:02:12 -06:00
John Ferlan
aa42bb1700 Add '+' to uid/gid printing for label processing
To ensure proper processing by virGetUserID() and virGetGroupID()
of a uid/gid add a "+" prior to the uid/gid to denote it's really
a uid/gid for the label.
2013-10-29 17:10:15 -04:00
Peter Krempa
8e362a8955 apparmor: Fix typo in function name in driver struct initialization
Commit 64a68a4a introduced a typo in the initialization of the apparmor
driver structure breaking the build with apparmor enabled.
2013-10-29 17:01:22 +01:00
Giuseppe Scrivano
64a68a4a09 security: add new internal function "virSecurityManagerGetBaseLabel"
virSecurityManagerGetBaseLabel queries the default settings used by
a security model.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2013-10-29 06:57:07 -06:00
Giuseppe Scrivano
4387132f31 security: use a single function to set DAC user and group
Merge the functions 'virSecurityDACSetUser' and
'virSecurityDACSetGroup' into 'virSecurityDACSetUserAndGroup'.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2013-10-29 06:55:09 -06:00
Eric Blake
84e8091796 maint: avoid 'const fooPtr' in security
'const fooPtr' is the same as 'foo * const' (the pointer won't
change, but it's contents can).  But in general, if an interface
is trying to be const-correct, it should be using 'const foo *'
(the pointer is to data that can't be changed).

Fix up offenders in src/security.

* src/security/security_apparmor.c (reload_profile)
(AppArmorSetSecurityHostdevLabelHelper)
(AppArmorReleaseSecurityLabel, AppArmorRestoreSecurityAllLabel)
(AppArmorSetSecurityProcessLabel)
(AppArmorSetSecurityChildProcessLabel)
(AppArmorSetSecurityImageLabel, AppArmorSecurityVerify)
(AppArmorSetSecurityHostdevLabel)
(AppArmorRestoreSecurityHostdevLabel, AppArmorSetFDLabel): Drop
needless const.
* src/security/security_selinux.c
(virSecuritySELinuxSetSecurityFileLabel): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-10-14 14:34:38 -06:00
Ján Tomko
f1bdcb2be9 selinux: Only close the selabel_handle once
On selinux driver initialization failure (missing/incorrectly
formatted contexts file), selabel_handle was closed twice.

Introduced by 6159710.
2013-10-01 15:00:07 +02:00
Michal Privoznik
32d7e2481b AppArmorSetSecurityImageLabel: Avoid use of uninitialized variable
The @profile_name variable can be used uninitialized.
2013-09-04 08:47:00 +02:00
Eric Blake
745aa55fbf security: provide supplemental groups even when parsing label (CVE-2013-4291)
Commit 29fe5d7 (released in 1.1.1) introduced a latent problem
for any caller of virSecurityManagerSetProcessLabel and where
the domain already had a uid:gid label to be parsed.  Such a
setup would collect the list of supplementary groups during
virSecurityManagerPreFork, but then ignores that information,
and thus fails to call setgroups() to adjust the supplementary
groups of the process.

Upstream does not use virSecurityManagerSetProcessLabel for
qemu (it uses virSecurityManagerSetChildProcessLabel instead),
so this problem remained latent until backporting the initial
commit into v0.10.2-maint (commit c061ff5, released in 0.10.2.7),
where virSecurityManagerSetChildProcessLabel has not been
backported.  As a result of using a different code path in the
backport, attempts to start a qemu domain that runs as qemu:qemu
will end up with supplementary groups unchanged from the libvirtd
parent process, rather than the desired supplementary groups of
the qemu user.  This can lead to failure to start a domain
(typical Fedora setup assigns user 107 'qemu' to both group 107
'qemu' and group 36 'kvm', so a disk image that is only readable
under kvm group rights is locked out).  Worse, it is a security
hole (the qemu process will inherit supplemental group rights
from the parent libvirtd process, which means it has access
rights to files owned by group 0 even when such files should
not normally be visible to user qemu).

LXC does not use the DAC security driver, so it is not vulnerable
at this time.  Still, it is better to plug the latent hole on
the master branch first, before cherry-picking it to the only
vulnerable branch v0.10.2-maint.

* src/security/security_dac.c (virSecurityDACGetIds): Always populate
groups and ngroups, rather than only when no label is parsed.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-29 08:43:03 -06:00
Eric Blake
0f082e699e selinux: distinguish failure to label from request to avoid label
https://bugzilla.redhat.com/show_bug.cgi?id=924153

Commit 904e05a2 (v0.9.9) added a per-<disk> seclabel element with
an attribute relabel='no' in order to try and minimize the
impact of shutdown delays when an NFS server disappears.  The idea
was that if a disk is on NFS and can't be labeled in the first
place, there is no need to attempt the (no-op) relabel on domain
shutdown.  Unfortunately, the way this was implemented was by
modifying the domain XML so that the optimization would survive
libvirtd restart, but in a way that is indistinguishable from an
explicit user setting.  Furthermore, once the setting is turned
on, libvirt avoids attempts at labeling, even for operations like
snapshot or blockcopy where the chain is being extended or pivoted
onto non-NFS, where SELinux labeling is once again possible.  As
a result, it was impossible to do a blockcopy to pivot from an
NFS image file onto a local file.

The solution is to separate the semantics of a chain that must
not be labeled (which the user can set even on persistent domains)
vs. the optimization of not attempting a relabel on cleanup (a
live-only annotation), and using only the user's explicit notation
rather than the optimization as the decision on whether to skip
a label attempt in the first place.  When upgrading an older
libvirtd to a newer, an NFS volume will still attempt the relabel;
but as the avoidance of a relabel was only an optimization, this
shouldn't cause any problems.

In the ideal future, libvirt will eventually have XML describing
EVERY file in the backing chain, with each file having a separate
<seclabel> element.  At that point, libvirt will be able to track
more closely which files need a relabel attempt at shutdown.  But
until we reach that point, the single <seclabel> for the entire
<disk> chain is treated as a hint - when a chain has only one
file, then we know it is accurate; but if the chain has more than
one file, we have to attempt relabel in spite of the attribute,
in case part of the chain is local and SELinux mattered for that
portion of the chain.

* src/conf/domain_conf.h (_virSecurityDeviceLabelDef): Add new
member.
* src/conf/domain_conf.c (virSecurityDeviceLabelDefParseXML):
Parse it, for live images only.
(virSecurityDeviceLabelDefFormat): Output it.
(virDomainDiskDefParseXML, virDomainChrSourceDefParseXML)
(virDomainDiskSourceDefFormat, virDomainChrDefFormat)
(virDomainDiskDefFormat): Pass flags on through.
* src/security/security_selinux.c
(virSecuritySELinuxRestoreSecurityImageLabelInt): Honor labelskip
when possible.
(virSecuritySELinuxSetSecurityFileLabel): Set labelskip, not
norelabel, if labeling fails.
(virSecuritySELinuxSetFileconHelper): Fix indentation.
* docs/formatdomain.html.in (seclabel): Document new xml.
* docs/schemas/domaincommon.rng (devSeclabel): Allow it in RNG.
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-*-labelskip.xml:
* tests/qemuxml2argvdata/qemuxml2argv-seclabel-*-labelskip.args:
* tests/qemuxml2xmloutdata/qemuxml2xmlout-seclabel-*-labelskip.xml:
New test files.
* tests/qemuxml2argvtest.c (mymain): Run the new tests.
* tests/qemuxml2xmltest.c (mymain): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-08-20 10:39:03 -06:00
Martin Kletzander
bba579b6e0 Expose ownership ID parsing
Parsing 'user:group' is useful even outside the DAC security driver,
so expose the most abstract function which has no DAC security driver
bits in itself.
2013-07-24 14:29:11 +02:00
Eric Blake
bfc183c1e3 security: fix deadlock with prefork
Attempts to start a domain with both SELinux and DAC security
modules loaded will deadlock; latent problem introduced in commit
fdb3bde and exposed in commit 29fe5d7.  Basically, when recursing
into the security manager for other driver's prefork, we have to
undo the asymmetric lock taken at the manager level.

Reported by Jiri Denemark, with diagnosis help from Dan Berrange.

* src/security/security_stack.c (virSecurityStackPreFork): Undo
extra lock grabbed during recursion.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-07-19 09:15:22 -06:00
Eric Blake
29fe5d745f security_dac: compute supplemental groups before fork
Commit 75c1256 states that virGetGroupList must not be called
between fork and exec, then commit ee777e99 promptly violated
that for lxc's use of virSecurityManagerSetProcessLabel.  Hoist
the supplemental group detection to the time that the security
manager needs to fork.  Qemu is safe, as it uses
virSecurityManagerSetChildProcessLabel which in turn uses
virCommand to determine supplemental groups.

This does not fix the fact that virSecurityManagerSetProcessLabel
calls virSecurityDACParseIds calls parseIds which eventually
calls getpwnam_r, which also violates fork/exec async-signal-safe
safety rules, but so far no one has complained of hitting
deadlock in that case.

* src/security/security_dac.c (_virSecurityDACData): Track groups
in private data.
(virSecurityDACPreFork): New function, to set them.
(virSecurityDACClose): Clean up new fields.
(virSecurityDACGetIds): Alter signature.
(virSecurityDACSetSecurityHostdevLabelHelper)
(virSecurityDACSetChardevLabel, virSecurityDACSetProcessLabel)
(virSecurityDACSetChildProcessLabel): Update callers.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-07-18 15:35:30 -06:00
Eric Blake
fdb3bde31c security: framework for driver PreFork handler
A future patch wants the DAC security manager to be able to safely
get the supplemental group list for a given uid, but at the time
of a fork rather than during initialization so as to pick up on
live changes to the system's group database.  This patch adds the
framework, including the possibility of a pre-fork callback
failing.

For now, any driver that implements a prefork callback must be
robust against the possibility of being part of a security stack
where a later element in the chain fails prefork.  This means
that drivers cannot do any action that requires a call to postfork
for proper cleanup (no grabbing a mutex, for example).  If this
is too prohibitive in the future, we would have to switch to a
transactioning sequence, where each driver has (up to) 3 callbacks:
PreForkPrepare, PreForkCommit, and PreForkAbort, to either clean
up or commit changes made during prepare.

* src/security/security_driver.h (virSecurityDriverPreFork): New
callback.
* src/security/security_manager.h (virSecurityManagerPreFork):
Change signature.
* src/security/security_manager.c (virSecurityManagerPreFork):
Optionally call into driver, and allow returning failure.
* src/security/security_stack.c (virSecurityDriverStack):
Wrap the handler for the stack driver.
* src/qemu/qemu_process.c (qemuProcessStart): Adjust caller.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-07-18 15:19:36 -06:00
Michal Privoznik
ba44dd2453 virSecurityManagerGenLabel: Skip seclabels without model
While generating seclabels, we check the seclabel stack if required
driver is in the stack. If not, an error is returned. However, it is
possible for a seclabel to not have any model set (happens with LXC
domains that have just <seclabel type='none'>). If that's the case,
we should just skip the iteration instead of calling STREQ(NULL, ...)
and SIGSEGV-ing subsequently.
2013-07-17 12:36:47 +02:00
Eric Blake
ee777e9949 util: make virSetUIDGID async-signal-safe
https://bugzilla.redhat.com/show_bug.cgi?id=964358

POSIX states that multi-threaded apps should not use functions
that are not async-signal-safe between fork and exec, yet we
were using getpwuid_r and initgroups.  Although rare, it is
possible to hit deadlock in the child, when it tries to grab
a mutex that was already held by another thread in the parent.
I actually hit this deadlock when testing multiple domains
being started in parallel with a command hook, with the following
backtrace in the child:

 Thread 1 (Thread 0x7fd56bbf2700 (LWP 3212)):
 #0  __lll_lock_wait ()
     at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:136
 #1  0x00007fd5761e7388 in _L_lock_854 () from /lib64/libpthread.so.0
 #2  0x00007fd5761e7257 in __pthread_mutex_lock (mutex=0x7fd56be00360)
     at pthread_mutex_lock.c:61
 #3  0x00007fd56bbf9fc5 in _nss_files_getpwuid_r (uid=0, result=0x7fd56bbf0c70,
     buffer=0x7fd55c2a65f0 "", buflen=1024, errnop=0x7fd56bbf25b8)
     at nss_files/files-pwd.c:40
 #4  0x00007fd575aeff1d in __getpwuid_r (uid=0, resbuf=0x7fd56bbf0c70,
     buffer=0x7fd55c2a65f0 "", buflen=1024, result=0x7fd56bbf0cb0)
     at ../nss/getXXbyYY_r.c:253
 #5  0x00007fd578aebafc in virSetUIDGID (uid=0, gid=0) at util/virutil.c:1031
 #6  0x00007fd578aebf43 in virSetUIDGIDWithCaps (uid=0, gid=0, capBits=0,
     clearExistingCaps=true) at util/virutil.c:1388
 #7  0x00007fd578a9a20b in virExec (cmd=0x7fd55c231f10) at util/vircommand.c:654
 #8  0x00007fd578a9dfa2 in virCommandRunAsync (cmd=0x7fd55c231f10, pid=0x0)
     at util/vircommand.c:2247
 #9  0x00007fd578a9d74e in virCommandRun (cmd=0x7fd55c231f10, exitstatus=0x0)
     at util/vircommand.c:2100
 #10 0x00007fd56326fde5 in qemuProcessStart (conn=0x7fd53c000df0,
     driver=0x7fd55c0dc4f0, vm=0x7fd54800b100, migrateFrom=0x0, stdin_fd=-1,
     stdin_path=0x0, snapshot=0x0, vmop=VIR_NETDEV_VPORT_PROFILE_OP_CREATE,
     flags=1) at qemu/qemu_process.c:3694
 ...

The solution is to split the work of getpwuid_r/initgroups into the
unsafe portions (getgrouplist, called pre-fork) and safe portions
(setgroups, called post-fork).

* src/util/virutil.h (virSetUIDGID, virSetUIDGIDWithCaps): Adjust
signature.
* src/util/virutil.c (virSetUIDGID): Add parameters.
(virSetUIDGIDWithCaps): Adjust clients.
* src/util/vircommand.c (virExec): Likewise.
* src/util/virfile.c (virFileAccessibleAs, virFileOpenForked)
(virDirCreate): Likewise.
* src/security/security_dac.c (virSecurityDACSetProcessLabel):
Likewise.
* src/lxc/lxc_container.c (lxcContainerSetID): Likewise.
* configure.ac (AC_CHECK_FUNCS_ONCE): Check for setgroups, not
initgroups.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-07-11 15:46:42 -06:00
Daniel P. Berrange
716961372e Convert 'int i' to 'size_t i' in src/security files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-10 17:40:14 +01:00
Michal Privoznik
a72715e0a8 Adapt to VIR_ALLOC and virAsprintf in src/security/* 2013-07-10 11:07:32 +02:00
Michal Privoznik
8290cbbc38 viralloc: Report OOM error on failure
Similarly to VIR_STRDUP, we want the OOM error to be reported in
VIR_ALLOC and friends.
2013-07-10 11:07:31 +02:00
Peter Krempa
2ce63c1611 selinux: Always generate imagelabel
The imagelabel SELinux label was only generated when relabeling was
enabled. This prohibited labeling of files created by libvirt that need
to be labeled even if relabeling is turned off.

The only codepath this change has direct impact on is labeling of FDs
passed to qemu which is always safe in current state.
2013-07-08 15:04:20 +02:00
Peter Krempa
e45ee23c59 selinux: Cleanup coding style 2013-07-08 15:04:07 +02:00
Laine Stump
1d829e1306 pci: rename virPCIDeviceGetVFIOGroupDev to virPCIDeviceGetIOMMUGroupDev
I realized after the fact that it's probably better in the long run to
give this function a name that matches the name of the link used in
sysfs to hold the group (iommu_group).

I'm changing it now because I'm about to add several more functions
that deal with iommu groups.
2013-06-25 18:07:38 -04:00
Ján Tomko
0b466db29b selinux: assume 's0' if the range is empty
This fixes a crash:
https://bugzilla.redhat.com/show_bug.cgi?id=969878
2013-06-11 13:13:43 +02:00
Eric Blake
146ba114a5 syntax: prefer space after semicolon in for loop
I noticed several unusual spacings in for loops, and decided to
fix them up.  See the next commit for the syntax check that found
all of these.

* examples/domsuspend/suspend.c (main): Fix spacing.
* python/libvirt-override.c: Likewise.
* src/conf/interface_conf.c: Likewise.
* src/security/virt-aa-helper.c: Likewise.
* src/util/virconf.c: Likewise.
* src/util/virhook.c: Likewise.
* src/util/virlog.c: Likewise.
* src/util/virsocketaddr.c: Likewise.
* src/util/virsysinfo.c: Likewise.
* src/util/viruuid.c: Likewise.
* src/vbox/vbox_tmpl.c: Likewise.
* src/xen/xen_hypervisor.c: Likewise.
* tools/virsh-domain-monitor.c (vshDomainStateToString): Drop
default case, to let compiler check us.
* tools/virsh-domain.c (vshDomainVcpuStateToString): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2013-05-28 07:56:07 -06:00
Osier Yang
fb6a05e75d security_dac: Fix the coding style
Pushed under trivial rule.
2013-05-24 23:33:09 +08:00
Michal Privoznik
aaa42912ae Adapt to VIR_STRDUP and VIR_STRNDUP in src/security/* 2013-05-23 09:56:38 +02:00
Osier Yang
3de80af28a src/security: Remove the whitespace before ';' 2013-05-21 23:41:44 +08:00
Michal Privoznik
23fbda20a7 security_apparmor.c: Include virscsi.h
After introducing AppArmorSetSecuritySCSILabel() in 2691cd5f
we are using virSCSIDevicePtr type without proper include.
2013-05-13 14:01:14 +02:00
Osier Yang
2691cd5fe8 security: Manage the security label for scsi host device
To not introduce more redundant code, helpers are added for
both "selinux", "dac", and "apparmor" backends.

Signed-off-by: Han Cheng <hanc.fnst@cn.fujitsu.com>
Signed-off-by: Osier Yang <jyang@redhat>

v2.5 - v3:
  * Splitted from 8/10 of v2.5
  * Don't forget the other backends (DAC, and apparmor)
2013-05-13 19:08:40 +08:00
Laine Stump
bfe7721d50 util: move virFile* functions from virutil.c to virfile.c
These all existed before virfile.c was created, and for some reason
weren't moved.

This is mostly straightfoward, although the syntax rule prohibiting
write() had to be changed to have an exception for virfile.c instead
of virutil.c.

This movement pointed out that there is a function called
virBuildPath(), and another almost identical function called
virFileBuildPath(). They really should be a single function, which
I'll take care of as soon as I figure out what the arglist should look
like.
2013-05-10 13:09:30 -04:00
Daniel P. Berrange
0454a7cd3d Replace 'goto clean' with 'goto cleanup' in apparmor code
Some of the apparmor code files did not follow the normal
goto label naming pratices

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-05-09 17:18:44 +01:00
Ján Tomko
dcea5a492f get rid of virBufferAsprintf where possible
Use virBufferAddLit or virBufferAddChar instead.
2013-05-07 17:38:58 +02:00
Michal Privoznik
7c9a2d88cd virutil: Move string related functions to virstring.c
The source code base needs to be adapted as well. Some files
include virutil.h just for the string related functions (here,
the include is substituted to match the new file), some include
virutil.h without any need (here, the include is removed), and
some require both.
2013-05-02 16:56:55 +02:00
Laine Stump
ed12bbee81 security driver: eliminate memory leaks in failure paths
If virPCIDeviceGetVFIOGroupDev() failed,
virSecurity*(Set|Restore)HostdevLabel() would fail to free a
virPCIDevice that had been allocated.

These leaks were all introduced (by me) very recently, in commit
f0bd70a.
2013-04-30 11:22:32 -04:00
Laine Stump
19635f7d0d conf: remove extraneous _TYPE from driver backend enums
This isn't strictly speaking a bugfix, but I realized I'd gotten a bit
too verbose when I chose the names for
VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_*. This shortens them all a bit.
2013-04-26 21:51:12 -04:00
Laine Stump
f0bd70a940 security: update hostdev labelling functions for VFIO
Legacy kvm style pci device assignment requires changes to the
labelling of several sysfs files for each device, but for vfio device
assignment, the only thing that needs to be relabelled/chowned is the
"group" device for the group that contains the device to be assigned.
2013-04-25 21:28:43 -04:00
Laine Stump
9f80fc1bd5 conf: put hostdev pci address in a struct
There will soon be other items related to pci hostdevs that need to be
in the same part of the hostdevsubsys union as the pci address (which
is currently a single member called "pci". This patch replaces the
single member named pci with a struct named pci that contains a single
member named "addr".
2013-04-25 21:23:38 -04:00
Peter Krempa
4165ea9663 selinux: Don't mask errors of virSecuritySELinuxGenNewContext
Since cbe67ff9b0
virSecuritySELinuxGenNewContext reports good error messages. Fix callers
that mask the errors by generic error message.
2013-04-24 16:03:35 +02:00
Osier Yang
bc95be5dea cleanup: Remove the duplicate header
Detected by a simple Shell script:

for i in $(git ls-files -- '*.[ch]'); do
    awk 'BEGIN {
        fail=0
    }
    /# *include.*\.h/{
        match($0, /["<][^">]*[">]/)
        arr[substr($0, RSTART+1, RLENGTH-2)]++
    }
    END {
        for (key in arr) {
            if (arr[key] > 1) {
                fail=1
                printf("%d %s\n", arr[key], key)
            }
        }
        if (fail == 1)
            exit 1
    }' $i

    if test $? != 0; then
        echo "Duplicate header(s) in $i"
    fi
done;

A later patch will add the syntax-check to avoid duplicate
headers.
2013-04-17 15:49:35 +08:00
Stefan Berger
2a40a09220 Add SELinux and DAC labeling support for TPM passthrough
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
Tested-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
2013-04-12 16:55:46 -04:00
Peter Krempa
482e5f159c virCaps: get rid of defaultConsoleTargetType callback
This patch refactors various places to allow removing of the
defaultConsoleTargetType callback from the virCaps structure.

A new console character device target type is introduced -
VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_NONE - to mark that no type was
specified in the XML. This type is at the end converted to the standard
VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_SERIAL. Other types that are
different from this default have to be processed separately in the
device post parse callback.
2013-04-04 22:42:39 +02:00
Peter Krempa
ad0d10b2b1 conf callback: Rearrange function parameters
Move the xmlopt and caps arguments to the end of the argument list.
2013-04-04 22:41:19 +02:00
Peter Krempa
43b99fc4c0 conf: Add post XML parse callbacks and prepare for cleaning of virCaps
This patch adds instrumentation that will allow hypervisor drivers to
fill and validate domain and device definitions after parsed by the XML
parser.

With this patch, after the XML is parsed, a callback to the driver is
issued requesting to fill and validate driver specific details of the
configuration. This allows to use sensible defaults and checks on a per
driver basis at the time the XML is parsed.

Two callback pointers are stored in the new virDomainXMLConf object:
* virDomainDeviceDefPostParseCallback (devicesPostParseCallback)
  - called for a single device parsed and for every single device in a
    domain config. A virDomainDeviceDefPtr is passed along with the
    domain definition and virCaps.

* virDomainDefPostParseCallback, (domainPostParseCallback)
  - A callback that is meant to process the domain config after it's
  parsed.  A virDomainDefPtr is passed along with virCaps.

Both types of callbacks support arbitrary opaque data passed for the
callback functions.

Errors may be reported in those callbacks resulting in a XML parsing
failure.
2013-04-04 22:29:48 +02:00
Peter Krempa
e84b19316a maint: Rename xmlconf to xmlopt and virDomainXMLConfig to virDomainXMLOption
This patch is the result of running:

for i in $(git ls-files | grep -v html | grep -v \.po$ ); do
  sed -i -e "s/virDomainXMLConf/virDomainXMLOption/g" -e "s/xmlconf/xmlopt/g" $i
done

and a few manual tweaks.
2013-04-04 22:18:56 +02:00
Guido Günther
ea151935bb security_manager: fix comparison
otherwise we crash later on if we don't find a match like:

 #0  0xb72c2b4f in virSecurityManagerGenLabel (mgr=0xb8e42d20, vm=0xb8ef40c0) at security/security_manager.c:424
 #1  0xb18811f3 in qemuProcessStart (conn=conn@entry=0xb8eed880, driver=driver@entry=0xb8e3b1e0, vm=vm@entry=0xb8ef58f0,
     migrateFrom=migrateFrom@entry=0xb18f6088 "stdio", stdin_fd=18,
     stdin_path=stdin_path@entry=0xb8ea7798 "/var/lib/jenkins/jobs/libvirt-tck-build/workspace/tck.img", snapshot=snapshot@entry=0x0,
     vmop=vmop@entry=VIR_NETDEV_VPORT_PROFILE_OP_RESTORE, flags=flags@entry=2) at qemu/qemu_process.c:3364
 #2  0xb18d6cb2 in qemuDomainSaveImageStartVM (conn=conn@entry=0xb8eed880, driver=driver@entry=0xb8e3b1e0, vm=0xb8ef58f0, fd=fd@entry=0xb6bf3f98,
     header=header@entry=0xb6bf3fa0, path=path@entry=0xb8ea7798 "/var/lib/jenkins/jobs/libvirt-tck-build/workspace/tck.img",
     start_paused=start_paused@entry=false) at qemu/qemu_driver.c:4843
 #3  0xb18d7eeb in qemuDomainRestoreFlags (conn=conn@entry=0xb8eed880,
     path=path@entry=0xb8ea7798 "/var/lib/jenkins/jobs/libvirt-tck-build/workspace/tck.img", dxml=dxml@entry=0x0, flags=flags@entry=0)
     at qemu/qemu_driver.c:4962
 #4  0xb18d8123 in qemuDomainRestore (conn=0xb8eed880, path=0xb8ea7798 "/var/lib/jenkins/jobs/libvirt-tck-build/workspace/tck.img")
     at qemu/qemu_driver.c:4987
 #5  0xb718d186 in virDomainRestore (conn=0xb8eed880, from=0xb8ea87d8 "/var/lib/jenkins/jobs/libvirt-tck-build/workspace/tck.img") at libvirt.c:2768
 #6  0xb7736363 in remoteDispatchDomainRestore (args=<optimized out>, rerr=0xb6bf41f0, client=0xb8eedaf0, server=<optimized out>, msg=<optimized out>)
     at remote_dispatch.h:4679
 #7  remoteDispatchDomainRestoreHelper (server=0xb8e1a3e0, client=0xb8eedaf0, msg=0xb8ee72c8, rerr=0xb6bf41f0, args=0xb8ea8968, ret=0xb8ef5330)
     at remote_dispatch.h:4661
 #8  0xb720db01 in virNetServerProgramDispatchCall (msg=0xb8ee72c8, client=0xb8eedaf0, server=0xb8e1a3e0, prog=0xb8e216b0)
     at rpc/virnetserverprogram.c:439
 #9  virNetServerProgramDispatch (prog=0xb8e216b0, server=server@entry=0xb8e1a3e0, client=0xb8eedaf0, msg=0xb8ee72c8) at rpc/virnetserverprogram.c:305
 #10 0xb7206e97 in virNetServerProcessMsg (msg=<optimized out>, prog=<optimized out>, client=<optimized out>, srv=0xb8e1a3e0) at rpc/virnetserver.c:162
 #11 virNetServerHandleJob (jobOpaque=0xb8ea7720, opaque=0xb8e1a3e0) at rpc/virnetserver.c:183
 #12 0xb70f9f78 in virThreadPoolWorker (opaque=opaque@entry=0xb8e1a540) at util/virthreadpool.c:144
 #13 0xb70f94a5 in virThreadHelper (data=0xb8e0e558) at util/virthreadpthread.c:161
 #14 0xb705d954 in start_thread (arg=0xb6bf4b70) at pthread_create.c:304
 #15 0xb6fd595e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:130

This unbreaks libvirt-tck's domain/100-transient-save-restore.t with
qemu:///session and selinux compiled in but disabled.

Introduced by 8d68cbeaa8
2013-04-03 22:57:31 +02:00
Michal Privoznik
8d68cbeaa8 sec_manager: Refuse to start domain with unsupported seclabel
https://bugzilla.redhat.com/show_bug.cgi?id=947387

If a user configures a domain to use a seclabel of a specific type,
but the appropriate driver is not accessible, we should refuse to
start the domain. For instance, if user requires selinux, but it is
either non present in the system, or is just disabled, we should not
start the domain. Moreover, since we are touching only those labels we
have a security driver for, the other labels may confuse libvirt when
reconnecting to a domain on libvirtd restart. In our selinux example,
when starting up a domain, missing security label is okay, as we
auto-generate one. But later, when libvirt is re-connecting to a live
qemu instance, we parse a state XML, where security label is required
and it is an error if missing:

  error : virSecurityLabelDefParseXML:3228 : XML error: security label
  is missing

This results in a qemu process left behind without any libvirt control.
2013-04-03 10:19:46 +02:00
Michal Privoznik
a1c68a1fcb security_manager.c: Append seclabel iff generated
With my previous patches, we unconditionally appended a seclabel,
even if it wasn't generated but found in array of defined seclabels.
This resulted in double free later when doing virDomainDefFree
and iterating over the array of defined seclabels.

Moreover, there was another possibility of double free, if the
seclabel was generated in the last iteration of the process of
walking trough security managers array.
2013-03-28 16:13:01 +01:00
Michal Privoznik
e4a28a3281 security: Don't add seclabel of type none if there's already a seclabel
https://bugzilla.redhat.com/show_bug.cgi?id=923946

The <seclabel type='none'/> should be added iff there is no other
seclabel defined within a domain. This bug can be easily reproduced:
1) configure selinux seclabel for a domain
2) disable system's selinux and restart libvirtd
3) observe <seclabel type='none'/> being appended to a domain on its
   startup
2013-03-28 10:01:06 +01:00
Michal Privoznik
6c4de11614 security_manager: Don't manipulate domain XML in virDomainDefGetSecurityLabelDef
The virDomainDefGetSecurityLabelDef was modifying the domain XML.
It tried to find a seclabel corresponding to given sec driver. If the
label wasn't found, the function created one which is wrong. In fact
it's security manager which should modify this part of domain XML.
2013-03-28 10:01:06 +01:00
Olivia Yin
26705e02c1 selinux: deal with dtb file 2013-03-19 15:48:59 -06:00
Daniel P. Berrange
1732c1c629 Fix parsing of SELinux ranges without a category
Normally libvirtd should run with a SELinux label

  system_u:system_r:virtd_t:s0-s0:c0.c1023

If a user manually runs libvirtd though, it is sometimes
possible to get into a situation where it is running

  system_u:system_r:init_t:s0

The SELinux security driver isn't expecting this and can't
parse the security label since it lacks the ':c0.c1023' part
causing it to complain

  internal error Cannot parse sensitivity level in s0

This updates the parser to cope with this, so if no category
is present, libvirtd will hardcode the equivalent of c0.c1023.

Now this won't work if SELinux is in Enforcing mode, but that's
not an issue, because the user can only get into this problem
if in Permissive mode. This means they can now start VMs in
Permissive mode without hitting that parsing error

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-14 12:42:21 +00:00
Daniel P. Berrange
4a92fe4413 Separate MCS range parsing from MCS range checking
Pull the code which parses the current process MCS range
out of virSecuritySELinuxMCSFind and into a new method
virSecuritySELinuxMCSGetProcessRange.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-14 12:42:21 +00:00
Daniel P. Berrange
f2d8190cfb Fix memory leak on OOM in virSecuritySELinuxMCSFind
The body of the loop in virSecuritySELinuxMCSFind would
directly 'return NULL' on OOM, instead of jumping to the
cleanup label. This caused a leak of several local vars.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-14 12:42:21 +00:00
Peter Krempa
27cf98e2d1 virCaps: conf: start splitting out irrelevat data
The virCaps structure gathered a ton of irrelevant data over time that.
The original reason is that it was propagated to the XML parser
functions.

This patch aims to create a new data structure virDomainXMLConf that
will contain immutable data that are used by the XML parser. This will
allow two things we need:

1) Get rid of the stuff from virCaps

2) Allow us to add callbacks to check and add driver specific stuff
after domain XML is parsed.

This first attempt removes pointers to private data allocation functions
to this new structure and update all callers and function that require
them.
2013-03-13 09:27:14 +01:00
Guannan Ren
ce4557c3ab apparmor: use AppArmorSetFDLabel for both imageFD and tapFD
Rename AppArmorSetImageFDLabel to AppArmorSetFDLabel which could
be used as a common function for *ALL* fd relabelling in Linux.

In apparmor profile for specific vm with uuid cdbebdfa-1d6d-65c3-be0f-fd74b978a773
Path: /etc/apparmor.d/libvirt/libvirt-cdbebdfa-1d6d-65c3-be0f-fd74b978a773.files
The last line is for the tapfd relabelling.

 # DO NOT EDIT THIS FILE DIRECTLY. IT IS MANAGED BY LIBVIRT.
  "/var/log/libvirt/**/rhel6qcow2.log" w,
  "/var/lib/libvirt/**/rhel6qcow2.monitor" rw,
  "/var/run/libvirt/**/rhel6qcow2.pid" rwk,
  "/run/libvirt/**/rhel6qcow2.pid" rwk,
  "/var/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
  "/run/libvirt/**/*.tunnelmigrate.dest.rhel6qcow2" rw,
  "/var/lib/libvirt/images/rhel6u3qcow2.img" rw,
  "/dev/tap45" rw,
2013-03-08 10:56:07 +08:00
Jim Fehlig
438a3850db Fix starting qemu instances when apparmor driver is enabled
With the apparmor security driver enabled, qemu instances fail
to start

# grep ^security_driver /etc/libvirt/qemu.conf
security_driver = "apparmor"
# virsh start test-kvm
error: Failed to start domain test-kvm
error: internal error security label already defined for VM

The model field of virSecurityLabelDef object is always populated
by virDomainDefGetSecurityLabelDef(), so remove the check for a
NULL model when verifying if a label is already defined for the
instance.

Checking for a NULL model and populating it later in
AppArmorGenSecurityLabel() has been left in the code to be
consistent with virSecuritySELinuxGenSecurityLabel().
2013-02-28 17:35:59 -07:00
John Ferlan
676688b69b security: Remove unnecessary checks for mgr == NULL
Coverity found the DACGenLabel was checking for mgr == NULL after a
possible dereference; however, in order to get into the function the
virSecurityManagerGenLabel would have already dereferenced sec_managers[i]
so the check was unnecessary. Same check is made in SELinuxGenSecurityLabel.
2013-02-16 07:44:35 -05:00
Laine Stump
7bf1aa0b9b security: add new virSecurityManagerSetChildProcessLabel API
The existing virSecurityManagerSetProcessLabel() API is designed so
that it must be called after forking the child process, but before
exec'ing the child. Due to the way the virCommand API works, that
means it needs to be put in a "hook" function that virCommand is told
to call out to at that time.

Setting the child process label is a basic enough need when executing
any process that virCommand should have a method of doing that. But
virCommand must be told what label to set, and only the security
driver knows the answer to that question.

The new virSecurityManagerSet*Child*ProcessLabel() API is the way to
transfer the knowledge about what label to set from the security
driver to the virCommand object. It is given a virCommandPtr, and each
security driver calls the appropriate virCommand* API to tell
virCommand what to do between fork and exec.

1) in the case of the DAC security driver, it calls
virCommandSetUID/GID() to set a uid and gid that must be set for the
child process.

2) for the SELinux security driver, it calls
virCommandSetSELinuxLabel() to save a copy of the char* that will be
sent to setexeccon_raw() *after forking the child process*.

3) for the AppArmor security drivers, it calls
virCommandSetAppArmorProfile() to save a copy of the char* that will
be sent to aa_change_profile() *after forking the child process*.

With this new API in place, we will be able to remove
virSecurityManagerSetProcessLabel() from any virCommand pre-exec
hooks.

(Unfortunately, the LXC driver uses clone() rather than virCommand, so
it can't take advantage of this new security driver API, meaning that
we need to keep around the older virSecurityManagerSetProcessLabel(),
at least for now.)
2013-02-13 16:11:16 -05:00
Daniel P. Berrange
61b52d2e38 Fix potential deadlock across fork() in QEMU driver
The hook scripts used by virCommand must be careful wrt
accessing any mutexes that may have been held by other
threads in the parent process. With the recent refactoring
there are 2 potential flaws lurking, which will become real
deadlock bugs once the global QEMU driver lock is removed.

Remove use of the QEMU driver lock from the hook function
by passing in the 'virQEMUDriverConfigPtr' instance directly.

Add functions to the virSecurityManager to be invoked before
and after fork, to ensure the mutex is held by the current
thread. This allows it to be safely used in the hook script
in the child process.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-12 11:05:31 +00:00
Eric Blake
736a87b916 build: fix compilation of selinux on RHEL 5
On RHEL 5, I got:

security/security_selinux.c: In function 'getContext':
security/security_selinux.c:971: warning: unused parameter 'mgr' [-Wunused-parameter]

* src/security/security_selinux.c (getContext): Mark potentially
unused parameter.
2013-02-11 17:12:25 -07:00
Daniel P. Berrange
0ab49601a8 Remove re-entrant API call in SELinux/AppArmor security managers
The security manager drivers are not allowed to call back
out to top level security manager APIs, since that results
in recursive mutex acquisition and thus deadlock. Remove
calls to virSecurityManagerGetModel from SELinux / AppArmor
drivers

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-11 16:05:05 +00:00
Daniel P. Berrange
48b49a631a Serialize execution of security manager APIs
Add locking to virSecurityManagerXXX APIs, so that use of the
security drivers is internally serialized. This avoids the need
to rely on the global driver locks to achieve serialization

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-11 12:33:44 +00:00
Daniel P. Berrange
11d926659b Turn virSecurityManager into a virObjectLockable
To enable locking to be introduced to the security manager
objects later, turn virSecurityManager into a virObjectLockable
class

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-11 12:33:41 +00:00
Daniel P. Berrange
fed92f08db Turn virCapabilities into a virObject
To enable virCapabilities instances to be reference counted,
turn it into a virObject. All cases of virCapabilitiesFree
turn into virObjectUnref

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-02-08 11:34:26 +00:00
Daniel P. Berrange
77c3015f9c Rename all USB device functions to have a standard name prefix
Rename all the usbDeviceXXX and usbXXXDevice APIs to have a
fixed virUSBDevice name prefix
2013-02-05 19:22:25 +00:00
Daniel P. Berrange
202535601c Rename all PCI device functions to have a standard name prefix
Rename all the pciDeviceXXX and pciXXXDevice APIs to have a
fixed virPCIDevice name prefix
2013-02-05 19:22:25 +00:00
Jiri Denemark
3b35369c0f selinux: Properly indent preprocessor directives 2013-01-24 14:10:50 +01:00
Jiri Denemark
d4b7309a9c apparmor: Avoid freeing uninitialized pointer 2013-01-24 14:04:25 +01:00
Richard W.M. Jones
6159710ca1 selinux: Only create the selabel_handle once.
According to Eric Paris this is slightly more efficient because it
only loads the regular expressions in libselinux once.
2013-01-24 12:40:49 +00:00
John Ferlan
a2b36ec5db security: Need to add virCommandFree() 2013-01-24 12:37:30 +01:00
John Ferlan
770b4aa8f0 security: Need to initialize 'sens'
It was possible to call VIR_FREE in cleanup prior to initialization
2013-01-22 17:29:26 +01:00
John Ferlan
05cc035189 selinux: Resolve resource leak using the default disk label
Commit id a994ef2d1 changed the mechanism to store/update the default
security label from using disk->seclabels[0] to allocating one on the
fly. That change allocated the label, but never saved it.  This patch
will save the label. The new virDomainDiskDefAddSecurityLabelDef() is
a copy of the virDomainDefAddSecurityLabelDef().
2013-01-22 14:34:12 +01:00
John Ferlan
7479026b5c security: Use virStrcpy to move the label 2013-01-22 14:34:11 +01:00
Daniel P. Berrange
f24404a324 Rename virterror.c virterror_internal.h to virerror.{c,h} 2012-12-21 11:19:50 +00:00
Daniel P. Berrange
556cf5f617 Rename xml.{c,h} to virxml.{c,h} 2012-12-21 11:19:50 +00:00
Daniel P. Berrange
e861b31275 Rename uuid.{c,h} to viruuid.{c,h} 2012-12-21 11:19:49 +00:00
Daniel P. Berrange
44f6ae27fe Rename util.{c,h} to virutil.{c,h} 2012-12-21 11:19:49 +00:00
Daniel P. Berrange
05dc8398dd Rename storage_file.{c,h} to virstoragefile.{c,h} 2012-12-21 11:19:48 +00:00
Daniel P. Berrange
3ddddd98c3 Rename pci.{c,h} to virpci.{c,h} 2012-12-21 11:17:14 +00:00
Daniel P. Berrange
ab9b7ec2f6 Rename memory.{c,h} to viralloc.{c,h} 2012-12-21 11:17:14 +00:00
Daniel P. Berrange
936d95d347 Rename logging.{c,h} to virlog.{c,h} 2012-12-21 11:17:14 +00:00
Daniel P. Berrange
ebc8db5189 Rename hostusb.{c,h} to virusb.{c,h} 2012-12-21 11:17:13 +00:00
Daniel P. Berrange
0f8454101d Rename conf.{c,h} to virconf.{c,h} 2012-12-21 11:17:13 +00:00
Daniel P. Berrange
04d9510f50 Rename command.{c,h} to vircommand.{c,h} 2012-12-21 11:17:13 +00:00
Daniel P. Berrange
2005f7b552 Rename buf.{c,h} to virbuffer.{c,h}
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-21 11:17:12 +00:00
Ján Tomko
3e7890c8ef security: fix #endif comment in security_stack.h 2012-12-20 19:55:54 +01:00
Daniel P. Berrange
dc068e35c0 Fix arch datatype in vahControl in virt-aa-helper.c
When changing to virArch, the virt-aa-helper.c file was not
completely changed. The vahControl struct was left with a
char *arch field, instead of virArch arch field.
2012-12-19 11:45:31 +00:00
Daniel P. Berrange
c25c18f71b Convert capabilities / domain_conf to use virArch
Convert the host capabilities and domain config structs to
use the virArch datatype. Update the parsers and all drivers
to take account of datatype change

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-18 16:53:03 +00:00
Jiri Denemark
cdfe739c97 apparmor: Fix build 2012-12-17 21:17:55 +01:00
Daniel P. Berrange
a6cbdd7b81 Add support for SELinux labelling of hostdev storage/misc devices
The SELinux security driver needs to learn to label storage/misc
hostdev devices for LXC

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-17 17:50:51 +00:00
Daniel P. Berrange
570ad09ef9 Refactor SELinux security driver hostdev labelling
Prepare to support different types of hostdevs by refactoring
the current SELinux security driver code

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-17 17:50:51 +00:00
Daniel P. Berrange
df5928ea56 Allow passing a vroot into security manager hostdev labelling
When LXC labels USB devices during hotplug, it is running in
host context, so it needs to pass in a vroot path to the
container root.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-17 17:50:51 +00:00
Daniel P. Berrange
89c5a9d0e8 Skip bulk relabelling of resources in SELinux driver when used with LXC
The virSecurityManager{Set,Restore}AllLabel methods are invoked
at domain startup/shutdown to relabel resources associated with
a domain. This works fine with QEMU, but with LXC they are in
fact both currently no-ops since LXC does not support disks,
hostdevs, or kernel/initrd files. Worse, when LXC gains support
for disks/hostdevs, they will do the wrong thing, since they
run in host context, not container context. Thus this patch
turns then into a formal no-op when used with LXC. The LXC
controller will call out to specific security manager labelling
APIs as required during startup.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-17 17:50:51 +00:00
Daniel P. Berrange
77d3a80974 Support custom 'svirt_tcg_t' context for TCG based guests
The current SELinux policy only works for KVM guests, since
TCG requires the 'execmem' privilege. There is a 'virt_use_execmem'
boolean to turn this on globally, but that is unpleasant for users.
This changes libvirt to automatically use a new 'svirt_tcg_t'
context for TCG based guests. This obsoletes the previous
boolean tunable and makes things 'just work(tm)'

Since we can't assume we run with new enough policy, I also
make us log a warning message (once only) if we find the policy
lacks support. In this case we fallback to the normal label and
expect users to set the boolean tunable

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-12-17 11:22:36 +00:00
Ján Tomko
b28fb61fd7 selinux: fix NULL dereference in GetSecurityMountOptions
In the case of an OOM error in virDomainDefGetSecurityLabelDef, secdef
is set to NULL, then dereferenced while printing the debug message.
2012-12-13 15:41:44 -07:00
Serge Hallyn
a4e44e674e add vnc unix sockets to apparmor policy
When using vnc gaphics over a unix socket, virt-aa-helper needs to provide
access for the qemu domain to access the sockfile.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-12-11 14:32:39 -07:00
Serge Hallyn
88bd1a644b add security hook for permitting hugetlbfs access
When a qemu domain is backed by huge pages, apparmor needs to grant the domain
rw access to files under the hugetlbfs mount point.  Add a hook, called in
qemu_process.c, which ends up adding the read-write access through
virt-aa-helper.  Qemu will be creating a randomly named file under the
mountpoint and unlinking it as soon as it has mmap()d it, therefore we
cannot predict the full pathname, but for the same reason it is generally
safe to provide access to $path/**.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2012-12-11 14:27:20 -07:00
Daniel P. Berrange
3f6470f753 Fix error handling in virSecurityManagerGetMountOptions
The impls of virSecurityManagerGetMountOptions had no way to
return errors, since the code was treating 'NULL' as a success
value. This is somewhat pointless, since the calling code did
not want NULL in the first place and has to translate it into
the empty string "". So change the code so that the impls can
return "" directly, allowing use of NULL for error reporting
once again

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-11-27 16:45:04 +00:00
Viktor Mihajlovski
b1c88c1476 capabilities: defaultConsoleTargetType can depend on architecture
For S390, the default console target type cannot be of type 'serial'.
It is necessary to at least interpret the 'arch' attribute
value of the os/type element to produce the correct default type.

Therefore we need to extend the signature of defaultConsoleTargetType
to account for architecture. As a consequence all the drivers
supporting this capability function must be updated.

Despite the amount of changed files, the only change in behavior is
that for S390 the default console target type will be 'virtio'.

N.B.: A more future-proof approach could be to to use hypervisor
specific capabilities to determine the best possible console type.
For instance one could add an opaque private data pointer to the
virCaps structure (in case of QEMU to hold capsCache) which could
then be passed to the defaultConsoleTargetType callback to determine
the console target type.
Seems to be however a bit overengineered for the use case...

Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
2012-11-09 09:20:59 -07:00
Daniel P. Berrange
1c04f99970 Remove spurious whitespace between function name & open brackets
The libvirt coding standard is to use 'function(...args...)'
instead of 'function (...args...)'. A non-trivial number of
places did not follow this rule and are fixed in this patch.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-11-02 13:36:49 +00:00
Jiri Denemark
0111b409a3 Fix build with apparmor
Recent storage patches changed signature of virStorageFileGetMetadata
and replaced chain with backingChain in virDomainDiskDef.
2012-10-25 10:21:57 +02:00
Cole Robinson
767be8be72 selinux: Don't fail RestoreAll if file doesn't have a default label
When restoring selinux labels after a VM is stopped, any non-standard
path that doesn't have a default selinux label causes the process
to stop and exit early. This isn't really an error condition IMO.

Of course the selinux API could be erroring for some other reason
but hopefully that's rare enough to not need explicit handling.

Common example here is storing disk images in a non-standard location
like under /mnt.
2012-10-23 11:45:24 -04:00
Eric Blake
add633bdf9 build: print uids as unsigned
Reported by Michal Privoznik.

* src/security/security_dac.c (virSecurityDACGenLabel): Use
correct format.
2012-10-23 08:38:33 -06:00
Eric Blake
23a4df886d build: use correct printf types for uid/gid
Fixes a build failure on cygwin:
cc1: warnings being treated as errors
security/security_dac.c: In function 'virSecurityDACSetProcessLabel':
security/security_dac.c:862:5: error: format '%u' expects type 'unsigned int', but argument 7 has type 'uid_t' [-Wformat]
security/security_dac.c:862:5: error: format '%u' expects type 'unsigned int', but argument 8 has type 'gid_t' [-Wformat]

* src/security/security_dac.c (virSecurityDACSetProcessLabel)
(virSecurityDACGenLabel): Use proper casts.
2012-10-22 14:41:00 -06:00
Eric Blake
38c4a9cc40 storage: use cache to walk backing chain
We used to walk the backing file chain at least twice per disk,
once to set up cgroup device whitelisting, and once to set up
security labeling.  Rather than walk the chain every iteration,
which possibly includes calls to fork() in order to open root-squashed
NFS files, we can exploit the cache of the previous patch.

* src/conf/domain_conf.h (virDomainDiskDefForeachPath): Alter
signature.
* src/conf/domain_conf.c (virDomainDiskDefForeachPath): Require caller
to supply backing chain via disk, if recursion is desired.
* src/security/security_dac.c
(virSecurityDACSetSecurityImageLabel): Adjust caller.
* src/security/security_selinux.c
(virSecuritySELinuxSetSecurityImageLabel): Likewise.
* src/security/virt-aa-helper.c (get_files): Likewise.
* src/qemu/qemu_cgroup.c (qemuSetupDiskCgroup)
(qemuTeardownDiskCgroup): Likewise.
(qemuSetupCgroup): Pre-populate chain.
2012-10-19 17:35:11 -06:00
Guannan Ren
d37a3a1d6c selinux: remove unused variables in socket labelling 2012-10-17 13:13:17 +08:00
Martin Kletzander
6676c1fc8f selinux: Use raw contexts 2
In commit 9674f2c637, I forgot to change
selabel_lookup with the other functions, so this one-liner does exactly
that.
2012-10-16 10:30:18 +02:00
Guannan Ren
ae368ebfcc selinux: add security selinux function to label tapfd
BZ:https://bugzilla.redhat.com/show_bug.cgi?id=851981
When using macvtap, a character device gets first created by
kernel with name /dev/tapN, its selinux context is:
system_u:object_r:device_t:s0

Shortly, when udev gets notification when new file is created
in /dev, it will then jump in and relabel this file back to the
expected default context:
system_u:object_r:tun_tap_device_t:s0

There is a time gap happened.
Sometimes, it will have migration failed, AVC error message:
type=AVC msg=audit(1349858424.233:42507): avc:  denied  { read write } for
pid=19926 comm="qemu-kvm" path="/dev/tap33" dev=devtmpfs ino=131524
scontext=unconfined_u:system_r:svirt_t:s0:c598,c908
tcontext=system_u:object_r:device_t:s0 tclass=chr_file

This patch will label the tapfd device before qemu process starts:
system_u:object_r:tun_tap_device_t:MCS(MCS from seclabel->label)
2012-10-15 21:01:07 +08:00
Martin Kletzander
9674f2c637 selinux: Use raw contexts
We are currently able to work only with non-translated SELinux
contexts, but we are using functions that work with translated
contexts throughout the code.  This patch swaps all SELinux context
translation relative calls with their raw sisters to avoid parsing
problems.

The problems can be experienced with mcstrans for example.  The
difference is that if you have translations enabled (yum install
mcstrans; service mcstrans start), fgetfilecon_raw() will get you
something like 'system_u:object_r:virt_image_t:s0', whereas
fgetfilecon() will return 'system_u:object_r:virt_image_t:SystemLow'
that we cannot parse.

I was trying to confirm that the _raw variants were here since the dawn of
time, but the only thing I see now is that it was imported together in
the upstream repo [1] from svn, so before 2008.

Thanks Laurent Bigonville for finding this out.

[1] http://oss.tresys.com/git/selinux.git
2012-10-12 17:54:09 +02:00
Jiri Denemark
059aff6b98 qemu: Add option to treat missing USB devices as success
All USB device lookup functions emit an error when they cannot find the
requested device. With this patch, their caller can choose if a missing
device is an error or normal condition.
2012-10-11 15:11:41 +02:00
Marcelo Cerri
7c035625f8 security: update user and group parsing in security_dac.c
The functions virGetUserID and virGetGroupID are now able to parse
user/group names and IDs in a similar way to coreutils' chown. So, user
and group parsing in security_dac can be simplified.
2012-10-08 15:20:57 -06:00
Marcelo Cerri
60469dd10f security: also parse user/group names instead of just IDs for DAC labels
The DAC driver is missing parsing of group and user names for DAC labels
and currently just parses uid and gid. This patch extends it to support
names, so the following security label definition is now valid:

  <seclabel type='static' model='dac' relabel='yes'>
      <label>qemu:qemu</label>
      <imagelabel>qemu:qemu</imagelabel>
  </seclabel>

When it tries to parse an owner or a group, it first tries to resolve it as
a name, if it fails or it's an invalid user/group name then it tries to
parse it as an UID or GID. A leading '+' can also be used for both owner and
group to force it to be parsed as IDs, so the following example is also
valid:

  <seclabel type='static' model='dac' relabel='yes'>
      <label>+101:+101</label>
      <imagelabel>+101:+101</imagelabel>
  </seclabel>

This ensures that UID 101 and GUI 101 will be used instead of an user or
group named "101".
2012-10-03 12:15:03 +02:00
Richard W.M. Jones
f8b08d0e96 Add <seclabel> to character devices.
This allows the user to control labelling of each character device
separately (the default is to inherit from the VM).

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
2012-09-21 13:43:47 +01:00
Eric Blake
4ecb723b9e maint: fix up copyright notice inconsistencies
https://www.gnu.org/licenses/gpl-howto.html recommends that
the 'If not, see <url>.' phrase be a separate sentence.

* tests/securityselinuxhelper.c: Remove doubled line.
* tests/securityselinuxtest.c: Likewise.
* globally: s/;  If/.  If/
2012-09-20 16:30:55 -06:00
Peter Krempa
ede89aab64 security: Don't ignore errors when parsing DAC security labels
The DAC security driver silently ignored errors when parsing the DAC
label and used default values instead.

With a domain containing the following label definition:

<seclabel type='static' model='dac' relabel='yes'>
  <label>sdfklsdjlfjklsdjkl</label>
</seclabel>

the domain would start normaly but the disk images would be still owned
by root and no error was displayed.

This patch changes the behavior if the parsing of the label fails (note
that a not present label is not a failure and in this case the default
label should be used) the error isn't masked but is raised that causes
the domain start to fail with a descriptive error message:

virsh #  start tr
error: Failed to start domain tr
error: internal error invalid argument: failed to parse DAC seclabel
'sdfklsdjlfjklsdjkl' for domain 'tr'

I also changed the error code to "invalid argument" from "internal
error" and tweaked the various error messages to contain correct and
useful information.
2012-09-20 16:21:52 +02:00
Peter Krempa
1497e36db9 security: Re-apply commit ce53382ba2
Recent changes in the security driver discarded changes that fixed
labeling un-confined guests.
2012-08-30 16:45:38 +02:00
Daniel P. Berrange
d0c0e79ac6 Fix configuration of QEMU security drivers
If no 'security_driver' config option was set, then the code
just loaded the 'dac' security driver. This is a regression
on previous behaviour, where we would probe for a possible
security driver. ie default to SELinux if available.

This changes things so that it 'security_driver' is not set,
we once again do probing. For simplicity we also always
create the stack driver, even if there is only one driver
active.

The desired semantics are:

 - security_driver not set
     -> probe for selinux/apparmour/nop
     -> auto-add DAC driver
 - security_driver set to a string
     -> add that one driver
     -> auto-add DAC driver
 - security_driver set to a list
     -> add all drivers in list
     -> auto-add DAC driver

It is not allowed, or possible to specify 'dac' in the
security_driver config param, since that is always
enabled.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-08-30 11:36:28 +08:00
Peter Krempa
ba150e5504 Revert "security: Add DAC to security_drivers"
This reverts commit 9f9b7b85c9.

The DAC security driver needs special handling and extra parameters and
can't just be added to regular security drivers.
2012-08-29 16:18:41 +02:00
Alex Jia
95c61007e7 security: remove dead code from virSecurityDACGenLabel
* src/security/security_dac.c: remove useless dead code.

Signed-off-by: Alex Jia <ajia@redhat.com>
2012-08-29 18:25:57 +08:00
Peter Krempa
f2f0af3960 security_dac: Don't return uninitialised uid and gid for image labels
As in the previous commit, images are also chowned to uninitialised
uid and gid if the label is not present.
2012-08-29 01:31:30 +02:00
Peter Krempa
3c2f5e3ede security_dac: Don't return uninitialised value when parsing seclabels
When starting a machine the DAC security driver tries to set the UID and
GID of the newly spawned process. This worked as desired if the desired
label was set. When the label was missing a logical bug in
virSecurityDACGenLabel() caused that uninitialised values were used as
uid and gid for the new process.

With this patch, default values (from qemu driver configuration)
are used if the label is not found.
2012-08-28 18:41:41 +02:00
Peter Krempa
f2b241e6a7 security_dac: Avoid segfault when no label is requested
When no DAC "label" was requested for a domain the DAC manager tried to
strdup a NULL string causing a segfault.
2012-08-28 18:40:36 +02:00
Michal Privoznik
9f9b7b85c9 security: Add DAC to security_drivers
Currently, if users set 'security_driver="dac"' in qemu.conf libvirtd
fails to initialize as DAC driver is not found because it is missing
in our security drivers array.
2012-08-24 17:19:25 +02:00
Daniel P. Berrange
7272a92c81 Fix parsing of uid/gid on Mingw32
The DAC security driver uses the virStrToLong_ui function to
parse the uid/gid out of the seclabel string. This works on
Linux where 'uid_t' is an unsigned int, but on Mingw32 it is
just an 'int'. This causes compiler warnings about signed/
unsigned int pointer mis-match.

To avoid this, use explicit 'unsigned int ouruid' local
vars to pass into virStrToLong_ui, and then simply assign
to the 'uid_t' type after parsing

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-08-21 15:03:54 +01:00
Daniel P. Berrange
4e365df44f Honour current sensitivity and category ranges in SELinux label generation
Currently the dynamic label generation code will create labels
with a sensitivity of s0, and a category pair in the range
0-1023. This is fine when running a standard MCS policy because
libvirtd will run with a label

  system_u:system_r:virtd_t:s0-s0:c0.c1023

With custom policies though, it is possible for libvirtd to have
a different sensitivity, or category range. For example

  system_u:system_r:virtd_t:s2-s3:c512.c1023

In this case we must assign the VM a sensitivity matching the
current lower sensitivity value, and categories in the range
512-1023

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-08-21 11:37:57 +01:00
Daniel P. Berrange
2d9df4fca0 Fix regression generating image context
The code to refactor sec label handling accidentally changed the
SELinux driver to use the 'domain_context' when generating the
image label instead of the 'file_context'

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-08-21 11:37:57 +01:00
Marcelo Cerri
a994ef2d1a Update security layer to handle many security labels
These changes make the security drivers able to find and handle the
correct security label information when more than one label is
available. They also update the DAC driver to be used as an usual
security driver.

Signed-off-by: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
2012-08-20 19:14:30 +02:00
Marcelo Cerri
6c3cf57d6c Internal refactory of data structures
This patch updates the structures that store information about each
domain and each hypervisor to support multiple security labels and
drivers. It also updates all the remaining code to use the new fields.

Signed-off-by: Marcelo Cerri <mhcerri@linux.vnet.ibm.com>
2012-08-20 19:13:33 +02:00
Viktor Mihajlovski
b6ad2c2334 selinux: Fix incorrect object label generation.
This is a fix for the object label generation. It uses a new flag for
virSecuritySELinuxGenNewContext that specifies whether the context is
for an object. If so the context role remains unchanged.
Without this fix it is not possible to start domains with image file or
block device backed storage when selinux is enabled.

Signed-off-by: Viktor Mihajlovski <mihajlov@linux.vnet.ibm.com>
2012-08-20 10:07:22 -06:00
Daniel P. Berrange
b6e66cb6dd Pull code which finds a free MCS label out into its own method
The code for picking a MCS label is about to get significantly
more complicated, so it deserves to be in a standlone method,
instead of a switch/case body.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-08-14 15:31:26 +01:00
Daniel P. Berrange
b77e9814e4 Honour current user and role in SELinux label generation
When generating an SELinux context for a VM from the template
"system_u:system_r:svirt_t:s0", copy the role + user from the
current process instead of the template context. So if the
current process is

   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

then the VM context ends up as

  unconfined_u:unconfined_r:svirt_t:s0:c386,c703

instead of

   system_u:system_r:svirt_t:s0:c177,c424

Ideally the /etc/selinux/targeted/contexts/virtual_domain_context
file would have just shown the 'svirt_t' type, and not the full
context, but that can't be changed now for compatibility reasons.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-08-14 15:31:26 +01:00
Daniel P. Berrange
cbe67ff9b0 Fix error reporting in virSecuritySELinuxGenNewContext
The virSecuritySELinuxGenNewContext method was not reporting any
errors, leaving it up to the caller to report a generic error.
In addition it could potentially trigger a strdup(NULL) in an
OOM scenario. Move all error reporting into the
virSecuritySELinuxGenNewContext method where accurate info
can be provided

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-08-14 15:31:26 +01:00
Daniel P. Berrange
51b23ed31a Use VIR_ERR_CONFIG_UNSUPPORTED if requested security driver is disabled
There is currently no way to distinguish the case that a requested
security driver was disabled, from the case where no security driver
was available. Use VIR_ERR_CONFIG_UNSUPPORTED as the error when an
explicitly requested security driver was disabled

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-08-14 15:31:26 +01:00
Daniel P. Berrange
fd016806df Add missing domain_conf.h include in security_manager.h
The security_manager.h header is not self-contained because it
uses the virDomainDefPtr without first including domain_conf.h

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-08-14 15:31:26 +01:00
Eric Blake
87de27b7f9 virrandom: make virRandomInitialize an automatic one-shot
All callers used the same initialization seed (well, the new
viratomictest forgot to look at getpid()); so we might as well
make this value automatic.  And while it may feel like we are
giving up functionality, I documented how to get it back in the
unlikely case that you actually need to debug with a fixed
pseudo-random sequence.  I left that crippled by default, so
that a stray environment variable doesn't cause a lack of
randomness to become a security issue.

* src/util/virrandom.c (virRandomInitialize): Rename...
(virRandomOnceInit): ...and make static, with one-shot call.
Document how to do fixed-seed debugging.
* src/util/virrandom.h (virRandomInitialize): Drop prototype.
* src/libvirt_private.syms (virrandom.h): Don't export it.
* src/libvirt.c (virInitialize): Adjust caller.
* src/lxc/lxc_controller.c (main): Likewise.
* src/security/virt-aa-helper.c (main): Likewise.
* src/util/iohelper.c (main): Likewise.
* tests/seclabeltest.c (main): Likewise.
* tests/testutils.c (virtTestMain): Likewise.
* tests/viratomictest.c (mymain): Likewise.
2012-08-06 08:15:13 -06:00
Jiri Denemark
ce53382ba2 security: Skip labeling resources when seclabel defaults to none
If a domain is explicitly configured with <seclabel type="none"/> we
correctly ensure that no labeling will be done by setting
norelabel=true. However, if no seclabel element is present in domain XML
and hypervisor is configured not to confine domains by default, we only
set type to "none" without turning off relabeling. Thus if such a domain
is being started, security driver wants to relabel resources with
default label, which doesn't make any sense.

Moreover, with SELinux security driver, the generated image label lacks
"s0" sensitivity, which causes setfilecon() fail with EINVAL in
enforcing mode.
2012-07-27 18:58:48 +02:00
Osier Yang
a4bcefbcff maint: Use consistent copyright.
This is a follow up patch of commit f9ce7dad6, it modifies all
the files which declare the copyright like "See COPYING.LIB for
the License of this software" to use the detailed/consistent one.

And deserts the outdated comments like:

 * libvirt-qemu.h:
 * Summary: qemu specific interfaces
 * Description: Provides the interfaces of the libvirt library to handle
 *              qemu specific methods
 *
 * Copy:  Copyright (C) 2010, 2012 Red Hat, Inc.

Uses the more compact style like:

 * libvirt-qemu.h: Interfaces specific for QEMU/KVM driver
 *
 * Copyright (C) 2010, 2012 Red Hat, Inc.
2012-07-27 18:27:21 +08:00
Osier Yang
f9ce7dad60 Desert the FSF address in copyright
Per the FSF address could be changed from time to time, and GNU
recommends the following now: (http://www.gnu.org/licenses/gpl-howto.html)

  You should have received a copy of the GNU General Public License
  along with Foobar.  If not, see <http://www.gnu.org/licenses/>.

This patch removes the explicit FSF address, and uses above instead
(of course, with inserting 'Lesser' before 'General').

Except a bunch of files for security driver, all others are changed
automatically, the copyright for securify files are not complete,
that's why to do it manually:

  src/security/security_selinux.h
  src/security/security_driver.h
  src/security/security_selinux.c
  src/security/security_apparmor.h
  src/security/security_apparmor.c
  src/security/security_driver.c
2012-07-23 10:50:50 +08:00
Daniel P. Berrange
a56c347080 Use a hash table for storing MCS labels
Instead of using an O(n) efficiency linked list for storing
MCS labels, use a hash table. Instead of having the list
be global, put it in the SELinux driver private data struct
to ensure uniqueness across different instances of the driver.
This also ensures thread safety when multiple hypervisor
drivers are used in the same libvirtd process

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-07-20 20:17:24 +01:00
Daniel P. Berrange
2e668a61d5 Fix error handling when adding MCS labels
When adding MCS labels, OOM was not being handled correctly.
In addition when reserving an existing label, no check was
made to see if it was already reserved

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-07-20 20:17:19 +01:00
Daniel P. Berrange
12b187fb95 Use standard naming prefix for SELinux driver function names
The function names in the SELinux driver all start with
SELinux or 'mcs' as a prefix. Sanitize this so that they
all use 'virSecuritySELinux' as the prefix

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-07-20 20:17:14 +01:00
Daniel P. Berrange
b8605b22e5 Replace use of virSecurityReportError with virReportError
Update the security drivers to use virReportError instead of
the virSecurityReportError custom macro

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-07-20 13:59:58 +01:00
Eric Blake
99f1faf777 po: avoid spurious double spaces in messages
Noticed during the recent error cleanups.

* src/network/bridge_driver.c (networkStartRadvd): Fix spacing.
* src/openvz/openvz_conf.c (openvzReadMemConf): Likewise.
* src/qemu/qemu_command.c (qemuNetworkIfaceConnect): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainDetachNetDevice): Likewise.
* src/qemu/qemu_process.c (qemuProcessStop): Likewise.
* src/security/virt-aa-helper.c (vah_add_file): Likewise.
2012-07-18 17:47:03 -06:00
Daniel P. Berrange
ebbcc02639 Remove last usage of PATH_MAX and ban its future use
Remove a number of pointless checks against PATH_MAX and
add a syntax-check rule to prevent its use in future

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-05-28 10:43:01 +01:00
Michal Privoznik
4ab0d6c48a security: Switch to C99-style struct initialization 2012-05-24 16:37:51 +02:00
Daniel P. Berrange
7ba66ef285 Fix build compat with older libselinux for LXC
Most versions of libselinux do not contain the function
selinux_lxc_contexts_path() that the security driver
recently started using for LXC. We must add a conditional
check for it in configure and then disable the LXC security
driver for builds where libselinux lacks this function.

* configure.ac: Check for selinux_lxc_contexts_path
* src/security/security_selinux.c: Disable LXC security
  if selinux_lxc_contexts_path() is missing
2012-05-16 15:38:29 +01:00
Daniel Walsh
abf2ebbd27 Add security driver APIs for getting mount options
Some security drivers require special options to be passed to
the mount system call. Add a security driver API for handling
this data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-05-16 10:05:47 +01:00
Daniel Walsh
6844ceadb4 Add support for LXC specific SELinux configuration
The SELinux policy for LXC uses a different configuration file
than the traditional svirt one. Thus we need to load
/etc/selinux/targeted/contexts/lxc_contexts which contains
something like this:

 process = "system_u:system_r:svirt_lxc_net_t:s0"
 file = "system_u:object_r:svirt_lxc_file_t:s0"
 content = "system_u:object_r:virt_var_lib_t:s0"

cleverly designed to be parsable by virConfPtr

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-05-16 10:05:47 +01:00
Daniel Walsh
fa5e68ffbf Use private data struct in SELinux driver
Currently the SELinux driver stores its state in a set of global
variables. This switches it to use a private data struct instead.
This will enable different instances to have their own data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-05-16 10:05:46 +01:00
Daniel Walsh
cf36c23bc9 Don't enable the AppArmour security driver with LXC
The AppArmour driver does not currently have support for LXC
so ensure that when probing, it claims to be disabled

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-05-16 10:05:46 +01:00
Daniel Walsh
73580c60d1 Pass the virt driver name into security drivers
To allow the security drivers to apply different configuration
information per hypervisor, pass the virtualization driver name
into the security manager constructor.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-05-16 10:05:46 +01:00
Daniel P. Berrange
ec8cae93db Consistent style for usage of sizeof operator
The code is splattered with a mix of

  sizeof foo
  sizeof (foo)
  sizeof(foo)

Standardize on sizeof(foo) and add a syntax check rule to
enforce it

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2012-03-30 11:47:24 +01:00
Martin Kletzander
9943276fd2 Cleanup for a return statement in source files
Return statements with parameter enclosed in parentheses were modified
and parentheses were removed. The whole change was scripted, here is how:

List of files was obtained using this command:
git grep -l -e '\<return\s*([^()]*\(([^()]*)[^()]*\)*)\s*;' |             \
grep -e '\.[ch]$' -e '\.py$'

Found files were modified with this command:
sed -i -e                                                                 \
's_^\(.*\<return\)\s*(\(\([^()]*([^()]*)[^()]*\)*\))\s*\(;.*$\)_\1 \2\4_' \
-e 's_^\(.*\<return\)\s*(\([^()]*\))\s*\(;.*$\)_\1 \2\3_'

Then checked for nonsense.

The whole command looks like this:
git grep -l -e '\<return\s*([^()]*\(([^()]*)[^()]*\)*)\s*;' |             \
grep -e '\.[ch]$' -e '\.py$' | xargs sed -i -e                            \
's_^\(.*\<return\)\s*(\(\([^()]*([^()]*)[^()]*\)*\))\s*\(;.*$\)_\1 \2\4_' \
-e 's_^\(.*\<return\)\s*(\([^()]*\))\s*\(;.*$\)_\1 \2\3_'
2012-03-26 14:45:22 -06:00
Eric Blake
3e2c3d8f6d build: use correct type for pid and similar types
No thanks to 64-bit windows, with 64-bit pid_t, we have to avoid
constructs like 'int pid'.  Our API in libvirt-qemu cannot be
changed without breaking ABI; but then again, libvirt-qemu can
only be used on systems that support UNIX sockets, which rules
out Windows (even if qemu could be compiled there) - so for all
points on the call chain that interact with this API decision,
we require a different variable name to make it clear that we
audited the use for safety.

Adding a syntax-check rule only solves half the battle; anywhere
that uses printf on a pid_t still needs to be converted, but that
will be a separate patch.

* cfg.mk (sc_correct_id_types): New syntax check.
* src/libvirt-qemu.c (virDomainQemuAttach): Document why we didn't
use pid_t for pid, and validate for overflow.
* include/libvirt/libvirt-qemu.h (virDomainQemuAttach): Tweak name
for syntax check.
* src/vmware/vmware_conf.c (vmwareExtractPid): Likewise.
* src/driver.h (virDrvDomainQemuAttach): Likewise.
* tools/virsh.c (cmdQemuAttach): Likewise.
* src/remote/qemu_protocol.x (qemu_domain_attach_args): Likewise.
* src/qemu_protocol-structs (qemu_domain_attach_args): Likewise.
* src/util/cgroup.c (virCgroupPidCode, virCgroupKillInternal):
Likewise.
* src/qemu/qemu_command.c(qemuParseProcFileStrings): Likewise.
(qemuParseCommandLinePid): Use pid_t for pid.
* daemon/libvirtd.c (daemonForkIntoBackground): Likewise.
* src/conf/domain_conf.h (_virDomainObj): Likewise.
* src/probes.d (rpc_socket_new): Likewise.
* src/qemu/qemu_command.h (qemuParseCommandLinePid): Likewise.
* src/qemu/qemu_driver.c (qemudGetProcessInfo, qemuDomainAttach):
Likewise.
* src/qemu/qemu_process.c (qemuProcessAttach): Likewise.
* src/qemu/qemu_process.h (qemuProcessAttach): Likewise.
* src/uml/uml_driver.c (umlGetProcessInfo): Likewise.
* src/util/virnetdev.h (virNetDevSetNamespace): Likewise.
* src/util/virnetdev.c (virNetDevSetNamespace): Likewise.
* tests/testutils.c (virtTestCaptureProgramOutput): Likewise.
* src/conf/storage_conf.h (_virStoragePerms): Use mode_t, uid_t,
and gid_t rather than int.
* src/security/security_dac.c (virSecurityDACSetOwnership): Likewise.
* src/conf/storage_conf.c (virStorageDefParsePerms): Avoid
compiler warning.
2012-03-02 06:57:43 -07:00
Jiri Denemark
afb96301f3 security: Driver 'none' cannot create confined guests
In case the caller specifies that confined guests are required but the
security driver turns out to be 'none', we should return an error since
this driver clearly cannot meet that requirement.  As a result of this
error, libvirtd fails to start when the host admin explicitly sets
confined guests are required but there is no security driver available.

Since security driver 'none' cannot create confined guests, we override
default confined setting so that hypervisor drivers do not thing they
should create confined guests.
2012-02-08 11:55:56 +01:00
Jiri Denemark
3ecc06f4d5 apparmor: Add missing comma
Typo introduced by c18a88ac
2012-02-06 09:22:46 +01:00
Laine Stump
c18a88ac48 qemu: eliminate "Ignoring open failure" when using root-squash NFS
This eliminates the warning message reported in:

 https://bugzilla.redhat.com/show_bug.cgi?id=624447

It was caused by a failure to open an image file that is not
accessible by root (the uid libvirtd is running as) because it's on a
root-squash NFS share, owned by a different user, with permissions of
660 (or maybe 600).

The solution is to use virFileOpenAs() rather than open(). The
codepath that generates the error is during qemuSetupDiskCGroup(), but
the actual open() is in a lower-level generic function called from
many places (virDomainDiskDefForeachPath), so some other pieces of the
code were touched just to add dummy (or possibly useful) uid and gid
arguments.

Eliminating this warning message has the nice side effect that the
requested operation may even succeed (which in this case isn't
necessary, but shouldn't hurt anything either).
2012-02-03 16:47:43 -05:00
Daniel P. Berrange
b170eb99f5 Add two new security label types
Curently security labels can be of type 'dynamic' or 'static'.
If no security label is given, then 'dynamic' is assumed. The
current code takes advantage of this default, and avoids even
saving <seclabel> elements with type='dynamic' to disk. This
means if you temporarily change security driver, the guests
can all still start.

With the introduction of sVirt to LXC though, there needs to be
a new default of 'none' to allow unconfined LXC containers.

This patch introduces two new security label types

 - default:  the host configuration decides whether to run the
             guest with type 'none' or 'dynamic' at guest start
 - none:     the guest will run unconfined by security policy

The 'none' label type will obviously be undesirable for some
deployments, so a new qemu.conf option allows a host admin to
mandate confined guests. It is also possible to turn off default
confinement

  security_default_confined = 1|0  (default == 1)
  security_require_confined = 1|0  (default == 0)

* src/conf/domain_conf.c, src/conf/domain_conf.h: Add new
  seclabel types
* src/security/security_manager.c, src/security/security_manager.h:
  Set default sec label types
* src/security/security_selinux.c: Handle 'none' seclabel type
* src/qemu/qemu.conf, src/qemu/qemu_conf.c, src/qemu/qemu_conf.h,
  src/qemu/libvirtd_qemu.aug: New security config options
* src/qemu/qemu_driver.c: Tell security driver about default
  config
2012-02-02 17:44:37 -07:00
Jiri Denemark
bc1edeb611 apparmor: Fix use of uninitialized random_data
Without this, virt-aa-helper would segfault in -c or -r commands.
2012-01-27 11:14:21 +01:00
Daniel P. Berrange
e95ef67b35 Introduce new API for generating random numbers
The old virRandom() API was not generating good random numbers.
Replace it with a new API virRandomBits which instead of being
told the upper limit, gets told the number of bits of randomness
required.

* src/util/virrandom.c, src/util/virrandom.h: Add virRandomBits,
  and move virRandomInitialize
* src/util/util.h, src/util/util.c: Delete virRandom and
  virRandomInitialize
* src/libvirt.c, src/security/security_selinux.c,
  src/test/test_driver.c, src/util/iohelper.c: Update for
  changes from virRandom to virRandomBits
* src/storage/storage_backend_iscsi.c: Remove bogus call
  to virRandomInitialize & convert to virRandomBits
2012-01-26 14:03:14 +00:00
Jiri Denemark
d82ef7c39d apparmor: Mark pid parameter as unused 2012-01-11 12:27:47 +01:00
Daniel P. Berrange
99be754ada Change security driver APIs to use virDomainDefPtr instead of virDomainObjPtr
When sVirt is integrated with the LXC driver, it will be neccessary
to invoke the security driver APIs using only a virDomainDefPtr
since the lxc_container.c code has no virDomainObjPtr available.
Aside from two functions which want obj->pid, every bit of the
security driver code only touches obj->def. So we don't need to
pass a virDomainObjPtr into the security drivers, a virDomainDefPtr
is sufficient. Two functions also gain a 'pid_t pid' argument.

* src/qemu/qemu_driver.c, src/qemu/qemu_hotplug.c,
  src/qemu/qemu_migration.c, src/qemu/qemu_process.c,
  src/security/security_apparmor.c,
  src/security/security_dac.c,
  src/security/security_driver.h,
  src/security/security_manager.c,
  src/security/security_manager.h,
  src/security/security_nop.c,
  src/security/security_selinux.c,
  src/security/security_stack.c: Change all security APIs to use a
  virDomainDefPtr instead of virDomainObjPtr
2012-01-11 09:52:18 +00:00
Eric Blake
904e05a292 seclabel: honor device override in selinux
This wires up the XML changes in the previous patch to let SELinux
labeling honor user overrides, as well as affecting the live XML
configuration in one case where the user didn't specify anything
in the offline XML.

I noticed that the logs contained messages like this:

2011-12-05 23:32:40.382+0000: 26569: warning : SELinuxRestoreSecurityFileLabel:533 : cannot lookup default selinux label for /nfs/libvirt/images/dom.img

for all my domain images living on NFS.  But if we would just remember
that on domain creation that we were unable to set a SELinux label (due to
NFSv3 lacking labels, or NFSv4 not being configured to expose attributes),
then we could avoid wasting the time trying to clear the label on
domain shutdown.  This in turn is one less point of NFS failure,
especially since there have been documented cases of virDomainDestroy
hanging during an attempted operation on a failed NFS connection.

* src/security/security_selinux.c (SELinuxSetFilecon): Move guts...
(SELinuxSetFileconHelper): ...to new function.
(SELinuxSetFileconOptional): New function.
(SELinuxSetSecurityFileLabel): Honor override label, and remember
if labeling failed.
(SELinuxRestoreSecurityImageLabelInt): Skip relabeling based on
override.
2011-12-30 10:57:59 +08:00
Josh Durgin
20e1233c31 security: don't try to label network disks
Network disks don't have paths to be resolved or files to be checked
for ownership. ee3efc41e6 checked this
for some image label functions, but was partially reverted in a
refactor.  This finishes adding the check to each security driver's
set and restore label methods for images.

Signed-off-by: Josh Durgin <josh.durgin@dreamhost.com>
2011-12-12 11:52:15 +01:00
Serge Hallyn
4cfdbfc46f apparmor: allow tunnelled migrations.
The pathname for the pipe for tunnelled migration is unresolvable.  The
libvirt apparmor driver therefore refuses access, causing migration to
fail.  If we can't resolve the path, the worst that can happen is that
we should have given permission to the file but didn't.  Otherwise
(especially since this is a /proc/$$/fd/N file) the file is already open
and libvirt won't be refused access by apparmor anyway.

Also adjust virt-aa-helper to allow access to the
*.tunnelmigrate.dest.name files.

For more information, see https://launchpad.net/bugs/869553.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
2011-12-02 12:31:51 -07:00
Michal Privoznik
a6916977bb conf: Improve incorrect root element error messages
When user pass wrong root element, it is not 'internal error' and
we can give him hint what we are expecting.
2011-11-28 15:12:37 +01:00
Daniel P. Berrange
07bf96ee3f Add missing defaultConsoleTargetType callback for AppArmour
Every instance of virCapsPtr must have the defaultConsoleTargetType
field set.

* src/security/virt-aa-helper.c: Add defaultConsoleTargetType to
  virCapsPtr
2011-11-07 15:15:25 +00:00
Daniel P. Berrange
0873b688c6 Allow multiple consoles per virtual guest
While Xen only has a single paravirt console, UML, and
QEMU both support multiple paravirt consoles. The LXC
driver can also be trivially made to support multiple
consoles. This patch extends the XML to allow multiple
<console> elements in the XML. It also makes the UML
and QEMU drivers support this config.

* src/conf/domain_conf.c, src/conf/domain_conf.h: Allow
  multiple <console> devices
* src/lxc/lxc_driver.c, src/xen/xen_driver.c,
  src/xenxs/xen_sxpr.c, src/xenxs/xen_xm.c: Update for
  internal API changes
* src/security/security_selinux.c, src/security/virt-aa-helper.c:
  Only label consoles that aren't a copy of the serial device
* src/qemu/qemu_command.c, src/qemu/qemu_driver.c,
  src/qemu/qemu_process.c, src/uml/uml_conf.c,
  src/uml/uml_driver.c: Support multiple console devices
* tests/qemuxml2xmltest.c, tests/qemuxml2argvtest.c: Extra
  tests for multiple virtio consoles. Set QEMU_CAPS_CHARDEV
  for all console /channel tests
* tests/qemuxml2argvdata/qemuxml2argv-channel-virtio-auto.args,
  tests/qemuxml2argvdata/qemuxml2argv-channel-virtio.args
  tests/qemuxml2argvdata/qemuxml2argv-console-virtio.args: Update
  for correct chardev syntax
* tests/qemuxml2argvdata/qemuxml2argv-console-virtio-many.args,
  tests/qemuxml2argvdata/qemuxml2argv-console-virtio-many.xml: New
  test file
2011-11-03 12:01:05 +00:00
Laine Stump
46e8dc710a security: properly chown/label bidirectional and unidirectional fifos
This patch fixes the regression with using named pipes for qemu serial
devices noted in:

  https://bugzilla.redhat.com/show_bug.cgi?id=740478

The problem was that, while new code in libvirt looks for a single
bidirectional fifo of the name given in the config, then relabels that
and continues without looking for / relabelling the two unidirectional
fifos named ${name}.in and ${name}.out, qemu looks in the opposite
order. So if the user had naively created all three fifos, libvirt
would relabel the bidirectional fifo to allow qemu access, but qemu
would attempt to use the two unidirectional fifos and fail (because it
didn't have proper permissions/rights).

This patch changes the order that libvirt looks for the fifos to match
what qemu does - first it looks for the dual fifos, then it looks for
the single bidirectional fifo. If it finds the dual unidirectional
fifos first, it labels/chowns them and ignores any possible
bidirectional fifo.

(Note commit d37c6a3a (which first appeared in libvirt-0.9.2) added
the code that checked for a bidirectional fifo. Prior to that commit,
bidirectional fifos for serial devices didn't work because libvirt
always required the ${name}.(in|out) fifos to exist, and qemu would
always prefer those.
2011-09-28 09:38:22 -04:00
Jamie Strandboge
03d89991f2 fix AppArmor driver for pipe character devices
The AppArmor security driver adds only the path specified in the domain
XML for character devices of type 'pipe'. It should be using <path>.in
and <path>.out. We do this by creating a new vah_add_file_chardev() and
use it for char devices instead of vah_add_file(). Also adjust
valid_path() to accept S_FIFO (since qemu chardevs of type 'pipe' use
fifos). This is https://launchpad.net/bugs/832507
2011-09-28 15:43:39 +08:00
Michal Privoznik
1888363d8b selinux: Correctly report warning if virt_use_nfs not set
Previous patch c9b37fee tried to deal with virt_use_nfs. But
setfilecon() returns EOPNOTSUPP on NFS so we need to move the
warning to else branch.
2011-09-23 12:15:55 +02:00
Peter Krempa
b998f1f77c xml: Clean up rest of virtual XML document names for XML strings
Commit 498d783 cleans up some of virtual file names for parsing strings
in memory. This patch cleans up (hopefuly) the rest forgotten by the
first patch.

This patch also changes all of the previously modified "filenames" to
valid URI's replacing spaces for underscores.

Changes to v1:
- Replace all spaces for underscores, so that the strings form valid
  URI's
- Replace spaces in places changed by commit 498d783
2011-09-14 09:09:04 -06:00
Michal Privoznik
c9b37fee25 selinux: Detect virt_use_nfs boolean set
If we fail setting label on a file and this file is on NFS share,
it is wise to advise user to set virt_use_nfs selinux boolean
variable.
2011-09-09 09:32:59 +02:00
Peter Krempa
498d783387 xml: Change virtual file names of xml documents parsed in memory
While parsing XML strings from memory, the previous convention in
libvirt was to set the virtual file name to "domain.xml" or something
similar. This could potentialy trick the user into looking for a file
named domain.xml on the disk in an attempt to fix the error.

This patch changes these filenames to something that can't be as easily
confused for a valid filename.

Examples of error messages:
---------------------------
Error while loading file from disk:

15:07:59.015: 527: error : catchXMLError:709 : /path/to/domain.xml:1: StartTag: invalid element name
<domain type='kvm'><
--------------------^

Error while parsing definition in memory:

15:08:43.581: 525: error : catchXMLError:709 : (domain definition):2: error parsing attribute name
  <name>vm1</name>
--^
2011-09-08 17:20:33 +01:00
Daniel P. Berrange
183383889a Remove bogus virSecurityManagerSetProcessFDLabel method
The virSecurityManagerSetProcessFDLabel method was introduced
after a mis-understanding from a conversation about SELinux
socket labelling. The virSecurityManagerSetSocketLabel method
should have been used for all such scenarios.

* src/security/security_apparmor.c, src/security/security_apparmor.c,
  src/security/security_driver.h, src/security/security_manager.c,
  src/security/security_manager.h, src/security/security_selinux.c,
  src/security/security_stack.c: Remove SetProcessFDLabel driver
2011-08-31 11:07:31 +01:00
Jiri Denemark
520d91f8bd security: Introduce SetSocketLabel
This API labels all sockets created until ClearSocketLabel is called in
a way that a vm can access them (i.e., they are labeled with svirt_t
based label in SELinux).
2011-08-26 11:52:48 +02:00
Jiri Denemark
4c85d96f27 security: Rename SetSocketLabel APIs to SetDaemonSocketLabel
The APIs are designed to label a socket in a way that the libvirt daemon
itself is able to access it (i.e., in SELinux the label is virtd_t based
as opposed to svirt_* we use for labeling resources that need to be
accessed by a vm). The new name reflects this.
2011-08-26 11:51:09 +02:00
Eric Blake
d89dd42d51 maint: simplify lots of libxml2 clients
Repetitive patterns should be factored.  The sign of a good
factorization is a change that kills 5x more lines than it adds :)

* src/conf/domain_conf.c (virDomainDeviceDefParse)
(virDomainSnapshotDefParseString): Use new convenience macros.
* src/conf/storage_conf.c (virStoragePoolDefParseSourceString):
Likewise.
* src/cpu/cpu.c (cpuCompareXML, cpuBaselineXML): Likewise.
* src/esx/esx_vi.c (esxVI_Context_Execute): Likewise.
* src/qemu/qemu_migration.c (qemuMigrationCookieXMLParseStr):
Likewise.
* src/security/virt-aa-helper.c (caps_mockup): Likewise.
* src/test/test_driver.c (testOpenFromFile): Likewise.
* tests/cputest.c (cpuTestLoadXML, cpuTestLoadMultiXML):
Likewise.
* tools/virsh.c (cmdFreecell, makeCloneXML, cmdVNCDisplay)
(cmdTTYConsole, cmdDetachInterface, cmdDetachDisk)
(cmdSnapshotCreate, cmdSnapshotCreateAs, cmdSnapshotCurrent)
(cmdSnapshotList, cmdSnapshotParent): Likewise.
2011-08-19 09:13:55 -06:00
Eric Blake
8e22e08935 build: rename files.h to virfile.h
In preparation for a future patch adding new virFile APIs.

* src/util/files.h, src/util/files.c: Move...
* src/util/virfile.h, src/util/virfile.c: ...here, and rename
functions to virFile prefix.  Macro names are intentionally
left alone.
* *.c: All '#include "files.h"' uses changed.
* src/Makefile.am (UTIL_SOURCES): Reflect rename.
* cfg.mk (exclude_file_name_regexp--sc_prohibit_close): Likewise.
* src/libvirt_private.syms: Likewise.
* docs/hacking.html.in: Likewise.
* HACKING: Regenerate.
2011-07-21 10:34:51 -06:00
Jamie Strandboge
3d7320403b update apparmor security driver for new udev paths
In the Ubuntu development release we recently got a new udev that
moves /var/run to /run, /var/lock to /run/lock and /dev/shm to /run/shm.
This change in udev requires updating the apparmor security driver in
libvirt[1].

Attached is a patch that:
 * adjusts src/security/virt-aa-helper.c to allow both
LOCALSTATEDIR/run/libvirt/**/%s.pid and /run/libvirt/**/%s.pid. While
the profile is not as precise, LOCALSTATEDIR/run/ is typically a symlink
to /run/ anyway, so there is no additional access (remember that
apparmor resolves symlinks, which is why this is still required even
if /var/run points to /run).
 * adjusts example/apparmor/libvirt-qemu paths for /dev/shm

[1]https://launchpad.net/bugs/810270

--
Jamie Strandboge             | http://www.canonical.com
2011-07-14 11:41:48 -06:00
Matthias Bolte
aa14709a47 Add domain type checking
The drivers were accepting domain configs without checking if those
were actually meant for them. For example the LXC driver happily
accepts configs with type QEMU.

Add a check for the expected domain types to the virDomainDefParse*
functions.
2011-07-11 19:38:51 +02:00
Matthias Bolte
2d2d6a01d7 apparmor: Finish incomplete renaming of relabel to norelabel
Commit 693eac388f was incomplete here.
2011-07-06 14:15:05 +02:00
Daniel P. Berrange
693eac388f Fix default value of security label 'relabel' attribute
When no <seclabel> is present in the XML, the virDomainSeclabelDef
struct is left as all zeros. Unfortunately, this means it gets setup
as type=dynamic, with relabel=no, which is an illegal combination.

Change the 'bool relabel' attribute in virDomainSeclabelDef to
the inverse 'bool norelabel' so that the default initialization
is sensible

* src/conf/domain_conf.c, src/conf/domain_conf.h,
  src/security/security_apparmor.c, src/security/security_selinux.c:
  Replace 'relabel' with 'norelabel'
2011-07-06 12:45:09 +01:00
Daniel P. Berrange
6321fd9798 Allow for resource relabelling with static labels
Add a new attribute to the <seclabel> XML to allow resource
relabelling to be enabled with static label usage.

  <seclabel model='selinux' type='static' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c392,c662</label>
  </seclabel>

* docs/schemas/domain.rng: Add relabel attribute
* src/conf/domain_conf.c, src/conf/domain_conf.h: Parse
  the 'relabel' attribute
* src/qemu/qemu_process.c: Unconditionally clear out the
  'imagelabel' attribute
* src/security/security_apparmor.c: Skip based on 'relabel'
  attribute instead of label type
* src/security/security_selinux.c: Skip based on 'relabel'
  attribute instead of label type and fill in <imagelabel>
  attribute if relabel is enabled.
2011-07-04 11:18:57 +01:00
Daniel P. Berrange
4ebfc42716 Allow a base label to be specified in dynamic labelling mode
Normally the dynamic labelling mode will always use a base
label of 'svirt_t' for VMs. Introduce a <baselabel> field
in the <seclabel> XML to allow this base label to be changed

eg

   <seclabel type='dynamic' model='selinux'>
     <baselabel>system_u:object_r:virt_t:s0</baselabel>
   </seclabel>

* docs/schemas/domain.rng: Add <baselabel>
* src/conf/domain_conf.c, src/conf/domain_conf.h: Parsing
  of base label
* src/qemu/qemu_process.c: Don't reset 'model' attribute if
  a base label is specified
* src/security/security_apparmor.c: Refuse to support base label
* src/security/security_selinux.c: Use 'baselabel' when generating
  label, if available
2011-07-04 11:17:19 +01:00
Daniel P. Berrange
8e3c6fbbe6 Add a virSecurityManagerSetProcessFDLabel
Add a new security driver method for labelling an FD with
the process label, rather than the image label

* src/libvirt_private.syms, src/security/security_apparmor.c,
  src/security/security_dac.c, src/security/security_driver.h,
  src/security/security_manager.c, src/security/security_manager.h,
  src/security/security_selinux.c, src/security/security_stack.c:
  Add virSecurityManagerSetProcessFDLabel & impl
2011-06-28 16:39:30 +01:00
Daniel P. Berrange
4438c63e71 Rename virSecurityManagerSetFDLabel method
The virSecurityManagerSetFDLabel method is used to label
file descriptors associated with disk images. There will
shortly be a need to label other file descriptors in a
different way. So the current name is ambiguous. Rename
the method to virSecurityManagerSetImageFDLabel to clarify
its purpose

* src/libvirt_private.syms,
  src/qemu/qemu_migration.c, src/qemu/qemu_process.c,
  src/security/security_apparmor.c, src/security/security_dac.c,
  src/security/security_driver.h, src/security/security_manager.c,
  src/security/security_manager.h, src/security/security_selinux.c,
  src/security/security_stack.c: s/FDLabel/ImageFDLabel/
2011-06-28 16:39:22 +01:00
Jamie Strandboge
0b501bd4e1 Move load of AppArmor profile to GenLabel()
Commit 12317957ec introduced an incompatible
architectural change for the AppArmor security driver. Specifically,
virSecurityManagerSetAllLabel() is now called much later in
src/qemu/qemu_process.c:qemuProcessStart(). Previously, SetAllLabel() was
called immediately after GenLabel() such that after the dynamic label (profile
name) was generated, SetAllLabel() would be called to create and load the
AppArmor profile into the kernel before qemuProcessHook() was executed. With
12317957ec, qemuProcessHook() is now called
before SetAllLabel(), such that aa_change_profile() ends up being called
before the AppArmor profile is loaded into the kernel (via ProcessLabel() in
qemuProcessHook()).

This patch addresses the change by making GenLabel() load the AppArmor
profile into the kernel after the label (profile name) is generated.
SetAllLabel() is then adjusted to only reload_profile() and append stdin_fn to
the profile when it is specified. This also makes the AppArmor driver work
like its SELinux counterpart with regard to SetAllLabel() and stdin_fn.
Bug-Ubuntu: https://launchpad.net/bugs/801569
2011-06-24 10:09:44 -06:00
Jamie Strandboge
b9757fea30 apparmor: implement AppArmorSetFDLabel()
During a savevm operation, libvirt will now use fd migration if qemu
supports it. When the AppArmor driver is enabled, AppArmorSetFDLabel()
is used but since this function simply returns '0', the dynamic AppArmor
profile is not updated and AppArmor blocks access to the save file. This
patch implements AppArmorSetFDLabel() to get the pathname of the file by
resolving the fd symlink in /proc, and then gives that pathname to
reload_profile(), which fixes 'virsh save' when AppArmor is enabled.

Reference: https://launchpad.net/bugs/795800
2011-06-20 11:53:24 +08:00
Eric Blake
7444f86024 virt-aa-helper: add missing include
Regression introduced in commit 02e8691.

* src/security/virt-aa-helper.c (includes): Reflect move of virRun.
2011-06-08 07:19:21 -06:00
Laine Stump
62ed801c13 security driver: ignore EINVAL when chowning an image file
This fixes:

  https://bugzilla.redhat.com/show_bug.cgi?id=702044
  https://bugzilla.redhat.com/show_bug.cgi?id=709454

Both of these complain of a failure to use an image file that resides
on a read-only NFS volume. The function in the DAC security driver
that chowns image files to the qemu user:group before using them
already has special cases to ignore failure of chown on read-only file
systems, and in a few other cases, but it hadn't been checking for
EINVAL, which is what is returned if the qemu user doesn't even exist
on the NFS server.

Since the explanation of EINVAL in the chown man page almost exactly
matches the log message already present for the case of EOPNOTSUPP,
I've just added EINVAL to that same conditional.
2011-06-03 12:27:05 -04:00
Eric Blake
b598ac555c security: plug regression introduced in disk probe logic
Regression introduced in commit d6623003 (v0.8.8) - using the
wrong sizeof operand meant that security manager private data
was overlaying the allowDiskFormatProbing member of struct
_virSecurityManager.  This reopens disk probing, which was
supposed to be prevented by the solution to CVE-2010-2238.

* src/security/security_manager.c
(virSecurityManagerGetPrivateData): Use correct offset.
2011-06-01 17:05:24 -06:00
Matthias Bolte
0ec289a469 apparmor: Fix compilation by removing remains from virCommand conversion
Commit aaf20355b8 was incomplete here and
missed to remove some parts.
2011-05-14 06:51:32 +02:00
Cole Robinson
aaf20355b8 apparmor: Convert virExec usage to virCommand
Untested
2011-05-13 14:19:08 -04:00
Cole Robinson
b9e51e5677 xml: Use virXMLParse* helpers everywhere
virt-aa-helper isn't even compile tested since I don't have the setup for
it.

v2:
    virt-aa-helper fixes from Eric
2011-05-13 10:32:53 -04:00
Matthias Bolte
ebea59ad82 apparmor: Fix uninitalized variable warning in virt-aa-helper 2011-05-10 08:03:31 +02:00
Daniel P. Berrange
d37c6a3ae0 Fix security driver handling of FIFOs with QEMU
When setting up a FIFO for QEMU, it allows either a pair
of fifos used unidirectionally, or a single fifo used
bidirectionally. Look for the bidirectional fifo first
when labelling since that is more useful

* src/security/security_dac.c,
  src/security/security_selinux.c: Fix fifo handling
2011-05-06 12:56:32 +01:00
Eric Blake
68ea80cfdd maint: rename virBufferVSprintf to virBufferAsprintf
We already have virAsprintf, so picking a similar name helps for
seeing a similar purpose.  Furthermore, the prefix V before printf
generally implies 'va_list', even though this variant was '...', and
the old name got in the way of adding a new va_list version.

global rename performed with:

$ git grep -l virBufferVSprintf \
  | xargs -L1 sed -i 's/virBufferVSprintf/virBufferAsprintf/g'

then revert the changes in ChangeLog-old.
2011-05-05 13:47:40 -06:00
Matthias Bolte
60d769a13a Remove virConnectPtr from virRaiseErrorFull
And from all related macros and functions.
2011-04-17 07:22:23 +02:00
Eric Blake
dbe3bad987 maint: use lighter-weight function for straight appends
It costs quite a few processor cycles to go through printf parsing
just to determine that we only meant to append.

* src/xen/xend_internal.c (xend_op_ext): Consolidate multiple
printfs into one.
* src/qemu/qemu_command.c (qemuBuildWatchdogDevStr)
(qemuBuildUSBInputDevStr, qemuBuildSoundDevStr)
(qemuBuildSoundCodecStr, qemuBuildVideoDevStr): Likewise.
(qemuBuildCpuArgStr, qemuBuildCommandLine): Prefer virBufferAdd
over virBufferVsprintf for trivial appends.
* src/phyp/phyp_driver.c (phypExec, phypUUIDTable_Push)
(phypUUIDTable_Pull): Likewise.
* src/conf/nwfilter_conf.c (macProtocolIDFormatter)
(arpOpcodeFormatter, formatIPProtocolID, printStringItems)
(virNWFilterPrintStateMatchFlags, virNWIPAddressFormat)
(virNWFilterDefFormat): Likewise.
* src/security/virt-aa-helper.c (main): Likewise.
* src/util/sexpr.c (sexpr2string): Likewise.
* src/xenxs/xen_sxpr.c (xenFormatSxprChr): Likewise.
* src/xenxs/xen_xm.c (xenFormatXMDisk): Likewise.
2011-04-15 15:26:26 -06:00
Matthias Bolte
97176c6350 virt-aa-helper: Remove PATH_MAX sized stack allocations 2011-04-05 08:55:27 +02:00
Eric Blake
0d166c6b7c build: detect potentential uninitialized variables
Even with -Wuninitialized (which is part of autobuild.sh
--enable-compile-warnings=error), gcc does NOT catch this
use of an uninitialized variable:

{
  if (cond)
    goto error;
  int a = 1;
error:
  printf("%d", a);
}

which prints 0 (supposing the stack started life wiped) if
cond was true.  Clang will catch it, but we don't use clang
as often.  Using gcc -Wjump-misses-init catches it, but also
gives false positives:

{
  if (cond)
    goto error;
  int a = 1;
  return a;
error:
  return 0;
}

Here, a was never used in the scope of the error block, so
declaring it after goto is technically fine (and clang agrees).
However, given that our HACKING already documents a preference
to C89 decl-before-statement, the false positive warning is
enough of a prod to comply with HACKING.

[Personally, I'd _really_ rather use C99 decl-after-statement
to minimize scope, but until gcc can efficiently and reliably
catch scoping and uninitialized usage bugs, I'll settle with
the compromise of enforcing a coding standard that happens to
reject false positives if it can also detect real bugs.]

* acinclude.m4 (LIBVIRT_COMPILE_WARNINGS): Add -Wjump-misses-init.
* src/util/util.c (__virExec): Adjust offenders.
* src/conf/domain_conf.c (virDomainTimerDefParseXML): Likewise.
* src/remote/remote_driver.c (doRemoteOpen): Likewise.
* src/phyp/phyp_driver.c (phypGetLparNAME, phypGetLparProfile)
(phypGetVIOSFreeSCSIAdapter, phypVolumeGetKey)
(phypGetStoragePoolDevice)
(phypVolumeGetPhysicalVolumeByStoragePool)
(phypVolumeGetPath): Likewise.
* src/vbox/vbox_tmpl.c (vboxNetworkUndefineDestroy)
(vboxNetworkCreate, vboxNetworkDumpXML)
(vboxNetworkDefineCreateXML): Likewise.
* src/xenapi/xenapi_driver.c (getCapsObject)
(xenapiDomainDumpXML): Likewise.
* src/xenapi/xenapi_utils.c (createVMRecordFromXml): Likewise.
* src/security/security_selinux.c (SELinuxGenNewContext):
Likewise.
* src/qemu/qemu_command.c (qemuBuildCommandLine): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainChangeEjectableMedia):
Likewise.
* src/qemu/qemu_process.c (qemuProcessWaitForMonitor): Likewise.
* src/qemu/qemu_monitor_text.c (qemuMonitorTextGetPtyPaths):
Likewise.
* src/qemu/qemu_driver.c (qemudDomainShutdown)
(qemudDomainBlockStats, qemudDomainMemoryPeek): Likewise.
* src/storage/storage_backend_iscsi.c
(virStorageBackendCreateIfaceIQN): Likewise.
* src/node_device/node_device_udev.c (udevProcessPCI): Likewise.
2011-04-04 11:26:29 -06:00
Eric Blake
208a044a54 command: properly diagnose process exit via signal
Child processes don't always reach _exit(); if they die from a
signal, then any messages should still be accurate.  Most users
either expect a 0 status (thankfully, if status==0, then
WIFEXITED(status) is true and WEXITSTATUS(status)==0 for all
known platforms) or were filtering on WIFEXITED before printing
a status, but a few were missing this check.  Additionally,
nwfilter_ebiptables_driver was making an assumption that works
on Linux (where WEXITSTATUS shifts and WTERMSIG just masks)
but fails on other platforms (where WEXITSTATUS just masks and
WTERMSIG shifts).

* src/util/command.h (virCommandTranslateStatus): New helper.
* src/libvirt_private.syms (command.h): Export it.
* src/util/command.c (virCommandTranslateStatus): New function.
(virCommandWait): Use it to also diagnose status from signals.
* src/security/security_apparmor.c (load_profile): Likewise.
* src/storage/storage_backend.c
(virStorageBackendQEMUImgBackingFormat): Likewise.
* src/util/util.c (virExecDaemonize, virRunWithHook)
(virFileOperation, virDirCreate): Likewise.
* daemon/remote.c (remoteDispatchAuthPolkit): Likewise.
* src/nwfilter/nwfilter_ebiptables_driver.c (ebiptablesExecCLI):
Likewise.
2011-03-25 05:34:48 -06:00
Eric Blake
3dfd4ea398 build: avoid compiler warning on cygwin
On cygwin:

  CC       libvirt_driver_security_la-security_dac.lo
security/security_dac.c: In function 'virSecurityDACSetProcessLabel':
security/security_dac.c:618: warning: format '%d' expects type 'int', but argument 7 has type 'uid_t' [-Wformat]

We've done this before (see src/util/util.c).

* src/security/security_dac.c (virSecurityDACSetProcessLabel): On
cygwin, uid_t is a 32-bit long.
2011-03-08 21:56:18 -07:00
Soren Hansen
e5f3b90e97 Pass virSecurityManagerPtr to virSecurityDAC{Set, Restore}ChardevCallback
virSecurityDAC{Set,Restore}ChardevCallback expect virSecurityManagerPtr,
but are passed virDomainObjPtr instead. This makes
virSecurityDACSetChardevLabel set a wrong uid/gid on chardevs. This
patch fixes this behaviour.

Signed-off-by: Soren Hansen <soren@linux2go.dk>
2011-03-03 08:08:16 -07:00
Daniel P. Berrange
35416720c2 Put <stdbool.h> into internal.h so it is available everywhere
Remove the <stdbool.h> header from all source files / headers
and just put it into internal.h

* src/internal.h: Add <stdbool.h>
2011-02-24 12:04:06 +00:00
Eric Blake
009fce98be security: avoid memory leak
Leak introduced in commit d6623003.

* src/qemu/qemu_driver.c (qemuSecurityInit): Avoid leak on failure.
* src/security/security_stack.c (virSecurityStackClose): Avoid
leaking component drivers.
2011-02-22 09:50:34 -07:00
Eric Blake
994e7567b6 maint: kill all remaining uses of old DEBUG macro
Done mechanically with:
$ git grep -l '\bDEBUG0\? *(' | xargs -L1 sed -i 's/\bDEBUG0\? *(/VIR_&/'

followed by manual deletion of qemudDebug in daemon/libvirtd.c, along
with a single 'make syntax-check' fallout in the same file, and the
actual deletion in src/util/logging.h.

* src/util/logging.h (DEBUG, DEBUG0): Delete.
* daemon/libvirtd.h (qemudDebug): Likewise.
* global: Change remaining clients over to VIR_DEBUG counterpart.
2011-02-21 08:46:52 -07:00
Eric Blake
32e52134ff smartcard: enable SELinux support
* src/security/security_selinux.c
(SELinuxRestoreSecuritySmartcardCallback)
(SELinuxSetSecuritySmartcardCallback): New helper functions.
(SELinuxRestoreSecurityAllLabel, SELinuxSetSecurityAllLabel): Use
them.
2011-02-03 19:28:53 -07:00
Laine Stump
d89608f994 Add a function to the security driver API that sets the label of an open fd.
A need was found to set the SELinux context label on an open fd (a
pipe, as a matter of fact). This patch adds a function to the security
driver API that will set the label on an open fd to secdef.label. For
all drivers other than the SELinux driver, it's a NOP. For the SElinux
driver, it calls fsetfilecon().

If the return is a failure, it only returns error up to the caller if
1) the desired label is different from the existing label, 2) the
destination fd is of a type that supports setting the selinux context,
and 3) selinux is in enforcing mode. Otherwise it will return
success. This follows the pattern of the existing function
SELinuxSetFilecon().
2011-01-26 09:03:11 -05:00
Daniel P. Berrange
31c698d76d Avoid crash in security driver if model is NULL
If the XML security model is NULL, it is assumed that the current
model will be used with dynamic labelling. The verify step is
meaningless and potentially crashes if dereferencing NULL

* src/security/security_manager.c: Skip NULL model on verify
2011-01-21 16:07:04 +00:00
Eric Blake
98334e7c3a domain_conf: split source data out from ChrDef
This opens up the possibility of reusing the smaller ChrSourceDef
for both qemu monitor and a passthrough smartcard device.

* src/conf/domain_conf.h (_virDomainChrDef): Factor host
details...
(_virDomainChrSourceDef): ...into new struct.
(virDomainChrSourceDefFree): New prototype.
* src/conf/domain_conf.c (virDomainChrDefFree)
(virDomainChrDefParseXML, virDomainChrDefFormat): Split...
(virDomainChrSourceDefClear, virDomainChrSourceDefFree)
(virDomainChrSourceDefParseXML, virDomainChrSourceDefFormat):
...into new functions.
(virDomainChrDefParseTargetXML): Update clients to reflect type
split.
* src/vmx/vmx.c (virVMXParseSerial, virVMXParseParallel)
(virVMXFormatSerial, virVMXFormatParallel): Likewise.
* src/xen/xen_driver.c (xenUnifiedDomainOpenConsole): Likewise.
* src/xen/xend_internal.c (xenDaemonParseSxprChar)
(xenDaemonFormatSxprChr): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainDumpXML, vboxAttachSerial)
(vboxAttachParallel): Likewise.
* src/security/security_dac.c (virSecurityDACSetChardevLabel)
(virSecurityDACSetChardevCallback)
(virSecurityDACRestoreChardevLabel)
(virSecurityDACRestoreChardevCallback): Likewise.
* src/security/security_selinux.c (SELinuxSetSecurityChardevLabel)
(SELinuxSetSecurityChardevCallback)
(SELinuxRestoreSecurityChardevLabel)
(SELinuxSetSecurityChardevCallback): Likewise.
* src/security/virt-aa-helper.c (get_files): Likewise.
* src/lxc/lxc_driver.c (lxcVmStart, lxcDomainOpenConsole):
Likewise.
* src/uml/uml_conf.c (umlBuildCommandLineChr): Likewise.
* src/uml/uml_driver.c (umlIdentifyOneChrPTY, umlIdentifyChrPTY)
(umlDomainOpenConsole): Likewise.
* src/qemu/qemu_command.c (qemuBuildChrChardevStr)
(qemuBuildChrArgStr, qemuBuildCommandLine)
(qemuParseCommandLineChr): Likewise.
* src/qemu/qemu_domain.c (qemuDomainObjPrivateXMLFormat)
(qemuDomainObjPrivateXMLParse): Likewise.
* src/qemu/qemu_cgroup.c (qemuSetupChardevCgroup): Likewise.
* src/qemu/qemu_hotplug.c (qemuDomainAttachNetDevice): Likewise.
* src/qemu/qemu_driver.c (qemudFindCharDevicePTYsMonitor)
(qemudFindCharDevicePTYs, qemuPrepareChardevDevice)
(qemuPrepareMonitorChr, qemudShutdownVMDaemon)
(qemuDomainOpenConsole): Likewise.
* src/qemu/qemu_command.h (qemuBuildChrChardevStr)
(qemuBuildChrArgStr): Delete, now that they are static.
* src/libvirt_private.syms (domain_conf.h): New exports.
* cfg.mk (useless_free_options): Update list.
* tests/qemuxml2argvtest.c (testCompareXMLToArgvFiles): Update
tests.
2011-01-14 09:54:26 -07:00
Daniel P. Berrange
d6623003c6 Refactor the security drivers to simplify usage
The current security driver usage requires horrible code like

    if (driver->securityDriver &&
        driver->securityDriver->domainSetSecurityHostdevLabel &&
        driver->securityDriver->domainSetSecurityHostdevLabel(driver->securityDriver,
                                                              vm, hostdev) < 0)

This pair of checks for NULL clutters up the code, making the driver
calls 2 lines longer than they really need to be. The goal of the
patchset is to change the calling convention to simply

  if (virSecurityManagerSetHostdevLabel(driver->securityDriver,
                                        vm, hostdev) < 0)

The first check for 'driver->securityDriver' being NULL is removed
by introducing a 'no op' security driver that will always be present
if no real driver is enabled. This guarentees driver->securityDriver
!= NULL.

The second check for 'driver->securityDriver->domainSetSecurityHostdevLabel'
being non-NULL is hidden in a new abstraction called virSecurityManager.
This separates the driver callbacks, from main internal API. The addition
of a virSecurityManager object, that is separate from the virSecurityDriver
struct also allows for security drivers to carry state / configuration
information directly. Thus the DAC/Stack drivers from src/qemu which
used to pull config from 'struct qemud_driver' can now be moved into
the 'src/security' directory and store their config directly.

* src/qemu/qemu_conf.h, src/qemu/qemu_driver.c: Update to
  use new virSecurityManager APIs
* src/qemu/qemu_security_dac.c,  src/qemu/qemu_security_dac.h
  src/qemu/qemu_security_stacked.c, src/qemu/qemu_security_stacked.h:
  Move into src/security directory
* src/security/security_stack.c, src/security/security_stack.h,
  src/security/security_dac.c, src/security/security_dac.h: Generic
  versions of previous QEMU specific drivers
* src/security/security_apparmor.c, src/security/security_apparmor.h,
  src/security/security_driver.c, src/security/security_driver.h,
  src/security/security_selinux.c, src/security/security_selinux.h:
  Update to take virSecurityManagerPtr object as the first param
  in all callbacks
* src/security/security_nop.c, src/security/security_nop.h: Stub
  implementation of all security driver APIs.
* src/security/security_manager.h, src/security/security_manager.c:
  New internal API for invoking security drivers
* src/libvirt.c: Add missing debug for security APIs
2011-01-10 18:10:52 +00:00
Josh Durgin
ee3efc41e6 Skip file-based security checks for network disks
Network disks are accessed by qemu directly, and have no
associated file on the host, so checking for file ownership etc.
is unnecessary.

Signed-off-by: Josh Durgin <joshd@hq.newdream.net>
2010-12-21 07:30:25 -07:00
Eric Blake
8e2b26db94 build: allow older libselinux again
* configure.ac (with_selinux): Check for <selinux/label.h>.
* src/security/security_selinux.c (getContext): New function.
(SELinuxRestoreSecurityFileLabel): Use it to restore compilation
when using older libselinux.
2010-12-20 10:26:15 -07:00
Eric Blake
6679943f94 selinux: avoid memory overhead of matchpathcon
https://bugzilla.redhat.com/show_bug.cgi?id=658657

* src/security/security_selinux.c
(SELinuxRestoreSecurityFileLabel): Use selabel_lookup instead of
matchpathcon.
Suggested by Daniel Walsh.
2010-12-13 17:01:57 -07:00
Eric Blake
d95488dce5 security, storage: plug memory leaks for security_context_t
security_context_t happens to be a typedef for char*, and happens to
begin with a string usable as a raw context string.  But in reality,
it is an opaque type that may or may not have additional information
after the first NUL byte, where that additional information can
include pointers that can only be freed via freecon().

Proof is from this valgrind run of daemon/libvirtd:

==6028== 839,169 (40 direct, 839,129 indirect) bytes in 1 blocks are definitely lost in loss record 274 of 274
==6028==    at 0x4A0515D: malloc (vg_replace_malloc.c:195)
==6028==    by 0x3022E0D48C: selabel_open (label.c:165)
==6028==    by 0x3022E11646: matchpathcon_init_prefix (matchpathcon.c:296)
==6028==    by 0x3022E1190D: matchpathcon (matchpathcon.c:317)
==6028==    by 0x4F9D842: SELinuxRestoreSecurityFileLabel (security_selinux.c:382)

800k is a lot of memory to be leaking.

* src/storage/storage_backend.c
(virStorageBackendUpdateVolTargetInfoFD): Avoid leak on error.
* src/security/security_selinux.c
(SELinuxReserveSecurityLabel, SELinuxGetSecurityProcessLabel)
(SELinuxRestoreSecurityFileLabel): Use correct function to free
security_context_t.
2010-11-24 15:23:43 -07:00
Daniel Veillard
83fa118458 Fix a failure to restore SELinux label for character devices
The code in SELinuxRestoreSecurityChardevLabel() was trying to
use SELinuxSetFilecon directly for devices or file types while
it should really use SELinuxRestoreSecurityFileLabel encapsulating
routine, which avoid various problems like resolving symlinks,
making sure he file exists and work around NFS problems
2010-11-18 17:55:14 +01:00
Matthias Bolte
c505eafeda virt-aa-helper: Fix several compile errors
Include locale.h for setlocale().

Revert the usage string back to it's original form.

Use puts() instead of fputs(), as fputs() expects a FILE*.

Add closing parenthesis to some vah_error() calls.

Use argv[0] instead of an undefined argv0.
2010-11-17 21:36:27 +01:00
Eric Blake
e8aba782e7 maint: avoid remaining sprintf uses
* cfg.mk (sc_prohibit_sprintf): New rule.
(sc_prohibit_asprintf): Avoid false positives.
* docs/hacking.html.in (Printf-style functions): Document the
policy.
* HACKING: Regenerate.
* .x-sc_prohibit_sprintf: New exemptions.
* Makefile.am (syntax_check_exceptions): Ship new file.
* src/vbox/vbox_tmpl.c (vboxStartMachine, vboxAttachUSB): Use
virAsprintf instead.
* src/uml/uml_driver.c (umlOpenMonitor): Use snprintf instead.
* tools/virsh.c (cmdDetachInterface): Likewise.
* src/security/security_selinux.c (SELinuxGenSecurityLabel):
Likewise.
* src/openvz/openvz_driver.c (openvzDomainDefineCmd): Likewise,
and ensure large enough buffer.
2010-11-17 10:13:12 -07:00
Eric Blake
c811d46fab virt-aa-helper: translate error messages
These messages are visible to the user, so they should be
consistently translated.

* cfg.mk (msg_gen_function): Add vah_error, vah_warning.
* src/security/virt-aa-helper.c: Translate messages.
(catchXMLError): Fix capitalization.
2010-11-17 10:13:12 -07:00
Eric Blake
981d2cdab4 maint: improve i18n on non-Linux
Per the gettext developer:
http://lists.gnu.org/archive/html/bug-gnu-utils/2010-10/msg00019.html
http://lists.gnu.org/archive/html/bug-gnu-utils/2010-10/msg00021.html

gettext() doesn't work correctly on all platforms unless you have
called setlocale().  Furthermore, gnulib's gettext.h has provisions
for setting up a default locale, which is the preferred method for
libraries to use gettext without having to call textdomain() and
override the main program's default domain (virInitialize already
calls bindtextdomain(), but this is insufficient without the
setlocale() added in this patch; and a redundant bindtextdomain()
in this patch doesn't hurt, but serves as a good example for other
packages that need to bind a second translation domain).

This patch is needed to silence a new gnulib 'make syntax-check'
rule in the next patch.

* daemon/libvirtd.c (main): Setup locale and gettext.
* src/lxc/lxc_controller.c (main): Likewise.
* src/security/virt-aa-helper.c (main): Likewise.
* src/storage/parthelper.c (main): Likewise.
* tools/virsh.c (main): Fix exit status.
* src/internal.h (DEFAULT_TEXT_DOMAIN): Define, for gettext.h.
(_): Simplify definition accordingly.
* po/POTFILES.in: Add src/storage/parthelper.c.
2010-11-17 10:12:57 -07:00
Eric Blake
0d5f54bb21 maint: use gnulib configmake rather than open-coding things
* bootstrap.conf (gnulib_modules): Add configmake.
* daemon/Makefile.am (libvirtd_CFLAGS): Drop defines provided by
gnulib.
* src/Makefile.am (INCLUDES): Likewise.
* tests/Makefile.am (INCLUDES): Likewise.
* tools/Makefile.am (virsh_CFLAGS): Likewise.
* daemon/libvirtd.c (qemudInitPaths, usage, main): Update
clients.
* src/cpu/cpu_map.c (CPUMAPFILE): Likewise.
* src/driver.c (DEFAULT_DRIVER_DIR): Likewise.
* src/internal.h (_): Likewise.
* src/libvirt.c (virInitialize): Likewise.
* src/lxc/lxc_conf.h (LXC_CONFIG_DIR, LXC_STATE_DIR, LXC_LOG_DIR):
Likewise.
* src/lxc/lxc_conf.c (lxcCapsInit, lxcLoadDriverConfig):
Likewise.
* src/network/bridge_driver.c (NETWORK_PID_DIR)
(NETWORK_STATE_DIR, DNSMASQ_STATE_DIR, networkStartup): Likewise.
* src/nwfilter/nwfilter_driver.c (nwfilterDriverStartup):
Likewise.
* src/qemu/qemu_conf.c (qemudLoadDriverConfig): Likewise.
* src/qemu/qemu_driver.c (qemudStartup): Likewise.
* src/remote/remote_driver.h (LIBVIRTD_PRIV_UNIX_SOCKET)
(LIBVIRTD_PRIV_UNIX_SOCKET_RO, LIBVIRTD_CONFIGURATION_FILE)
(LIBVIRT_PKI_DIR): Likewise.
* src/secret/secret_driver.c (secretDriverStartup): Likewise.
* src/security/security_apparmor.c (VIRT_AA_HELPER): Likewise.
* src/security/virt-aa-helper.c (main): Likewise.
* src/storage/storage_backend_disk.c (PARTHELPER): Likewise.
* src/storage/storage_driver.c (storageDriverStartup): Likewise.
* src/uml/uml_driver.c (TEMPDIR, umlStartup): Likewise.
* src/util/hooks.c (LIBVIRT_HOOK_DIR): Likewise.
* tools/virsh.c (main): Likewise.
* docs/hooks.html.in: Likewise.
2010-11-17 08:58:58 -07:00
Jamie Strandboge
29318e177a virt-aa-helper should require <uuid> in XML
When <uuid> is not in the XML, a virUUIDGenerate() ends up being called which
is unnecessary and can lead to crashes if /dev/urandom isn't available
because virRandomInitialize() is not called within virt-aa-helper. This patch
adds verify_xpath_context() and updates caps_mockup() to use it.

Bug-Ubuntu: https://launchpad.net/bugs/672943
2010-11-11 14:59:50 -07:00
Laine Stump
5b04f42c6f ignore SELinuxSetFilecon error in SELinuxSetSecurityFileLabel if on nfs
If virDomainAttachDevice() was called with an image that was located
on a root-squashed NFS server, and in a directory that was unreadable
by root on the machine running libvirtd, the attach would fail due to
an attempt to change the selinux label of the image with EACCES (which
isn't covered as an ignore case in SELinuxSetFilecon())

NFS doesn't support SELinux labelling anyway, so we mimic the failure
handling of commit 93a18bbafa, which
just ignores the errors if the target is on an NFS filesystem (in
SELinuxSetSecurityAllLabel() only, though.)

This can be seen as a follow-on to commit
347d266c51, which ignores file open
failures of files on NFS that occur directly in
virDomainDiskDefForeachPath() (also necessary), but does not ignore
failures in functions that are called from there (eg
SELinuxSetSecurityFileLabel()).
2010-11-11 11:43:06 -05:00
Stefan Berger
60ae1c34ad bye to close(), welcome to VIR_(FORCE_)CLOSE()
Using automated replacement with sed and editing I have now replaced all
occurrences of close() with VIR_(FORCE_)CLOSE() except for one, of
course. Some replacements were straight forward, others I needed to pay
attention. I hope I payed attention in all the right places... Please
have a look. This should have at least solved one more double-close
error.
2010-11-09 15:48:48 -05:00
Daniel P. Berrange
347d266c51 Ignore open failures when relabelling disk images
NFS in root squash mode may prevent opening disk images to
determine backing store. Ignore errors in this scenario.

* src/security/security_selinux.c: Ignore open failures on disk
  images
2010-11-02 14:38:23 +00:00
Daniel P. Berrange
93a18bbafa Treat failure to relabel stdin_path as non-fatal on NFS
NFS does not support file labelling, so ignore this error
for stdin_path when on NFS.

* src/security/security_selinux.c: Ignore failures on labelling
  stdin_path on NFS
* src/util/storage_file.c, src/util/storage_file.h: Refine
  virStorageFileIsSharedFS() to allow it to check for a
  specific FS type.
2010-11-02 14:38:19 +00:00
Daniel P. Berrange
e06772f006 Remove audit hooks from the selinux security driver code
This reverts commit b8e2de8899
The hooks will be re-added in the QEMU driver itself.

* src/security/security_selinux.c: Remove audit hooks
2010-10-27 17:03:21 +01:00