mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-28 08:35:22 +00:00
6f290666dc
Normally libvirtd should run with a SELinux label
system_u:system_r:virtd_t:s0-s0:c0.c1023
If a user manually runs libvirtd though, it is sometimes
possible to get into a situation where it is running
system_u:system_r:init_t:s0
The SELinux security driver isn't expecting this and can't
parse the security label since it lacks the ':c0.c1023' part
causing it to complain
internal error Cannot parse sensitivity level in s0
This updates the parser to cope with this, so if no category
is present, libvirtd will hardcode the equivalent of c0.c1023.
Now this won't work if SELinux is in Enforcing mode, but that's
not an issue, because the user can only get into this problem
if in Permissive mode. This means they can now start VMs in
Permissive mode without hitting that parsing error
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 1732c1c629)
Conflicts:
src/security/security_selinux.c
340 lines
10 KiB
C
340 lines
10 KiB
C
/*
|
|
* Copyright (C) 2011-2012 Red Hat, Inc.
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library. If not, see
|
|
* <http://www.gnu.org/licenses/>.
|
|
*
|
|
*/
|
|
|
|
|
|
#include <config.h>
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <time.h>
|
|
|
|
#include <selinux/selinux.h>
|
|
#include <selinux/context.h>
|
|
|
|
#include "internal.h"
|
|
#include "testutils.h"
|
|
#include "memory.h"
|
|
#include "util.h"
|
|
#include "logging.h"
|
|
#include "virterror_internal.h"
|
|
#include "security/security_manager.h"
|
|
|
|
|
|
#define VIR_FROM_THIS VIR_FROM_NONE
|
|
|
|
struct testSELinuxGenLabelData {
|
|
virSecurityManagerPtr mgr;
|
|
|
|
const char *pidcon;
|
|
|
|
bool dynamic;
|
|
const char *label;
|
|
const char *baselabel;
|
|
|
|
const char *user;
|
|
const char *role;
|
|
const char *imagerole;
|
|
const char *type;
|
|
const char *imagetype;
|
|
|
|
int sensMin;
|
|
int sensMax;
|
|
int catMin;
|
|
int catMax;
|
|
};
|
|
|
|
static virDomainDefPtr
|
|
testBuildDomainDef(bool dynamic,
|
|
const char *label,
|
|
const char *baselabel)
|
|
{
|
|
virDomainDefPtr def;
|
|
virSecurityLabelDefPtr secdef;
|
|
|
|
if (VIR_ALLOC(def) < 0)
|
|
goto no_memory;
|
|
|
|
if (VIR_ALLOC_N(def->seclabels, 1) < 0)
|
|
goto no_memory;
|
|
|
|
if (VIR_ALLOC(secdef) < 0)
|
|
goto no_memory;
|
|
|
|
def->virtType = VIR_DOMAIN_VIRT_KVM;
|
|
def->seclabels[0] = secdef;
|
|
def->seclabels[0]->type = dynamic ? VIR_DOMAIN_SECLABEL_DYNAMIC : VIR_DOMAIN_SECLABEL_STATIC;
|
|
|
|
if (label &&
|
|
!(def->seclabels[0]->label = strdup(label)))
|
|
goto no_memory;
|
|
|
|
if (baselabel &&
|
|
!(def->seclabels[0]->baselabel = strdup(baselabel)))
|
|
goto no_memory;
|
|
|
|
return def;
|
|
|
|
no_memory:
|
|
virReportOOMError();
|
|
virDomainDefFree(def);
|
|
return NULL;
|
|
}
|
|
|
|
|
|
static bool
|
|
testSELinuxCheckCon(context_t con,
|
|
const char *user,
|
|
const char *role,
|
|
const char *type,
|
|
int sensMin,
|
|
int sensMax ATTRIBUTE_UNUSED,
|
|
int catMin,
|
|
int catMax)
|
|
{
|
|
const char *range;
|
|
char *tmp;
|
|
int gotSens;
|
|
int gotCatOne;
|
|
int gotCatTwo;
|
|
|
|
if (STRNEQ(context_user_get(con), user)) {
|
|
fprintf(stderr, "Expect user %s got %s\n",
|
|
user, context_user_get(con));
|
|
return false;
|
|
}
|
|
if (STRNEQ(context_role_get(con), role)) {
|
|
fprintf(stderr, "Expect role %s got %s\n",
|
|
role, context_role_get(con));
|
|
return false;
|
|
}
|
|
if (STRNEQ(context_type_get(con), type)) {
|
|
fprintf(stderr, "Expect type %s got %s\n",
|
|
type, context_type_get(con));
|
|
return false;
|
|
}
|
|
|
|
range = context_range_get(con);
|
|
if (range[0] != 's') {
|
|
fprintf(stderr, "Malformed range %s, cannot find sensitivity\n",
|
|
range);
|
|
return false;
|
|
}
|
|
if (virStrToLong_i(range + 1, &tmp, 10, &gotSens) < 0 ||
|
|
!tmp) {
|
|
fprintf(stderr, "Malformed range %s, cannot parse sensitivity\n",
|
|
range + 1);
|
|
return false;
|
|
}
|
|
if (*tmp != ':') {
|
|
fprintf(stderr, "Malformed range %s, too many sensitivity values\n",
|
|
tmp);
|
|
return false;
|
|
}
|
|
tmp++;
|
|
if (*tmp != 'c') {
|
|
fprintf(stderr, "Malformed range %s, cannot find first category\n",
|
|
tmp);
|
|
return false;
|
|
}
|
|
tmp++;
|
|
if (virStrToLong_i(tmp, &tmp, 10, &gotCatOne) < 0) {
|
|
fprintf(stderr, "Malformed range %s, cannot parse category one\n",
|
|
tmp);
|
|
return false;
|
|
}
|
|
if (tmp && *tmp == ',')
|
|
tmp++;
|
|
if (tmp && *tmp == 'c') {
|
|
tmp++;
|
|
if (virStrToLong_i(tmp, &tmp, 10, &gotCatTwo) < 0) {
|
|
fprintf(stderr, "Malformed range %s, cannot parse category two\n",
|
|
tmp);
|
|
return false;
|
|
}
|
|
if (*tmp != '\0') {
|
|
fprintf(stderr, "Malformed range %s, junk after second category\n",
|
|
tmp);
|
|
return false;
|
|
}
|
|
if (gotCatOne == gotCatTwo) {
|
|
fprintf(stderr, "Saw category pair %d,%d where cats were equal\n",
|
|
gotCatOne, gotCatTwo);
|
|
return false;
|
|
}
|
|
} else {
|
|
gotCatTwo = gotCatOne;
|
|
}
|
|
|
|
if (gotSens != sensMin) {
|
|
fprintf(stderr, "Sensitivity %d is not equal to min %d\n",
|
|
gotSens, sensMin);
|
|
return false;
|
|
}
|
|
if (gotCatOne < catMin ||
|
|
gotCatOne > catMax) {
|
|
fprintf(stderr, "Category one %d is out of range %d-%d\n",
|
|
gotCatTwo, catMin, catMax);
|
|
return false;
|
|
}
|
|
if (gotCatTwo < catMin ||
|
|
gotCatTwo > catMax) {
|
|
fprintf(stderr, "Category two %d is out of range %d-%d\n",
|
|
gotCatTwo, catMin, catMax);
|
|
return false;
|
|
}
|
|
|
|
if (gotCatOne > gotCatTwo) {
|
|
fprintf(stderr, "Category one %d is greater than category two %d\n",
|
|
gotCatOne, gotCatTwo);
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static int
|
|
testSELinuxGenLabel(const void *opaque)
|
|
{
|
|
const struct testSELinuxGenLabelData *data = opaque;
|
|
int ret = -1;
|
|
virDomainDefPtr def;
|
|
context_t con = NULL;
|
|
context_t imgcon = NULL;
|
|
|
|
if (setcon_raw((security_context_t)data->pidcon) < 0) {
|
|
perror("Cannot set process security context");
|
|
return -1;
|
|
}
|
|
|
|
if (!(def = testBuildDomainDef(data->dynamic,
|
|
data->label,
|
|
data->baselabel)))
|
|
goto cleanup;
|
|
|
|
if (virSecurityManagerGenLabel(data->mgr, def) < 0) {
|
|
virErrorPtr err = virGetLastError();
|
|
fprintf(stderr, "Cannot generated label %s\n", err->message);
|
|
goto cleanup;
|
|
}
|
|
|
|
VIR_DEBUG("label=%s imagelabel=%s",
|
|
def->seclabels[0]->label, def->seclabels[0]->imagelabel);
|
|
|
|
if (!(con = context_new(def->seclabels[0]->label)))
|
|
goto cleanup;
|
|
if (!(imgcon = context_new(def->seclabels[0]->imagelabel)))
|
|
goto cleanup;
|
|
|
|
if (!testSELinuxCheckCon(con,
|
|
data->user, data->role, data->type,
|
|
data->sensMin, data->sensMax,
|
|
data->catMin, data->catMax))
|
|
goto cleanup;
|
|
|
|
if (!testSELinuxCheckCon(imgcon,
|
|
data->user, data->imagerole, data->imagetype,
|
|
data->sensMin, data->sensMax,
|
|
data->catMin, data->catMax))
|
|
goto cleanup;
|
|
|
|
ret = 0;
|
|
|
|
cleanup:
|
|
context_free(con);
|
|
context_free(imgcon);
|
|
virDomainDefFree(def);
|
|
return ret;
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
mymain(void)
|
|
{
|
|
int ret = 0;
|
|
virSecurityManagerPtr mgr;
|
|
|
|
if (!(mgr = virSecurityManagerNew("selinux", "QEMU", false, true, false))) {
|
|
virErrorPtr err = virGetLastError();
|
|
if (err->code == VIR_ERR_CONFIG_UNSUPPORTED)
|
|
exit(EXIT_AM_SKIP);
|
|
|
|
fprintf(stderr, "Unable to initialize security driver: %s\n",
|
|
err->message);
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
#define DO_TEST_GEN_LABEL(desc, pidcon, \
|
|
dynamic, label, baselabel, \
|
|
user, role, imageRole, \
|
|
type, imageType, \
|
|
sensMin, sensMax, catMin, catMax) \
|
|
do { \
|
|
struct testSELinuxGenLabelData data = { \
|
|
mgr, pidcon, dynamic, label, baselabel, \
|
|
user, role, imageRole, type, imageType, \
|
|
sensMin, sensMax, catMin, catMax \
|
|
}; \
|
|
if (virtTestRun("GenLabel " # desc, 1, testSELinuxGenLabel, &data) < 0) \
|
|
ret = -1; \
|
|
} while (0)
|
|
|
|
DO_TEST_GEN_LABEL("dynamic unconfined, s0, c0.c1023",
|
|
"unconfined_u:unconfined_r:unconfined_t:s0",
|
|
true, NULL, NULL,
|
|
"unconfined_u", "unconfined_r", "object_r",
|
|
"svirt_t", "svirt_image_t",
|
|
0, 0, 0, 1023);
|
|
DO_TEST_GEN_LABEL("dynamic unconfined, s0, c0.c1023",
|
|
"unconfined_u:unconfined_r:unconfined_t:s0-s0",
|
|
true, NULL, NULL,
|
|
"unconfined_u", "unconfined_r", "object_r",
|
|
"svirt_t", "svirt_image_t",
|
|
0, 0, 0, 1023);
|
|
DO_TEST_GEN_LABEL("dynamic unconfined, s0, c0.c1023",
|
|
"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
|
|
true, NULL, NULL,
|
|
"unconfined_u", "unconfined_r", "object_r",
|
|
"svirt_t", "svirt_image_t",
|
|
0, 0, 0, 1023);
|
|
DO_TEST_GEN_LABEL("dynamic virtd, s0, c0.c1023",
|
|
"system_u:system_r:virtd_t:s0-s0:c0.c1023",
|
|
true, NULL, NULL,
|
|
"system_u", "system_r", "object_r",
|
|
"svirt_t", "svirt_image_t",
|
|
0, 0, 0, 1023);
|
|
DO_TEST_GEN_LABEL("dynamic virtd, s0, c0.c10",
|
|
"system_u:system_r:virtd_t:s0-s0:c0.c10",
|
|
true, NULL, NULL,
|
|
"system_u", "system_r", "object_r",
|
|
"svirt_t", "svirt_image_t",
|
|
0, 0, 0, 10);
|
|
DO_TEST_GEN_LABEL("dynamic virtd, s2-s3, c0.c1023",
|
|
"system_u:system_r:virtd_t:s2-s3:c0.c1023",
|
|
true, NULL, NULL,
|
|
"system_u", "system_r", "object_r",
|
|
"svirt_t", "svirt_image_t",
|
|
2, 3, 0, 1023);
|
|
|
|
return (ret == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
|
|
}
|
|
|
|
VIRT_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/libsecurityselinuxhelper.so")
|