Re: [libvirt] Patch set to add virt-sandbox -s inherit and fixes for man pages.

Friday, 2 August 2013

On Fri, Aug 02, 2013 at 11:20:16AM -0400, Daniel J Walsh wrote:
...
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1

 for some reason my git-sendmail keeps failing. 
Here's the wrapper script I used for that

  $ cat $HOME/usr/bin/git-spam 
  #!/bin/sh

  dohelp() {
	 echo "syntax: $0 TO-ADDR REV-LIST"
  }

  if [ -z "$2" ]; then
     dohelp;
     exit 1
  fi

  TO=$1
  REV=$2
  shift
  shift

  git send-email --compose --to "$TO" --smtp-server=smtp.corp.redhat.com
--no-chain-reply-to $REV "$@"

Assuming you do your work on a branch, then you can just run

  git-spam libvir-list(a)redhat.com master..

If you were doing your work on master directly, then you'd
have to use

  git-spam libvir-list(a)redhat.com origin/master..

Or explicitly specify the starting commit hash.

...

 [sandbox PATCH 1/3] Add virt-sandbox -s inherit, to execute the
 [sandbox PATCH 2/3] Add comment about LIBVIRT_DEFAULT_URI to
 [sandbox PATCH 3/3] virt-sandbox-service.pod did not mention upgrade
...PGP SIGNATURE...
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.14 (GNU/Linux)
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

 iEYEARECAAYFAlH7zjAACgkQrlYvE4MpobPBIQCgvOYtY0ccFTUNBNA4tWWQs02t
 tYwAn15nXX9WhTyG0Piw4QVYwide9/RZ
 =g+dS
 -----END PGP SIGNATURE----- 

...
 >From
fcf2e72b78b66075ca5f061423a259e058f4f39d Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh(a)redhat.com&gt;
 Date: Wed, 31 Jul 2013 17:04:58 -0400
 Subject: [sandbox PATCH 1/3] Add virt-sandbox -s inherit, to execute the
  sandbox from the parent.

 This will allow us to run sandbox as the calling process,  If I am
 running a shell as staff_u:unconfined_r:unconfined_t:s0, and I
 execute virt-sandbox -c lxc/// -- /bin/sh

 /bin/sh will run as staff_u:unconfined_r:unconfined_t:s0
 ---
  bin/virt-sandbox.c                       |  4 ++++
  libvirt-sandbox/libvirt-sandbox-config.c | 14 ++++++++++++++
  2 files changed, 18 insertions(+)

 diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c
 index b51465d..9a75f3c 100644
 --- a/bin/virt-sandbox.c
 +++ b/bin/virt-sandbox.c
 @@ -403,6 +403,10 @@ USER:ROLE:TYPE:LEVEL, instead of the default base context.
  To set a completely static label. For example,
  static,label=system_u:system_r:svirt_t:s0:c412,c355

 +=item inherit
 +
 +Inherit the context from the process that is executing virt-sandbox.
 +
  =back

  =item B<-p>, B<--privileged>
 diff --git a/libvirt-sandbox/libvirt-sandbox-config.c
b/libvirt-sandbox/libvirt-sandbox-config.c
 index ccdb3bc..8e8ac65 100644
 --- a/libvirt-sandbox/libvirt-sandbox-config.c
 +++ b/libvirt-sandbox/libvirt-sandbox-config.c
 @@ -27,6 +27,8 @@
  #include <glib/gi18n.h>

  #include "libvirt-sandbox/libvirt-sandbox.h"
 +#include <errno.h>
 +#include <selinux/selinux.h>

  /**
   * SECTION: libvirt-sandbox-config
 @@ -1521,6 +1523,18 @@ gboolean gvir_sandbox_config_set_security_opts(GVirSandboxConfig
*config,
          gvir_sandbox_config_set_security_dynamic(config, TRUE);
      } else if (g_str_equal(tmp, "static")) {
          gvir_sandbox_config_set_security_dynamic(config, FALSE);
 +    } else if (g_str_equal(tmp, "inherit")) {
 +        gvir_sandbox_config_set_security_dynamic(config, FALSE);
 +        security_context_t scon;
 +        if (getcon(&scon) < 0) {
 +                g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0,
 +                            _("Unable to get SELinux context of user: %s"),
 +                            strerror(errno));
 +                return FALSE;
 +        }
 +        gvir_sandbox_config_set_security_label(config, scon);
 +        freecon(scon); 
Looks good.

I wonder if we should also have an explicit 'unconfined' string to
simplify life for people who want to run the container entirely
unconfined ? eg avoid them needing the verbose

   -s static,label=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

...
 +
      } else {
          g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0,
                      _("Unknown security option '%s'"), tmp); 
You'll need to re-add the code to detect selinux in configure, since we
had got rid of that previously. eg create m4/virt-selinux.m4 containing

AC_DEFUN([LIBVIRT_SANDBOX_SELINUX], [
  fail=0
  old_LIBS=$LIBS
  old_CFLAGS=$CFLAGS
  AC_CHECK_HEADER([selinux/selinux.h],[],[fail=1])
  AC_CHECK_LIB([selinux], [fgetfilecon],[],[fail=1])
  LIBS=$old_LIBS
  CFLAGS=$old_CFLAGS
  test $fail = 1 &&
    AC_MSG_ERROR([You must install the libselinux development package in order to compile
libvirt-sandbox])
])

And then add

  LIBVIRT_SANDBOX_SELINUX

to configure.ac, and update libvirt-sandbox/Makefile.am to include
SELINUX_CFLAGS and SELINUX_LIBS.

And make libvirt-sandbox.spec.in have a BuildRequires: libselinux-devel

...
 diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c
 index 9a75f3c..26eefcf 100644
 --- a/bin/virt-sandbox.c
 +++ b/bin/virt-sandbox.c
 @@ -280,6 +280,7 @@ not allowed to open any other files.

  Set the libvirt connection URI, defaults to qemu:///session if
  omitted. Currently only the QEMU and LXC drivers are supported.
 +Alternatively the C<LIBVIRT_DEFAULT_URI> environment variable can be set, or the
config file C</etc/libvirt/libvirt.conf> can have a default URI set. 
Can you add line wrap at appropriate places

...
 >From af40cc741f69b335975f36801efe91f822a2b8cc Mon Sep 17 00:00:00
2001
 From: Dan Walsh <dwalsh(a)redhat.com&gt;
 Date: Thu, 1 Aug 2013 11:09:51 -0400
 Subject: [sandbox PATCH 3/3] virt-sandbox-service.pod did not mention upgrade

 Also still had references to start, stop and list
 ---
  bin/virt-sandbox-service.pod | 6 ++++--
  1 file changed, 4 insertions(+), 2 deletions(-)

 diff --git a/bin/virt-sandbox-service.pod b/bin/virt-sandbox-service.pod
 index 32caad9..b317ad4 100644
 --- a/bin/virt-sandbox-service.pod
 +++ b/bin/virt-sandbox-service.pod
 @@ -4,7 +4,7 @@ virt-sandbox-service - Secure container tool

  =head1 SYNOPSIS

 -  {create,clone,connect,delete,execute,list,reload,start,stop}
 +  {create,clone,connect,delete,execute,reload,upgrade}

    commands:

 @@ -20,6 +20,8 @@ virt-sandbox-service - Secure container tool

      reload              Reload a running sandbox container

 +    upgrade             Upgrade the sandbox container
 +
  =head1 DESCRIPTION

  virt-sandbox-service is used to provision secure sandboxed system services.
 @@ -52,7 +54,7 @@ supported currently).

  =head1 SEE ALSO

 -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>,
C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>,
C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>,
C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>
 +C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>,
C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>,
C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>,
C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>, 
C<virt-sandbox-service-upgrade(1)> 

This SEE ALSO section should have some line wraps add too

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [libvirt] Patch set to add virt-sandbox -s inherit and fixes for man pages.