Re: [libvirt] [sandbox PATCH] virt-sandbox patch to launch containers with proper label

Monday, 30 September 2013

On Wed, Sep 25, 2013 at 04:50:23PM -0400, Dan Walsh wrote:
...
 virt-sandbox should be launching containers based off the
lxc_context
 file from selinux-policy. I changed the hard coded paths to match the
 latest fedora assigned labels.

 Fedora 20 SELinux Policy and beyond will have proper SELinux labels in its
 lxc_contexts file.
 ---
  bin/virt-sandbox-service                  |  2 +-
  bin/virt-sandbox-service-clone.pod        |  5 ++-
  bin/virt-sandbox-service-create.pod       |  7 ++--
  bin/virt-sandbox.c                        |  5 ++-
  libvirt-sandbox/libvirt-sandbox-builder.c | 58 +++++++++++++++++++++++++------
  5 files changed, 55 insertions(+), 22 deletions(-)

 diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
 index c4c4f54..b42fe08 100755
 --- a/bin/virt-sandbox-service
 +++ b/bin/virt-sandbox-service
 @@ -101,7 +101,7 @@ def copydirtree(src, dst):
  class Container:
      DEFAULT_PATH       = "/var/lib/libvirt/filesystems"
      DEFAULT_IMAGE      = "/var/lib/libvirt/images/%s.raw"
 -    SELINUX_FILE_TYPE  = "svirt_lxc_file_t"
 +    SELINUX_FILE_TYPE  = "svirt_sandbox_file_t" 
This change will make it impossible to use the new release on existing
distros since they won't have this new policy type. We need this to be
conditionally changed.

...
 diff --git a/libvirt-sandbox/libvirt-sandbox-builder.c
b/libvirt-sandbox/libvirt-sandbox-builder.c
 index 1335042..613161a 100644
 --- a/libvirt-sandbox/libvirt-sandbox-builder.c
 +++ b/libvirt-sandbox/libvirt-sandbox-builder.c
 @@ -67,6 +67,48 @@ gvir_sandbox_builder_error_quark(void)
  {
      return g_quark_from_static_string("gvir-sandbox-builder");
  }
 +#include <selinux/selinux.h>
 +#include <errno.h>
 +static char line[1024];
 +
 +static const char *get_label(int type) {
 +    const char *path = selinux_lxc_contexts_path();
 +
 +    FILE *fp = fopen(path, "r");
 +    if (fp) {
 +        GType gt = gvir_config_domain_virt_type_get_type ();
 +        GEnumClass *cls = g_type_class_ref (gt);
 +        GEnumValue *val = g_enum_get_value (cls, type);
 +
 +        while (val && fgets(line, sizeof line, fp)) {
 +            int len = strlen(line);
 +            if (len > 2)
 +                continue;
 +            if (line[len-1] == '\n')
 +                line[len-1] = '\0';
 +            char *name = line;
 +            char *value = strchr(name, '=');
 +            if (!value)
 +                continue;
 +            *value = '\0';
 +            value++;
 +            if (strcmp(name,val->value_nick))
 +                continue;
 +            return value;
 +        }
 +        fclose(fp); 
I'm not sure I really understand what this code is doing. You seem to
be opening /etc/selinux/targetted/context/lxc_contexts and then searching
for the type for LXC, QEMU or KVM. This doesn't really make sense to me.
I wonder what the point of any of this code us, when the switch statement
below looks to be sufficient.

...
 +    }
 +
 +    switch (type) {
 +    case GVIR_CONFIG_DOMAIN_VIRT_KVM:
 +        return "system_u:system_r:svirt_qemu_net_t:s0"; 
This should be 'svirt_kvm_net_t' otherwise you are granting the
KVM process permission to use execmem & execstack, which is
bad from a security POV.

...
 +    case GVIR_CONFIG_DOMAIN_VIRT_QEMU:
 +        return "system_u:system_r:svirt_qemu_net_t:s0"; 
This again looks like it might have back compat problems, if we
try to use this on old policy based systems. Though those hosts
were already broken due to svirt_t type not allowing sufficient
privileges, so perhaps its ok.

...
 +    case GVIR_CONFIG_DOMAIN_VIRT_LXC:
 +    default:
 +        return "system_u:system_r:svirt_lxc_net_t:s0"; 
The default case should report an error - we shouldn't assume that
if we add usermode linux or vmware support, that it'll want this
lxc type.

...
 +    }
 +}

  static gboolean gvir_sandbox_builder_construct_domain(GVirSandboxBuilder *builder,
                                                        GVirSandboxConfig *config,
 @@ -335,17 +377,11 @@ static gboolean
gvir_sandbox_builder_construct_security(GVirSandboxBuilder *buil
      if (gvir_sandbox_config_get_security_dynamic(config)) {
          gvir_config_domain_seclabel_set_type(sec,
                                               GVIR_CONFIG_DOMAIN_SECLABEL_DYNAMIC);
 -        if (label)
 -            gvir_config_domain_seclabel_set_baselabel(sec, label);
 -        else if (gvir_config_domain_get_virt_type(domain) ==
 -                 GVIR_CONFIG_DOMAIN_VIRT_LXC)
 -            gvir_config_domain_seclabel_set_baselabel(sec,
"system_u:system_r:svirt_lxc_net_t:s0");
 -        else if (gvir_config_domain_get_virt_type(domain) ==
 -                 GVIR_CONFIG_DOMAIN_VIRT_QEMU)
 -            gvir_config_domain_seclabel_set_baselabel(sec,
"system_u:system_r:svirt_tcg_t:s0");
 -        else if (gvir_config_domain_get_virt_type(domain) ==
 -                 GVIR_CONFIG_DOMAIN_VIRT_KVM)
 -            gvir_config_domain_seclabel_set_baselabel(sec,
"system_u:system_r:svirt_t:s0");
 +        if (!label)
 +            label = get_label(gvir_config_domain_get_virt_type(domain));
 +
 +        gvir_config_domain_seclabel_set_baselabel(sec, label);
 +
      } else {
          gvir_config_domain_seclabel_set_type(sec,
                                               GVIR_CONFIG_DOMAIN_SECLABEL_STATIC);

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

Re: [libvirt] [sandbox PATCH] virt-sandbox patch to launch containers with proper label