-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Daniel P. Berrange wrote:
On Fri, Feb 27, 2009 at 03:37:55PM -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Another patch off latest repository.
>
> This patch does not require the XML to include a label, although this is
> still supported.
>
> Implemented most of the comments from Jim. make check and make
> syntax-check passes, Added seclabeltest.c to run in tests, Updated
> capability.rng, although not really sure I did it right.
>
> This patch will generate random MCS Labels and relabels the image files
> to match. Seems to work well on F11.
I had a few problems with label generation on my F11 machine - perhaps
you have a newer version of the patch than the one I applied.
I found I need the following additional patch..
- Make domainGenSecurityLabel() give diagnostics for each type of error
instead of using generic error message in caller
- Change logic bug 'c1 == c2' to 'c1 < c2'
- Change 'c%d,c%d' to 'c%d.c%d' - it doesn't like labels with
the form "c210,c502" only wanting "c210.c502"
This does not make sense. c210,c502 is valid. c210.c502 means include
the range: c210, c211, c212 ... c502.
- Fix use of STREQ - no need for == 0 in there
I am reworking
this code to use INT instead of strings.
- Use VIR_FREE/VIR_ALLOC for memory mgmt
With this I can successfully start several VMs, and see them all
using different contexts, and see the files labelled
# ps -xZ | grep qemu | awk '{print $1}'
system_u:system_r:qemu_t:s0:c35.c537
system_u:system_r:qemu_t:s0:c210.c502
# ls -Zl /var/lib/libvirt/images/
total 504
-rwxr-xr-x. 1 system_u:object_r:virt_image_t:s0:c210.c502 root root 1073741824 2009-03-03
12:15 demo2.img
-rwxr-xr-x. 1 system_u:object_r:virt_image_t:s0:c35.c537 root root 1073741824 2009-03-03
11:49 demo.img
Daniel
Index: src/qemu_driver.c
===================================================================
RCS file: /data/cvs/libvirt/src/qemu_driver.c,v
retrieving revision 1.212
diff -u -p -r1.212 qemu_driver.c
--- src/qemu_driver.c 3 Mar 2009 12:03:44 -0000 1.212
+++ src/qemu_driver.c 3 Mar 2009 12:25:47 -0000
@@ -1316,13 +1316,11 @@ static int qemudStartVMDaemon(virConnect
/* If you are using a SecurityDriver and there was no security label in
database, then generate a security label for isolation */
- if (vm->def->seclabel.label == NULL && driver->securityDriver) {
- if (driver->securityDriver->domainGenSecurityLabel(vm) < 0) {
- qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
- "%s", _("Unable to generate Security
Label"));
- return -1;
- }
- }
+ if (vm->def->seclabel.label == NULL &&
+ driver->securityDriver &&
+ driver->securityDriver->domainGenSecurityLabel &&
+ driver->securityDriver->domainGenSecurityLabel(conn, vm) < 0)
+ return -1;
FD_ZERO(&keepfd);
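Review bot: With the added `driver->securityDriver->domainGenSecurityLabel &&` test, a loaded security driver that leaves this callback NULL makes qemudStartVMDaemon skip label generation and continue the start without a label, and nothing is reported or logged. If that is intended for drivers that do not label, say so in the comment above the condition, e.g. `/* drivers without domainGenSecurityLabel start the VM unlabelled */`; otherwise treat the missing callback as an error. Because the generic qemudReportError was removed, every driver implementation must now report its own error before returning < 0, which is worth documenting next to the virSecurityDomainGenLabel typedef in security.h. The function body continues outside the hunk.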
Index: src/security.h
===================================================================
RCS file: /data/cvs/libvirt/src/security.h,v
retrieving revision 1.1
diff -u -p -r1.1 security.h
--- src/security.h 3 Mar 2009 09:44:42 -0000 1.1
+++ src/security.h 3 Mar 2009 12:25:47 -0000
@@ -37,7 +37,8 @@ typedef int (*virSecurityDomainRestoreIm
typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
virDomainObjPtr vm,
virDomainDeviceDefPtr dev);
-typedef int (*virSecurityDomainGenLabel) (virDomainObjPtr sec);
+typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn,
+ virDomainObjPtr sec);
typedef int (*virSecurityDomainGetLabel) (virConnectPtr conn,
virDomainObjPtr vm,
virSecurityLabelPtr sec);
Index: src/security_selinux.c
===================================================================
RCS file: /data/cvs/libvirt/src/security_selinux.c,v
retrieving revision 1.1
diff -u -p -r1.1 security_selinux.c
--- src/security_selinux.c 3 Mar 2009 10:06:49 -0000 1.1
+++ src/security_selinux.c 3 Mar 2009 12:25:47 -0000
@@ -24,6 +24,9 @@
#include "util.h"
#include "memory.h"
+
+#define VIR_FROM_THIS VIR_FROM_SECURITY
+
static char default_domain_context[1024];
static char default_image_context[1024];
#define SECURITY_SELINUX_VOID_DOI "0"
@@ -45,10 +48,11 @@ mcsAdd(const char *mcs)
struct MCS *ptr;
for (ptr = mcsList; ptr; ptr = ptr->next) {
- if (STREQ(ptr->mcs, mcs) == 0)
+ if (STREQ(ptr->mcs, mcs))
return -1;
}
- ptr = malloc(sizeof(struct MCS));
+ if (VIR_ALLOC(ptr) < 0)
+ return -1;
ptr->mcs = strdup(mcs);
ptr->next = mcsList;
mcsList = ptr;
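Review bot: The `ptr->mcs = strdup(mcs);` line after the new VIR_ALLOC check is still unchecked, so an allocation failure links a node with a NULL mcs into mcsList, and the next STREQ(ptr->mcs, mcs) walk would read through that NULL. The new `return -1` on VIR_ALLOC failure also uses the same value as the "already in list" case, and the caller in SELinuxGenSecurityLabel loops on `while(mcsAdd(mcs) == -1)`, so under memory pressure that loop would presumably never exit. Consider `if (!ptr->mcs) { VIR_FREE(ptr); return -2; }` with a distinct return code for allocation failure in both places, and have the caller stop and report OOM on it. mcsAdd starts and ends outside the hunk.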
@@ -62,7 +66,7 @@ mcsRemove(const char *mcs)
struct MCS *ptr = NULL;
for (ptr = mcsList; ptr; ptr = ptr->next) {
- if (STREQ(ptr->mcs, mcs) == 0) {
+ if (STREQ(ptr->mcs, mcs)) {
if (prevptr)
prevptr->next = ptr->next;
else {
@@ -149,7 +153,8 @@ SELinuxInitialize(virConnectPtr conn)
}
static int
-SELinuxGenSecurityLabel(virDomainObjPtr vm)
+SELinuxGenSecurityLabel(virConnectPtr conn,
+ virDomainObjPtr vm)
{
int rc = -1;
char mcs[1024];
@@ -158,8 +163,11 @@ SELinuxGenSecurityLabel(virDomainObjPtr
int c2 = 0;
if ( ( vm->def->seclabel.label ) ||
( vm->def->seclabel.model ) ||
- ( vm->def->seclabel.imagelabel ))
+ ( vm->def->seclabel.imagelabel )) {
+ virSecurityReportError(conn, VIR_ERR_ERROR,
+ "%s", _("security labellin already defined for VM"));
return rc;
+ }
do {
c1 = virRandom(1024);
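Review bot: The new error string in this hunk is misspelled ("labellin"). As it is a translatable, user-visible message it is cheaper to fix before it reaches the message catalogue: `"%s", _("security labelling already defined for VM"));`. The do/while loop that follows continues outside the hunk.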
@@ -168,28 +176,40 @@ SELinuxGenSecurityLabel(virDomainObjPtr
if ( c1 == c2 ) {
sprintf(mcs, "s0:c%d", c1);
} else {
- if ( c1 == c2 )
- sprintf(mcs, "s0:c%d,c%d", c1, c2);
+ if ( c1 < c2 )
+ sprintf(mcs, "s0:c%d.c%d", c1, c2);
else
- sprintf(mcs, "s0:c%d,c%d", c2, c1);
+ sprintf(mcs, "s0:c%d.c%d", c2, c1);
}
} while(mcsAdd(mcs) == -1);
vm->def->seclabel.label = SELinuxGenNewContext(default_domain_context, mcs);
- if (! vm->def->seclabel.label) goto err;
+ if (! vm->def->seclabel.label) {
+ virSecurityReportError(conn, VIR_ERR_ERROR,
+ _("cannot generate selinux context for %s"), mcs);
+ goto err;
+ }
vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context,
mcs);
- if (! vm->def->seclabel.imagelabel) goto err;
+ if (! vm->def->seclabel.imagelabel) {
+ virSecurityReportError(conn, VIR_ERR_ERROR,
+ _("cannot generate selinux context for %s"), mcs);
+ goto err;
+ }
vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME);
- if (! vm->def->seclabel.model) goto err;
+ if (! vm->def->seclabel.model) {
+ virReportOOMError(conn);
+ goto err;
+ }
+
rc = 0;
goto done;
err:
- free(vm->def->seclabel.label); vm->def->seclabel.label = NULL;
- free(vm->def->seclabel.imagelabel); vm->def->seclabel.imagelabel =
NULL;
- free(vm->def->seclabel.model); vm->def->seclabel.model = NULL;
+ VIR_FREE(vm->def->seclabel.label);
+ VIR_FREE(vm->def->seclabel.imagelabel);
+ VIR_FREE(vm->def->seclabel.model);
done:
- free(scontext);
+ VIR_FREE(scontext);
return rc;
}
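Review bot: The `err:` path frees the three seclabel strings but leaves the category pair registered by the successful `mcsAdd(mcs)` in mcsList, so each failed start permanently consumes one MCS pair and shrinks the pool available to later VMs. Adding `mcsRemove(mcs);` as the first statement under `err:` would release it; mcsRemove is defined earlier in this file. The two SELinuxGenNewContext failures also emit the identical message, so naming which context failed (domain or image) would make the diagnostics added here more useful.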
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora -
http://enigmail.mozdev.org
iEUEARECAAYFAkmtOdQACgkQrlYvE4MpobMdwQCfQR3lSPnih5zd977k/wET4WqD
rhIAmNYlqoogrM4KFb/trH4n5lxU2fc=
=Bhc/
-----END PGP SIGNATURE-----