Dear list,

there were several attempts in the past to implement this feature, but
none of them was successful. The problem is that we change security
labels when starting a domain but never record the original labels;
therefore, when restoring the labels in the domain shutdown phase we
have to go with root:root or restorecon. This is not user friendly.

Now that we have metadata locking implemented, we have exclusive access
to the files we are touching and can therefore call functions to record
the original owner. Since this database needs to be distributed
(consider multiple daemons and a network file system), it can't be
stored inside a daemon (libvirtd knows nothing about other daemons
running on distant hosts). Therefore the next option is to store it with
the files themselves - in XATTRs.

There is one caveat though. A file can be passed to multiple domains at
the same time (for instance an installation ISO), therefore we need a
reference counter so that only the last label restore call actually
restores the original owner. A picture is worth more than a thousand
words:
# chown 5:6 /var/lib/libvirt/images/fd.img
# ls -ln /var/lib/libvirt/images/fd.img
-rw-r--r-- 1 5 6 2097152 Mar 17 2018 /var/lib/libvirt/images/fd.img
# getfattr -d -m - /var/lib/libvirt/images/fd.img
(no output)
# virsh domblklist fedora
Target Source
------------------------------------------------
sda /var/lib/libvirt/images/fedora.qcow2
sdb /var/lib/libvirt/images/fd.img
# virsh domblklist gentoo
Target Source
----------------------------------------------------------------------
fda /var/lib/libvirt/images/fd.img
sda /var/lib/libvirt/images/gentoo.qcow2
# virsh start fedora
Domain fedora started
# getfattr -d -m - /var/lib/libvirt/images/fd.img
trusted.libvirt.security.dac="+5:+6"
trusted.libvirt.security.ref_dac="1"
# virsh start gentoo
Domain gentoo started
# getfattr -d -m - /var/lib/libvirt/images/fd.img
trusted.libvirt.security.dac="+5:+6"
trusted.libvirt.security.ref_dac="2"
# virsh shutdown --domain fedora
Domain fedora is being shutdown
# ls -ln /var/lib/libvirt/images/fd.img
-rw-r--r-- 1 0 0 2097152 Mar 17 2018 /var/lib/libvirt/images/fd.img
# getfattr -d -m - /var/lib/libvirt/images/fd.img
trusted.libvirt.security.dac="+5:+6"
trusted.libvirt.security.ref_dac="1"
# virsh shutdown --domain gentoo
Domain gentoo is being shutdown
# getfattr -d -m - /var/lib/libvirt/images/fd.img
(no output)
# ls -ln /var/lib/libvirt/images/fd.img
-rw-r--r-- 1 5 6 2097152 Mar 17 2018 /var/lib/libvirt/images/fd.img
Even though I'm showing DAC only in my example, it's the same story with
SELinux.

Of course, this plays nicely with filesystems that don't support XATTRs,
of which there are not that many, but unfortunately NFS is one of them :(
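The reference-counted remember/recall bookkeeping described above, modelled in
Python as an added example (this is not libvirt's code and not part of the
patch series). The attribute names and the "+uid:+gid" encoding are copied
from the getfattr output in the session; the in-memory store, the user.*
fallback in FsXattrStore, and the helper names are assumptions made here so the
logic runs unprivileged. It also shows the two failure modes a practitioner
cares about: a filesystem without XATTR support (the NFS case, reported as
ENOTSUP) and a stale ref counter with no remembered owner.

```python
import errno
import os
from typing import Dict, List, Optional, Tuple

# Attribute names and "+uid:+gid" encoding as seen in the cover letter's session.
DAC_ATTR = "trusted.libvirt.security.dac"
REF_ATTR = "trusted.libvirt.security.ref_dac"
_NO_XATTR = {getattr(errno, n) for n in ("ENOTSUP", "EOPNOTSUPP") if hasattr(errno, n)}


class MemoryXattrStore:
    """Constructed in-memory stand-in for a filesystem's extended attributes.
    supports_xattr=False models a filesystem (e.g. NFS) that rejects xattr calls."""

    def __init__(self, supports_xattr: bool = True) -> None:
        self.supports_xattr = supports_xattr
        self._attrs: Dict[str, Dict[str, str]] = {}

    def _check(self, path: str) -> None:
        if not self.supports_xattr:
            raise OSError(errno.EOPNOTSUPP, "Operation not supported", path)

    def get(self, path: str, name: str) -> Optional[str]:
        self._check(path)
        return self._attrs.get(path, {}).get(name)

    def set(self, path: str, name: str, value: str) -> None:
        self._check(path)
        self._attrs.setdefault(path, {})[name] = value

    def remove(self, path: str, name: str) -> None:
        self._check(path)
        self._attrs.get(path, {}).pop(name, None)

    def snapshot(self, path: str) -> Dict[str, str]:
        return dict(self._attrs.get(path, {}))


class FsXattrStore:
    """Backend over real files via os.*xattr (Linux only). libvirt writes the
    trusted.* namespace, which needs CAP_SYS_ADMIN; rewriting it to user.* is an
    assumption made here so unprivileged runs work on ext4/tmpfs."""

    @staticmethod
    def _name(name: str) -> str:
        return "user." + name[len("trusted."):] if name.startswith("trusted.") else name

    def get(self, path: str, name: str) -> Optional[str]:
        try:
            return os.getxattr(path, self._name(name)).decode()
        except OSError as exc:
            if exc.errno == errno.ENODATA:  # attribute not present
                return None
            raise

    def set(self, path: str, name: str, value: str) -> None:
        os.setxattr(path, self._name(name), value.encode())

    def remove(self, path: str, name: str) -> None:
        os.removexattr(path, self._name(name))


def encode_owner(uid: int, gid: int) -> str:
    return f"+{uid}:+{gid}"


def decode_owner(value: str) -> Tuple[int, int]:
    uid, gid = value.split(":", 1)
    return int(uid.lstrip("+")), int(gid.lstrip("+"))


def remember_owner(store, path: str, uid: int, gid: int) -> bool:
    """Run before relabeling at domain start. The first caller records the
    original owner and ref=1; later callers only bump the counter. Returns
    False when the filesystem has no XATTR support (nothing was remembered)."""
    try:
        ref = store.get(path, REF_ATTR)
        if ref is None:
            store.set(path, DAC_ATTR, encode_owner(uid, gid))
            store.set(path, REF_ATTR, "1")
        else:
            store.set(path, REF_ATTR, str(int(ref) + 1))
        return True
    except OSError as exc:
        if exc.errno in _NO_XATTR:
            return False
        raise


def recall_owner(store, path: str) -> Optional[Tuple[int, int]]:
    """Run at domain shutdown. Drops one reference and returns the original
    (uid, gid) only when the last reference is released; None means either
    another domain still uses the file or nothing was remembered (the caller
    then falls back to root:root / restorecon). A ref counter without a
    remembered owner is treated as broken state and cleaned up."""
    try:
        ref = store.get(path, REF_ATTR)
        if ref is None:
            return None
        remaining = int(ref) - 1
        if remaining > 0:
            store.set(path, REF_ATTR, str(remaining))
            return None
        dac = store.get(path, DAC_ATTR)
        if dac is not None:
            store.remove(path, DAC_ATTR)
        store.remove(path, REF_ATTR)
        return decode_owner(dac) if dac is not None else None
    except OSError as exc:
        if exc.errno in _NO_XATTR:
            return None
        raise


def replay_shared_disk() -> List[Tuple[str, Dict[str, str], Optional[Tuple[int, int]]]]:
    """Replays the session above: fd.img owned by 5:6 is attached to both
    'fedora' and 'gentoo'. Returns (step, xattrs after step, owner to restore)."""
    store = MemoryXattrStore()
    path = "/var/lib/libvirt/images/fd.img"
    log = []
    remember_owner(store, path, 5, 6)                 # file still owned by 5:6
    log.append(("start fedora", store.snapshot(path), None))
    remember_owner(store, path, 0, 0)                 # already chowned; ignored, ref bumped
    log.append(("start gentoo", store.snapshot(path), None))
    restore = recall_owner(store, path)               # gentoo still uses it: None
    log.append(("shutdown fedora", store.snapshot(path), restore))
    restore = recall_owner(store, path)               # last user: (5, 6), attrs gone
    log.append(("shutdown gentoo", store.snapshot(path), restore))
    return log
```

The second `remember_owner` call deliberately passes the already-relabelled
owner: because a ref counter exists, that value is ignored and the original
5:6 survives, which is exactly why the counter is needed for shared images.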
Michal Prívozník (18):
security: Unify header conditionals
util: Introduce xattr getter/setter/remover
security: Include security_util
security_dac: Restore label on failed chown() attempt
virSecurityDACTransactionRun: Implement rollback
virSecurityDACRestoreAllLabel: Reorder device relabeling
virSecurityDACRestoreAllLabel: Restore more labels
security_dac: Allow callers to enable/disable label remembering/recall
security_dac: Remember old labels
virSecurityDACRestoreImageLabelInt: Restore even shared/RO disks
security_selinux: Track if transaction is restore
security_selinux: Remember old labels
security_selinux: Restore label on failed setfilecon() attempt
virSecuritySELinuxTransactionRun: Implement rollback
virSecuritySELinuxRestoreAllLabel: Reorder device relabeling
virSecuritySELinuxRestoreAllLabel: Restore more labels
tools: Provide a script to recover fubar'ed XATTRs setup
qemu.conf: Allow users to enable/disable label remembering
src/libvirt_private.syms | 3 +
src/qemu/libvirtd_qemu.aug | 1 +
src/qemu/qemu.conf | 6 +
src/qemu/qemu_conf.c | 4 +
src/qemu/test_libvirtd_qemu.aug.in | 1 +
src/security/Makefile.inc.am | 2 +
src/security/security_apparmor.h | 6 +-
src/security/security_dac.c | 212 +++++++++++++++++-------
src/security/security_dac.h | 6 +-
src/security/security_driver.h | 6 +-
src/security/security_manager.h | 6 +-
src/security/security_nop.h | 6 +-
src/security/security_selinux.c | 256 +++++++++++++++++++++--------
src/security/security_selinux.h | 6 +-
src/security/security_stack.h | 6 +-
src/security/security_util.c | 198 ++++++++++++++++++++++
src/security/security_util.h | 32 ++++
src/util/virfile.c | 121 ++++++++++++++
src/util/virfile.h | 11 ++
tools/Makefile.am | 1 +
tools/libvirt_recover_xattrs.sh | 89 ++++++++++
21 files changed, 829 insertions(+), 150 deletions(-)
create mode 100644 src/security/security_util.c
create mode 100644 src/security/security_util.h
create mode 100755 tools/libvirt_recover_xattrs.sh
--
2.18.1