7 p.m.
virt-manager has no way to known the user/group that run the HV
process without requiring the user to manually set it trough setup.py
or assuming "root" as default value.
This series extends the Guest capabilities with "hv_user" and
"hv_group", to inform the libvirt user about the user/group (when qemu
is used) that run the HV process.
Giuseppe Scrivano (3):
caps: new internal function "virCapabilitiesSetHvUserAndGroup"
qemu: set hv_user/hv_group caps to the user/group which runs qemu
caps: add tests and documentation for hv_user and hv_group
docs/schemas/capability.rng | 10 +++++++
src/conf/capabilities.c | 46 +++++++++++++++++++++++++++++++
src/conf/capabilities.h | 7 +++++
src/libvirt_private.syms | 1 +
src/qemu/qemu_capabilities.c | 3 ++
tests/capabilityschemadata/caps-test2.xml | 4 +++
6 files changed, 71 insertions(+)
--
1.8.3.1
7 p.m.
New subject: [libvirt] [PATCH 1/3] caps: new internal function "virCapabilitiesSetHvUserAndGroup"
It allows to set the optional elements "hv_user" and "hv_group" for a
guest.
hv_user and hv_group can be used to specify the user/group which own the
hypervisor.
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
src/conf/capabilities.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
src/conf/capabilities.h | 7 +++++++
src/libvirt_private.syms | 1 +
3 files changed, 54 insertions(+)
diff --git a/src/conf/capabilities.c b/src/conf/capabilities.c
index 1acc936..ffb1db5 100644
--- a/src/conf/capabilities.c
+++ b/src/conf/capabilities.c
@@ -169,6 +169,9 @@ virCapabilitiesFreeGuest(virCapsGuestPtr guest)
virCapabilitiesFreeGuestFeature(guest->features[i]);
VIR_FREE(guest->features);
+ VIR_FREE(guest->hvUser);
+ VIR_FREE(guest->hvGroup);
+
VIR_FREE(guest);
}
@@ -470,6 +473,43 @@ error:
/**
+ * virCapabilitiesSetHvUserAndGroup:
+ * @guest: guest to set HV user:group for.
+ * @user: name of the user which owns the hypervisor. Use NULL to unset.
+ * @group: name of the group which owns the hypervisor. Use NULL to unset.
+ *
+ * Set the user and the group which own the hypervisor.
+ */
+int
+virCapabilitiesSetHvUserAndGroup(virCapsGuestPtr guest,
+ const char *user,
+ const char *group)
+{
+ char *u = NULL;
+ char *g = NULL;
+
+ if (user && VIR_STRDUP(u, user) < 0)
+ goto no_memory;
+
+ if (group && VIR_STRDUP(g, group) < 0)
+ goto no_memory;
+
+ VIR_FREE(guest->hvUser);
+ VIR_FREE(guest->hvGroup);
+
+ guest->hvUser = u;
+ guest->hvGroup = g;
+
+ return 0;
+
+no_memory:
+ VIR_FREE(u);
+ VIR_FREE(g);
+ return -1;
+}
+
+
+/**
* virCapabilitiesAddGuestFeature:
* @guest: guest to associate feature with
* @name: name of feature ('pae', 'acpi', 'apic')
@@ -903,6 +943,12 @@ virCapabilitiesFormatXML(virCapsPtr caps)
virBufferAddLit(&xml, " </features>\n");
}
+ if (caps->guests[i]->hvUser)
+ virBufferAsprintf(&xml, "
<hv_user>%s</hv_user>\n",
+ caps->guests[i]->hvUser);
+ if (caps->guests[i]->hvGroup)
+ virBufferAsprintf(&xml, "
<hv_group>%s</hv_group>\n",
+ caps->guests[i]->hvGroup);
virBufferAddLit(&xml, " </guest>\n\n");
}
diff --git a/src/conf/capabilities.h b/src/conf/capabilities.h
index 88ec454..a6fe7e0 100644
--- a/src/conf/capabilities.h
+++ b/src/conf/capabilities.h
@@ -80,6 +80,8 @@ typedef struct _virCapsGuest virCapsGuest;
typedef virCapsGuest *virCapsGuestPtr;
struct _virCapsGuest {
char *ostype;
+ char *hvUser;
+ char *hvGroup;
virCapsGuestArch arch;
size_t nfeatures;
size_t nfeatures_max;
@@ -218,6 +220,11 @@ virCapabilitiesAddGuestDomain(virCapsGuestPtr guest,
int nmachines,
virCapsGuestMachinePtr *machines);
+extern int
+virCapabilitiesSetHvUserAndGroup(virCapsGuestPtr guest,
+ const char *user,
+ const char *group);
+
extern virCapsGuestFeaturePtr
virCapabilitiesAddGuestFeature(virCapsGuestPtr guest,
const char *name,
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index c25a61f..41219d6 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -60,6 +60,7 @@ virCapabilitiesFreeNUMAInfo;
virCapabilitiesGetCpusForNodemask;
virCapabilitiesNew;
virCapabilitiesSetHostCPU;
+virCapabilitiesSetHvUserAndGroup;
# conf/cpu_conf.h
--
1.8.3.1
7 p.m.
New subject: [libvirt] [PATCH 2/3] qemu: set hv_user/hv_group caps to the user/group which runs qemu
Use QEMU_USER and QEMU_GROUP, that are passed to libvirt at
configure-time, as values for "hv_user" and "hv_group" in the guest
capabilities.
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
src/qemu/qemu_capabilities.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index ffbede7..d536554 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -749,6 +749,9 @@ virQEMUCapsInitGuest(virCapsPtr caps,
machines)) == NULL)
goto error;
+ if (virCapabilitiesSetHvUserAndGroup(guest, QEMU_USER, QEMU_GROUP) < 0)
+ goto error;
+
machines = NULL;
nmachines = 0;
--
1.8.3.1
7 p.m.
New subject: [libvirt] [PATCH 3/3] caps: add tests and documentation for hv_user and hv_group
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
docs/schemas/capability.rng | 10 ++++++++++
tests/capabilityschemadata/caps-test2.xml | 4 ++++
2 files changed, 14 insertions(+)
diff --git a/docs/schemas/capability.rng b/docs/schemas/capability.rng
index 65c7c72..1a65142 100644
--- a/docs/schemas/capability.rng
+++ b/docs/schemas/capability.rng
@@ -225,6 +225,16 @@
<optional>
<ref name='features'/>
</optional>
+ <optional>
+ <element name='hv_user'>
+ <ref name='genericName'/>
+ </element>
+ </optional>
+ <optional>
+ <element name='hv_group'>
+ <ref name='genericName'/>
+ </element>
+ </optional>
</element>
</define>
diff --git a/tests/capabilityschemadata/caps-test2.xml
b/tests/capabilityschemadata/caps-test2.xml
index a99c1b8..4a57e44 100644
--- a/tests/capabilityschemadata/caps-test2.xml
+++ b/tests/capabilityschemadata/caps-test2.xml
@@ -76,6 +76,8 @@
<acpi default='on' toggle='yes'/>
<apic default='on' toggle='no'/>
</features>
+ <hv_user>foo</hv_user>
+ <hv_group>bar</hv_group>
</guest>
<guest>
@@ -117,6 +119,8 @@
<acpi default='on' toggle='yes'/>
<apic default='on' toggle='no'/>
</features>
+ <hv_user>ba-r</hv_user>
+ <hv_group>baz_</hv_group>
</guest>
</capabilities>
--
1.8.3.1
5:03 a.m.
On Tue, Aug 27, 2013 at 02:00:03AM +0200, Giuseppe Scrivano wrote:
virt-manager has no way to known the user/group that run the HV
process without requiring the user to manually set it trough setup.py
or assuming "root" as default value.
This series extends the Guest capabilities with "hv_user" and
"hv_group", to inform the libvirt user about the user/group (when qemu
is used) that run the HV process.
This is not a suitably generic approach.
The 'user' and 'group' associated with QEMU are default settings used
by the DAC security driver if the user does not specify the user and
group themselves in the <seclabel> XML.
Similarly with the SELinux security driver there is a default label
used (svirt_t), if the user does not specify the label themselves.
So to expose anything in the XML we should be providing a way to
describe the default label for any security driver.
Also there can actually be multiple default security labels depending
on the virt type usd (kvm vs tcg)
eg where the capabilities has
<secmodel>
<model>selinux</model>
<doi>0</doi>
</secmodel>
<secmodel>
<model>dac</model>
<doi>0</doi>
</secmodel>
We should look at extending it to be something like
<secmodel>
<model>selinux</model>
<doi>0</doi>
<baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
<baselabel
type='qemu'>system_u:system_r:svirt_tcg_t:s0</baselabel>
</secmodel>
<secmodel>
<model>dac</model>
<doi>0</doi>
<baselabel type='kvm'>107:107</baselabel>
<baselabel type='qemu'>107:107</baselabel>
</secmodel>
NB, I used 'baselabel' to mirror the same 'baselabel' naming used in
the domain XML <seclabel> element.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
6:49 a.m.
New subject: [libvirt] [PATCH v2 0/3] expose baselabel for each sec model/virt type
Now each security model can define its own base label, that describes
the default security context used by libvirt to run an hypervisor
process. This information is exposed to users trough the host
capabilities XML.
Giuseppe Scrivano (3):
security: add new internal function "virSecurityManagerGetBaseLabel"
capabilities: add baselabel per sec driver/virt type to secmodel
capabilities: document and test "<baselabel>"
docs/schemas/capability.rng | 8 ++++
src/conf/capabilities.c | 60 +++++++++++++++++++++++++++-
src/conf/capabilities.h | 14 +++++++
src/libvirt_private.syms | 2 +
src/qemu/qemu_conf.c | 11 +++--
src/security/security_apparmor.c | 7 ++++
src/security/security_dac.c | 26 +++++++++++-
src/security/security_driver.h | 3 ++
src/security/security_manager.c | 15 +++++++
src/security/security_manager.h | 2 +
src/security/security_nop.c | 9 +++++
src/security/security_selinux.c | 9 +++++
src/security/security_stack.c | 8 ++++
tests/capabilityschemadata/caps-qemu-kvm.xml | 2 +
tests/capabilityschemadata/caps-test3.xml | 2 +
15 files changed, 172 insertions(+), 6 deletions(-)
--
1.8.3.1
6:49 a.m.
New subject: [libvirt] [PATCH v2 1/3] security: add new internal function "virSecurityManagerGetBaseLabel"
virSecurityManagerGetBaseLabel queries the default settings used by
a security model.
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/security/security_apparmor.c | 7 +++++++
src/security/security_dac.c | 26 +++++++++++++++++++++++++-
src/security/security_driver.h | 3 +++
src/security/security_manager.c | 15 +++++++++++++++
src/security/security_manager.h | 2 ++
src/security/security_nop.c | 9 +++++++++
src/security/security_selinux.c | 9 +++++++++
src/security/security_stack.c | 8 ++++++++
9 files changed, 79 insertions(+), 1 deletion(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 35f0f1b..aea7e94 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1033,6 +1033,7 @@ virSecurityDriverLookup;
# security/security_manager.h
virSecurityManagerClearSocketLabel;
virSecurityManagerGenLabel;
+virSecurityManagerGetBaseLabel;
virSecurityManagerGetDOI;
virSecurityManagerGetModel;
virSecurityManagerGetMountOptions;
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index adc9918..6f95ce5 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -931,6 +931,11 @@ AppArmorGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return opts;
}
+static const char *
+AppArmorGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
+{
+ return "";
+}
virSecurityDriver virAppArmorSecurityDriver = {
.privateDataLen = 0,
@@ -972,4 +977,6 @@ virSecurityDriver virAppArmorSecurityDriver = {
.domainSetSecurityTapFDLabel = AppArmorSetFDLabel,
.domainGetSecurityMountOptions = AppArmorGetMountOptions,
+
+ .getBaseLabel = AppArmoryGetBaseLabel,
};
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 6876bd5..d5e93fa 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -47,6 +47,7 @@ struct _virSecurityDACData {
gid_t *groups;
int ngroups;
bool dynamicOwnership;
+ char *baselabel;
};
void
@@ -217,6 +218,7 @@ virSecurityDACClose(virSecurityManagerPtr mgr)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
VIR_FREE(priv->groups);
+ VIR_FREE(priv->baselabel);
return 0;
}
@@ -1114,8 +1116,9 @@ virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
virSecurityLabelDefPtr secdef =
virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
- if (!secdef || !seclabel)
+ if (!secdef || !seclabel) {
return -1;
+ }
if (secdef->label)
ignore_value(virStrcpy(seclabel->label, secdef->label,
@@ -1170,6 +1173,25 @@ virSecurityDACGetMountOptions(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
return NULL;
}
+static const char *
+virSecurityDACGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
+{
+ uid_t user;
+ gid_t group;
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ if (priv->baselabel)
+ return priv->baselabel;
+
+ if (virGetUserID(QEMU_USER, &user) < 0 ||
+ virGetGroupID(QEMU_GROUP, &group) < 0 ||
+ virAsprintf(&priv->baselabel, "%u:%u",
+ (unsigned int) priv->user,
+ (unsigned int) priv->group) < 0)
+ return NULL;
+
+ return priv->baselabel;
+}
+
virSecurityDriver virSecurityDriverDAC = {
.privateDataLen = sizeof(virSecurityDACData),
.name = SECURITY_DAC_NAME,
@@ -1212,4 +1234,6 @@ virSecurityDriver virSecurityDriverDAC = {
.domainSetSecurityTapFDLabel = virSecurityDACSetTapFDLabel,
.domainGetSecurityMountOptions = virSecurityDACGetMountOptions,
+
+ .getBaseLabel = virSecurityDACGetBaseLabel,
};
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 8735558..64bd307 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -46,6 +46,7 @@ typedef int (*virSecurityDriverClose) (virSecurityManagerPtr mgr);
typedef const char *(*virSecurityDriverGetModel) (virSecurityManagerPtr mgr);
typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr);
+typedef const char *(*virSecurityDriverGetBaseLabel) (virSecurityManagerPtr mgr);
typedef int (*virSecurityDriverPreFork) (virSecurityManagerPtr mgr);
@@ -154,6 +155,8 @@ struct _virSecurityDriver {
virSecurityDomainGetMountOptions domainGetSecurityMountOptions;
virSecurityDomainSetHugepages domainSetSecurityHugepages;
+
+ virSecurityDriverGetBaseLabel getBaseLabel;
};
virSecurityDriverPtr virSecurityDriverLookup(const char *name,
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 92fb504..8535c8e 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -273,6 +273,21 @@ virSecurityManagerGetModel(virSecurityManagerPtr mgr)
return NULL;
}
+const char *
+virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
+{
+ if (mgr->drv->getBaseLabel) {
+ const char *ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->getBaseLabel(mgr);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ virReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+ return NULL;
+}
+
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr)
{
return mgr->allowDiskFormatProbing;
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 9252830..381cfc9 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -55,6 +55,8 @@ void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr);
const char *virSecurityManagerGetDriver(virSecurityManagerPtr mgr);
const char *virSecurityManagerGetDOI(virSecurityManagerPtr mgr);
const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
+const char *virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr);
+
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
bool virSecurityManagerGetDefaultConfined(virSecurityManagerPtr mgr);
bool virSecurityManagerGetRequireConfined(virSecurityManagerPtr mgr);
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 233404c..c0d0f08 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -186,6 +186,13 @@ static char
*virSecurityDomainGetMountOptionsNop(virSecurityManagerPtr mgr ATTRI
return opts;
}
+static const char *
+virSecurityGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
+{
+ return "";
+}
+
+
virSecurityDriver virSecurityDriverNop = {
.privateDataLen = 0,
.name = "none",
@@ -226,4 +233,6 @@ virSecurityDriver virSecurityDriverNop = {
.domainSetSecurityTapFDLabel = virSecurityDomainSetFDLabelNop,
.domainGetSecurityMountOptions = virSecurityDomainGetMountOptionsNop,
+
+ .getBaseLabel = virSecurityGetBaseLabel,
};
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 38de060..d7cafc6 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1827,6 +1827,14 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr
def,
}
+static const char *
+virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr)
+{
+ virSecuritySELinuxDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ return priv->domain_context;
+}
+
+
static int
virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
@@ -2474,4 +2482,5 @@ virSecurityDriver virSecurityDriverSELinux = {
.domainSetSecurityTapFDLabel = virSecuritySELinuxSetTapFDLabel,
.domainGetSecurityMountOptions = virSecuritySELinuxGetSecurityMountOptions,
+ .getBaseLabel = virSecuritySELinuxGetBaseLabel,
};
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 0a0dc92..d704dd9 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -555,6 +555,12 @@ virSecurityStackGetNested(virSecurityManagerPtr mgr)
return list;
}
+static const char *
+virSecurityStackGetBaseLabel(virSecurityManagerPtr mgr)
+{
+ return virSecurityManagerGetBaseLabel(virSecurityStackGetPrimary(mgr));
+}
+
virSecurityDriver virSecurityDriverStack = {
.privateDataLen = sizeof(virSecurityStackData),
.name = "stack",
@@ -599,4 +605,6 @@ virSecurityDriver virSecurityDriverStack = {
.domainGetSecurityMountOptions = virSecurityStackGetMountOptions,
.domainSetSecurityHugepages = virSecurityStackSetHugepages,
+
+ .getBaseLabel = virSecurityStackGetBaseLabel,
};
--
1.8.3.1
6:03 a.m.
New subject: [libvirt] [PATCH v2 1/3] security: add new internal function "virSecurityManagerGetBaseLabel"
On Thu, Sep 05, 2013 at 01:49:43PM +0200, Giuseppe Scrivano wrote:
virSecurityManagerGetBaseLabel queries the default settings used by
a security model.
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/security/security_apparmor.c | 7 +++++++
src/security/security_dac.c | 26 +++++++++++++++++++++++++-
src/security/security_driver.h | 3 +++
src/security/security_manager.c | 15 +++++++++++++++
src/security/security_manager.h | 2 ++
src/security/security_nop.c | 9 +++++++++
src/security/security_selinux.c | 9 +++++++++
src/security/security_stack.c | 8 ++++++++
9 files changed, 79 insertions(+), 1 deletion(-)
+static const char *
+AppArmorGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
+{
+ return "";
+}
I wonder if we should just return NULL here. I don't think we need
to be able to report errors other than "no base label", so I think
using NULL for that is sufficient.
@@ -1170,6 +1173,25 @@
virSecurityDACGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return NULL;
}
+static const char *
+virSecurityDACGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED)
+{
+ uid_t user;
+ gid_t group;
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ if (priv->baselabel)
+ return priv->baselabel;
+
+ if (virGetUserID(QEMU_USER, &user) < 0 ||
+ virGetGroupID(QEMU_GROUP, &group) < 0 ||
+ virAsprintf(&priv->baselabel, "%u:%u",
+ (unsigned int) priv->user,
+ (unsigned int) priv->group) < 0)
+ return NULL;
It would be better to initialize the 'pribv->baselabel' when we
first set the user/group, so that this getter does not have
side effects.
+typedef const char *(*virSecurityDriverGetBaseLabel)
(virSecurityManagerPtr mgr);
We need to be able to pass in 'int virttype' here...
+static const char *
+virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr)
+{
+ virSecuritySELinuxDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ return priv->domain_context;
....So that here we can do
if (virttype == VIR_DOMAIN_VIRT_QEMU)
return priv->alt_domain_context
else
return priv->domain_context
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
6:49 a.m.
New subject: [libvirt] [PATCH v2 2/3] capabilities: add baselabel per sec driver/virt type to secmodel
Expand the "secmodel" XML fragment of "host" with a sequence of
baselabel's which describe the default security context used by
libvirt with a specific security model and virtualization type:
<secmodel>
<model>selinux</model>
<doi>0</doi>
<baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
<baselabel type='qemu'>system_u:system_r:svirt_t:s0</baselabel>
</secmodel>
<secmodel>
<model>dac</model>
<doi>0</doi>
<baselabel type='kvm'>0:0</baselabel>
<baselabel type='qemu'>0:0</baselabel>
</secmodel>
"baselabel" is driver-specific information, e.g. in the DAC security
model, it indicates USER_ID:GROUP_ID.
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
src/conf/capabilities.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++--
src/conf/capabilities.h | 14 +++++++++++
src/libvirt_private.syms | 1 +
src/qemu/qemu_conf.c | 11 ++++++---
4 files changed, 81 insertions(+), 5 deletions(-)
diff --git a/src/conf/capabilities.c b/src/conf/capabilities.c
index 1acc936..b0e2ff9 100644
--- a/src/conf/capabilities.c
+++ b/src/conf/capabilities.c
@@ -184,6 +184,20 @@ virCapabilitiesFreeNUMAInfo(virCapsPtr caps)
}
static void
+virCapabilitiesFreeSecModel(virCapsHostSecModelPtr secmodel)
+{
+ size_t i;
+ for (i = 0; i < secmodel->nlabels; i++) {
+ VIR_FREE(secmodel->labels[i].type);
+ VIR_FREE(secmodel->labels[i].label);
+ }
+
+ VIR_FREE(secmodel->labels);
+ VIR_FREE(secmodel->model);
+ VIR_FREE(secmodel->doi);
+}
+
+static void
virCapabilitiesDispose(void *object)
{
virCapsPtr caps = object;
@@ -204,8 +218,7 @@ virCapabilitiesDispose(void *object)
VIR_FREE(caps->host.migrateTrans);
for (i = 0; i < caps->host.nsecModels; i++) {
- VIR_FREE(caps->host.secModels[i].model);
- VIR_FREE(caps->host.secModels[i].doi);
+ virCapabilitiesFreeSecModel(&caps->host.secModels[i]);
}
VIR_FREE(caps->host.secModels);
@@ -507,6 +520,44 @@ virCapabilitiesAddGuestFeature(virCapsGuestPtr guest,
}
/**
+ * virCapabilitiesHostSecModelAddBaseLabel
+ * @secmodel: Security model to add a base label for
+ * @type: virtualization type
+ * @label: base label
+ *
+ * Returns non-zero on error.
+ */
+extern int
+virCapabilitiesHostSecModelAddBaseLabel(virCapsHostSecModelPtr secmodel,
+ const char *type,
+ const char *label)
+{
+ char *t = NULL, *l = NULL;
+
+ if (type == NULL || label == NULL)
+ return -1;
+
+ if (VIR_STRDUP(t, type) < 0)
+ goto no_memory;
+
+ if (VIR_STRDUP(l, label) < 0)
+ goto no_memory;
+
+ if (VIR_EXPAND_N(secmodel->labels, secmodel->nlabels, 1) < 0)
+ goto no_memory;
+
+ secmodel->labels[secmodel->nlabels - 1].type = t;
+ secmodel->labels[secmodel->nlabels - 1].label = l;
+
+ return 0;
+
+no_memory:
+ VIR_FREE(l);
+ VIR_FREE(t);
+ return -1;
+}
+
+/**
* virCapabilitiesSupportsGuestArch:
* @caps: capabilities to query
* @arch: Architecture to search for
@@ -826,6 +877,11 @@ virCapabilitiesFormatXML(virCapsPtr caps)
caps->host.secModels[i].model);
virBufferAsprintf(&xml, " <doi>%s</doi>\n",
caps->host.secModels[i].doi);
+ for (j = 0; j < caps->host.secModels[i].nlabels; j++) {
+ virBufferAsprintf(&xml, " <baselabel
type='%s'>%s</baselabel>\n",
+ caps->host.secModels[i].labels[j].type,
+ caps->host.secModels[i].labels[j].label);
+ }
virBufferAddLit(&xml, " </secmodel>\n");
}
diff --git a/src/conf/capabilities.h b/src/conf/capabilities.h
index 88ec454..5bc7bb5 100644
--- a/src/conf/capabilities.h
+++ b/src/conf/capabilities.h
@@ -104,11 +104,20 @@ struct _virCapsHostNUMACell {
virCapsHostNUMACellCPUPtr cpus;
};
+typedef struct _virCapsHostSecModelLabel virCapsHostSecModelLabel;
+typedef virCapsHostSecModelLabel *virCapsHostSecModelLabelPtr;
+struct _virCapsHostSecModelLabel {
+ char *type;
+ char *label;
+};
+
typedef struct _virCapsHostSecModel virCapsHostSecModel;
typedef virCapsHostSecModel *virCapsHostSecModelPtr;
struct _virCapsHostSecModel {
char *model;
char *doi;
+ size_t nlabels;
+ virCapsHostSecModelLabelPtr labels;
};
typedef struct _virCapsHost virCapsHost;
@@ -225,6 +234,11 @@ virCapabilitiesAddGuestFeature(virCapsGuestPtr guest,
int toggle);
extern int
+virCapabilitiesHostSecModelAddBaseLabel(virCapsHostSecModelPtr secmodel,
+ const char *type,
+ const char *label);
+
+extern int
virCapabilitiesSupportsGuestArch(virCapsPtr caps,
virArch arch);
extern int
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index aea7e94..cdf9e58 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -58,6 +58,7 @@ virCapabilitiesFormatXML;
virCapabilitiesFreeMachines;
virCapabilitiesFreeNUMAInfo;
virCapabilitiesGetCpusForNodemask;
+virCapabilitiesHostSecModelAddBaseLabel;
virCapabilitiesNew;
virCapabilitiesSetHostCPU;
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 1f57f72..71dbb27 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -563,7 +563,7 @@ virCapsPtr virQEMUDriverCreateCapabilities(virQEMUDriverPtr driver)
virCapsPtr caps;
virSecurityManagerPtr *sec_managers = NULL;
/* Security driver data */
- const char *doi, *model;
+ const char *doi, *model, *label;
virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
/* Basic host arch / guest machine capabilities */
@@ -589,11 +589,16 @@ virCapsPtr virQEMUDriverCreateCapabilities(virQEMUDriverPtr driver)
goto error;
for (i = 0; sec_managers[i]; i++) {
+ virCapsHostSecModelPtr sm = &caps->host.secModels[i];
doi = virSecurityManagerGetDOI(sec_managers[i]);
model = virSecurityManagerGetModel(sec_managers[i]);
- if (VIR_STRDUP(caps->host.secModels[i].model, model) < 0 ||
- VIR_STRDUP(caps->host.secModels[i].doi, doi) < 0)
+ label = virSecurityManagerGetBaseLabel(sec_managers[i]);
+ if (VIR_STRDUP(sm->model, model) < 0 ||
+ VIR_STRDUP(sm->doi, doi) < 0 ||
+ virCapabilitiesHostSecModelAddBaseLabel(sm, "kvm", label) < 0
||
+ virCapabilitiesHostSecModelAddBaseLabel(sm, "qemu", label) < 0)
goto error;
+
VIR_DEBUG("Initialized caps for security driver \"%s\" with
"
"DOI \"%s\"", model, doi);
}
--
1.8.3.1
6:05 a.m.
New subject: [libvirt] [PATCH v2 2/3] capabilities: add baselabel per sec driver/virt type to secmodel
On Thu, Sep 05, 2013 at 01:49:44PM +0200, Giuseppe Scrivano wrote:
for (i = 0; sec_managers[i]; i++) {
+ virCapsHostSecModelPtr sm = &caps->host.secModels[i];
doi = virSecurityManagerGetDOI(sec_managers[i]);
model = virSecurityManagerGetModel(sec_managers[i]);
- if (VIR_STRDUP(caps->host.secModels[i].model, model) < 0 ||
- VIR_STRDUP(caps->host.secModels[i].doi, doi) < 0)
+ label = virSecurityManagerGetBaseLabel(sec_managers[i]);
You need to call this twice, once for kvm and once for qemu
since different labels will be used
+ if (VIR_STRDUP(sm->model, model) < 0 ||
+ VIR_STRDUP(sm->doi, doi) < 0 ||
+ virCapabilitiesHostSecModelAddBaseLabel(sm, "kvm", label) < 0
||
+ virCapabilitiesHostSecModelAddBaseLabel(sm, "qemu", label) < 0)
And pass in the different labels here.
Also, you need to update the lxc_driver code to set this metadata since
it uses sVirt too.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
6:49 a.m.
New subject: [libvirt] [PATCH v2 3/3] capabilities: document and test "<baselabel>"
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
docs/schemas/capability.rng | 8 ++++++++
tests/capabilityschemadata/caps-qemu-kvm.xml | 2 ++
tests/capabilityschemadata/caps-test3.xml | 2 ++
3 files changed, 12 insertions(+)
diff --git a/docs/schemas/capability.rng b/docs/schemas/capability.rng
index 65c7c72..aee03d7 100644
--- a/docs/schemas/capability.rng
+++ b/docs/schemas/capability.rng
@@ -60,6 +60,14 @@
<element name='doi'>
<text/>
</element>
+ <zeroOrMore>
+ <element name='baselabel'>
+ <attribute name='type'>
+ <text/>
+ </attribute>
+ <text/>
+ </element>
+ </zeroOrMore>
</interleave>
</element>
</define>
diff --git a/tests/capabilityschemadata/caps-qemu-kvm.xml
b/tests/capabilityschemadata/caps-qemu-kvm.xml
index 1fbc22b..066ec71 100644
--- a/tests/capabilityschemadata/caps-qemu-kvm.xml
+++ b/tests/capabilityschemadata/caps-qemu-kvm.xml
@@ -25,6 +25,8 @@
<secmodel>
<model>selinux</model>
<doi>0</doi>
+ <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
+ <baselabel
type='qemu'>system_u:system_r:svirt_t:s0</baselabel>
</secmodel>
</host>
diff --git a/tests/capabilityschemadata/caps-test3.xml
b/tests/capabilityschemadata/caps-test3.xml
index e6c56c5..d359f25 100644
--- a/tests/capabilityschemadata/caps-test3.xml
+++ b/tests/capabilityschemadata/caps-test3.xml
@@ -82,6 +82,8 @@
<secmodel>
<model>dac</model>
<doi>0</doi>
+ <baselabel type='kvm'>0:0</baselabel>
+ <baselabel type='qemu'>0:0</baselabel>
</secmodel>
</host>
--
1.8.3.1
6:07 a.m.
New subject: [libvirt] [PATCH v2 3/3] capabilities: document and test "<baselabel>"
On Thu, Sep 05, 2013 at 01:49:45PM +0200, Giuseppe Scrivano wrote:
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
docs/schemas/capability.rng | 8 ++++++++
tests/capabilityschemadata/caps-qemu-kvm.xml | 2 ++
tests/capabilityschemadata/caps-test3.xml | 2 ++
3 files changed, 12 insertions(+)
It would be preferrable to have thse changes in the same commit
that you changed conf/capabilities.{c,h}.
And then have the changes to the qemu & lxc drivers separate
from the changes to the core capabilities code.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
5:58 a.m.
New subject: [libvirt] [PATCH v2 0/3] expose baselabel for each sec model/virt type
On Thu, Sep 05, 2013 at 01:49:42PM +0200, Giuseppe Scrivano wrote:
Now each security model can define its own base label, that
describes
the default security context used by libvirt to run an hypervisor
process. This information is exposed to users trough the host
capabilities XML.
Just a quick note for future reference. When posting v2/v3/etc
versions of a patch series, we generally prefer them to be posted
as new top level threads, rather than setting In-reply-to against
the original posting. The reason is we've found people a more
likely to miss new postings when posted as replies, and it also
makes it clearer that the new posting is a self-contained series
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4094
days inactive
4104
days old
12 comments
2 participants
participants (2)
-
Daniel P. Berrange -
Giuseppe Scrivano