[libvirt] Refactored previous patch into 5 patches

[sandbox PATCH 1/5] Add virt-sandbox -s inherit, to execute the [sandbox PATCH 2/5] Unit files only exist in Systemd Containers. [sandbox PATCH 3/5] -S is not supported by virt-sandbox [sandbox PATCH 4/5] Fix SEE ALSO lines to be multi-line [sandbox PATCH 5/5] virt-sandbox needs to mention LIBVIRT_DEFAULT_URI

This will allow us to run sandbox as the calling process, If I am running a shell as staff_u:unconfined_r:unconfined_t:s0, and I execute virt-sandbox -c lxc/// -- /bin/sh /bin/sh will run as staff_u:unconfined_r:unconfined_t:s0 --- bin/virt-sandbox.c | 4 ++++ configure.ac | 1 + libvirt-sandbox.spec.in | 1 + libvirt-sandbox/Makefile.am | 2 ++ libvirt-sandbox/libvirt-sandbox-config.c | 14 ++++++++++++++ m4/virt-selinux.m4 | 11 +++++++++++ 6 files changed, 33 insertions(+) create mode 100644 m4/virt-selinux.m4 diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c index 3ddcd17..14700d7 100644 --- a/bin/virt-sandbox.c +++ b/bin/virt-sandbox.c @@ -417,6 +417,10 @@ USER:ROLE:TYPE:LEVEL, instead of the default base context. To set a completely static label. For example, static,label=system_u:system_r:svirt_t:s0:c412,c355 +=item inherit + +Inherit the context from the process that is executing virt-sandbox. + =back =item B<-p>, B<--privileged> diff --git a/configure.ac b/configure.ac index 32206b8..50f23fc 100644 --- a/configure.ac +++ b/configure.ac @@ -84,6 +84,7 @@ LIBVIRT_SANDBOX_WIN32 LIBVIRT_SANDBOX_COVERAGE LIBVIRT_SANDBOX_INTROSPECTION LIBVIRT_SANDBOX_RPCGEN +LIBVIRT_SANDBOX_SELINUX dnl Should be in m4/virt-gettext.m4 but intltoolize is too dnl dumb to find it there diff --git a/libvirt-sandbox.spec.in b/libvirt-sandbox.spec.in index a9721b5..718c27b 100644 --- a/libvirt-sandbox.spec.in +++ b/libvirt-sandbox.spec.in @@ -25,6 +25,7 @@ BuildRequires: gobject-introspection-devel BuildRequires: glibc-static BuildRequires: /usr/bin/pod2man BuildRequires: intltool +BuildRequires: libselinux-devel BuildRequires: glib2-devel >= 2.32.0 Requires: rpm-python # For virsh lxc-enter-namespace command diff --git a/libvirt-sandbox/Makefile.am b/libvirt-sandbox/Makefile.am index 4e0ea00..0882490 100644 --- a/libvirt-sandbox/Makefile.am +++ b/libvirt-sandbox/Makefile.am 
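Review bot: The new `=item inherit` text does not tell the reader how much confinement is left once this option is chosen. As the commit message's own example shows, a caller running as `unconfined_t` gets a sandbox that also runs as `unconfined_t`, so SELinux adds no restriction beyond what the caller already has. If the default dynamic label assigns per-sandbox categories (as the `s0:c412,c355` example in the context lines suggests), that separation between sandboxes is lost as well. I would extend the entry to say so, e.g. `The sandbox is confined only as far as the calling process is; an unconfined caller gets an unconfined sandbox.` The pod section continues outside the hunk.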
@@ -169,6 +169,7 @@ libvirt_sandbox_init_common_CFLAGS = \ $(LIBVIRT_GLIB_CFLAGS) \ $(LIBVIRT_GOBJECT_CFLAGS) \ $(CAPNG_CFLAGS) \ + $(SELINUX_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) libvirt_sandbox_init_common_LDFLAGS = \ @@ -178,6 +179,7 @@ libvirt_sandbox_init_common_LDFLAGS = \ $(LIBVIRT_GLIB_LIBS) \ $(LIBVIRT_GOBJECT_LIBS) \ $(CAPNG_LIBS) \ + $(SELINUX_LIBS) \ $(WARN_CFLAGS) \ $(NULL) libvirt_sandbox_init_common_LDADD = \ diff --git a/libvirt-sandbox/libvirt-sandbox-config.c b/libvirt-sandbox/libvirt-sandbox-config.c index ccdb3bc..8e8ac65 100644 --- a/libvirt-sandbox/libvirt-sandbox-config.c +++ b/libvirt-sandbox/libvirt-sandbox-config.c @@ -27,6 +27,8 @@ #include <glib/gi18n.h> #include "libvirt-sandbox/libvirt-sandbox.h" +#include <errno.h> +#include <selinux/selinux.h> /** * SECTION: libvirt-sandbox-config @@ -1521,6 +1523,18 @@ gboolean gvir_sandbox_config_set_security_opts(GVirSandboxConfig *config, gvir_sandbox_config_set_security_dynamic(config, TRUE); } else if (g_str_equal(tmp, "static")) { gvir_sandbox_config_set_security_dynamic(config, FALSE); + } else if (g_str_equal(tmp, "inherit")) { + gvir_sandbox_config_set_security_dynamic(config, FALSE); + security_context_t scon; + if (getcon(&scon) < 0) { + g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0, + _("Unable to get SELinux context of user: %s"), + strerror(errno)); + return FALSE; + } + gvir_sandbox_config_set_security_label(config, scon); + freecon(scon); + } else { g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0, _("Unknown security option '%s'"), tmp); diff --git a/m4/virt-selinux.m4 b/m4/virt-selinux.m4 new file mode 100644 index 0000000..ef41721 --- /dev/null +++ b/m4/virt-selinux.m4 
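Review bot: `$(SELINUX_CFLAGS)` and `$(SELINUX_LIBS)`, added here and in the `@@ -178` hunk, are not defined anywhere in this patch: the new `LIBVIRT_SANDBOX_SELINUX` macro in m4/virt-selinux.m4 only runs `AC_CHECK_HEADER` and `AC_CHECK_LIB`, then restores `LIBS` and `CFLAGS`, and contains no `AC_SUBST`. Unless the variables are set somewhere outside the patch, both expand to nothing and `-lselinux` never reaches a link line. The macro should export them, for example `SELINUX_LIBS="-lselinux"` followed by `AC_SUBST([SELINUX_LIBS])` and `AC_SUBST([SELINUX_CFLAGS])`. The flags are also attached to `libvirt_sandbox_init_common`, while the `getcon()` call lands in libvirt-sandbox-config.c; if that file is built into the shared library rather than this program, the library's own flags need the same addition.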
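Review bot: In the new `inherit` branch a host with SELinux disabled only fails at `getcon()`, and the user then sees a raw errno string; checking `is_selinux_enabled()` first would allow a clear "SELinux is not enabled" error before any context is read. The message is built with `strerror(errno)`, but the include hunk adds only `<errno.h>` and `<selinux/selinux.h>`, so this relies on `<string.h>` arriving some other way; `g_strerror(errno)` avoids that and matches the GLib error API used around it. `security_context_t scon;` is declared after a statement, which will trip `-Wdeclaration-after-statement` if `$(WARN_CFLAGS)` enables it, so it is safer to move the declaration ahead of the `gvir_sandbox_config_set_security_dynamic(config, FALSE);` call. The function body starts and ends outside the hunk.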
@@ -0,0 +1,11 @@
+AC_DEFUN([LIBVIRT_SANDBOX_SELINUX], [
+ fail=0
+ old_LIBS=$LIBS
+ old_CFLAGS=$CFLAGS
+ AC_CHECK_HEADER([selinux/selinux.h],[],[fail=1])
+ AC_CHECK_LIB([selinux], [fgetfilecon],[],[fail=1])
+ LIBS=$old_LIBS
+ CFLAGS=$old_CFLAGS
+ test $fail = 1 &&
+ AC_MSG_ERROR([You must install the libselinux development package in order to compile libvirt-sandbox])
+])
-- 1.8.3.1

On Thu, Aug 15, 2013 at 08:04:41AM -0400, Dan Walsh wrote:
This will allow us to run sandbox as the calling process, If I am running a shell as staff_u:unconfined_r:unconfined_t:s0, and I execute virt-sandbox -c lxc/// -- /bin/sh
/bin/sh will run as staff_u:unconfined_r:unconfined_t:s0 --- bin/virt-sandbox.c | 4 ++++ configure.ac | 1 + libvirt-sandbox.spec.in | 1 + libvirt-sandbox/Makefile.am | 2 ++ libvirt-sandbox/libvirt-sandbox-config.c | 14 ++++++++++++++ m4/virt-selinux.m4 | 11 +++++++++++ 6 files changed, 33 insertions(+) create mode 100644 m4/virt-selinux.m4
ACK Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

Do not attempt to fix the unit file of Generic Containers. --- bin/virt-sandbox-service | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index 03873c9..3e83c94 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -928,28 +928,28 @@ def upgrade_config_legacy(path): else: container = SystemdContainer(uri=args.uri, config=config) - fd = open(container.get_unit_path()) - unitfile = fd.read() - fd.close() + fd = open(container.get_unit_path()) + unitfile = fd.read() + fd.close() - unitfile = unitfile.replace("/usr/bin/virt-sandbox-service start", - "/usr/libexec/virt-sandbox-service-util -c lxc:/// -s") - unitfile = unitfile.replace("/usr/bin/virt-sandbox-service reload", - "/usr/bin/virt-sandbox-service -c lxc:/// reload") - unitfile = unitfile.replace("/usr/bin/virt-sandbox-service stop", - "/usr/bin/virsh -c lxc:/// destroy") + unitfile = unitfile.replace("/usr/bin/virt-sandbox-service start", + "/usr/libexec/virt-sandbox-service-util -c lxc:/// -s") + unitfile = unitfile.replace("/usr/bin/virt-sandbox-service reload", + "/usr/bin/virt-sandbox-service -c lxc:/// reload") + unitfile = unitfile.replace("/usr/bin/virt-sandbox-service stop", + "/usr/bin/virsh -c lxc:/// destroy") - unitfile = re.sub("WantedBy=.*\.target", - "WantedBy=multi-user.target", - unitfile) + unitfile = re.sub("WantedBy=.*\.target", + "WantedBy=multi-user.target", + unitfile) - os.remove(container.get_unit_path()) - fd = open(container.get_unit_path(), "wx") - fd.write(unitfile) - fd.close() + os.remove(container.get_unit_path()) + fd = open(container.get_unit_path(), "wx") + fd.write(unitfile) + fd.close() - sys.stdout.write(_("Created unit file %s\n") % - container.get_unit_path()) + sys.stdout.write(_("Created unit file %s\n") % + container.get_unit_path()) # Create new config file + libvirt persistent XML config container.save_config() -- 1.8.3.1
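Review bot: The unit file is deleted with `os.remove(container.get_unit_path())` before its replacement exists, so a failure in the following `open(..., "wx")` or `fd.write(unitfile)` leaves the container with no unit file at all. Writing the new content to a temporary file in the same directory, still created exclusively, and then renaming it over the old path keeps the old file in place until the new one is complete. The file handle is also closed only on the success path, which a `try`/`finally` around the write would fix. `upgrade_config_legacy` starts and ends outside the hunk.

```python
# … unchanged: read unitfile and apply the replace() / re.sub() edits …
unitpath = container.get_unit_path()
tmppath = unitpath + ".new"
fd = open(tmppath, "wx")
try:
    fd.write(unitfile)
finally:
    fd.close()
os.rename(tmppath, unitpath)
# … unchanged: "Created unit file" message …
```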

On Thu, Aug 15, 2013 at 08:04:42AM -0400, Dan Walsh wrote:
Do not attempt to fix the unit file of Generic Containers. --- bin/virt-sandbox-service | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-)
You'll find I've already committed the same fix when you rebase to current master. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

-S option has been removed from virt-sandbox, should be removed from man page. --- bin/virt-sandbox.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c index 14700d7..c21a8a6 100644 --- a/bin/virt-sandbox.c +++ b/bin/virt-sandbox.c @@ -269,8 +269,6 @@ virt-sandbox - Run cmd under a virtual machine sandbox virt-sandbox [OPTIONS...] COMMAND [CMDARG1 [CMDARG2 [...]]] -virt-sandbox [OPTIONS...] -S - =head1 DESCRIPTION Run the C<cmd> application within a tightly confined virtual machine. The -- 1.8.3.1

On Thu, Aug 15, 2013 at 08:04:43AM -0400, Dan Walsh wrote:
-S option has been removed from virt-sandbox, should be removed from man page. --- bin/virt-sandbox.c | 2 -- 1 file changed, 2 deletions(-)
diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c index 14700d7..c21a8a6 100644 --- a/bin/virt-sandbox.c +++ b/bin/virt-sandbox.c @@ -269,8 +269,6 @@ virt-sandbox - Run cmd under a virtual machine sandbox
virt-sandbox [OPTIONS...] COMMAND [CMDARG1 [CMDARG2 [...]]]
-virt-sandbox [OPTIONS...] -S - =head1 DESCRIPTION
Run the C<cmd> application within a tightly confined virtual machine. The
ACK Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

--- bin/virt-sandbox-service.pod | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/bin/virt-sandbox-service.pod b/bin/virt-sandbox-service.pod index 7752145..b879a46 100644 --- a/bin/virt-sandbox-service.pod +++ b/bin/virt-sandbox-service.pod @@ -54,7 +54,11 @@ supported currently). =head1 SEE ALSO -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>, C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>, C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>, C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>, C<virt-sandbox-service-upgrade(1)> +C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>, +C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>, +C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>, +C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>, +C<virt-sandbox-service-upgrade(1)> =head1 FILES -- 1.8.3.1

On Thu, Aug 15, 2013 at 08:04:44AM -0400, Dan Walsh wrote:
--- bin/virt-sandbox-service.pod | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/bin/virt-sandbox-service.pod b/bin/virt-sandbox-service.pod index 7752145..b879a46 100644 --- a/bin/virt-sandbox-service.pod +++ b/bin/virt-sandbox-service.pod @@ -54,7 +54,11 @@ supported currently).
=head1 SEE ALSO
-C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>, C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>, C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>, C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>, C<virt-sandbox-service-upgrade(1)> +C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>, +C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>, +C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>, +C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>, +C<virt-sandbox-service-upgrade(1)>
=head1 FILES
ACK Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

Since lots of people want to try out LXC with virt-sandbox, executing -c lxc:/// is a pain, but users might not know about the varible or the config file. --- bin/virt-sandbox.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c index c21a8a6..ae303d2 100644 --- a/bin/virt-sandbox.c +++ b/bin/virt-sandbox.c @@ -283,7 +283,10 @@ not allowed to open any other files. =item B<-c URI>, B<--connect=URI> Set the libvirt connection URI, defaults to qemu:///session if -omitted. Currently only the QEMU and LXC drivers are supported. +omitted. Alternatively the C<LIBVIRT_DEFAULT_URI> environment +variable can be set, or the config file C</etc/libvirt/libvirt.conf> +can have a default URI set. Currently only the QEMU and LXC drivers +are supported. =item B<-n NAME>, B<--name=NAME> -- 1.8.3.1

On Thu, Aug 15, 2013 at 08:04:45AM -0400, Dan Walsh wrote:
Since lots of people want to try out LXC with virt-sandbox, executing -c lxc:/// is a pain, but users might not know about the varible or the config file. --- bin/virt-sandbox.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c index c21a8a6..ae303d2 100644 --- a/bin/virt-sandbox.c +++ b/bin/virt-sandbox.c @@ -283,7 +283,10 @@ not allowed to open any other files. =item B<-c URI>, B<--connect=URI>
Set the libvirt connection URI, defaults to qemu:///session if -omitted. Currently only the QEMU and LXC drivers are supported. +omitted. Alternatively the C<LIBVIRT_DEFAULT_URI> environment +variable can be set, or the config file C</etc/libvirt/libvirt.conf> +can have a default URI set. Currently only the QEMU and LXC drivers +are supported.
=item B<-n NAME>, B<--name=NAME>
ACK Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|