11:29 a.m.
Now each security model can define its own base label, that describes
the default security context used by libvirt to run an hypervisor
process. This information is exposed to users trough the host
capabilities XML.
*v3 major changes
- support LXC
- merge virSecurityDACSetUser and virSecurityDACSetGroup in
virSecurityDACSetUserAndGroup
- DAC sets the baselabel in virSecurityDACSetUserAndGroup
- Use virDomainVirtTypeToString instead of hardcoding the name
Giuseppe Scrivano (2):
security: add new internal function "virSecurityManagerGetBaseLabel"
capabilities: add baselabel per sec driver/virt type to secmodel
docs/schemas/capability.rng | 8 ++++
src/conf/capabilities.c | 60 +++++++++++++++++++++++++++-
src/conf/capabilities.h | 14 +++++++
src/libvirt_private.syms | 2 +
src/lxc/lxc_conf.c | 10 ++++-
src/qemu/qemu_conf.c | 21 ++++++++--
src/security/security_apparmor.c | 8 ++++
src/security/security_dac.c | 34 +++++++++++-----
src/security/security_dac.h | 7 ++--
src/security/security_driver.h | 4 ++
src/security/security_manager.c | 22 +++++++++-
src/security/security_manager.h | 2 +
src/security/security_nop.c | 10 +++++
src/security/security_selinux.c | 12 ++++++
src/security/security_stack.c | 9 +++++
tests/capabilityschemadata/caps-qemu-kvm.xml | 2 +
tests/capabilityschemadata/caps-test3.xml | 2 +
17 files changed, 204 insertions(+), 23 deletions(-)
--
1.8.3.1
11:29 a.m.
New subject: [libvirt] [PATCH v3 1/2] security: add new internal function "virSecurityManagerGetBaseLabel"
virSecurityManagerGetBaseLabel queries the default settings used by
a security model.
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/security/security_apparmor.c | 8 ++++++++
src/security/security_dac.c | 34 ++++++++++++++++++++++++----------
src/security/security_dac.h | 7 +++----
src/security/security_driver.h | 4 ++++
src/security/security_manager.c | 22 ++++++++++++++++++++--
src/security/security_manager.h | 2 ++
src/security/security_nop.c | 10 ++++++++++
src/security/security_selinux.c | 12 ++++++++++++
src/security/security_stack.c | 9 +++++++++
10 files changed, 93 insertions(+), 16 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 35f0f1b..aea7e94 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1033,6 +1033,7 @@ virSecurityDriverLookup;
# security/security_manager.h
virSecurityManagerClearSocketLabel;
virSecurityManagerGenLabel;
+virSecurityManagerGetBaseLabel;
virSecurityManagerGetDOI;
virSecurityManagerGetModel;
virSecurityManagerGetMountOptions;
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index adc9918..2d74cdd 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -931,6 +931,12 @@ AppArmorGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return opts;
}
+static const char *
+AppArmorGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ int virtType ATTRIBUTE_UNUSED)
+{
+ return NULL;
+}
virSecurityDriver virAppArmorSecurityDriver = {
.privateDataLen = 0,
@@ -972,4 +978,6 @@ virSecurityDriver virAppArmorSecurityDriver = {
.domainSetSecurityTapFDLabel = AppArmorSetFDLabel,
.domainGetSecurityMountOptions = AppArmorGetMountOptions,
+
+ .getBaseLabel = AppArmoryGetBaseLabel,
};
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 6876bd5..019c789 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -47,22 +47,25 @@ struct _virSecurityDACData {
gid_t *groups;
int ngroups;
bool dynamicOwnership;
+ char *baselabel;
};
-void
-virSecurityDACSetUser(virSecurityManagerPtr mgr,
- uid_t user)
+/* returns -1 on error, 0 on success */
+int
+virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
+ uid_t user,
+ gid_t group)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
priv->user = user;
-}
-
-void
-virSecurityDACSetGroup(virSecurityManagerPtr mgr,
- gid_t group)
-{
- virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
priv->group = group;
+
+ if (virAsprintf(&priv->baselabel, "%u:%u",
+ (unsigned int) user,
+ (unsigned int) group) < 0)
+ return -1;
+
+ return 0;
}
void
@@ -217,6 +220,7 @@ virSecurityDACClose(virSecurityManagerPtr mgr)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
VIR_FREE(priv->groups);
+ VIR_FREE(priv->baselabel);
return 0;
}
@@ -1170,6 +1174,14 @@ virSecurityDACGetMountOptions(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
return NULL;
}
+static const char *
+virSecurityDACGetBaseLabel(virSecurityManagerPtr mgr,
+ int virt ATTRIBUTE_UNUSED)
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ return priv->baselabel;
+}
+
virSecurityDriver virSecurityDriverDAC = {
.privateDataLen = sizeof(virSecurityDACData),
.name = SECURITY_DAC_NAME,
@@ -1212,4 +1224,6 @@ virSecurityDriver virSecurityDriverDAC = {
.domainSetSecurityTapFDLabel = virSecurityDACSetTapFDLabel,
.domainGetSecurityMountOptions = virSecurityDACGetMountOptions,
+
+ .getBaseLabel = virSecurityDACGetBaseLabel,
};
diff --git a/src/security/security_dac.h b/src/security/security_dac.h
index 02432a5..dbcf56f 100644
--- a/src/security/security_dac.h
+++ b/src/security/security_dac.h
@@ -25,10 +25,9 @@
extern virSecurityDriver virSecurityDriverDAC;
-void virSecurityDACSetUser(virSecurityManagerPtr mgr,
- uid_t user);
-void virSecurityDACSetGroup(virSecurityManagerPtr mgr,
- gid_t group);
+int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
+ uid_t user,
+ gid_t group);
void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
bool dynamic);
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 8735558..ced1b92 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -46,6 +46,8 @@ typedef int (*virSecurityDriverClose) (virSecurityManagerPtr mgr);
typedef const char *(*virSecurityDriverGetModel) (virSecurityManagerPtr mgr);
typedef const char *(*virSecurityDriverGetDOI) (virSecurityManagerPtr mgr);
+typedef const char *(*virSecurityDriverGetBaseLabel) (virSecurityManagerPtr mgr,
+ int virtType);
typedef int (*virSecurityDriverPreFork) (virSecurityManagerPtr mgr);
@@ -154,6 +156,8 @@ struct _virSecurityDriver {
virSecurityDomainGetMountOptions domainGetSecurityMountOptions;
virSecurityDomainSetHugepages domainSetSecurityHugepages;
+
+ virSecurityDriverGetBaseLabel getBaseLabel;
};
virSecurityDriverPtr virSecurityDriverLookup(const char *name,
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 92fb504..c4b8f10 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -146,8 +146,10 @@ virSecurityManagerPtr virSecurityManagerNewDAC(const char
*virtDriver,
if (!mgr)
return NULL;
- virSecurityDACSetUser(mgr, user);
- virSecurityDACSetGroup(mgr, group);
+ if (virSecurityDACSetUserAndGroup(mgr, user, group) < 0) {
+ virSecurityManagerDispose(mgr);
+ return NULL;
+ }
virSecurityDACSetDynamicOwnership(mgr, dynamicOwnership);
return mgr;
@@ -273,6 +275,22 @@ virSecurityManagerGetModel(virSecurityManagerPtr mgr)
return NULL;
}
+/* return NULL if a base label is not present */
+const char *
+virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+ if (mgr->drv->getBaseLabel) {
+ const char *ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->getBaseLabel(mgr, virtType);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ virReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+ return NULL;
+}
+
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr)
{
return mgr->allowDiskFormatProbing;
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 9252830..81d3160 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -55,6 +55,8 @@ void *virSecurityManagerGetPrivateData(virSecurityManagerPtr mgr);
const char *virSecurityManagerGetDriver(virSecurityManagerPtr mgr);
const char *virSecurityManagerGetDOI(virSecurityManagerPtr mgr);
const char *virSecurityManagerGetModel(virSecurityManagerPtr mgr);
+const char *virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr, int virtType);
+
bool virSecurityManagerGetAllowDiskFormatProbing(virSecurityManagerPtr mgr);
bool virSecurityManagerGetDefaultConfined(virSecurityManagerPtr mgr);
bool virSecurityManagerGetRequireConfined(virSecurityManagerPtr mgr);
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 233404c..73e1ac1 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -186,6 +186,14 @@ static char
*virSecurityDomainGetMountOptionsNop(virSecurityManagerPtr mgr ATTRI
return opts;
}
+static const char *
+virSecurityGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ int virtType ATTRIBUTE_UNUSED)
+{
+ return NULL;
+}
+
+
virSecurityDriver virSecurityDriverNop = {
.privateDataLen = 0,
.name = "none",
@@ -226,4 +234,6 @@ virSecurityDriver virSecurityDriverNop = {
.domainSetSecurityTapFDLabel = virSecurityDomainSetFDLabelNop,
.domainGetSecurityMountOptions = virSecurityDomainGetMountOptionsNop,
+
+ .getBaseLabel = virSecurityGetBaseLabel,
};
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 38de060..1c2ea64 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1827,6 +1827,17 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr
def,
}
+static const char *
+virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+ virSecuritySELinuxDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ if (virtType == VIR_DOMAIN_VIRT_QEMU)
+ return priv->alt_domain_context;
+ else
+ return priv->domain_context;
+}
+
+
static int
virSecuritySELinuxRestoreSecurityAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
@@ -2474,4 +2485,5 @@ virSecurityDriver virSecurityDriverSELinux = {
.domainSetSecurityTapFDLabel = virSecuritySELinuxSetTapFDLabel,
.domainGetSecurityMountOptions = virSecuritySELinuxGetSecurityMountOptions,
+ .getBaseLabel = virSecuritySELinuxGetBaseLabel,
};
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 0a0dc92..ff0f06b 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -555,6 +555,13 @@ virSecurityStackGetNested(virSecurityManagerPtr mgr)
return list;
}
+static const char *
+virSecurityStackGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+ return virSecurityManagerGetBaseLabel(virSecurityStackGetPrimary(mgr),
+ virtType);
+}
+
virSecurityDriver virSecurityDriverStack = {
.privateDataLen = sizeof(virSecurityStackData),
.name = "stack",
@@ -599,4 +606,6 @@ virSecurityDriver virSecurityDriverStack = {
.domainGetSecurityMountOptions = virSecurityStackGetMountOptions,
.domainSetSecurityHugepages = virSecurityStackSetHugepages,
+
+ .getBaseLabel = virSecurityStackGetBaseLabel,
};
--
1.8.3.1
8:05 a.m.
New subject: [libvirt] [PATCH v3 1/2] security: add new internal function "virSecurityManagerGetBaseLabel"
On Fri, Sep 06, 2013 at 06:29:55PM +0200, Giuseppe Scrivano wrote:
virSecurityManagerGetBaseLabel queries the default settings used by
a security model.
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/security/security_apparmor.c | 8 ++++++++
src/security/security_dac.c | 34 ++++++++++++++++++++++++----------
src/security/security_dac.h | 7 +++----
src/security/security_driver.h | 4 ++++
src/security/security_manager.c | 22 ++++++++++++++++++++--
src/security/security_manager.h | 2 ++
src/security/security_nop.c | 10 ++++++++++
src/security/security_selinux.c | 12 ++++++++++++
src/security/security_stack.c | 9 +++++++++
10 files changed, 93 insertions(+), 16 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 35f0f1b..aea7e94 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1033,6 +1033,7 @@ virSecurityDriverLookup;
# security/security_manager.h
virSecurityManagerClearSocketLabel;
virSecurityManagerGenLabel;
+virSecurityManagerGetBaseLabel;
virSecurityManagerGetDOI;
virSecurityManagerGetModel;
virSecurityManagerGetMountOptions;
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index adc9918..2d74cdd 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -931,6 +931,12 @@ AppArmorGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
return opts;
}
+static const char *
+AppArmorGetBaseLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ int virtType ATTRIBUTE_UNUSED)
+{
+ return NULL;
+}
virSecurityDriver virAppArmorSecurityDriver = {
.privateDataLen = 0,
@@ -972,4 +978,6 @@ virSecurityDriver virAppArmorSecurityDriver = {
.domainSetSecurityTapFDLabel = AppArmorSetFDLabel,
.domainGetSecurityMountOptions = AppArmorGetMountOptions,
+
+ .getBaseLabel = AppArmoryGetBaseLabel,
};
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 6876bd5..019c789 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -47,22 +47,25 @@ struct _virSecurityDACData {
gid_t *groups;
int ngroups;
bool dynamicOwnership;
+ char *baselabel;
};
-void
-virSecurityDACSetUser(virSecurityManagerPtr mgr,
- uid_t user)
+/* returns -1 on error, 0 on success */
+int
+virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
+ uid_t user,
+ gid_t group)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
priv->user = user;
-}
-
-void
-virSecurityDACSetGroup(virSecurityManagerPtr mgr,
- gid_t group)
-{
- virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
priv->group = group;
+
+ if (virAsprintf(&priv->baselabel, "%u:%u",
+ (unsigned int) user,
+ (unsigned int) group) < 0)
+ return -1;
+
+ return 0;
}
void
@@ -217,6 +220,7 @@ virSecurityDACClose(virSecurityManagerPtr mgr)
{
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
VIR_FREE(priv->groups);
+ VIR_FREE(priv->baselabel);
return 0;
}
@@ -1170,6 +1174,14 @@ virSecurityDACGetMountOptions(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
return NULL;
}
+static const char *
+virSecurityDACGetBaseLabel(virSecurityManagerPtr mgr,
+ int virt ATTRIBUTE_UNUSED)
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ return priv->baselabel;
+}
+
virSecurityDriver virSecurityDriverDAC = {
.privateDataLen = sizeof(virSecurityDACData),
.name = SECURITY_DAC_NAME,
@@ -1212,4 +1224,6 @@ virSecurityDriver virSecurityDriverDAC = {
.domainSetSecurityTapFDLabel = virSecurityDACSetTapFDLabel,
.domainGetSecurityMountOptions = virSecurityDACGetMountOptions,
+
+ .getBaseLabel = virSecurityDACGetBaseLabel,
};
diff --git a/src/security/security_dac.h b/src/security/security_dac.h
index 02432a5..dbcf56f 100644
--- a/src/security/security_dac.h
+++ b/src/security/security_dac.h
@@ -25,10 +25,9 @@
extern virSecurityDriver virSecurityDriverDAC;
-void virSecurityDACSetUser(virSecurityManagerPtr mgr,
- uid_t user);
-void virSecurityDACSetGroup(virSecurityManagerPtr mgr,
- gid_t group);
+int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
+ uid_t user,
+ gid_t group);
It would be desirable to have this re-factoring done in a separate,
prior, patch from that which adds the GetBaseLabel hook.
diff --git a/src/security/security_manager.c
b/src/security/security_manager.c
index 92fb504..c4b8f10 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -146,8 +146,10 @@ virSecurityManagerPtr virSecurityManagerNewDAC(const char
*virtDriver,
if (!mgr)
return NULL;
- virSecurityDACSetUser(mgr, user);
- virSecurityDACSetGroup(mgr, group);
+ if (virSecurityDACSetUserAndGroup(mgr, user, group) < 0) {
+ virSecurityManagerDispose(mgr);
+ return NULL;
+ }
Likewise this block
diff --git a/src/security/security_selinux.c
b/src/security/security_selinux.c
index 38de060..1c2ea64 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1827,6 +1827,17 @@ virSecuritySELinuxRestoreSecuritySmartcardCallback(virDomainDefPtr
def,
}
+static const char *
+virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+ virSecuritySELinuxDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ if (virtType == VIR_DOMAIN_VIRT_QEMU)
+ return priv->alt_domain_context;
alt_domain_context is not guaranteed to be present, so you need to have
if (virtType == VIR_DOMAIN_VIRT_QEMU && priv->alt_domain_context)
....
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
8:13 a.m.
New subject: [libvirt] [PATCH v3 1/2] security: add new internal function "virSecurityManagerGetBaseLabel"
On Fri, Sep 06, 2013 at 06:29:55PM +0200, Giuseppe Scrivano wrote:
virSecurityManagerGetBaseLabel queries the default settings used by
a security model.
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
src/libvirt_private.syms | 1 +
src/security/security_apparmor.c | 8 ++++++++
src/security/security_dac.c | 34 ++++++++++++++++++++++++----------
src/security/security_dac.h | 7 +++----
src/security/security_driver.h | 4 ++++
src/security/security_manager.c | 22 ++++++++++++++++++++--
src/security/security_manager.h | 2 ++
src/security/security_nop.c | 10 ++++++++++
src/security/security_selinux.c | 12 ++++++++++++
src/security/security_stack.c | 9 +++++++++
10 files changed, 93 insertions(+), 16 deletions(-)
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 92fb504..c4b8f10 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -273,6 +275,22 @@ virSecurityManagerGetModel(virSecurityManagerPtr mgr)
return NULL;
}
+/* return NULL if a base label is not present */
+const char *
+virSecurityManagerGetBaseLabel(virSecurityManagerPtr mgr, int virtType)
+{
+ if (mgr->drv->getBaseLabel) {
+ const char *ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->getBaseLabel(mgr, virtType);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ virReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+ return NULL;
Per my reply to the 2nd patch, we need to remove thie virReportError
method call. It is valid to not implement this method if no baselabel
is required.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
11:29 a.m.
New subject: [libvirt] [PATCH v3 2/2] capabilities: add baselabel per sec driver/virt type to secmodel
Expand the "secmodel" XML fragment of "host" with a sequence of
baselabel's which describe the default security context used by
libvirt with a specific security model and virtualization type:
<secmodel>
<model>selinux</model>
<doi>0</doi>
<baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
<baselabel type='qemu'>system_u:system_r:svirt_t:s0</baselabel>
</secmodel>
<secmodel>
<model>dac</model>
<doi>0</doi>
<baselabel type='kvm'>0:0</baselabel>
<baselabel type='qemu'>0:0</baselabel>
</secmodel>
"baselabel" is driver-specific information, e.g. in the DAC security
model, it indicates USER_ID:GROUP_ID.
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
docs/schemas/capability.rng | 8 ++++
src/conf/capabilities.c | 60 +++++++++++++++++++++++++++-
src/conf/capabilities.h | 14 +++++++
src/libvirt_private.syms | 1 +
src/lxc/lxc_conf.c | 10 ++++-
src/qemu/qemu_conf.c | 21 ++++++++--
tests/capabilityschemadata/caps-qemu-kvm.xml | 2 +
tests/capabilityschemadata/caps-test3.xml | 2 +
8 files changed, 111 insertions(+), 7 deletions(-)
diff --git a/docs/schemas/capability.rng b/docs/schemas/capability.rng
index 65c7c72..aee03d7 100644
--- a/docs/schemas/capability.rng
+++ b/docs/schemas/capability.rng
@@ -60,6 +60,14 @@
<element name='doi'>
<text/>
</element>
+ <zeroOrMore>
+ <element name='baselabel'>
+ <attribute name='type'>
+ <text/>
+ </attribute>
+ <text/>
+ </element>
+ </zeroOrMore>
</interleave>
</element>
</define>
diff --git a/src/conf/capabilities.c b/src/conf/capabilities.c
index 1acc936..b0e2ff9 100644
--- a/src/conf/capabilities.c
+++ b/src/conf/capabilities.c
@@ -184,6 +184,20 @@ virCapabilitiesFreeNUMAInfo(virCapsPtr caps)
}
static void
+virCapabilitiesFreeSecModel(virCapsHostSecModelPtr secmodel)
+{
+ size_t i;
+ for (i = 0; i < secmodel->nlabels; i++) {
+ VIR_FREE(secmodel->labels[i].type);
+ VIR_FREE(secmodel->labels[i].label);
+ }
+
+ VIR_FREE(secmodel->labels);
+ VIR_FREE(secmodel->model);
+ VIR_FREE(secmodel->doi);
+}
+
+static void
virCapabilitiesDispose(void *object)
{
virCapsPtr caps = object;
@@ -204,8 +218,7 @@ virCapabilitiesDispose(void *object)
VIR_FREE(caps->host.migrateTrans);
for (i = 0; i < caps->host.nsecModels; i++) {
- VIR_FREE(caps->host.secModels[i].model);
- VIR_FREE(caps->host.secModels[i].doi);
+ virCapabilitiesFreeSecModel(&caps->host.secModels[i]);
}
VIR_FREE(caps->host.secModels);
@@ -507,6 +520,44 @@ virCapabilitiesAddGuestFeature(virCapsGuestPtr guest,
}
/**
+ * virCapabilitiesHostSecModelAddBaseLabel
+ * @secmodel: Security model to add a base label for
+ * @type: virtualization type
+ * @label: base label
+ *
+ * Returns non-zero on error.
+ */
+extern int
+virCapabilitiesHostSecModelAddBaseLabel(virCapsHostSecModelPtr secmodel,
+ const char *type,
+ const char *label)
+{
+ char *t = NULL, *l = NULL;
+
+ if (type == NULL || label == NULL)
+ return -1;
+
+ if (VIR_STRDUP(t, type) < 0)
+ goto no_memory;
+
+ if (VIR_STRDUP(l, label) < 0)
+ goto no_memory;
+
+ if (VIR_EXPAND_N(secmodel->labels, secmodel->nlabels, 1) < 0)
+ goto no_memory;
+
+ secmodel->labels[secmodel->nlabels - 1].type = t;
+ secmodel->labels[secmodel->nlabels - 1].label = l;
+
+ return 0;
+
+no_memory:
+ VIR_FREE(l);
+ VIR_FREE(t);
+ return -1;
+}
+
+/**
* virCapabilitiesSupportsGuestArch:
* @caps: capabilities to query
* @arch: Architecture to search for
@@ -826,6 +877,11 @@ virCapabilitiesFormatXML(virCapsPtr caps)
caps->host.secModels[i].model);
virBufferAsprintf(&xml, " <doi>%s</doi>\n",
caps->host.secModels[i].doi);
+ for (j = 0; j < caps->host.secModels[i].nlabels; j++) {
+ virBufferAsprintf(&xml, " <baselabel
type='%s'>%s</baselabel>\n",
+ caps->host.secModels[i].labels[j].type,
+ caps->host.secModels[i].labels[j].label);
+ }
virBufferAddLit(&xml, " </secmodel>\n");
}
diff --git a/src/conf/capabilities.h b/src/conf/capabilities.h
index 88ec454..5bc7bb5 100644
--- a/src/conf/capabilities.h
+++ b/src/conf/capabilities.h
@@ -104,11 +104,20 @@ struct _virCapsHostNUMACell {
virCapsHostNUMACellCPUPtr cpus;
};
+typedef struct _virCapsHostSecModelLabel virCapsHostSecModelLabel;
+typedef virCapsHostSecModelLabel *virCapsHostSecModelLabelPtr;
+struct _virCapsHostSecModelLabel {
+ char *type;
+ char *label;
+};
+
typedef struct _virCapsHostSecModel virCapsHostSecModel;
typedef virCapsHostSecModel *virCapsHostSecModelPtr;
struct _virCapsHostSecModel {
char *model;
char *doi;
+ size_t nlabels;
+ virCapsHostSecModelLabelPtr labels;
};
typedef struct _virCapsHost virCapsHost;
@@ -225,6 +234,11 @@ virCapabilitiesAddGuestFeature(virCapsGuestPtr guest,
int toggle);
extern int
+virCapabilitiesHostSecModelAddBaseLabel(virCapsHostSecModelPtr secmodel,
+ const char *type,
+ const char *label);
+
+extern int
virCapabilitiesSupportsGuestArch(virCapsPtr caps,
virArch arch);
extern int
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index aea7e94..cdf9e58 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -58,6 +58,7 @@ virCapabilitiesFormatXML;
virCapabilitiesFreeMachines;
virCapabilitiesFreeNUMAInfo;
virCapabilitiesGetCpusForNodemask;
+virCapabilitiesHostSecModelAddBaseLabel;
virCapabilitiesNew;
virCapabilitiesSetHostCPU;
diff --git a/src/lxc/lxc_conf.c b/src/lxc/lxc_conf.c
index c1cee3f..557191a 100644
--- a/src/lxc/lxc_conf.c
+++ b/src/lxc/lxc_conf.c
@@ -126,10 +126,13 @@ virCapsPtr virLXCDriverCapsInit(virLXCDriverPtr driver)
if (driver) {
/* Security driver data */
- const char *doi, *model;
+ const char *doi, *model, *label, *type;
doi = virSecurityManagerGetDOI(driver->securityManager);
model = virSecurityManagerGetModel(driver->securityManager);
+ label = virSecurityManagerGetBaseLabel(driver->securityManager,
+ VIR_DOMAIN_VIRT_LXC);
+ type = virDomainVirtTypeToString(VIR_DOMAIN_VIRT_LXC);
/* Allocate the primary security driver for LXC. */
if (VIR_ALLOC(caps->host.secModels) < 0)
goto error;
@@ -138,6 +141,11 @@ virCapsPtr virLXCDriverCapsInit(virLXCDriverPtr driver)
goto error;
if (VIR_STRDUP(caps->host.secModels[0].doi, doi) < 0)
goto error;
+ if (label &&
+ virCapabilitiesHostSecModelAddBaseLabel(&caps->host.secModels[0],
+ type,
+ label) < 0)
+ goto error;
VIR_DEBUG("Initialized caps for security driver \"%s\" with
"
"DOI \"%s\"", model, doi);
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 1f57f72..8daafc7 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -559,12 +559,15 @@ virQEMUDriverCreateXMLConf(virQEMUDriverPtr driver)
virCapsPtr virQEMUDriverCreateCapabilities(virQEMUDriverPtr driver)
{
- size_t i;
+ size_t i, j;
virCapsPtr caps;
virSecurityManagerPtr *sec_managers = NULL;
/* Security driver data */
- const char *doi, *model;
+ const char *doi, *model, *lbl, *type;
virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+ const int virtTypes[] = {VIR_DOMAIN_VIRT_KVM,
+ VIR_DOMAIN_VIRT_QEMU,
+ VIR_DOMAIN_VIRT_LAST};
/* Basic host arch / guest machine capabilities */
if (!(caps = virQEMUCapsInit(driver->qemuCapsCache)))
@@ -589,11 +592,21 @@ virCapsPtr virQEMUDriverCreateCapabilities(virQEMUDriverPtr driver)
goto error;
for (i = 0; sec_managers[i]; i++) {
+ virCapsHostSecModelPtr sm = &caps->host.secModels[i];
doi = virSecurityManagerGetDOI(sec_managers[i]);
model = virSecurityManagerGetModel(sec_managers[i]);
- if (VIR_STRDUP(caps->host.secModels[i].model, model) < 0 ||
- VIR_STRDUP(caps->host.secModels[i].doi, doi) < 0)
+ if (VIR_STRDUP(sm->model, model) < 0 ||
+ VIR_STRDUP(sm->doi, doi) < 0)
goto error;
+
+ for (j = 0; virtTypes[j] != VIR_DOMAIN_VIRT_LAST; j++) {
+ lbl = virSecurityManagerGetBaseLabel(sec_managers[i], virtTypes[j]);
+ type = virDomainVirtTypeToString(virtTypes[j]);
+ if (lbl &&
+ virCapabilitiesHostSecModelAddBaseLabel(sm, type, lbl) < 0)
+ goto error;
+ }
+
VIR_DEBUG("Initialized caps for security driver \"%s\" with
"
"DOI \"%s\"", model, doi);
}
diff --git a/tests/capabilityschemadata/caps-qemu-kvm.xml
b/tests/capabilityschemadata/caps-qemu-kvm.xml
index 1fbc22b..066ec71 100644
--- a/tests/capabilityschemadata/caps-qemu-kvm.xml
+++ b/tests/capabilityschemadata/caps-qemu-kvm.xml
@@ -25,6 +25,8 @@
<secmodel>
<model>selinux</model>
<doi>0</doi>
+ <baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
+ <baselabel
type='qemu'>system_u:system_r:svirt_t:s0</baselabel>
</secmodel>
</host>
diff --git a/tests/capabilityschemadata/caps-test3.xml
b/tests/capabilityschemadata/caps-test3.xml
index e6c56c5..d359f25 100644
--- a/tests/capabilityschemadata/caps-test3.xml
+++ b/tests/capabilityschemadata/caps-test3.xml
@@ -82,6 +82,8 @@
<secmodel>
<model>dac</model>
<doi>0</doi>
+ <baselabel type='kvm'>0:0</baselabel>
+ <baselabel type='qemu'>0:0</baselabel>
</secmodel>
</host>
--
1.8.3.1
8:12 a.m.
New subject: [libvirt] [PATCH v3 2/2] capabilities: add baselabel per sec driver/virt type to secmodel
On Fri, Sep 06, 2013 at 06:29:56PM +0200, Giuseppe Scrivano wrote:
Expand the "secmodel" XML fragment of "host" with
a sequence of
baselabel's which describe the default security context used by
libvirt with a specific security model and virtualization type:
<secmodel>
<model>selinux</model>
<doi>0</doi>
<baselabel type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
<baselabel type='qemu'>system_u:system_r:svirt_t:s0</baselabel>
s/svirt_t/svirt_tcg_t/ for the qemu example just to illustrate
that it is sometimes diferent.
</secmodel>
<secmodel>
<model>dac</model>
<doi>0</doi>
<baselabel type='kvm'>0:0</baselabel>
<baselabel type='qemu'>0:0</baselabel>
I'd suggest '107:107' for these examples since that's the usual
ID for Fedora 'qemu' user.
</secmodel>
"baselabel" is driver-specific information, e.g. in the DAC security
model, it indicates USER_ID:GROUP_ID.
Signed-off-by: Giuseppe Scrivano <gscrivan(a)redhat.com>
---
docs/schemas/capability.rng | 8 ++++
src/conf/capabilities.c | 60 +++++++++++++++++++++++++++-
src/conf/capabilities.h | 14 +++++++
src/libvirt_private.syms | 1 +
src/lxc/lxc_conf.c | 10 ++++-
src/qemu/qemu_conf.c | 21 ++++++++--
tests/capabilityschemadata/caps-qemu-kvm.xml | 2 +
tests/capabilityschemadata/caps-test3.xml | 2 +
8 files changed, 111 insertions(+), 7 deletions(-)
diff --git a/src/conf/capabilities.c b/src/conf/capabilities.c
index 1acc936..b0e2ff9 100644
--- a/src/conf/capabilities.c
+++ b/src/conf/capabilities.c
@@ -184,6 +184,20 @@ virCapabilitiesFreeNUMAInfo(virCapsPtr caps)
}
static void
+virCapabilitiesFreeSecModel(virCapsHostSecModelPtr secmodel)
+{
+ size_t i;
+ for (i = 0; i < secmodel->nlabels; i++) {
+ VIR_FREE(secmodel->labels[i].type);
+ VIR_FREE(secmodel->labels[i].label);
+ }
+
+ VIR_FREE(secmodel->labels);
+ VIR_FREE(secmodel->model);
+ VIR_FREE(secmodel->doi);
+}
For functions which don't actually free the passed-in pointer
itself, we prefer to use 'Clear' instead of 'Free' in the name,
to make it more obvious to people what the semantics are.
+
+static void
virCapabilitiesDispose(void *object)
{
virCapsPtr caps = object;
@@ -204,8 +218,7 @@ virCapabilitiesDispose(void *object)
VIR_FREE(caps->host.migrateTrans);
for (i = 0; i < caps->host.nsecModels; i++) {
- VIR_FREE(caps->host.secModels[i].model);
- VIR_FREE(caps->host.secModels[i].doi);
+ virCapabilitiesFreeSecModel(&caps->host.secModels[i]);
}
VIR_FREE(caps->host.secModels);
@@ -507,6 +520,44 @@ virCapabilitiesAddGuestFeature(virCapsGuestPtr guest,
diff --git a/src/lxc/lxc_conf.c b/src/lxc/lxc_conf.c
index c1cee3f..557191a 100644
--- a/src/lxc/lxc_conf.c
+++ b/src/lxc/lxc_conf.c
@@ -126,10 +126,13 @@ virCapsPtr virLXCDriverCapsInit(virLXCDriverPtr driver)
if (driver) {
/* Security driver data */
- const char *doi, *model;
+ const char *doi, *model, *label, *type;
doi = virSecurityManagerGetDOI(driver->securityManager);
model = virSecurityManagerGetModel(driver->securityManager);
+ label = virSecurityManagerGetBaseLabel(driver->securityManager,
+ VIR_DOMAIN_VIRT_LXC);
Hmm, the virSecurityManagerGetBaseLabel method can raise a VIR_ERR_NO_SUPPORT
message if unsupported, which would be ignored here. It is none the less
valid for this method to be not-implemented by a driver. Since I don't believe
we have a need to report errors in this method, I think we should remove the
call to virReportError in its impl.
+ type = virDomainVirtTypeToString(VIR_DOMAIN_VIRT_LXC);
/* Allocate the primary security driver for LXC. */
if (VIR_ALLOC(caps->host.secModels) < 0)
goto error;
@@ -138,6 +141,11 @@ virCapsPtr virLXCDriverCapsInit(virLXCDriverPtr driver)
goto error;
if (VIR_STRDUP(caps->host.secModels[0].doi, doi) < 0)
goto error;
+ if (label &&
+ virCapabilitiesHostSecModelAddBaseLabel(&caps->host.secModels[0],
+ type,
+ label) < 0)
+ goto error;
VIR_DEBUG("Initialized caps for security driver \"%s\" with
"
"DOI \"%s\"", model, doi);
diff --git a/tests/capabilityschemadata/caps-qemu-kvm.xml
b/tests/capabilityschemadata/caps-qemu-kvm.xml
index 1fbc22b..066ec71 100644
--- a/tests/capabilityschemadata/caps-qemu-kvm.xml
+++ b/tests/capabilityschemadata/caps-qemu-kvm.xml
@@ -25,6 +25,8 @@
<secmodel>
<model>selinux</model>
<doi>0</doi>
+ <baselabel
type='kvm'>system_u:system_r:svirt_t:s0</baselabel>
+ <baselabel
type='qemu'>system_u:system_r:svirt_t:s0</baselabel>
s/svirt_t/svirt_tcg_t/ in this example
</secmodel>
</host>
diff --git a/tests/capabilityschemadata/caps-test3.xml
b/tests/capabilityschemadata/caps-test3.xml
index e6c56c5..d359f25 100644
--- a/tests/capabilityschemadata/caps-test3.xml
+++ b/tests/capabilityschemadata/caps-test3.xml
@@ -82,6 +82,8 @@
<secmodel>
<model>dac</model>
<doi>0</doi>
+ <baselabel type='kvm'>0:0</baselabel>
+ <baselabel type='qemu'>0:0</baselabel>
</secmodel>
</host>
s/0/107/
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
3:22 a.m.
Giuseppe Scrivano <gscrivan(a)redhat.com> writes:
Now each security model can define its own base label, that
describes
the default security context used by libvirt to run an hypervisor
process. This information is exposed to users trough the host
capabilities XML.
*v3 major changes
- support LXC
- merge virSecurityDACSetUser and virSecurityDACSetGroup in
virSecurityDACSetUserAndGroup
- DAC sets the baselabel in virSecurityDACSetUserAndGroup
- Use virDomainVirtTypeToString instead of hardcoding the name
Giuseppe Scrivano (2):
security: add new internal function "virSecurityManagerGetBaseLabel"
capabilities: add baselabel per sec driver/virt type to secmodel
ping
7:57 a.m.
Giuseppe Scrivano <gscrivan(a)redhat.com> writes:
> *v3 major changes
> - support LXC
> - merge virSecurityDACSetUser and virSecurityDACSetGroup in
> virSecurityDACSetUserAndGroup
> - DAC sets the baselabel in virSecurityDACSetUserAndGroup
> - Use virDomainVirtTypeToString instead of hardcoding the name
>
> Giuseppe Scrivano (2):
> security: add new internal function "virSecurityManagerGetBaseLabel"
> capabilities: add baselabel per sec driver/virt type to secmodel
ping
someone had a chance to look at this series?
Giuseppe
7:55 a.m.
Giuseppe Scrivano <gscrivan(a)redhat.com> writes:
Now each security model can define its own base label, that
describes
the default security context used by libvirt to run an hypervisor
process. This information is exposed to users trough the host
capabilities XML.
*v3 major changes
- support LXC
- merge virSecurityDACSetUser and virSecurityDACSetGroup in
virSecurityDACSetUserAndGroup
- DAC sets the baselabel in virSecurityDACSetUserAndGroup
- Use virDomainVirtTypeToString instead of hardcoding the name
I've ran a quick smoke test on top of the current HEAD and it seems to
work, can someone please review it or tell me if it makes sense at all
to have this information under "capabilities"?
Thanks,
Giuseppe
8 a.m.
On Thu, Oct 17, 2013 at 02:55:04PM +0200, Giuseppe Scrivano wrote:
Giuseppe Scrivano <gscrivan(a)redhat.com> writes:
> Now each security model can define its own base label, that describes
> the default security context used by libvirt to run an hypervisor
> process. This information is exposed to users trough the host
> capabilities XML.
>
> *v3 major changes
> - support LXC
> - merge virSecurityDACSetUser and virSecurityDACSetGroup in
> virSecurityDACSetUserAndGroup
> - DAC sets the baselabel in virSecurityDACSetUserAndGroup
> - Use virDomainVirtTypeToString instead of hardcoding the name
I've ran a quick smoke test on top of the current HEAD and it seems to
work, can someone please review it or tell me if it makes sense at all
to have this information under "capabilities"?
Opps my bad, it was on my todo list to review this, but I totally
forgot. Will do it now.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
4048
days inactive
4089
days old
9 comments
2 participants
participants (2)
-
Daniel P. Berrange -
Giuseppe Scrivano