11:38 a.m.
This patch series includes a new version for the trailing slash fix, but also
includes other fixes to get virt-sandbox run nicely with apparmor. Thus only
one patch has v2 ;)
Cédric Bosdonnat (4):
virt-aa-helper: fix rules for paths with trailing slash
Get more libvirt errors from virt-aa-helper
virt-aa-helper: rename ctl->hvm to ctl->os
virt-aa-helper: add DomainGuest to mockup caps
src/security/security_apparmor.c | 4 ++++
src/security/virt-aa-helper.c | 38 ++++++++++++++++++++++++++++++++++----
tests/virt-aa-helper-test | 3 ---
3 files changed, 38 insertions(+), 7 deletions(-)
--
2.1.4
11:38 a.m.
New subject: [libvirt] [PATCH v2 1/4] virt-aa-helper: fix rules for paths with trailing slash
Rules generated for a path like '/' were having '//' which isn't
correct for apparmor. Make virt-aa-helper smarter to avoid these.
---
src/security/virt-aa-helper.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 13f8a6a..9e18343 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -795,6 +795,9 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms,
bool recursi
goto cleanup;
}
+ if (tmp[strlen(tmp) - 1] == '/')
+ tmp[strlen(tmp) - 1] = '\0';
+
virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ?
"/**" : "", perms);
if (readonly) {
virBufferAddLit(buf, " # don't audit writes to readonly
files\n");
--
2.1.4
11:38 a.m.
New subject: [libvirt] [PATCH v2 2/4] Get more libvirt errors from virt-aa-helper
Initializing libvirt log in virt-aa-helper and getting it to output
libvirt log to stderr. This will help debugging problems happening in
libvirt functions called from within virt-aa-helper
---
src/security/security_apparmor.c | 4 ++++
src/security/virt-aa-helper.c | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 4134a17..16b8f87 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -196,6 +196,10 @@ load_profile(virSecurityManagerPtr mgr,
}
}
+ virCommandAddEnvFormat(cmd,
+ "LIBVIRT_LOG_OUTPUTS=%d:stderr",
+ virLogGetDefaultPriority());
+
virCommandSetInputBuffer(cmd, xml);
rc = virCommandRun(cmd, NULL);
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 9e18343..3d57431 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -41,6 +41,7 @@
#include "virbuffer.h"
#include "viralloc.h"
#include "vircommand.h"
+#include "virlog.h"
#include "security_driver.h"
#include "security_apparmor.h"
@@ -1266,6 +1267,9 @@ main(int argc, char **argv)
exit(EXIT_FAILURE);
}
+ /* Initialize the log system */
+ virLogSetFromEnv();
+
/* clear the environment */
environ = NULL;
if (setenv("PATH", "/sbin:/usr/sbin", 1) != 0)
--
2.1.4
11:38 a.m.
New subject: [libvirt] [PATCH v2 3/4] virt-aa-helper: rename ctl->hvm to ctl->os
ctl->hvm contains os.type string value, change the name to reflect it.
---
src/security/virt-aa-helper.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 3d57431..f94f337 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -73,7 +73,7 @@ typedef struct {
virDomainDefPtr def; /* VM definition */
virCapsPtr caps; /* VM capabilities */
virDomainXMLOptionPtr xmlopt; /* XML parser data */
- char *hvm; /* type of hypervisor (eg hvm, xen) */
+ char *os; /* type of os (eg hvm, xen, exe) */
virArch arch; /* machine architecture */
char *newfile; /* newly added file */
bool append; /* append to .files instead of rewrite */
@@ -89,7 +89,7 @@ vahDeinit(vahControl * ctl)
virObjectUnref(ctl->caps);
virObjectUnref(ctl->xmlopt);
VIR_FREE(ctl->files);
- VIR_FREE(ctl->hvm);
+ VIR_FREE(ctl->os);
VIR_FREE(ctl->newfile);
return 0;
@@ -641,7 +641,7 @@ verify_xpath_context(xmlXPathContextPtr ctxt)
/*
* Parse the xml we received to fill in the following:
- * ctl->hvm
+ * ctl->os
* ctl->arch
*
* These are suitable for setting up a virCapsPtr
@@ -668,8 +668,8 @@ caps_mockup(vahControl * ctl, const char *xmlStr)
if (verify_xpath_context(ctxt) != 0)
goto cleanup;
- ctl->hvm = virXPathString("string(./os/type[1])", ctxt);
- if (!ctl->hvm) {
+ ctl->os = virXPathString("string(./os/type[1])", ctxt);
+ if (!ctl->os) {
vah_error(ctl, 0, _("os.type is not defined"));
goto cleanup;
}
@@ -714,7 +714,7 @@ get_definition(vahControl * ctl, const char *xmlStr)
goto exit;
}
- if ((ostype = virDomainOSTypeFromString(ctl->hvm)) < 0) {
+ if ((ostype = virDomainOSTypeFromString(ctl->os)) < 0) {
vah_error(ctl, 0, _("unknown OS type"));
goto exit;
}
--
2.1.4
11:38 a.m.
New subject: [libvirt] [PATCH v2 4/4] virt-aa-helper: add DomainGuest to mockup caps
With commit 3f9868a virt-aa-helper stopped working due to missing
DomainGuest in the caps.
The test with -c without arch also needs to be
removed since the new capabilities code uses the host arch when none is
provided.
---
src/security/virt-aa-helper.c | 25 ++++++++++++++++++++++++-
tests/virt-aa-helper-test | 3 ---
2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index f94f337..cf729e9 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -73,6 +73,7 @@ typedef struct {
virDomainDefPtr def; /* VM definition */
virCapsPtr caps; /* VM capabilities */
virDomainXMLOptionPtr xmlopt; /* XML parser data */
+ char *hvm; /* type of hypervisor (eg qemu, xen, lxc) */
char *os; /* type of os (eg hvm, xen, exe) */
virArch arch; /* machine architecture */
char *newfile; /* newly added file */
@@ -89,6 +90,7 @@ vahDeinit(vahControl * ctl)
virObjectUnref(ctl->caps);
virObjectUnref(ctl->xmlopt);
VIR_FREE(ctl->files);
+ VIR_FREE(ctl->hvm);
VIR_FREE(ctl->os);
VIR_FREE(ctl->newfile);
@@ -641,6 +643,7 @@ verify_xpath_context(xmlXPathContextPtr ctxt)
/*
* Parse the xml we received to fill in the following:
+ * ctl->hvm
* ctl->os
* ctl->arch
*
@@ -668,6 +671,11 @@ caps_mockup(vahControl * ctl, const char *xmlStr)
if (verify_xpath_context(ctxt) != 0)
goto cleanup;
+ ctl->hvm = virXPathString("string(./@type)", ctxt);
+ if (!ctl->hvm) {
+ vah_error(ctl, 0, _("domain type is not defined"));
+ goto cleanup;
+ }
ctl->os = virXPathString("string(./os/type[1])", ctxt);
if (!ctl->os) {
vah_error(ctl, 0, _("os.type is not defined"));
@@ -694,7 +702,7 @@ caps_mockup(vahControl * ctl, const char *xmlStr)
static int
get_definition(vahControl * ctl, const char *xmlStr)
{
- int rc = -1, ostype;
+ int rc = -1, ostype, hvmtype;
virCapsGuestPtr guest; /* this is freed when caps is freed */
/*
@@ -730,6 +738,21 @@ get_definition(vahControl * ctl, const char *xmlStr)
goto exit;
}
+ if ((hvmtype = virDomainVirtTypeFromString(ctl->hvm)) < 0) {
+ vah_error(ctl, 0, _("unknown HVM type"));
+ goto exit;
+ }
+
+ if (virCapabilitiesAddGuestDomain(guest,
+ hvmtype,
+ NULL,
+ NULL,
+ 0,
+ NULL) == NULL) {
+ vah_error(ctl, 0, _("could not allocate memory"));
+ goto exit;
+ }
+
ctl->def = virDomainDefParseString(xmlStr,
ctl->caps, ctl->xmlopt,
VIR_DOMAIN_DEF_PARSE_INACTIVE);
diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
index 96471ff..caf2f97 100755
--- a/tests/virt-aa-helper-test
+++ b/tests/virt-aa-helper-test
@@ -194,9 +194,6 @@ testme "1" "-c with malformed xml" "-c -u
$valid_uuid" "$test_xml"
sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
"s,<type arch='x86_64' machine='pc'>hvm</type>,,g"
"$template_xml" > "$test_xml"
testme "1" "-c with no os.type" "-c -u $valid_uuid"
"$test_xml"
-sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
"s,<type arch='x86_64'
machine='pc'>hvm</type>,<type>hvm</type>,g"
"$template_xml" > "$test_xml"
-testme "1" "-c with no architecture" "-c -u $valid_uuid"
"$test_xml"
-
sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
"s,hvm</type>,hvm_invalid</type>,g" "$template_xml" >
"$test_xml"
testme "1" "-c with invalid hvm" "-c -u $valid_uuid"
"$test_xml"
--
2.1.4
5:08 p.m.
New subject: [libvirt] [PATCH v2 4/4] virt-aa-helper: add DomainGuest to mockup caps
On Tue, Jul 07, 2015 at 11:38:53AM +0200, Cédric Bosdonnat wrote:
With commit 3f9868a virt-aa-helper stopped working due to missing
DomainGuest in the caps.
The test with -c without arch also needs to be
removed since the new capabilities code uses the host arch when none is
provided.
---
src/security/virt-aa-helper.c | 25 ++++++++++++++++++++++++-
tests/virt-aa-helper-test | 3 ---
2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index f94f337..cf729e9 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -73,6 +73,7 @@ typedef struct {
virDomainDefPtr def; /* VM definition */
virCapsPtr caps; /* VM capabilities */
virDomainXMLOptionPtr xmlopt; /* XML parser data */
+ char *hvm; /* type of hypervisor (eg qemu, xen, lxc) */
HVM should stand for Hardware Virtual Machine, but not all the
hypervisors provide full virtualization.
I think hypervisor would be a better name. Or virtType, which is what
domain_conf.c uses.
char *os; /* type of os (eg hvm, xen, exe) */
virArch arch; /* machine architecture */
char *newfile; /* newly added file */
@@ -730,6 +738,21 @@ get_definition(vahControl * ctl, const char
*xmlStr)
goto exit;
}
+ if ((hvmtype = virDomainVirtTypeFromString(ctl->hvm)) < 0) {
+ vah_error(ctl, 0, _("unknown HVM type"));
unknown domain/virt type
ACK with the name changed.
Jan
2:39 p.m.
On 07.07.2015 11:38, Cédric Bosdonnat wrote:
This patch series includes a new version for the trailing slash fix,
but also
includes other fixes to get virt-sandbox run nicely with apparmor. Thus only
one patch has v2 ;)
Cédric Bosdonnat (4):
virt-aa-helper: fix rules for paths with trailing slash
Get more libvirt errors from virt-aa-helper
virt-aa-helper: rename ctl->hvm to ctl->os
virt-aa-helper: add DomainGuest to mockup caps
src/security/security_apparmor.c | 4 ++++
src/security/virt-aa-helper.c | 38 ++++++++++++++++++++++++++++++++++----
tests/virt-aa-helper-test | 3 ---
3 files changed, 38 insertions(+), 7 deletions(-)
ACK series
Michal
3358
days inactive
3359
days old
6 comments
3 participants
participants (3)
-
Cédric Bosdonnat -
Ján Tomko -
Michal Privoznik