[libvirt] Updated patch for virt-sandbox -s inherit

-s static,label=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Well running "virt-sandbox -s inherit" would run as unconfined_t for most users. In the future we need to add a check to libvirt to ask SELinux if it is ok for a user to transition to the label, rather than just doing it. Imagine a confined admin who is allowed to generate containers: he should only be allowed to generate containers with process labels that he can transition into, not that libvirt can transition into.

[sandbox PATCH 1/2] Add virt-sandbox -s inherit, to execute the
[sandbox PATCH 2/2] Unit files only exist in Systemd Containers.
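The check Dan describes, as an added example written for this thread (it is not libvirt-sandbox code and uses none of its API): before a requested label is honoured, ask the loaded policy whether the caller's own context is permitted process:transition to it, via libselinux's security_compute_av(3), and treat every undecidable case as a denial. It assumes the libselinux headers are present at compile time; without them the policy query is compiled out and every decision is reported as undecidable.

```c
/* Added example, not libvirt-sandbox code: before honouring "-s inherit" or
 * "-s static,label=...", ask the loaded SELinux policy whether the caller's
 * own context may transition to the requested label (process:transition). */
#include <stddef.h>
#if defined(__has_include)
#  if __has_include(<selinux/selinux.h>)
#    include <selinux/selinux.h>
#    define HAVE_LIBSELINUX 1
#  endif
#endif

/* 1 if s looks like user:role:type[:level] with no empty field, else 0. */
int label_is_well_formed(const char *s)
{
    int fields = 1;
    if (!s || !*s)
        return 0;
    for (const char *p = s; *p; p++) {
        if (*p != ':')
            continue;
        if (p == s || p[1] == '\0' || p[-1] == ':')
            return 0;                  /* leading, trailing or empty field */
        if (++fields == 4)
            break;                     /* the MLS level may itself contain ':' */
    }
    return fields >= 3;
}

/* 1 = policy allows scon -> tcon, 0 = policy denies it, -1 = undecidable
 * (malformed label, SELinux disabled, query failed).  Treat -1 as a denial. */
int transition_allowed(const char *scon, const char *tcon)
{
    if (!label_is_well_formed(scon) || !label_is_well_formed(tcon))
        return -1;
#ifdef HAVE_LIBSELINUX
    if (is_selinux_enabled() <= 0)
        return -1;
    security_class_t cls = string_to_security_class("process");
    access_vector_t perm = cls ? string_to_av_perm(cls, "transition") : 0;
    struct av_decision avd;
    if (!perm || security_compute_av(scon, tcon, cls, perm, &avd) < 0)
        return -1;
    return (avd.allowed & perm) == perm;
#else
    (void)scon; (void)tcon;
    return -1;                         /* built without libselinux */
#endif
}
```

Link with -lselinux and call transition_allowed() with the string getcon(3) returns for the caller and the label the user asked for; only a return of 1 should let the sandbox proceed.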

This will allow us to run sandbox as the calling process, If I am running a shell as staff_u:unconfined_r:unconfined_t:s0, and I execute virt-sandbox -c lxc/// -- /bin/sh /bin/sh will run as staff_u:unconfined_r:unconfined_t:s0 --- bin/virt-sandbox-service.pod | 6 +++++- bin/virt-sandbox.c | 9 ++++++++- configure.ac | 1 + libvirt-sandbox.spec.in | 1 + libvirt-sandbox/Makefile.am | 2 ++ libvirt-sandbox/libvirt-sandbox-config.c | 14 ++++++++++++++ m4/virt-selinux.m4 | 11 +++++++++++ 7 files changed, 42 insertions(+), 2 deletions(-) create mode 100644 m4/virt-selinux.m4 diff --git a/bin/virt-sandbox-service.pod b/bin/virt-sandbox-service.pod index 7752145..b879a46 100644 --- a/bin/virt-sandbox-service.pod +++ b/bin/virt-sandbox-service.pod @@ -54,7 +54,11 @@ supported currently). =head1 SEE ALSO -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>, C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>, C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>, C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>, C<virt-sandbox-service-upgrade(1)> +C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>, +C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>, +C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>, +C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>, +C<virt-sandbox-service-upgrade(1)> =head1 FILES diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c index 3ddcd17..1132c09 100644 --- a/bin/virt-sandbox.c +++ b/bin/virt-sandbox.c 
@@ -285,7 +285,10 @@ not allowed to open any other files. =item B<-c URI>, B<--connect=URI> Set the libvirt connection URI, defaults to qemu:///session if -omitted. Currently only the QEMU and LXC drivers are supported. +omitted. Alternatively the C<LIBVIRT_DEFAULT_URI> environment +variable can be set, or the config file C</etc/libvirt/libvirt.conf> +can have a default URI set. Currently only the QEMU and LXC drivers +are supported. =item B<-n NAME>, B<--name=NAME> @@ -417,6 +420,10 @@ USER:ROLE:TYPE:LEVEL, instead of the default base context. To set a completely static label. For example, static,label=system_u:system_r:svirt_t:s0:c412,c355 +=item inherit + +Inherit the context from the process that is executing virt-sandbox. + =back =item B<-p>, B<--privileged> diff --git a/configure.ac b/configure.ac index 32206b8..50f23fc 100644 --- a/configure.ac +++ b/configure.ac @@ -84,6 +84,7 @@ LIBVIRT_SANDBOX_WIN32 LIBVIRT_SANDBOX_COVERAGE LIBVIRT_SANDBOX_INTROSPECTION LIBVIRT_SANDBOX_RPCGEN +LIBVIRT_SANDBOX_SELINUX dnl Should be in m4/virt-gettext.m4 but intltoolize is too dnl dumb to find it there diff --git a/libvirt-sandbox.spec.in b/libvirt-sandbox.spec.in index a9721b5..718c27b 100644 --- a/libvirt-sandbox.spec.in +++ b/libvirt-sandbox.spec.in @@ -25,6 +25,7 @@ BuildRequires: gobject-introspection-devel BuildRequires: glibc-static BuildRequires: /usr/bin/pod2man BuildRequires: intltool +BuildRequires: libselinux-devel BuildRequires: glib2-devel >= 2.32.0 Requires: rpm-python # For virsh lxc-enter-namespace command diff --git a/libvirt-sandbox/Makefile.am b/libvirt-sandbox/Makefile.am index 4e0ea00..0882490 100644 --- a/libvirt-sandbox/Makefile.am +++ b/libvirt-sandbox/Makefile.am @@ -169,6 +169,7 @@ libvirt_sandbox_init_common_CFLAGS = \ $(LIBVIRT_GLIB_CFLAGS) \ $(LIBVIRT_GOBJECT_CFLAGS) \ $(CAPNG_CFLAGS) \ + $(SELINUX_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) libvirt_sandbox_init_common_LDFLAGS = \ 
@@ -178,6 +179,7 @@ libvirt_sandbox_init_common_LDFLAGS = \ $(LIBVIRT_GLIB_LIBS) \ $(LIBVIRT_GOBJECT_LIBS) \ $(CAPNG_LIBS) \ + $(SELINUX_LIBS) \ $(WARN_CFLAGS) \ $(NULL) libvirt_sandbox_init_common_LDADD = \ diff --git a/libvirt-sandbox/libvirt-sandbox-config.c b/libvirt-sandbox/libvirt-sandbox-config.c index ccdb3bc..8e8ac65 100644 --- a/libvirt-sandbox/libvirt-sandbox-config.c +++ b/libvirt-sandbox/libvirt-sandbox-config.c @@ -27,6 +27,8 @@ #include <glib/gi18n.h> #include "libvirt-sandbox/libvirt-sandbox.h" +#include <errno.h> +#include <selinux/selinux.h> /** * SECTION: libvirt-sandbox-config @@ -1521,6 +1523,18 @@ gboolean gvir_sandbox_config_set_security_opts(GVirSandboxConfig *config, gvir_sandbox_config_set_security_dynamic(config, TRUE); } else if (g_str_equal(tmp, "static")) { gvir_sandbox_config_set_security_dynamic(config, FALSE); + } else if (g_str_equal(tmp, "inherit")) { + gvir_sandbox_config_set_security_dynamic(config, FALSE); + security_context_t scon; + if (getcon(&scon) < 0) { + g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0, + _("Unable to get SELinux context of user: %s"), + strerror(errno)); + return FALSE; + } + gvir_sandbox_config_set_security_label(config, scon); + freecon(scon); + } else { g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0, _("Unknown security option '%s'"), tmp); diff --git a/m4/virt-selinux.m4 b/m4/virt-selinux.m4 new file mode 100644 index 0000000..ef41721 --- /dev/null +++ b/m4/virt-selinux.m4 @@ -0,0 +1,11 @@ +AC_DEFUN([LIBVIRT_SANDBOX_SELINUX], [ + fail=0 + old_LIBS=$LIBS + old_CFLAGS=$CFLAGS + AC_CHECK_HEADER([selinux/selinux.h],[],[fail=1]) + AC_CHECK_LIB([selinux], [fgetfilecon],[],[fail=1]) + LIBS=$old_LIBS + CFLAGS=$old_CFLAGS + test $fail = 1 && + AC_MSG_ERROR([You must install the libselinux development package in order to compile libvirt-sandbox]) +]) -- 1.8.3.1
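Review bot: the virt-sandbox-service.pod SEE ALSO reflow and the virt-sandbox.c hunk at @@ -285 (documenting C<LIBVIRT_DEFAULT_URI> and C</etc/libvirt/libvirt.conf> for B<-c URI>) are unrelated to the inherit feature and belong in their own patches, as a 7-file diffstat for a one-option feature already suggests; split them out so each change can be reviewed, bisected and reverted on its own.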
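Review bot: the new C<=item inherit> entry at @@ -417 should tell the user what they are getting: the label is copied verbatim from the process running virt-sandbox (so a shell running as unconfined_t produces an unconfined_t container, as noted earlier in the thread), it is only meaningful when SELinux is enabled, and the option fails with an error rather than falling back to dynamic labelling when the caller's context cannot be read.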
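Review bot: adding LIBVIRT_SANDBOX_SELINUX unconditionally to configure.ac makes libselinux a hard build requirement on every platform, including builds that only use the QEMU driver without SELinux; a --with-selinux switch that defines a HAVE_SELINUX conditional and lets "inherit" report "not supported in this build" would be friendlier than failing configure with AC_MSG_ERROR.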
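Review bot: in the Makefile.am hunks $(SELINUX_CFLAGS) and $(SELINUX_LIBS) are added only to libvirt_sandbox_init_common_CFLAGS and libvirt_sandbox_init_common_LDFLAGS, but the getcon()/freecon() calls this series adds are in libvirt-sandbox/libvirt-sandbox-config.c, which by its path and gvir_sandbox_config_* API is library code; unless that file is also compiled into init-common, the library target needs the same flags or its link will fail on the unresolved symbols. Also, $(SELINUX_LIBS) belongs in the libvirt_sandbox_init_common_LDADD block that follows rather than in _LDFLAGS, which is for linker flags, not libraries.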
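Review bot: the inherit branch in gvir_sandbox_config_set_security_opts() adopts whatever getcon() returns without asking the policy whether the caller may transition to that label, so the safety of "inherit" rests entirely on the caller already being confined; a process:transition check (security_compute_av() or equivalent) before gvir_sandbox_config_set_security_label() would close that gap, which is the point Dan raises earlier in the thread. Two smaller issues: security_context_t scon is declared after a statement (move it above the if/else chain), and freecon(scon) immediately after gvir_sandbox_config_set_security_label(config, scon) is only safe if the setter copies the string, which deserves a comment.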
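Review bot: m4/virt-selinux.m4 never sets or AC_SUBSTs SELINUX_CFLAGS and SELINUX_LIBS, yet Makefile.am references both; because the macro restores LIBS after AC_CHECK_LIB, the -lselinux that AC_CHECK_LIB prepended is discarded as well, so the build ends up with no -lselinux at all. Set SELINUX_LIBS=-lselinux after the checks and AC_SUBST both variables, or use PKG_CHECK_MODULES([SELINUX], [libselinux]). Also, AC_CHECK_LIB probes fgetfilecon while the code calls getcon/freecon; probe the symbol actually used.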

On Tue, Aug 13, 2013 at 01:10:11PM -0400, Dan Walsh wrote:
> This will allow us to run sandbox as the calling process, If I am running a shell as staff_u:unconfined_r:unconfined_t:s0, and I execute virt-sandbox -c lxc/// -- /bin/sh
> /bin/sh will run as staff_u:unconfined_r:unconfined_t:s0
> ---
>  bin/virt-sandbox-service.pod             |  6 +++++-
>  bin/virt-sandbox.c                       |  9 ++++++++-
>  configure.ac                             |  1 +
>  libvirt-sandbox.spec.in                  |  1 +
>  libvirt-sandbox/Makefile.am              |  2 ++
>  libvirt-sandbox/libvirt-sandbox-config.c | 14 ++++++++++++++
>  m4/virt-selinux.m4                       | 11 +++++++++++
>  7 files changed, 42 insertions(+), 2 deletions(-)
>  create mode 100644 m4/virt-selinux.m4

You've taken what was previously 3 separate patches fixing 3 separate bugs, and merged them into one giant patch. This is really bad - separate functional fixes must always be kept as separate patches.

The actual changes look good, but please split it back up into 3 separate patches & repost.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On 08/15/2013 04:48 AM, Daniel P. Berrange wrote:
> On Tue, Aug 13, 2013 at 01:10:11PM -0400, Dan Walsh wrote:
>> This will allow us to run sandbox as the calling process, If I am running a shell as staff_u:unconfined_r:unconfined_t:s0, and I execute virt-sandbox -c lxc/// -- /bin/sh
>> /bin/sh will run as staff_u:unconfined_r:unconfined_t:s0
>> ---
>>  bin/virt-sandbox-service.pod             |  6 +++++-
>>  bin/virt-sandbox.c                       |  9 ++++++++-
>>  configure.ac                             |  1 +
>>  libvirt-sandbox.spec.in                  |  1 +
>>  libvirt-sandbox/Makefile.am              |  2 ++
>>  libvirt-sandbox/libvirt-sandbox-config.c | 14 ++++++++++++++
>>  m4/virt-selinux.m4                       | 11 +++++++++++
>>  7 files changed, 42 insertions(+), 2 deletions(-)
>>  create mode 100644 m4/virt-selinux.m4
>
> You've taken what was previously 3 separate patches fixing 3 separate bugs, and merged them into one giant patch. This is really bad - separate functional fixes must always be kept as separate patches.
>
> The actual changes look good, but please split it back up into 3 separate patches & repost.
>
> Daniel

Not quite sure what you are talking about, I sent two patches, the inherit patch included some fixes to the virt-sandbox-service.pod, which I will split out.

On Thu, Aug 15, 2013 at 07:43:01AM -0400, Daniel J Walsh wrote:
> On 08/15/2013 04:48 AM, Daniel P. Berrange wrote:
>> On Tue, Aug 13, 2013 at 01:10:11PM -0400, Dan Walsh wrote:
>>> This will allow us to run sandbox as the calling process, If I am running a shell as staff_u:unconfined_r:unconfined_t:s0, and I execute virt-sandbox -c lxc/// -- /bin/sh
>>> /bin/sh will run as staff_u:unconfined_r:unconfined_t:s0
>>> ---
>>>  bin/virt-sandbox-service.pod             |  6 +++++-
>>>  bin/virt-sandbox.c                       |  9 ++++++++-
>>>  configure.ac                             |  1 +
>>>  libvirt-sandbox.spec.in                  |  1 +
>>>  libvirt-sandbox/Makefile.am              |  2 ++
>>>  libvirt-sandbox/libvirt-sandbox-config.c | 14 ++++++++++++++
>>>  m4/virt-selinux.m4                       | 11 +++++++++++
>>>  7 files changed, 42 insertions(+), 2 deletions(-)
>>>  create mode 100644 m4/virt-selinux.m4
>>
>> You've taken what was previously 3 separate patches fixing 3 separate bugs, and merged them into one giant patch. This is really bad - separate functional fixes must always be kept as separate patches.
>>
>> The actual changes look good, but please split it back up into 3 separate patches & repost.
>>
>> Daniel
>
> Not quite sure what you are talking about, I sent two patches, the inherit patch included some fixes to the virt-sandbox-service.pod, which I will split out.

Here you sent 3 individual git commits:

https://www.redhat.com/archives/libvir-list/2013-August/msg00134.html

One for the inherit feature, one virt-sandbox-service.pod fix and one virt-sandbox.c pod file. Now you've squashed those three patches into one patch.

Daniel

Do not attempt to fix the unit file of Generic Containers. --- bin/virt-sandbox-service | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index 03873c9..3e83c94 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -928,28 +928,28 @@ def upgrade_config_legacy(path): else: container = SystemdContainer(uri=args.uri, config=config) - fd = open(container.get_unit_path()) - unitfile = fd.read() - fd.close() + fd = open(container.get_unit_path()) + unitfile = fd.read() + fd.close() - unitfile = unitfile.replace("/usr/bin/virt-sandbox-service start", - "/usr/libexec/virt-sandbox-service-util -c lxc:/// -s") - unitfile = unitfile.replace("/usr/bin/virt-sandbox-service reload", - "/usr/bin/virt-sandbox-service -c lxc:/// reload") - unitfile = unitfile.replace("/usr/bin/virt-sandbox-service stop", - "/usr/bin/virsh -c lxc:/// destroy") + unitfile = unitfile.replace("/usr/bin/virt-sandbox-service start", + "/usr/libexec/virt-sandbox-service-util -c lxc:/// -s") + unitfile = unitfile.replace("/usr/bin/virt-sandbox-service reload", + "/usr/bin/virt-sandbox-service -c lxc:/// reload") + unitfile = unitfile.replace("/usr/bin/virt-sandbox-service stop", + "/usr/bin/virsh -c lxc:/// destroy") - unitfile = re.sub("WantedBy=.*\.target", - "WantedBy=multi-user.target", - unitfile) + unitfile = re.sub("WantedBy=.*\.target", + "WantedBy=multi-user.target", + unitfile) - os.remove(container.get_unit_path()) - fd = open(container.get_unit_path(), "wx") - fd.write(unitfile) - fd.close() + os.remove(container.get_unit_path()) + fd = open(container.get_unit_path(), "wx") + fd.write(unitfile) + fd.close() - sys.stdout.write(_("Created unit file %s\n") % - container.get_unit_path()) + sys.stdout.write(_("Created unit file %s\n") % + container.get_unit_path()) # Create new config file + libvirt persistent XML config container.save_config() -- 1.8.3.1
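Review bot: the whole hunk is a whitespace-only change (git diff -w shows nothing), so the intent, that the unit-file rewrite now runs only inside the else: branch that builds a SystemdContainer and no longer touches generic containers, needs to be spelled out in the commit message beyond the one-line subject. While these lines are being touched, "WantedBy=.*\.target" should become a raw string, r"WantedBy=.*\.target", since the unescaped \. only works by accident in a normal string literal, and open(path, "wx") is a Python 2-only mode worth flagging for an eventual Python 3 port.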

On Tue, Aug 13, 2013 at 01:10:12PM -0400, Dan Walsh wrote:
> Do not attempt to fix the unit file of Generic Containers.
> ---
>  bin/virt-sandbox-service | 36 ++++++++++++++++++------------------
>  1 file changed, 18 insertions(+), 18 deletions(-)

I co-incidentally did exactly the same fix, so you can drop this one.

Regards,
Daniel
participants (3)
- Dan Walsh
- Daniel J Walsh
- Daniel P. Berrange