[libvirt] Updated James Morris patch to apply to libvirt-0.6.0 version

Daniel P. Berrange berrange at redhat.com
Tue Mar 3 12:46:28 UTC 2009


On Fri, Feb 27, 2009 at 03:37:55PM -0500, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Another patch off latest repository.
> 
> This patch does not require the XML to include a label, although this is
> still supported.
> 
> Implemented most of the comments from Jim.  make check and make
> syntax-check passes, Added seclabeltest.c to run in tests, Updated
> capability.rng, although not really sure I did it right.
> 
> This patch will generate random MCS Labels and relabels the image files
> to match.  Seems to work well on F11.

I had a few problems with label generation on my F11 machine - perhaps
you have a newer version of the patch than the one I applied.

I found I need the following additional patch..

 - Make domainGenSecurityLabel() give diagnostics for each type of error
   instead of using generic error message in caller
 - Change  logic bug 'c1 == c2' to 'c1 < c2'
 - Change 'c%d,c%d' to 'c%d.c%d' - it doesn't like labels with
   the form "c210,c502"  only wanting "c210.c502"
 - Fix use of STREQ - no need for == 0 in there
 - Use VIR_FREE/VIR_ALLOC for memory mgmt

With this I can successfully start several VMs, and see them all
using different contexts, and see the files labelled

# ps -xZ | grep qemu | awk '{print $1}'
system_u:system_r:qemu_t:s0:c35.c537
system_u:system_r:qemu_t:s0:c210.c502

# ls -Zl /var/lib/libvirt/images/
total 504
-rwxr-xr-x. 1 system_u:object_r:virt_image_t:s0:c210.c502 root root 1073741824 2009-03-03 12:15 demo2.img
-rwxr-xr-x. 1 system_u:object_r:virt_image_t:s0:c35.c537 root root 1073741824 2009-03-03 11:49 demo.img


Daniel

Index: src/qemu_driver.c
===================================================================
RCS file: /data/cvs/libvirt/src/qemu_driver.c,v
retrieving revision 1.212
diff -u -p -r1.212 qemu_driver.c
--- src/qemu_driver.c	3 Mar 2009 12:03:44 -0000	1.212
+++ src/qemu_driver.c	3 Mar 2009 12:25:47 -0000
@@ -1316,13 +1316,11 @@ static int qemudStartVMDaemon(virConnect
 
    /* If you are using a SecurityDriver and there was no security label in
       database, then generate a security label for isolation */
-    if (vm->def->seclabel.label == NULL && driver->securityDriver) {
-        if (driver->securityDriver->domainGenSecurityLabel(vm) < 0) {
-            qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
-                             "%s", _("Unable to generate Security Label"));
-            return -1;
-        }
-    }
+    if (vm->def->seclabel.label == NULL &&
+	driver->securityDriver &&
+	driver->securityDriver->domainGenSecurityLabel &&
+	driver->securityDriver->domainGenSecurityLabel(conn, vm) < 0)
+        return -1;
 
     FD_ZERO(&keepfd);
 
Index: src/security.h
===================================================================
RCS file: /data/cvs/libvirt/src/security.h,v
retrieving revision 1.1
diff -u -p -r1.1 security.h
--- src/security.h	3 Mar 2009 09:44:42 -0000	1.1
+++ src/security.h	3 Mar 2009 12:25:47 -0000
@@ -37,7 +37,8 @@ typedef int (*virSecurityDomainRestoreIm
 typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
                                                virDomainObjPtr vm,
                                                virDomainDeviceDefPtr dev);
-typedef int (*virSecurityDomainGenLabel) (virDomainObjPtr sec);
+typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn,
+					  virDomainObjPtr sec);
 typedef int (*virSecurityDomainGetLabel) (virConnectPtr conn,
                                           virDomainObjPtr vm,
                                           virSecurityLabelPtr sec);
Index: src/security_selinux.c
===================================================================
RCS file: /data/cvs/libvirt/src/security_selinux.c,v
retrieving revision 1.1
diff -u -p -r1.1 security_selinux.c
--- src/security_selinux.c	3 Mar 2009 10:06:49 -0000	1.1
+++ src/security_selinux.c	3 Mar 2009 12:25:47 -0000
@@ -24,6 +24,9 @@
 #include "util.h"
 #include "memory.h"
 
+
+#define VIR_FROM_THIS VIR_FROM_SECURITY
+
 static char default_domain_context[1024];
 static char default_image_context[1024];
 #define SECURITY_SELINUX_VOID_DOI       "0"
@@ -45,10 +48,11 @@ mcsAdd(const char *mcs)
     struct MCS *ptr;
 
     for (ptr = mcsList; ptr; ptr = ptr->next) {
-        if (STREQ(ptr->mcs, mcs) == 0)
+        if (STREQ(ptr->mcs, mcs))
             return -1;
     }
-    ptr = malloc(sizeof(struct MCS));
+    if (VIR_ALLOC(ptr) < 0)
+        return -1;
     ptr->mcs = strdup(mcs);
     ptr->next = mcsList;
     mcsList = ptr;
@@ -62,7 +66,7 @@ mcsRemove(const char *mcs)
     struct MCS *ptr = NULL;
 
     for (ptr = mcsList; ptr; ptr = ptr->next) {
-        if (STREQ(ptr->mcs, mcs) == 0) {
+        if (STREQ(ptr->mcs, mcs)) {
             if (prevptr)
                 prevptr->next = ptr->next;
             else {
@@ -149,7 +153,8 @@ SELinuxInitialize(virConnectPtr conn)
 }
 
 static int
-SELinuxGenSecurityLabel(virDomainObjPtr vm)
+SELinuxGenSecurityLabel(virConnectPtr conn,
+			virDomainObjPtr vm)
 {
     int rc = -1;
     char mcs[1024];
@@ -158,8 +163,11 @@ SELinuxGenSecurityLabel(virDomainObjPtr 
     int c2 = 0;
     if ( ( vm->def->seclabel.label ) ||
          ( vm->def->seclabel.model ) ||
-         ( vm->def->seclabel.imagelabel ))
+         ( vm->def->seclabel.imagelabel )) {
+        virSecurityReportError(conn, VIR_ERR_ERROR,
+			       "%s", _("security labellin already defined for VM"));
         return rc;
+    }
 
     do {
         c1 = virRandom(1024);
@@ -168,28 +176,40 @@ SELinuxGenSecurityLabel(virDomainObjPtr 
         if ( c1 == c2 ) {
             sprintf(mcs, "s0:c%d", c1);
         } else {
-            if ( c1 == c2 )
-                sprintf(mcs, "s0:c%d,c%d", c1, c2);
+            if ( c1 < c2 )
+                sprintf(mcs, "s0:c%d.c%d", c1, c2);
             else
-                sprintf(mcs, "s0:c%d,c%d", c2, c1);
+                sprintf(mcs, "s0:c%d.c%d", c2, c1);
         }
     } while(mcsAdd(mcs) == -1);
 
     vm->def->seclabel.label = SELinuxGenNewContext(default_domain_context, mcs);
-    if (! vm->def->seclabel.label)  goto err;
+    if (! vm->def->seclabel.label)  {
+        virSecurityReportError(conn, VIR_ERR_ERROR,
+			       _("cannot generate selinux context for %s"), mcs);
+	goto err;
+    }
     vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
-    if (! vm->def->seclabel.imagelabel)  goto err;
+    if (! vm->def->seclabel.imagelabel)  {
+        virSecurityReportError(conn, VIR_ERR_ERROR,
+			       _("cannot generate selinux context for %s"), mcs);
+	goto err;
+    }
     vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME);
-    if (! vm->def->seclabel.model) goto err;
+    if (! vm->def->seclabel.model) {
+        virReportOOMError(conn);
+	goto err;
+    }
+
 
     rc = 0;
     goto done;
 err:
-    free(vm->def->seclabel.label); vm->def->seclabel.label = NULL;
-    free(vm->def->seclabel.imagelabel); vm->def->seclabel.imagelabel = NULL;
-    free(vm->def->seclabel.model); vm->def->seclabel.model = NULL;
+    VIR_FREE(vm->def->seclabel.label);
+    VIR_FREE(vm->def->seclabel.imagelabel);
+    VIR_FREE(vm->def->seclabel.model);
 done:
-    free(scontext);
+    VIR_FREE(scontext);
     return rc;
 }
 


-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|




More information about the libvir-list mailing list