[libvirt] Updated James Morris patch to apply to libvirt-0.6.0 version

Daniel J Walsh dwalsh at redhat.com
Tue Mar 3 14:08:20 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel P. Berrange wrote:
> On Fri, Feb 27, 2009 at 03:37:55PM -0500, Daniel J Walsh wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Another patch off latest repository.
>>
>> This patch does not require the XML to include a label, although this is
>> still supported.
>>
>> Implemented most of the comments from Jim.  make check and make
>> syntax-check passes, Added seclabeltest.c to run in tests, Updated
>> capability.rng, although not really sure I did it right.
>>
>> This patch will generate random MCS Labels and relabels the image files
>> to match.  Seems to work well on F11.
> 
> I had a few problems with label generation on my F11 machine - perhaps
> you have a newer version of the patch than the one I applied.
> 
> I found I need the following additional patch..
> 
>  - Make domainGenSecurityLabel() give diagnostics for each type of error
>    instead of using generic error message in caller
>  - Change  logic bug 'c1 == c2' to 'c1 < c2'
>  - Change 'c%d,c%d' to 'c%d.c%d' - it doesn't like labels with
>    the form "c210,c502"  only wanting "c210.c502"
This does not make sense.  c210,c502 is valid.  c210.c502 means include
the range.  c210, c211, c212...c502.
>  - Fix use of STREQ - no need for == 0 in there
I am reworking this code to use INT instead of strings.
>  - Use VIR_FREE/VIR_ALLOC for memory mgmt
> 
> With this I can successfully start several VMs, and see them all
> using different contexts, and see the files labelled
> 
> # ps -xZ | grep qemu | awk '{print $1}'
> system_u:system_r:qemu_t:s0:c35.c537
> system_u:system_r:qemu_t:s0:c210.c502
> 
> # ls -Zl /var/lib/libvirt/images/
> total 504
> -rwxr-xr-x. 1 system_u:object_r:virt_image_t:s0:c210.c502 root root 1073741824 2009-03-03 12:15 demo2.img
> -rwxr-xr-x. 1 system_u:object_r:virt_image_t:s0:c35.c537 root root 1073741824 2009-03-03 11:49 demo.img
> 
> 
> Daniel
> 
> Index: src/qemu_driver.c
> ===================================================================
> RCS file: /data/cvs/libvirt/src/qemu_driver.c,v
> retrieving revision 1.212
> diff -u -p -r1.212 qemu_driver.c
> --- src/qemu_driver.c	3 Mar 2009 12:03:44 -0000	1.212
> +++ src/qemu_driver.c	3 Mar 2009 12:25:47 -0000
> @@ -1316,13 +1316,11 @@ static int qemudStartVMDaemon(virConnect
>  
>     /* If you are using a SecurityDriver and there was no security label in
>        database, then generate a security label for isolation */
> -    if (vm->def->seclabel.label == NULL && driver->securityDriver) {
> -        if (driver->securityDriver->domainGenSecurityLabel(vm) < 0) {
> -            qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
> -                             "%s", _("Unable to generate Security Label"));
> -            return -1;
> -        }
> -    }
> +    if (vm->def->seclabel.label == NULL &&
> +	driver->securityDriver &&
> +	driver->securityDriver->domainGenSecurityLabel &&
> +	driver->securityDriver->domainGenSecurityLabel(conn, vm) < 0)
> +        return -1;
>  
>      FD_ZERO(&keepfd);
>  
> Index: src/security.h
> ===================================================================
> RCS file: /data/cvs/libvirt/src/security.h,v
> retrieving revision 1.1
> diff -u -p -r1.1 security.h
> --- src/security.h	3 Mar 2009 09:44:42 -0000	1.1
> +++ src/security.h	3 Mar 2009 12:25:47 -0000
> @@ -37,7 +37,8 @@ typedef int (*virSecurityDomainRestoreIm
>  typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
>                                                 virDomainObjPtr vm,
>                                                 virDomainDeviceDefPtr dev);
> -typedef int (*virSecurityDomainGenLabel) (virDomainObjPtr sec);
> +typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn,
> +					  virDomainObjPtr sec);
>  typedef int (*virSecurityDomainGetLabel) (virConnectPtr conn,
>                                            virDomainObjPtr vm,
>                                            virSecurityLabelPtr sec);
> Index: src/security_selinux.c
> ===================================================================
> RCS file: /data/cvs/libvirt/src/security_selinux.c,v
> retrieving revision 1.1
> diff -u -p -r1.1 security_selinux.c
> --- src/security_selinux.c	3 Mar 2009 10:06:49 -0000	1.1
> +++ src/security_selinux.c	3 Mar 2009 12:25:47 -0000
> @@ -24,6 +24,9 @@
>  #include "util.h"
>  #include "memory.h"
>  
> +
> +#define VIR_FROM_THIS VIR_FROM_SECURITY
> +
>  static char default_domain_context[1024];
>  static char default_image_context[1024];
>  #define SECURITY_SELINUX_VOID_DOI       "0"
> @@ -45,10 +48,11 @@ mcsAdd(const char *mcs)
>      struct MCS *ptr;
>  
>      for (ptr = mcsList; ptr; ptr = ptr->next) {
> -        if (STREQ(ptr->mcs, mcs) == 0)
> +        if (STREQ(ptr->mcs, mcs))
>              return -1;
>      }
> -    ptr = malloc(sizeof(struct MCS));
> +    if (VIR_ALLOC(ptr) < 0)
> +        return -1;
>      ptr->mcs = strdup(mcs);
>      ptr->next = mcsList;
>      mcsList = ptr;
> @@ -62,7 +66,7 @@ mcsRemove(const char *mcs)
>      struct MCS *ptr = NULL;
>  
>      for (ptr = mcsList; ptr; ptr = ptr->next) {
> -        if (STREQ(ptr->mcs, mcs) == 0) {
> +        if (STREQ(ptr->mcs, mcs)) {
>              if (prevptr)
>                  prevptr->next = ptr->next;
>              else {
> @@ -149,7 +153,8 @@ SELinuxInitialize(virConnectPtr conn)
>  }
>  
>  static int
> -SELinuxGenSecurityLabel(virDomainObjPtr vm)
> +SELinuxGenSecurityLabel(virConnectPtr conn,
> +			virDomainObjPtr vm)
>  {
>      int rc = -1;
>      char mcs[1024];
> @@ -158,8 +163,11 @@ SELinuxGenSecurityLabel(virDomainObjPtr 
>      int c2 = 0;
>      if ( ( vm->def->seclabel.label ) ||
>           ( vm->def->seclabel.model ) ||
> -         ( vm->def->seclabel.imagelabel ))
> +         ( vm->def->seclabel.imagelabel )) {
> +        virSecurityReportError(conn, VIR_ERR_ERROR,
> +			       "%s", _("security labellin already defined for VM"));
>          return rc;
> +    }
>  
>      do {
>          c1 = virRandom(1024);
> @@ -168,28 +176,40 @@ SELinuxGenSecurityLabel(virDomainObjPtr 
>          if ( c1 == c2 ) {
>              sprintf(mcs, "s0:c%d", c1);
>          } else {
> -            if ( c1 == c2 )
> -                sprintf(mcs, "s0:c%d,c%d", c1, c2);
> +            if ( c1 < c2 )
> +                sprintf(mcs, "s0:c%d.c%d", c1, c2);
>              else
> -                sprintf(mcs, "s0:c%d,c%d", c2, c1);
> +                sprintf(mcs, "s0:c%d.c%d", c2, c1);
>          }
>      } while(mcsAdd(mcs) == -1);
>  
>      vm->def->seclabel.label = SELinuxGenNewContext(default_domain_context, mcs);
> -    if (! vm->def->seclabel.label)  goto err;
> +    if (! vm->def->seclabel.label)  {
> +        virSecurityReportError(conn, VIR_ERR_ERROR,
> +			       _("cannot generate selinux context for %s"), mcs);
> +	goto err;
> +    }
>      vm->def->seclabel.imagelabel = SELinuxGenNewContext(default_image_context, mcs);
> -    if (! vm->def->seclabel.imagelabel)  goto err;
> +    if (! vm->def->seclabel.imagelabel)  {
> +        virSecurityReportError(conn, VIR_ERR_ERROR,
> +			       _("cannot generate selinux context for %s"), mcs);
> +	goto err;
> +    }
>      vm->def->seclabel.model = strdup(SECURITY_SELINUX_NAME);
> -    if (! vm->def->seclabel.model) goto err;
> +    if (! vm->def->seclabel.model) {
> +        virReportOOMError(conn);
> +	goto err;
> +    }
> +
>  
>      rc = 0;
>      goto done;
>  err:
> -    free(vm->def->seclabel.label); vm->def->seclabel.label = NULL;
> -    free(vm->def->seclabel.imagelabel); vm->def->seclabel.imagelabel = NULL;
> -    free(vm->def->seclabel.model); vm->def->seclabel.model = NULL;
> +    VIR_FREE(vm->def->seclabel.label);
> +    VIR_FREE(vm->def->seclabel.imagelabel);
> +    VIR_FREE(vm->def->seclabel.model);
>  done:
> -    free(scontext);
> +    VIR_FREE(scontext);
>      return rc;
>  }
>  
> 
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEUEARECAAYFAkmtOdQACgkQrlYvE4MpobMdwQCfQR3lSPnih5zd977k/wET4WqD
rhIAmNYlqoogrM4KFb/trH4n5lxU2fc=
=Bhc/
-----END PGP SIGNATURE-----




More information about the libvir-list mailing list