[libvirt] [PATCH 0/2] fix nwfilter when /tmp is mounted noexec
Eric Blake
eblake at redhat.com
Wed Nov 9 18:01:58 UTC 2011
On 11/09/2011 10:46 AM, Eric Blake wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=752254 points out that
> libvirt cannot support nwfilter on a system with /tmp mounted
> noexec (which is a very common setup in security-conscious setups),
> all because we were trying to directly invoke a temporary script
> instead of invoking a shell to read the script.
>
> I've split this patch into 2 parts, on the off-chance that patch
> 2 would run afoul of command line length limits (if the total
> size of the generated nwfilter commands could possibly cause
> E2BIG, then we have to go through a temporary file). But my
> recollection is that modern Linux kernels support unlimited
> command-line length (that is, ARG_MAX is not a concern on Linux),
> and that nwfilter_ebiptables_driver only compiles on Linux, so
> my preference would be to squash these into a single commit, if
> others agree that we don't have to worry about length limits.
>
> At any rate, I'm quite impressed at the number of lines of code
> I was able to remove in order to fix a bug!
>
> Eric Blake (2):
> nwfilter: avoid failure with noexec /tmp
> nwfilter: simplify execution of ebiptables scripts
>
> src/nwfilter/nwfilter_ebiptables_driver.c | 134 ++--------------------------
> 1 files changed, 10 insertions(+), 124 deletions(-)
This series does not solve a more fundamental issue that has been on my
mind - are we still sure that the best design for manipulating network
filters involves the creation of a series of shell scripting commands,
where we have to worry about proper quoting and so forth? Is it
possible to refactor this code to make more direct use of virCommand for
every call to iptables and friends (that is, doing the glue logic in C
rather than using C to generate shell scripting commands where the glue
logic is in generated sh)? Or perhaps to even refactor things into a
well-defined file format that we can feed to a helper executable, which
would allow finer-grained SELinux labelling (by isolating the direct
execution of iptables into a well-defined helper executable, then
SELinux can enforce that libvirtd cannot alter the host firewall except
by going through the helper executable, which has been audited to make
only known sets of iptables calls based on well-formed input)?
--
Eric Blake eblake at redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
More information about the libvir-list
mailing list