[libvirt] Patch set to add virt-sandbox -s inherit and fixes for man pages.
Daniel P. Berrange
berrange at redhat.com
Fri Aug 2 15:51:34 UTC 2013
On Fri, Aug 02, 2013 at 11:20:16AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> for some reason my git-sendmail keeps failing.
Here's the wrapper script I used for that
$ cat $HOME/usr/bin/git-spam
#!/bin/sh
dohelp() {
echo "syntax: $0 TO-ADDR REV-LIST"
}
if [ -z "$2" ]; then
dohelp;
exit 1
fi
TO=$1
REV=$2
shift
shift
git send-email --compose --to "$TO" --smtp-server=smtp.corp.redhat.com --no-chain-reply-to $REV "$@"
Assuming you do your work on a branch, then you can just run
git-spam libvir-list at redhat.com master..
If you were doing your work on master directly, then you'd
have to use
git-spam libvir-list at redhat.com origin/master..
Or explicitly specify the starting commit hash.
>
> [sandbox PATCH 1/3] Add virt-sandbox -s inherit, to execute the
> [sandbox PATCH 2/3] Add comment about LIBVIRT_DEFAULT_URI to
> [sandbox PATCH 3/3] virt-sandbox-service.pod did not mention upgrade
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlH7zjAACgkQrlYvE4MpobPBIQCgvOYtY0ccFTUNBNA4tWWQs02t
> tYwAn15nXX9WhTyG0Piw4QVYwide9/RZ
> =g+dS
> -----END PGP SIGNATURE-----
> >From fcf2e72b78b66075ca5f061423a259e058f4f39d Mon Sep 17 00:00:00 2001
> From: Dan Walsh <dwalsh at redhat.com>
> Date: Wed, 31 Jul 2013 17:04:58 -0400
> Subject: [sandbox PATCH 1/3] Add virt-sandbox -s inherit, to execute the
> sandbox from the parent.
>
> This will allow us to run sandbox as the calling process, If I am
> running a shell as staff_u:unconfined_r:unconfined_t:s0, and I
> execute virt-sandbox -c lxc/// -- /bin/sh
>
> /bin/sh will run as staff_u:unconfined_r:unconfined_t:s0
> ---
> bin/virt-sandbox.c | 4 ++++
> libvirt-sandbox/libvirt-sandbox-config.c | 14 ++++++++++++++
> 2 files changed, 18 insertions(+)
>
> diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c
> index b51465d..9a75f3c 100644
> --- a/bin/virt-sandbox.c
> +++ b/bin/virt-sandbox.c
> @@ -403,6 +403,10 @@ USER:ROLE:TYPE:LEVEL, instead of the default base context.
> To set a completely static label. For example,
> static,label=system_u:system_r:svirt_t:s0:c412,c355
>
> +=item inherit
> +
> +Inherit the context from the process that is executing virt-sandbox.
> +
> =back
>
> =item B<-p>, B<--privileged>
> diff --git a/libvirt-sandbox/libvirt-sandbox-config.c b/libvirt-sandbox/libvirt-sandbox-config.c
> index ccdb3bc..8e8ac65 100644
> --- a/libvirt-sandbox/libvirt-sandbox-config.c
> +++ b/libvirt-sandbox/libvirt-sandbox-config.c
> @@ -27,6 +27,8 @@
> #include <glib/gi18n.h>
>
> #include "libvirt-sandbox/libvirt-sandbox.h"
> +#include <errno.h>
> +#include <selinux/selinux.h>
>
> /**
> * SECTION: libvirt-sandbox-config
> @@ -1521,6 +1523,18 @@ gboolean gvir_sandbox_config_set_security_opts(GVirSandboxConfig *config,
> gvir_sandbox_config_set_security_dynamic(config, TRUE);
> } else if (g_str_equal(tmp, "static")) {
> gvir_sandbox_config_set_security_dynamic(config, FALSE);
> + } else if (g_str_equal(tmp, "inherit")) {
> + gvir_sandbox_config_set_security_dynamic(config, FALSE);
> + security_context_t scon;
> + if (getcon(&scon) < 0) {
> + g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0,
> + _("Unable to get SELinux context of user: %s"),
> + strerror(errno));
> + return FALSE;
> + }
> + gvir_sandbox_config_set_security_label(config, scon);
> + freecon(scon);
Looks good.
I wonder if we should also have an explicit 'unconfined' string to
simplify life for people who want to run the container entirely
unconfined ? eg avoid them needing the verbose
-s static,label=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> +
> } else {
> g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0,
> _("Unknown security option '%s'"), tmp);
You'll need to re-add the code to detect selinux in configure, since we
had got rid of that previously. eg create m4/virt-selinux.m4 containing
AC_DEFUN([LIBVIRT_SANDBOX_SELINUX], [
fail=0
old_LIBS=$LIBS
old_CFLAGS=$CFLAGS
AC_CHECK_HEADER([selinux/selinux.h],[],[fail=1])
AC_CHECK_LIB([selinux], [fgetfilecon],[],[fail=1])
LIBS=$old_LIBS
CFLAGS=$old_CFLAGS
test $fail = 1 &&
AC_MSG_ERROR([You must install the libselinux development package in order to compile libvirt-sandbox])
])
And then add
LIBVIRT_SANDBOX_SELINUX
to configure.ac, and update libvirt-sandbox/Makefile.am to include
SELINUX_CFLAGS and SELINUX_LIBS.
And make libvirt-sandbox.spec.in have a BuildRequires: libselinux-devel
> diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c
> index 9a75f3c..26eefcf 100644
> --- a/bin/virt-sandbox.c
> +++ b/bin/virt-sandbox.c
> @@ -280,6 +280,7 @@ not allowed to open any other files.
>
> Set the libvirt connection URI, defaults to qemu:///session if
> omitted. Currently only the QEMU and LXC drivers are supported.
> +Alternatively the C<LIBVIRT_DEFAULT_URI> environment variable can be set, or the config file C</etc/libvirt/libvirt.conf> can have a default URI set.
Can you add line wrap at appropriate places
> >From af40cc741f69b335975f36801efe91f822a2b8cc Mon Sep 17 00:00:00 2001
> From: Dan Walsh <dwalsh at redhat.com>
> Date: Thu, 1 Aug 2013 11:09:51 -0400
> Subject: [sandbox PATCH 3/3] virt-sandbox-service.pod did not mention upgrade
>
> Also still had references to start, stop and list
> ---
> bin/virt-sandbox-service.pod | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/bin/virt-sandbox-service.pod b/bin/virt-sandbox-service.pod
> index 32caad9..b317ad4 100644
> --- a/bin/virt-sandbox-service.pod
> +++ b/bin/virt-sandbox-service.pod
> @@ -4,7 +4,7 @@ virt-sandbox-service - Secure container tool
>
> =head1 SYNOPSIS
>
> - {create,clone,connect,delete,execute,list,reload,start,stop}
> + {create,clone,connect,delete,execute,reload,upgrade}
>
> commands:
>
> @@ -20,6 +20,8 @@ virt-sandbox-service - Secure container tool
>
> reload Reload a running sandbox container
>
> + upgrade Upgrade the sandbox container
> +
> =head1 DESCRIPTION
>
> virt-sandbox-service is used to provision secure sandboxed system services.
> @@ -52,7 +54,7 @@ supported currently).
>
> =head1 SEE ALSO
>
> -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>, C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>, C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>, C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>
> +C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>, C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>, C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>, C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>, C<virt-sandbox-service-upgrade(1)>
This SEE ALSO section should have some line wraps add too
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list