[libvirt] Patch set to add virt-sandbox -s inherit and fixes for man pages.

Daniel J Walsh dwalsh at redhat.com
Fri Aug 2 18:51:46 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/02/2013 11:51 AM, Daniel P. Berrange wrote:
> On Fri, Aug 02, 2013 at 11:20:16AM -0400, Daniel J Walsh wrote: for some
> reason my git-sendmail keeps failing.
> 
>> Here's the wrapper script I used for that
> 
>> $ cat $HOME/usr/bin/git-spam #!/bin/sh
> 
>> dohelp() { echo "syntax: $0 TO-ADDR REV-LIST" }
> 
>> if [ -z "$2" ]; then dohelp; exit 1 fi
> 
>> TO=$1 REV=$2 shift shift
> 
>> git send-email --compose --to "$TO" --smtp-server=smtp.corp.redhat.com
>> --no-chain-reply-to $REV "$@"
> 
> 
>> Assuming you do your work on a branch, then you can just run
> 
>> git-spam libvir-list at redhat.com master..
> 
> 
>> If you were doing your work on master directly, then you'd have to use
> 
>> git-spam libvir-list at redhat.com origin/master..
> 
>> Or explicitly specify the starting commit hash.
> 
> 
> [sandbox PATCH 1/3] Add virt-sandbox -s inherit, to execute the [sandbox
> PATCH 2/3] Add comment about LIBVIRT_DEFAULT_URI to [sandbox PATCH 3/3]
> virt-sandbox-service.pod did not mention upgrade
> 
>>> From fcf2e72b78b66075ca5f061423a259e058f4f39d Mon Sep 17 00:00:00 2001
>> From: Dan Walsh <dwalsh at redhat.com> Date: Wed, 31 Jul 2013 17:04:58
>> -0400 Subject: [sandbox PATCH 1/3] Add virt-sandbox -s inherit, to
>> execute the sandbox from the parent.
>> 
>> This will allow us to run sandbox as the calling process,  If I am 
>> running a shell as staff_u:unconfined_r:unconfined_t:s0, and I execute
>> virt-sandbox -c lxc/// -- /bin/sh
>> 
>> /bin/sh will run as staff_u:unconfined_r:unconfined_t:s0 --- 
>> bin/virt-sandbox.c                       |  4 ++++ 
>> libvirt-sandbox/libvirt-sandbox-config.c | 14 ++++++++++++++ 2 files
>> changed, 18 insertions(+)
>> 
>> diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c index
>> b51465d..9a75f3c 100644 --- a/bin/virt-sandbox.c +++
>> b/bin/virt-sandbox.c @@ -403,6 +403,10 @@ USER:ROLE:TYPE:LEVEL, instead
>> of the default base context. To set a completely static label. For
>> example, static,label=system_u:system_r:svirt_t:s0:c412,c355
>> 
>> +=item inherit + +Inherit the context from the process that is executing
>> virt-sandbox. + =back
>> 
>> =item B<-p>, B<--privileged> diff --git
>> a/libvirt-sandbox/libvirt-sandbox-config.c
>> b/libvirt-sandbox/libvirt-sandbox-config.c index ccdb3bc..8e8ac65 100644 
>> --- a/libvirt-sandbox/libvirt-sandbox-config.c +++
>> b/libvirt-sandbox/libvirt-sandbox-config.c @@ -27,6 +27,8 @@ #include
>> <glib/gi18n.h>
>> 
>> #include "libvirt-sandbox/libvirt-sandbox.h" +#include <errno.h> 
>> +#include <selinux/selinux.h>
>> 
>> /** * SECTION: libvirt-sandbox-config @@ -1521,6 +1523,18 @@ gboolean
>> gvir_sandbox_config_set_security_opts(GVirSandboxConfig *config, 
>> gvir_sandbox_config_set_security_dynamic(config, TRUE); } else if
>> (g_str_equal(tmp, "static")) { 
>> gvir_sandbox_config_set_security_dynamic(config, FALSE); +    } else if
>> (g_str_equal(tmp, "inherit")) { +
>> gvir_sandbox_config_set_security_dynamic(config, FALSE); +
>> security_context_t scon; +        if (getcon(&scon) < 0) { +
>> g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0, +
>> _("Unable to get SELinux context of user: %s"), +
>> strerror(errno)); +                return FALSE; +        } +
>> gvir_sandbox_config_set_security_label(config, scon); +
>> freecon(scon);
> 
> Looks good.
> 
> 
> I wonder if we should also have an explicit 'unconfined' string to simplify
> life for people who want to run the container entirely unconfined ? eg
> avoid them needing the verbose
> 
> -s static,label=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 
>> + } else { g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0, _("Unknown
>> security option '%s'"), tmp);
> 
> You'll need to re-add the code to detect selinux in configure, since we had
> got rid of that previously. eg create m4/virt-selinux.m4 containing
> 
> AC_DEFUN([LIBVIRT_SANDBOX_SELINUX], [ fail=0 old_LIBS=$LIBS 
> old_CFLAGS=$CFLAGS AC_CHECK_HEADER([selinux/selinux.h],[],[fail=1]) 
> AC_CHECK_LIB([selinux], [fgetfilecon],[],[fail=1]) LIBS=$old_LIBS 
> CFLAGS=$old_CFLAGS test $fail = 1 && AC_MSG_ERROR([You must install the
> libselinux development package in order to compile libvirt-sandbox]) ])
> 
> 
> And then add
> 
> LIBVIRT_SANDBOX_SELINUX
> 
> to configure.ac, and update libvirt-sandbox/Makefile.am to include 
> SELINUX_CFLAGS and SELINUX_LIBS.
> 
> And make libvirt-sandbox.spec.in have a BuildRequires: libselinux-devel
> 
>> diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c index
>> 9a75f3c..26eefcf 100644 --- a/bin/virt-sandbox.c +++
>> b/bin/virt-sandbox.c @@ -280,6 +280,7 @@ not allowed to open any other
>> files.
>> 
>> Set the libvirt connection URI, defaults to qemu:///session if omitted.
>> Currently only the QEMU and LXC drivers are supported. +Alternatively the
>> C<LIBVIRT_DEFAULT_URI> environment variable can be set, or the config
>> file C</etc/libvirt/libvirt.conf> can have a default URI set.
> 
> Can you add line wrap at appropriate places
> 
> 
> 
>>> From af40cc741f69b335975f36801efe91f822a2b8cc Mon Sep 17 00:00:00 2001
>> From: Dan Walsh <dwalsh at redhat.com> Date: Thu, 1 Aug 2013 11:09:51 -0400 
>> Subject: [sandbox PATCH 3/3] virt-sandbox-service.pod did not mention
>> upgrade
>> 
>> Also still had references to start, stop and list --- 
>> bin/virt-sandbox-service.pod | 6 ++++-- 1 file changed, 4 insertions(+),
>> 2 deletions(-)
>> 
>> diff --git a/bin/virt-sandbox-service.pod b/bin/virt-sandbox-service.pod 
>> index 32caad9..b317ad4 100644 --- a/bin/virt-sandbox-service.pod +++
>> b/bin/virt-sandbox-service.pod @@ -4,7 +4,7 @@ virt-sandbox-service -
>> Secure container tool
>> 
>> =head1 SYNOPSIS
>> 
>> -  {create,clone,connect,delete,execute,list,reload,start,stop} +
>> {create,clone,connect,delete,execute,reload,upgrade}
>> 
>> commands:
>> 
>> @@ -20,6 +20,8 @@ virt-sandbox-service - Secure container tool
>> 
>> reload              Reload a running sandbox container
>> 
>> +    upgrade             Upgrade the sandbox container + =head1
>> DESCRIPTION
>> 
>> virt-sandbox-service is used to provision secure sandboxed system
>> services. @@ -52,7 +54,7 @@ supported currently).
>> 
>> =head1 SEE ALSO
>> 
>> -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>,
>> C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>,
>> C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>,
>> C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)> 
>> +C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>,
>> C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>,
>> C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>,
>> C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>,
>> C<virt-sandbox-service-upgrade(1)>
> 
> 
> This SEE ALSO section should have some line wraps add too
> 
> 
> Regards, Daniel
> 

Actually my sendmail seems to be the problem.  I was sending from my host and
dwalsh at redsox.boston.redhat.com was getting rejected,  I have to change
sendmail config to send my address as dwalsh at redhat.com.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlH7/8IACgkQrlYvE4MpobNH1gCg6of+Q9Yi6NswiGTta+hgih0M
GPkAoLUgZy0MuIgTApv5QAVFrfu1AZtX
=tQPq
-----END PGP SIGNATURE-----

More information about the libvir-list mailing list