[libvirt] [PATCHv2 2/2] security: Add a new func use stat to get process DAC label
lhuang
lhuang at redhat.com
Fri Dec 5 06:57:28 UTC 2014
On 12/05/2014 12:58 AM, Ján Tomko wrote:
> On 12/03/2014 11:08 AM, Luyao Huang wrote:
>> When use qemuProcessAttach to attach a qemu process, cannot
>> get a right DAC label. Add a new func to get process label
>> via stat func. Do not remove virDomainDefGetSecurityLabelDef
>> before try to use stat to get process DAC label, because
>> There are some other func call virSecurityDACGetProcessLabel.
>>
>> v2 add support freeBSD.
>>
>> Signed-off-by: Luyao Huang <lhuang at redhat.com>
>> ---
>> src/security/security_dac.c | 95 ++++++++++++++++++++++++++++++++++++++++++++-
>> 1 file changed, 93 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
>> index 85253af..89cafa3 100644
>> --- a/src/security/security_dac.c
>> +++ b/src/security/security_dac.c
>> @@ -23,6 +23,11 @@
>> #include <sys/stat.h>
>> #include <fcntl.h>
>>
>> +#ifdef __FreeBSD__
>> +# include <sys/sysctl.h>
>> +# include <sys/user.h>
>> +#endif
>> +
>> #include "security_dac.h"
>> #include "virerror.h"
>> #include "virfile.h"
>> @@ -1236,18 +1241,104 @@ virSecurityDACReserveLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
>> return 0;
>> }
>>
>> +#ifdef __linux__
>> +static int
>> +virSecurityDACGetProcessLabelInternal(pid_t pid,
>> + virSecurityLabelPtr seclabel)
>> +{
>> + struct stat sb;
>> + char *path = NULL;
>> + char *label = NULL;
>> + int ret = -1;
>> +
>> + VIR_INFO("Getting DAC user and group on process '%d'", pid);
>> +
>> + if (virAsprintf(&path, "/proc/%d", (int) pid) < 0)
>> + goto cleanup;
>> +
>> + if (lstat(path, &sb) < 0)
>> + goto cleanup;
> A more specific error should be reported here via virReportSystemError.
Thanks, i will move error settings in this func.
>> +
>> + if (virAsprintf(&label, "+%u:+%u",
>> + (unsigned int) sb.st_uid,
>> + (unsigned int) sb.st_gid) < 0)
>> + goto cleanup;
>> +
>> + if (virStrcpy(seclabel->label, label,VIR_SECURITY_LABEL_BUFLEN) == NULL)
>> + goto cleanup;
> Using snprintf would simplify this code.
Oh, nice, i forgot this function, and thanks your pointing out.
>> + ret = 0;
>> +
>> +cleanup:
>> + VIR_FREE(path);
>> + VIR_FREE(label);
>> + return ret;
>> +}
>> +#elif defined(__FreeBSD__)
>> +static int
>> +virSecurityDACGetProcessLabelInternal(pid_t pid,
>> + virSecurityLabelPtr seclabel)
>> +{
>> + struct kinfo_proc p;
>> + int mib[4];
>> + size_t len = 4;
>> + char *label = NULL;
>> + int ret = -1;
>> +
>> + sysctlnametomib("kern.proc.pid", mib, &len);
>> +
>> + len = sizeof(struct kinfo_proc);
>> + mib[3] = pid;
>> +
>> + if (sysctl(mib, 4, &p, &len, NULL, 0) < 0)
>> + goto cleanup;
>> +
> sysctlbyname would remove the need for a separate nametomib call and get rid
> of a few variables.
Actually, i tried to use this func (sysctlbyname) before, but i found i
cannot make it
work well here...
If you have some good way to use it, please tell me, thanks a lot for
your answer:)
>
>> + if (virAsprintf(&label, "+%u:+%u",
>> + (unsigned int) p.ki_ruid,
>> + (unsigned int) p.ki_rgid) < 0)
>> + goto cleanup;
>> +
>> + if (virStrcpy(seclabel->label, label,VIR_SECURITY_LABEL_BUFLEN) == NULL)
>> + goto cleanup;
> Same comment as above.
Thanks
>> + ret = 0;
>> +
>> +cleanup:
>> + VIR_FREE(label);
>> + return ret;
>> +}
>> +#else
>> +static int
>> +virSecurityDACGetProcessLabelInternal(pid_t pid,
>> + virSecurityLabelPtr seclabel)
>> +{
>> + return -1;
>> +}
>> +#endif
>> +
>> static int
>> virSecurityDACGetProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
>> virDomainDefPtr def,
>> - pid_t pid ATTRIBUTE_UNUSED,
>> + pid_t pid,
>> virSecurityLabelPtr seclabel)
>> {
>> virSecurityLabelDefPtr secdef =
>> virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
>>
>> - if (!secdef || !seclabel)
>> + if (!seclabel)
>> return -1;
> The SELinux version of this function does not check if seclabel is non-NULL, I
> think we can safely remove the check here as well.
Okay
>>
>> + if (secdef == NULL) {
>> + VIR_DEBUG("missing label for DAC security "
>> + "driver in domain %s", def->name);
>> +
>> + if (virSecurityDACGetProcessLabelInternal(pid, seclabel) < 0) {
>> + virReportError(VIR_ERR_INTERNAL_ERROR,
>> + _("Cannot get process %d DAC label"),pid);
> This would overwrite the more-specific error message from the
> virSecurityDACGetProcessLabelInternal function.
Yes, got it, thanks for pointing out.
>> + return -1;
>> + }
>> +
>> + return 0;
>> + }
>> +
>> if (secdef->label)
>> ignore_value(virStrcpy(seclabel->label, secdef->label,
>> VIR_SECURITY_LABEL_BUFLEN));
>>
> Jan
>
>
More information about the libvir-list
mailing list