[libvirt] [PATCH v2 17/18] tools: Provide a script to recover fubar'ed XATTRs setup

Daniel P. Berrangé berrange at redhat.com
Thu Dec 6 12:14:04 UTC 2018


On Thu, Nov 29, 2018 at 02:52:32PM +0100, Michal Privoznik wrote:
> Our code is not bug free. The refcounting I introduced will
> almost certainly not work in some use cases. Provide a script
> that will remove all the XATTRs set by libvirt so that it can
> start cleanly.

On this point, it would be a nice idea to be able to write some
unit tests to exercise the security drivers, as this is something
we're significantly lacking coverage of.

With mocking of the chown/setxattr/etc methods we can easily
detect some of the bugs you fixed here, such as forgetting to
restore labels of certain resource types.

> 
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
>  tools/Makefile.am               |  1 +
>  tools/libvirt_recover_xattrs.sh | 89 +++++++++++++++++++++++++++++++++
>  2 files changed, 90 insertions(+)
>  create mode 100755 tools/libvirt_recover_xattrs.sh
> 
> diff --git a/tools/Makefile.am b/tools/Makefile.am
> index f069167acc..1dc009c4fb 100644
> --- a/tools/Makefile.am
> +++ b/tools/Makefile.am
> @@ -75,6 +75,7 @@ EXTRA_DIST = \
>  	virt-login-shell.conf \
>  	virsh-edit.c \
>  	bash-completion/vsh \
> +	libvirt_recover_xattrs.sh \
>  	$(PODFILES) \
>  	$(MANINFILES) \
>  	$(NULL)
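
Review bot: libvirt_recover_xattrs.sh is added to EXTRA_DIST only, so it ships in the release tarball but nothing in this hunk installs it; since the script exists for administrators to run after a refcounting bug, either install it or document where to find it. The underscore file name also differs from the hyphenated entries around it (virt-login-shell.conf, bash-completion/vsh), so libvirt-recover-xattrs.sh would match the directory's convention.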

> +XATTRS=("trusted.libvirt.security.dac"
> +        "trusted.libvirt.security.ref_dac"
> +        "trusted.libvirt.security.selinux"
> +        "trusted.libvirt.security.ref_selinux")
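
Review bot: the four names in XATTRS are hard-coded copies of the attribute names libvirt sets, so a rename or an added attribute leaves this recovery script silently incomplete; add a comment pointing at wherever the C code defines these names so the two stay in step, or match on the trusted.libvirt.security. prefix instead of an exact list. The XATTRS=( ... ) form is also a bash array, so the script needs a bash interpreter line rather than /bin/sh, which the quoted portion does not show.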

Needs updating to account for FreeBSD naming now

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



