From patchwork Sun Aug 27 16:20:41 2017
X-Patchwork-Submitter: Cole Robinson
X-Patchwork-Id: 111089
From: Cole Robinson
To: libvirt-list@redhat.com
Date: Sun, 27 Aug 2017 12:20:41 -0400
Subject: [libvirt] [PATCH v2 1/2] security: add MANAGER_MOUNT_NAMESPACE flag
List-Id: Development discussions about the libvirt library & tools

The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver if
mount namespaces are in use for the VM. Will be used for future changes.

Wire it up in the qemu driver.

Signed-off-by: Cole Robinson
---
 src/qemu/qemu_driver.c          |  2 ++
 src/security/security_dac.c     | 10 ++++++++++
 src/security/security_dac.h     |  3 +++
 src/security/security_manager.c |  4 +++-
 src/security/security_manager.h |  1 +
 5 files changed, 19 insertions(+), 1 deletion(-)

-- 
2.13.5

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 2ba6c80c4..ea1a85b41 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -419,6 +419,8 @@ qemuSecurityInit(virQEMUDriverPtr driver) if (virQEMUDriverIsPrivileged(driver)) { if (cfg->dynamicOwnership) flags |= VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP; + if (virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT)) + flags |= VIR_SECURITY_MANAGER_MOUNT_NAMESPACE; if (!(mgr = qemuSecurityNewDAC(QEMU_DRIVER_NAME, cfg->user, cfg->group, diff --git a/src/security/security_dac.c b/src/security/security_dac.c index ca7a6af6d..507be44a2 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -57,6 +57,7 @@ struct _virSecurityDACData { gid_t *groups; int ngroups; bool dynamicOwnership; + bool mountNamespace; char *baselabel; virSecurityManagerDACChownCallback chownCallback; }; @@ -238,6 +239,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr, } void +virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr, + bool mountNamespace) +{ + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); + priv->mountNamespace = mountNamespace; +} + + +void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr, virSecurityManagerDACChownCallback chownCallback) { diff --git a/src/security/security_dac.h b/src/security/security_dac.h index 846cefbb5..97681c961 100644 --- a/src/security/security_dac.h +++ b/src/security/security_dac.h @@ -32,6 +32,9 @@ int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr, void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr, bool dynamic); +void virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr, + bool mountNamespace); + void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr, virSecurityManagerDACChownCallback chownCallback); diff --git a/src/security/security_manager.c b/src/security/security_manager.c index 95b995230..e43c99d4f 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c 
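Review bot: in the security_dac.c hunk the new `bool mountNamespace;` field is stored by virSecurityDACSetMountNamespace but nothing reads it yet, and the commit message only says it "will be used for future changes"; add a one-line comment next to the field (as the commit message does) stating what it means, i.e. that the VM is started in its own mount namespace so the DAC driver may chown shared device nodes without affecting other users of the host path, so the next reader of struct _virSecurityDACData doesn't have to find this series. The qemu_driver.c hunk is placed correctly: the flag is ORed in inside the same `virQEMUDriverIsPrivileged(driver)` block as VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP, right before the only consumer that accepts it, `qemuSecurityNewDAC(QEMU_DRIVER_NAME, cfg->user, cfg->group, ...)`.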
@@ -146,7 +146,8 @@ virSecurityManagerNewDAC(const char *virtDriver, virSecurityManagerPtr mgr; virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK | - VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP, NULL); + VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP | + VIR_SECURITY_MANAGER_MOUNT_NAMESPACE, NULL); mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC, virtDriver, @@ -161,6 +162,7 @@ virSecurityManagerNewDAC(const char *virtDriver, } virSecurityDACSetDynamicOwnership(mgr, flags & VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP); + virSecurityDACSetMountNamespace(mgr, flags & VIR_SECURITY_MANAGER_MOUNT_NAMESPACE); virSecurityDACSetChownCallback(mgr, chownCallback); return mgr; diff --git a/src/security/security_manager.h b/src/security/security_manager.h index 01296d339..08fb89203 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h 
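Review bot: in virSecurityManagerNewDAC the new flag is accepted by listing it explicitly in `virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK | VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP | VIR_SECURITY_MANAGER_MOUNT_NAMESPACE, NULL)`, the same way DYNAMIC_OWNERSHIP is, which makes it a DAC-only flag; the body of `VIR_SECURITY_MANAGER_NEW_MASK` is cut off in the security_manager.h context, so please confirm it is not also added there, otherwise the generic New path would silently accept a flag the other drivers ignore. Minor: `virSecurityDACSetMountNamespace(mgr, flags & VIR_SECURITY_MANAGER_MOUNT_NAMESPACE)` passes an unsigned int to the `bool mountNamespace` parameter declared in security_dac.h; C's conversion to bool makes this correct, and it mirrors the DYNAMIC_OWNERSHIP line above it, but `!!(flags & ...)` would make the intent explicit.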
@@ -36,6 +36,7 @@ typedef enum { VIR_SECURITY_MANAGER_REQUIRE_CONFINED = 1 << 2, VIR_SECURITY_MANAGER_PRIVILEGED = 1 << 3, VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP = 1 << 4, + VIR_SECURITY_MANAGER_MOUNT_NAMESPACE = 1 << 5, } virSecurityManagerNewFlags; # define VIR_SECURITY_MANAGER_NEW_MASK \

From patchwork Sun Aug 27 16:20:42 2017
X-Patchwork-Submitter: Cole Robinson
X-Patchwork-Id: 111090
From: Cole Robinson
To: libvirt-list@redhat.com
Date: Sun, 27 Aug 2017 12:20:42 -0400
Message-Id: <5531dc0a1a754d362478b2cda42b905a7bbb72d5.1503850638.git.crobinso@redhat.com>
Subject: [libvirt] [PATCH v2 2/2] security: dac: relabel spice rendernode

For a logged in user, a path like /dev/dri/renderD128 will have default
ownership root:video, which won't work for the qemu:qemu user, so we need
to chown it.

We only do this when mount namespaces are enabled in the qemu driver, so
the chown'ing doesn't interfere with other users of the shared render
node path.

https://bugzilla.redhat.com/show_bug.cgi?id=1460804
Signed-off-by: Cole Robinson
---
The restore bit is also motivated by a bug I hit when testing this:
DAC /dev/* permissions are 'restored' to root:root even with mount
namespaces enabled: https://bugzilla.redhat.com/show_bug.cgi?id=1485719

 src/security/security_dac.c | 58 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

-- 
2.13.5

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 507be44a2..349dbe81d 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1381,6 +1381,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr, static int +virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virDomainGraphicsDefPtr gfx) + +{ + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); + virSecurityLabelDefPtr seclabel; + uid_t user; + gid_t group; + + /* Skip chowning the shared render file if namespaces are disabled */ + if (!priv->mountNamespace) + return 0; + + seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); + if (seclabel && !seclabel->relabel) + return 0; + + if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0) + return -1; + + if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE && + gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES && + gfx->data.spice.rendernode) { + if (virSecurityDACSetOwnership(priv, NULL, + gfx->data.spice.rendernode, + user, group) < 0) + return -1; + } + + return 0; +} + + +static int +virSecurityDACRestoreGraphicsLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED, + virDomainGraphicsDefPtr gfx ATTRIBUTE_UNUSED) + +{ + /* The only graphics labelling we do is dependent on mountNamespaces, + in which case 'restoring' the label doesn't actually accomplish + anything, so there's nothing to do here */ + return 0; +} + + +static int virSecurityDACSetInputLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, virDomainInputDefPtr input) @@ -1491,6 +1539,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, rc = -1; } + for (i = 0; i < def->ngraphics; i++) { + if (virSecurityDACRestoreGraphicsLabel(mgr, def, def->graphics[i]) < 0) + return -1; + } + for (i = 0; i < def->ninputs; i++) { if (virSecurityDACRestoreInputLabel(mgr, def, def->inputs[i]) < 0) rc = -1; 
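Review bot: in virSecurityDACSetGraphicsLabel the check `gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE && gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES && gfx->data.spice.rendernode` comes after the seclabel lookup and the virSecurityDACGetIds call, so every VNC or non-GL SPICE device still resolves the owner IDs and a failure there aborts labelling even though nothing would be chowned; move that test up next to the `if (!priv->mountNamespace) return 0;` early exit and let the function return 0 before doing any work. Style: both new functions have a blank line between the closing `)` of the parameter list and the opening `{`; patch 1's virSecurityDACSetMountNamespace puts `{` directly on the next line, and these should match.

Review bot: in the virSecurityDACRestoreAllLabel hunk the new graphics loop does `return -1` on failure, while the loop ending just above it records the error with `rc = -1; }` and the ninputs loop below it also uses `rc = -1;` so that the remaining devices still get restored. Use `rc = -1;` here as well; it makes no difference today because virSecurityDACRestoreGraphicsLabel always returns 0, but the first real failure in it would otherwise leave every input device after it unrestored.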
@@ -1611,6 +1664,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, return -1; } + for (i = 0; i < def->ngraphics; i++) { + if (virSecurityDACSetGraphicsLabel(mgr, def, def->graphics[i]) < 0) + return -1; + } + for (i = 0; i < def->ninputs; i++) { if (virSecurityDACSetInputLabel(mgr, def, def->inputs[i]) < 0) return -1;
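Review bot: `return -1` here matches the surrounding virSecurityDACSetAllLabel loops (the ninputs loop directly below does the same), so the error handling is consistent. What is missing is a note for the reader: the loop looks like an unconditional relabel of every graphics device, while virSecurityDACSetGraphicsLabel only acts when `priv->mountNamespace` is set and the commit message is where the reason lives (the chown must not interfere with other users of the shared render node). A one-line comment above the loop, e.g. "rendernode is only chowned when the VM has its own mount namespace", would keep that invariant visible next to the code that depends on it.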