From: Cédric Bosdonnat
To: libvir-list@redhat.com
Date: Thu, 8 Jun 2017 18:34:06 +0200
Message-Id: <20170608163407.6392-2-cbosdonnat@suse.com>
In-Reply-To: <20170608163407.6392-1-cbosdonnat@suse.com>
Subject: [libvirt] [sandbox 1/2] Pass debug and verbose values to init

libvirt-sandbox-init-common is expecting -d and -v parameters to set it in debug or verbose mode... but those will never be passed by the launcher program. Writing the core.debug and core.verbose parameters in the sandbox configuration makes those values actually usable from the init.
--- bin/virt-sandbox.c | 3 ++ libvirt-sandbox/libvirt-sandbox-config.c | 75 +++++++++++++++++++++++= ++++ libvirt-sandbox/libvirt-sandbox-config.h | 6 +++ libvirt-sandbox/libvirt-sandbox-init-common.c | 3 ++ libvirt-sandbox/libvirt-sandbox.sym | 4 ++ 5 files changed, 91 insertions(+) diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c index 3058013..6032562 100644 --- a/bin/virt-sandbox.c +++ b/bin/virt-sandbox.c @@ -273,6 +273,9 @@ int main(int argc, char **argv) { if (shell) gvir_sandbox_config_set_shell(cfg, TRUE); =20 + gvir_sandbox_config_set_debug(cfg, debug); + gvir_sandbox_config_set_verbose(cfg, verbose); + if (isatty(STDIN_FILENO)) gvir_sandbox_config_interactive_set_tty(icfg, TRUE); =20 diff --git a/libvirt-sandbox/libvirt-sandbox-config.c b/libvirt-sandbox/lib= virt-sandbox-config.c index 8709736..73a0fa4 100644 --- a/libvirt-sandbox/libvirt-sandbox-config.c +++ b/libvirt-sandbox/libvirt-sandbox-config.c @@ -68,6 +68,9 @@ struct _GVirSandboxConfigPrivate =20 gchar *secLabel; gboolean secDynamic; + + gboolean debug; + gboolean verbose; }; =20 G_DEFINE_ABSTRACT_TYPE(GVirSandboxConfig, gvir_sandbox_config, G_TYPE_OBJE= CT); 
@@ -1926,6 +1929,59 @@ gboolean gvir_sandbox_config_set_security_opts(GVirS= andboxConfig *config, return ret; } =20 +/** + * gvir_sandbox_config_set_debug: + * @config: (transfer none): the sandbox config + * @debug: true if the container init should print debugging messages + * + * Set whether the container init should print debugging messages. + */ +void gvir_sandbox_config_set_debug(GVirSandboxConfig *config, gboolean deb= ug) +{ + GVirSandboxConfigPrivate *priv =3D config->priv; + priv->debug =3D debug; +} + +/** + * gvir_sandbox_config_get_debug: + * @config: (transfer none): the sandbox config + * + * Retrieves the sandbox debug flag + * + * Returns: the debug flag + */ +gboolean gvir_sandbox_config_get_debug(GVirSandboxConfig *config) +{ + GVirSandboxConfigPrivate *priv =3D config->priv; + return priv->debug; +} + +/** + * gvir_sandbox_config_set_verbose: + * @config: (transfer none): the sandbox config + * @verbose: true if the container init should be verbose + * + * Set whether the container init should be verbose. + */ +void gvir_sandbox_config_set_verbose(GVirSandboxConfig *config, gboolean v= erbose) +{ + GVirSandboxConfigPrivate *priv =3D config->priv; + priv->verbose =3D verbose; +} + +/** + * gvir_sandbox_config_get_verbose: + * @config: (transfer none): the sandbox config + * + * Retrieves the sandbox verbose flag + * + * Returns: the verbose flag + */ +gboolean gvir_sandbox_config_get_verbose(GVirSandboxConfig *config) +{ + GVirSandboxConfigPrivate *priv =3D config->priv; + return priv->verbose; +} =20 static GVirSandboxConfigMount *gvir_sandbox_config_load_config_mount(GKeyF= ile *file, guint= i, 
@@ -2415,6 +2471,22 @@ static gboolean gvir_sandbox_config_load_config(GVir= SandboxConfig *config, priv->secDynamic =3D b; } =20 + b =3D g_key_file_get_boolean(file, "core", "debug", &e); + if (e) { + g_error_free(e); + e =3D NULL; + } else { + priv->debug =3D b; + } + + b =3D g_key_file_get_boolean(file, "core", "verbose", &e); + if (e) { + g_error_free(e); + e =3D NULL; + } else { + priv->verbose =3D b; + } + ret =3D TRUE; cleanup: return ret; @@ -2677,6 +2749,9 @@ static void gvir_sandbox_config_save_config(GVirSandb= oxConfig *config, if (priv->secLabel) g_key_file_set_string(file, "security", "label", priv->secLabel); g_key_file_set_boolean(file, "security", "dynamic", priv->secDynamic); + + g_key_file_set_boolean(file, "core", "debug", priv->debug); + g_key_file_set_boolean(file, "core", "verbose", priv->verbose); } =20 =20 diff --git a/libvirt-sandbox/libvirt-sandbox-config.h b/libvirt-sandbox/lib= virt-sandbox-config.h index e5e53f7..8950e25 100644 --- a/libvirt-sandbox/libvirt-sandbox-config.h +++ b/libvirt-sandbox/libvirt-sandbox-config.h @@ -180,6 +180,12 @@ gboolean gvir_sandbox_config_set_security_opts(GVirSan= dboxConfig *config, const gchar *optstr, GError**error); =20 +void gvir_sandbox_config_set_debug(GVirSandboxConfig *config, gboolean deb= ug); +gboolean gvir_sandbox_config_get_debug(GVirSandboxConfig *config); + +void gvir_sandbox_config_set_verbose(GVirSandboxConfig *config, gboolean v= erbose); +gboolean gvir_sandbox_config_get_verbose(GVirSandboxConfig *config); + gchar **gvir_sandbox_config_get_command(GVirSandboxConfig *config); =20 G_END_DECLS diff --git a/libvirt-sandbox/libvirt-sandbox-init-common.c b/libvirt-sandbo= x/libvirt-sandbox-init-common.c index 7ea63cf..240ca83 100644 --- a/libvirt-sandbox/libvirt-sandbox-init-common.c +++ b/libvirt-sandbox/libvirt-sandbox-init-common.c 
@@ -1442,6 +1442,9 @@ int main(int argc, char **argv) { goto cleanup; } =20 + debug =3D gvir_sandbox_config_get_debug(config); + verbose =3D gvir_sandbox_config_get_verbose(config); + setenv("PATH", "/bin:/usr/bin:/usr/local/bin:/sbin/:/usr/sbin", 1); unsetenv("LD_LIBRARY_PATH"); =20 diff --git a/libvirt-sandbox/libvirt-sandbox.sym b/libvirt-sandbox/libvirt-= sandbox.sym index b7c5921..1bead3e 100644 --- a/libvirt-sandbox/libvirt-sandbox.sym +++ b/libvirt-sandbox/libvirt-sandbox.sym @@ -120,6 +120,8 @@ LIBVIRT_SANDBOX_0.6.0 { gvir_sandbox_config_get_userid; gvir_sandbox_config_get_username; gvir_sandbox_config_get_uuid; + gvir_sandbox_config_get_debug; + gvir_sandbox_config_get_verbose; gvir_sandbox_config_find_mount; gvir_sandbox_config_has_networks; gvir_sandbox_config_has_mounts; 
@@ -143,6 +145,8 @@ LIBVIRT_SANDBOX_0.6.0 { gvir_sandbox_config_set_security_label; gvir_sandbox_config_set_security_opts; gvir_sandbox_config_set_uuid; + gvir_sandbox_config_set_debug; + gvir_sandbox_config_set_verbose; =20 gvir_sandbox_config_initrd_add_module; gvir_sandbox_config_initrd_get_init; --=20 2.12.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
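Review bot: in the libvirt-sandbox-init-common.c hunk, `debug = gvir_sandbox_config_get_debug(config);` and `verbose = gvir_sandbox_config_get_verbose(config);` unconditionally overwrite both variables, so whatever the -d and -v options mentioned in the commit message set earlier in main() is discarded. Either combine the two sources (`debug = debug || gvir_sandbox_config_get_debug(config);`, and the same for verbose) or remove the now-dead option parsing, and state which in the commit message.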
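Review bot: in the gvir_sandbox_config_load_config hunk, both `if (e) { g_error_free(e); e = NULL; }` blocks swallow every error from g_key_file_get_boolean(), not only a missing key, so a malformed core.debug or core.verbose entry (G_KEY_FILE_ERROR_INVALID_VALUE) is silently treated as "keep the default" instead of being reported to the caller. Consider ignoring only G_KEY_FILE_ERROR_KEY_NOT_FOUND and G_KEY_FILE_ERROR_GROUP_NOT_FOUND via g_error_matches() and propagating anything else through the function's GError; since the two blocks differ only in the key name, a small helper would also remove the duplication.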
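Review bot: the four new accessors in the libvirt-sandbox-config.c hunk (gvir_sandbox_config_set_debug, gvir_sandbox_config_get_debug, gvir_sandbox_config_set_verbose, gvir_sandbox_config_get_verbose) dereference config->priv without checking their argument. A g_return_if_fail() in the setters and a g_return_val_if_fail(..., FALSE) in the getters on the config type-check macro (GVIR_SANDBOX_IS_CONFIG(), if that is the name the header uses) would turn a NULL or wrong-typed config into a warning rather than a crash, which is the usual pattern for public GObject API.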
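Review bot: in the two libvirt-sandbox.sym hunks, the new exports are added to the existing LIBVIRT_SANDBOX_0.6.0 version node. If 0.6.0 has already been released, adding symbols to it retroactively changes the ABI of a shipped version and they belong in a new node for the next release; if 0.6.0 is still the unreleased development version, a sentence in the commit message saying so would save reviewers the check.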
From: Cédric Bosdonnat
To: libvir-list@redhat.com
Date: Thu, 8 Jun 2017 18:34:07 +0200
Message-Id: <20170608163407.6392-3-cbosdonnat@suse.com>
In-Reply-To: <20170608163407.6392-1-cbosdonnat@suse.com>
Subject: [libvirt] [sandbox 2/2] machine: use squash security mode for non-root virt-sandbox mounts

When running virt-sandbox as a user with a host-bind mount, the user can't write in the mounted folder. If run as root, use the passthrough security mode, otherwise use the squashed one to fix this.
--- libvirt-sandbox/libvirt-sandbox-builder-machine.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libvirt-sandbox/libvirt-sandbox-builder-machine.c b/libvirt-sa= ndbox/libvirt-sandbox-builder-machine.c index 7204f71..b6f2218 100644 --- a/libvirt-sandbox/libvirt-sandbox-builder-machine.c +++ b/libvirt-sandbox/libvirt-sandbox-builder-machine.c @@ -589,7 +589,10 @@ static gboolean gvir_sandbox_builder_machine_construct= _devices(GVirSandboxBuilde =20 fs =3D gvir_config_domain_filesys_new(); gvir_config_domain_filesys_set_type(fs, GVIR_CONFIG_DOMAIN_FIL= ESYS_MOUNT); - gvir_config_domain_filesys_set_access_type(fs, GVIR_CONFIG_DOM= AIN_FILESYS_ACCESS_PASSTHROUGH); + if (getuid() =3D=3D 0) + gvir_config_domain_filesys_set_access_type(fs, GVIR_CONFIG= _DOMAIN_FILESYS_ACCESS_PASSTHROUGH); + else + gvir_config_domain_filesys_set_access_type(fs, GVIR_CONFIG= _DOMAIN_FILESYS_ACCESS_SQUASH); gvir_config_domain_filesys_set_source(fs, gvir_sandbox_config_moun= t_file_get_source(mfile)); gvir_config_domain_filesys_set_target(fs, target); --=20 2.12.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
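Review bot: in the gvir_sandbox_builder_machine_construct_devices hunk, `if (getuid() == 0)` picks the access mode from the uid of the virt-sandbox process, but what decides whether passthrough can work is the uid of the QEMU process serving the filesystem share, and with a system libvirt connection that is typically a dedicated unprivileged user even when virt-sandbox itself was started as root. Consider keying the choice off the connection type in use (session vs system) rather than getuid(), or at least explaining in the commit message why the caller's uid is an adequate proxy. Also worth a short comment next to the else branch: with GVIR_CONFIG_DOMAIN_FILESYS_ACCESS_SQUASH, ownership changes attempted from inside the sandbox are silently ignored rather than failing, which is acceptable for the stated use case but is a behavioural difference from passthrough that users of non-root sandboxes should know about.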