From: Jim Fehlig
To: libvir-list@redhat.com
Date: Wed, 16 Aug 2017 17:54:07 -0600
Message-Id: <20170816235408.11670-2-jfehlig@suse.com>
In-Reply-To: <20170816235408.11670-1-jfehlig@suse.com>
Subject: [libvirt] [PATCH V2 1/2] Fix building domain def in securityselinuxtest

The virDomainDef created by testBuildDomainDef in securityselinuxtest adds a seclabel but does not increment nseclabels. Also, it should populate seclabel->model with 'selinux'. While at it, use the secdef itself to populate values instead of the indirection through def->seclabels[0].

Signed-off-by: Jim Fehlig --- tests/securityselinuxtest.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/tests/securityselinuxtest.c b/tests/securityselinuxtest.c index 767b6cc02..f6143fb06 100644 --- a/tests/securityselinuxtest.c +++ b/tests/securityselinuxtest.c 
@@ -73,24 +73,28 @@ testBuildDomainDef(bool dynamic, if (!(def =3D virDomainDefNew())) goto error; =20 + def->virtType =3D VIR_DOMAIN_VIRT_KVM; if (VIR_ALLOC_N(def->seclabels, 1) < 0) goto error; =20 + def->nseclabels++; + if (VIR_ALLOC(secdef) < 0) goto error; =20 - def->virtType =3D VIR_DOMAIN_VIRT_KVM; - def->seclabels[0] =3D secdef; - def->seclabels[0]->type =3D dynamic ? VIR_DOMAIN_SECLABEL_DYNAMIC : VI= R_DOMAIN_SECLABEL_STATIC; + if (VIR_STRDUP(secdef->model, "selinux") < 0) + goto error; =20 + secdef->type =3D dynamic ? VIR_DOMAIN_SECLABEL_DYNAMIC : VIR_DOMAIN_SE= CLABEL_STATIC; if (label && - VIR_STRDUP(def->seclabels[0]->label, label) < 0) + VIR_STRDUP(secdef->label, label) < 0) goto error; =20 if (baselabel && - VIR_STRDUP(def->seclabels[0]->baselabel, baselabel) < 0) + VIR_STRDUP(secdef->baselabel, baselabel) < 0) goto error; =20 + def->seclabels[0] =3D secdef; return def; =20 error: --=20 2.13.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
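
Review bot: In testBuildDomainDef (tests/securityselinuxtest.c), def->nseclabels++ runs right after VIR_ALLOC_N, but def->seclabels[0] is only assigned on the last added line before return def. Every goto error in between (the VIR_ALLOC(secdef) check and the three VIR_STRDUP calls) therefore leaves def claiming one seclabel whose slot was never set, and leaves secdef unreachable from def. The body of the error: label is not visible in this hunk, so please confirm that it frees secdef on its own and that freeing def tolerates the unset slot. Otherwise move the increment down next to the def->seclabels[0] assignment, or attach secdef to def immediately after VIR_ALLOC(secdef) as the removed lines did.
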

From: Jim Fehlig
To: libvir-list@redhat.com
Date: Wed, 16 Aug 2017 17:54:08 -0600
Message-Id: <20170816235408.11670-3-jfehlig@suse.com>
In-Reply-To: <20170816235408.11670-1-jfehlig@suse.com>
Subject: [libvirt] [PATCH V2 2/2] Don't autogenerate seclabels of type 'none'

When security drivers are active but confinement is not enabled, there is no need to autogenerate <seclabel> elements when starting a domain def that contains no <seclabel> elements. In fact, autogenerating the elements can result in needless save/restore and migration failures when the security driver is not active on the restore/migration target.

This patch changes the virSecurityManagerGenLabel function in src/security_manager.c to only autogenerate a <seclabel> element if none is already defined for the domain *and* default confinement is enabled. Otherwise the needless autogeneration is skipped.

Resolves: https://bugzilla.opensuse.org/show_bug.cgi?id=1051017
Signed-off-by: Jim Fehlig
---
V2: Don't autogenerate a seclabel if domain does not contain one and confinement is disabled.

src/security/security_manager.c | 42 +++++++++++++++++++++----------------= ---- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/src/security/security_manager.c b/src/security/security_manage= r.c index 013bbc37e..10515c314 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c
@@ -650,30 +650,32 @@ virSecurityManagerGenLabel(virSecurityManagerPtr mgr, for (i =3D 0; sec_managers[i]; i++) { generated =3D false; seclabel =3D virDomainDefGetSecurityLabelDef(vm, sec_managers[i]->= drv->name); - if (!seclabel) { - if (!(seclabel =3D virSecurityLabelDefNew(sec_managers[i]->drv= ->name))) - goto cleanup; - generated =3D seclabel->implicit =3D true; - } + if (seclabel) { + if (seclabel->type =3D=3D VIR_DOMAIN_SECLABEL_DEFAULT) { + if (virSecurityManagerGetDefaultConfined(sec_managers[i]))= { + seclabel->type =3D VIR_DOMAIN_SECLABEL_DYNAMIC; + } else { + seclabel->type =3D VIR_DOMAIN_SECLABEL_NONE; + seclabel->relabel =3D false; + } + } =20 - if (seclabel->type =3D=3D VIR_DOMAIN_SECLABEL_DEFAULT) { + if (seclabel->type =3D=3D VIR_DOMAIN_SECLABEL_NONE) { + if (virSecurityManagerGetRequireConfined(sec_managers[i]))= { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("Unconfined guests are not allowed on= this host")); + goto cleanup; + } + } + } else { + /* Only generate seclabel if confinement is enabled */ if (virSecurityManagerGetDefaultConfined(sec_managers[i])) { + if (!(seclabel =3D virSecurityLabelDefNew(sec_managers[i]-= >drv->name))) + goto cleanup; + generated =3D seclabel->implicit =3D true; seclabel->type =3D VIR_DOMAIN_SECLABEL_DYNAMIC; } else { - seclabel->type =3D VIR_DOMAIN_SECLABEL_NONE; - seclabel->relabel =3D false; - } - } - - if (seclabel->type =3D=3D VIR_DOMAIN_SECLABEL_NONE) { - if (virSecurityManagerGetRequireConfined(sec_managers[i])) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("Unconfined guests are not allowed on thi= s host")); - goto cleanup; - } else if (vm->nseclabels && generated) { - VIR_DEBUG("Skipping auto generated seclabel of type none"); - virSecurityLabelDefFree(seclabel); - seclabel =3D NULL; + VIR_DEBUG("Skipping auto generated seclabel"); continue; } } --=20 2.13.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
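
Review bot: The new else branch in virSecurityManagerGenLabel (domain has no seclabel for this driver) reaches continue when virSecurityManagerGetDefaultConfined() is false without ever calling virSecurityManagerGetRequireConfined(). In the removed code, a label generated for such a domain that ended up as VIR_DOMAIN_SECLABEL_NONE still went through the require-confined check first, so a host that requires confinement rejected it with "Unconfined guests are not allowed on this host"; after this change the same domain is skipped and that error is never raised. Suggest checking virSecurityManagerGetRequireConfined(sec_managers[i]) in the else branch before the VIR_DEBUG and continue, and reporting the same VIR_ERR_CONFIG_UNSUPPORTED error there. The new debug message could also name sec_managers[i]->drv->name so the log shows which driver was skipped.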