From nobody Fri Apr 26 14:34:24 2024
Delivered-To: importer@patchew.org
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1566208919451442.26939699631805; Mon, 19 Aug 2019 03:01:59 -0700 (PDT)
From: Andrea Bolognani
To: libvir-list@redhat.com
Date: Mon, 19 Aug 2019 12:01:40 +0200
Message-Id: <20190819100142.16104-2-abologna@redhat.com>
In-Reply-To: <20190819100142.16104-1-abologna@redhat.com>
References: <20190819100142.16104-1-abologna@redhat.com>
Subject: [libvirt] [PATCH 1/3] virt-aa-helper: Use virCommand APIs directly
List-Id: Development discussions about the libvirt library & tools
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Right now we're using the virRun() convenience API, but that doesn't
allow the kind of control we want. Use the virCommand APIs directly
instead.

Signed-off-by: Andrea Bolognani
Reviewed-by: Ján Tomko
---
 src/security/virt-aa-helper.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index ad9a7dda94..c5080f698a 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -170,7 +170,9 @@ parserCommand(const char *profile_name, const char cmd) const char * const argv[] =3D { "/sbin/apparmor_parser", flag, profile, NULL }; - if ((ret =3D virRun(argv, &status)) !=3D 0 || + VIR_AUTOPTR(virCommand) command =3D virCommandNewArgs(argv); + + if ((ret =3D virCommandRun(command, &status)) !=3D 0 || (WIFEXITED(status) && WEXITSTATUS(status) !=3D 0)) { if (ret !=3D 0) { vah_error(NULL, 0, _("failed to run apparmor_parser"));
-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

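Review bot: the `WIFEXITED(status) && WEXITSTATUS(status) != 0` test kept in this hunk assumes `status` is a raw wait status, but virCommandRun() hands back a processed exit code unless virCommandRawStatus() has been called on the command first (patch 2/3 of this series adds exactly that call), so after this patch alone a non-zero exit of apparmor_parser is still not caught by the second half of the condition. Either fold the virCommandRawStatus() call into this patch, or state in the commit message that the status check is deliberately left as it was and is fixed separately, so a bisect landing here is not misread as a regression.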
From: Andrea Bolognani
To: libvir-list@redhat.com
Date: Mon, 19 Aug 2019 12:01:41 +0200
Message-Id: <20190819100142.16104-3-abologna@redhat.com>
In-Reply-To: <20190819100142.16104-1-abologna@redhat.com>
References: <20190819100142.16104-1-abologna@redhat.com>
Subject: [libvirt] [PATCH 2/3] virt-aa-helper: Call virCommandRawStatus()
List-Id: Development discussions about the libvirt library & tools
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

The way we're processing the return status, using WIFEXITED() and
friends, only works when we have the raw return status; however,
virCommand defaults to processing the return status for us.

Call virCommandRawStatus() before virCommandRun() so that we get the
raw return status and the logic can actually work.

This results in guest startup failures caused by AppArmor issues being
reported much earlier: for example, if virt-aa-helper exits with an
error we're now reporting

  error: internal error: cannot load AppArmor profile 'libvirt-b20e9a8e-091a-45e0-8823-537119e98bc6'

instead of the misleading

  error: internal error: Process exited prior to exec: libvirt: error : unable to set AppArmor profile 'libvirt-b20e9a8e-091a-45e0-8823-537119e98bc6' for '/usr/bin/qemu-system-x86_64': No such file or directory

Signed-off-by: Andrea Bolognani
Reviewed-by: Ján Tomko
Suggested-by: Ján Tomko
---
 src/security/virt-aa-helper.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index c5080f698a..60c9b75980 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -172,6 +172,7 @@ parserCommand(const char *profile_name, const char cmd) }; VIR_AUTOPTR(virCommand) command =3D virCommandNewArgs(argv); =20 + virCommandRawStatus(command); if ((ret =3D virCommandRun(command, &status)) !=3D 0 || (WIFEXITED(status) && WEXITSTATUS(status) !=3D 0)) { if (ret !=3D 0) {
-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

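Review bot: once the raw wait status is passed through, the condition in this hunk is the only place that decides whether apparmor_parser failed, and it only treats a normal exit with a non-zero code as failure: when `ret` is 0 but the child was terminated by a signal, `WIFEXITED(status)` is false, the `||` falls through, and parserCommand() carries on as if the profile had been loaded. Suggest `!WIFEXITED(status) || WEXITSTATUS(status) != 0` so that every abnormal termination ends up in the `vah_error(... "apparmor_parser exited with error")` path, and a short note in the commit message that callers now own the full termination handling.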
From: Andrea Bolognani
To: libvir-list@redhat.com
Date: Mon, 19 Aug 2019 12:01:42 +0200
Message-Id: <20190819100142.16104-4-abologna@redhat.com>
In-Reply-To: <20190819100142.16104-1-abologna@redhat.com>
References: <20190819100142.16104-1-abologna@redhat.com>
Subject: [libvirt] [PATCH 3/3] virt-aa-helper: Fix AppArmor profile
List-Id: Development discussions about the libvirt library & tools
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Since commit

  commit 432faf259b696043ee5d7e8f657d855419a9a3fa
  Author: Michal Privoznik
  Date:   Tue Jul 2 19:49:51 2019 +0200

      virCommand: use procfs to learn opened FDs

      When spawning a child process, between fork() and exec() we close
      all file descriptors and keep only those the caller wants us to
      pass onto the child. The problem is how we do that. Currently, we
      get the limit of opened files and then iterate through each one
      of them and either close() it or make it survive exec(). This
      approach is suboptimal (although, not that much in default
      configurations where the limit is pretty low - 1024). We have
      /proc where we can learn what FDs we hold open and thus we can
      selectively close only those.
      Signed-off-by: Michal Privoznik
      Reviewed-by: Ján Tomko

  v5.5.0-173-g432faf259b

programs using the virCommand APIs on Linux need read access to
/proc/self/fd, or they will fail like

  error : virCommandWait:2796 : internal error: Child process (LIBVIRT_LOG_OUTPUTS=3:stderr /usr/lib/libvirt/virt-aa-helper -c -u libvirt-b20e9a8e-091a-45e0-8823-537119e98bc6) unexpected exit status 1: libvirt: error : cannot open directory '/proc/self/fd': Permission denied
  virt-aa-helper: error: apparmor_parser exited with error

Update the AppArmor profile for virt-aa-helper so that read access to
the relevant path is granted.

Signed-off-by: Andrea Bolognani
Reviewed-by: Ján Tomko
---
 src/security/apparmor/usr.lib.libvirt.virt-aa-helper | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
index bf6bd297d1..d81dddef30 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper
@@ -17,6 +17,10 @@ profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-= helper { owner @{PROC}/[0-9]*/status r, @{PROC}/filesystems r, =20 + # Used when internally running another command (namely apparmor_parser) + @{PROC}/self/fd r, + @{PROC}/@{pid}/fd r, + /etc/libnl-3/classid r, =20 # for gl enabled graphics
-- 
2.21.0

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
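Review bot: the comment added above the two new rules should explain why both spellings are listed: /proc/self is a symlink that the kernel resolves to /proc/<pid>, so the directory read that virCommand performs is mediated against the `@{PROC}/@{pid}/fd` path, and the `@{PROC}/self/fd` rule only covers the symlink itself. Also, `@{PROC}/@{pid}/fd r,` as written grants directory reads on every process's fd table, while the commit message says the helper only needs its own; `owner @{PROC}/@{pid}/fd r,` would limit it to processes running as the same user and match the existing `owner @{PROC}/[0-9]*/status r,` line in the context.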