From nobody Sun Feb 8 19:24:20 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1565793223; cv=none; d=zoho.com; s=zohoarc; b=iJXYruezL9CQpGfAInOLeJUN0ik2HJCkzv3zw+qQmSm6amVaswf0seUz3/9rigkuJuyMHuvi8zZbOq0KTXmFpkyvAHcC6naZNb9wyE+m+5dW99ZJfZB5hcH3FzDQ9+j5Gfd35TVTRAoctdYQaRC7dzQEv+1j8FWnRhcBA5vmbsc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1565793223; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=C2FyaWbOXkDYCdWItBOQ/YKXVV2klYhuEydZ0wsezLU=; b=J2jghrAe5N2iemHIVvCjwqUZQjXqfyQHNanwEe8zfMLYZw32IXpxMtM+AV896HdTUsGaaGIiXjCp1Kn3+Fb1FMkrT/YE1wfU7DDGvbk4aFYVMxL3vvgpbZeiTgTXMwYmC9jF0EXCupjBvH7TLs4jZem3PfjEpJGphCUQZ+eYHQY= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1565793223021773.5788702004236; Wed, 14 Aug 2019 07:33:43 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 9B0AD8E37A; Wed, 14 Aug 2019 14:33:41 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 78A7A7A2E1; Wed, 14 Aug 2019 14:33:41 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 314B91806B09; Wed, 14 Aug 2019 14:33:41 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x7EEXXPL022551 for ; Wed, 14 Aug 2019 10:33:33 -0400 Received: by smtp.corp.redhat.com (Postfix) id B56B48328E; Wed, 14 Aug 2019 14:33:33 +0000 (UTC) Received: from moe.brq.redhat.com (unknown [10.43.2.30]) by smtp.corp.redhat.com (Postfix) with ESMTP id 415668328B for ; Wed, 14 Aug 2019 14:33:33 +0000 (UTC) From: Michal Privoznik To: libvir-list@redhat.com Date: Wed, 14 Aug 2019 16:33:23 +0200 Message-Id: <3f9026eed7bf62cc8ad910156406e34a4b9eaa04.1565790969.git.mprivozn@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 5/5] security_util: Remove stale XATTRs X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Wed, 14 Aug 2019 14:33:42 +0000 (UTC) Content-Type: text/plain; charset="utf-8" It may happen that we leave some XATTRs behind. For instance, on a sudden power loss, the host just shuts down without calling restore on domain paths. This creates a problem, because when the host starts up again, the XATTRs are there but they don't reflect the true state and this may result in libvirt denying start of a domain. To solve this, save a unique timestamp among with our XATTRs. The timestamp consists of host UUID + boot timestamp. Signed-off-by: Michal Privoznik --- src/security/security_util.c | 202 ++++++++++++++++++++++++++++++++++- tests/qemusecuritymock.c | 12 +++ 2 files changed, 213 insertions(+), 1 deletion(-) diff --git a/src/security/security_util.c b/src/security/security_util.c index 365b2dd2d6..d063f526be 100644 --- a/src/security/security_util.c +++ b/src/security/security_util.c @@ -22,11 +22,16 @@ #include "virfile.h" #include "virstring.h" #include "virerror.h" +#include "virlog.h" +#include "viruuid.h" +#include "virhostuptime.h" =20 #include "security_util.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 +VIR_LOG_INIT("security.security_util"); + /* There are four namespaces available on Linux (xattr(7)): * * user - can be modified by anybody, @@ -83,6 +88,157 @@ virSecurityGetRefCountAttrName(const char *name ATTRIBU= TE_UNUSED) } =20 =20 +static char * +virSecurityGetTimestampAttrName(const char *name ATTRIBUTE_UNUSED) +{ + char *ret =3D NULL; +#ifdef XATTR_NAMESPACE + ignore_value(virAsprintf(&ret, XATTR_NAMESPACE".libvirt.security.times= tamp_%s", name)); +#else + errno =3D ENOSYS; + virReportSystemError(errno, "%s", + _("Extended attributes are not supported on this = system")); +#endif + return ret; +} + + +/* This global timestamp holds combination of host UUID + boot time so tha= t we + * can detect stale XATTRs. For instance, on a sudden power loss, XATTRs a= re + * not going to change (nobody will call restoreLabel()) and thus they ref= lect + * state from just before the power loss and if there was a machine runnin= g, + * then XATTRs there are stale and no one will ever remove them. They don't + * reflect the true state (most notably the ref counter). + */ +static char *timestamp; + + +static int +virSecurityEnsureTimestamp(void) +{ + unsigned char uuid[VIR_UUID_BUFLEN] =3D {0}; + char uuidstr[VIR_UUID_STRING_BUFLEN] =3D {0}; + unsigned long long boottime =3D 0; + + if (timestamp) + return 0; + + if (virGetHostUUID(uuid) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + "%s", _("cannot get the host uuid")); + return -1; + } + + virUUIDFormat(uuid, uuidstr); + + if (virHostGetBootTime(&boottime) < 0) { + virReportSystemError(errno, "%s", + _("Unable to get host boot time")); + return -1; + } + + if (virAsprintf(×tamp, "%s-%llu", uuidstr, boottime) < 0) + return -1; + + return 0; +} + + +/** + * virSecurityValidateTimestamp: + * @name: security driver name + * @path: file name + * + * Check if remembered label on @path for security driver @name + * is valid, i.e. the label has been set since the last boot. If + * the label was set in previous runs, all XATTRs related to + * @name are removed so that clean slate is restored. + * + * Returns: 0 if remembered label is valid, + * 1 if remembered label was not valid, + * -1 otherwise. + */ +static int +virSecurityValidateTimestamp(const char *name, + const char *path) +{ + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + VIR_AUTOFREE(char *) value =3D NULL; + + if (virSecurityEnsureTimestamp() < 0) + return -1; + + if (!(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + return -1; + + errno =3D 0; + if (virFileGetXAttrQuiet(path, timestamp_name, &value) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) { + /* XATTRs are not supported. */ + return -1; + } else if (errno !=3D ENODATA) { + virReportSystemError(errno, + _("Unable to get XATTR %s on %s"), + timestamp_name, + path); + return -1; + } + + /* Timestamp is missing. We can continue and claim a valid timesta= mp. + * But then we would never remove stale XATTRs. Therefore, claim it + * invalid and have the code below remove all XATTRs. This of cour= se + * means that we will not restore the original owner, but the plus= side + * is that we reset refcounter which will represent the true state. + */ + } + + if (STREQ_NULLABLE(value, timestamp)) { + /* Hooray, XATTRs are valid. */ + VIR_DEBUG("XATTRs on %s secdriver=3D%s are valid", path, name); + return 0; + } + + VIR_WARN("Invalid XATTR timestamp detected on %s secdriver=3D%s", path= , name); + + if (virSecurityMoveRememberedLabel(name, path, NULL) < 0) + return -1; + + return 1; +} + + +static int +virSecurityAddTimestamp(const char *name, + const char *path) +{ + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + + if (virSecurityEnsureTimestamp() < 0) + return -1; + + if (!(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + return -1; + + return virFileSetXAttr(path, timestamp_name, timestamp); +} + + +static int +virSecurityRemoveTimestamp(const char *name, + const char *path) +{ + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + + if (!(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + return -1; + + if (virFileRemoveXAttr(path, timestamp_name) < 0 && errno !=3D ENOENT) + return -1; + + return 0; +} + + /** * virSecurityGetRememberedLabel: * @name: security driver name @@ -120,6 +276,12 @@ virSecurityGetRememberedLabel(const char *name, =20 *label =3D NULL; =20 + if (virSecurityValidateTimestamp(name, path) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) + return -2; + return -1; + } + if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) return -1; =20 @@ -163,6 +325,9 @@ virSecurityGetRememberedLabel(const char *name, =20 if (virFileRemoveXAttr(path, attr_name) < 0) return -1; + + if (virSecurityRemoveTimestamp(name, path) < 0) + return -1; } =20 return 0; @@ -199,6 +364,12 @@ virSecuritySetRememberedLabel(const char *name, VIR_AUTOFREE(char *) value =3D NULL; unsigned int refcount =3D 0; =20 + if (virSecurityValidateTimestamp(name, path) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) + return -2; + return -1; + } + if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) return -1; =20 @@ -232,6 +403,9 @@ virSecuritySetRememberedLabel(const char *name, =20 if (virFileSetXAttr(path, attr_name, label) < 0) return -1; + + if (virSecurityAddTimestamp(name, path) < 0) + return -1; } =20 if (virAsprintf(&value, "%u", refcount) < 0) @@ -266,9 +440,12 @@ virSecurityMoveRememberedLabel(const char *name, VIR_AUTOFREE(char *) ref_value =3D NULL; VIR_AUTOFREE(char *) attr_name =3D NULL; VIR_AUTOFREE(char *) attr_value =3D NULL; + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + VIR_AUTOFREE(char *) timestamp_value =3D NULL; =20 if (!(ref_name =3D virSecurityGetRefCountAttrName(name)) || - !(attr_name =3D virSecurityGetAttrName(name))) + !(attr_name =3D virSecurityGetAttrName(name)) || + !(timestamp_name =3D virSecurityGetTimestampAttrName(name))) return -1; =20 if (virFileGetXAttrQuiet(src, ref_name, &ref_value) < 0) { @@ -293,6 +470,17 @@ virSecurityMoveRememberedLabel(const char *name, } } =20 + if (virFileGetXAttrQuiet(src, timestamp_name, ×tamp_value) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) { + return -2; + } else if (errno !=3D ENODATA) { + virReportSystemError(errno, + _("Unable to get XATTR %s on %s"), + attr_name, src); + return -1; + } + } + if (ref_value && virFileRemoveXAttr(src, ref_name) < 0) { return -1; @@ -303,6 +491,11 @@ virSecurityMoveRememberedLabel(const char *name, return -1; } =20 + if (timestamp_value && + virFileRemoveXAttr(src, timestamp_name) < 0) { + return -1; + } + if (dst) { if (ref_value && virFileSetXAttr(dst, ref_name, ref_value) < 0) { @@ -314,6 +507,13 @@ virSecurityMoveRememberedLabel(const char *name, ignore_value(virFileRemoveXAttr(dst, ref_name)); return -1; } + + if (timestamp_value && + virFileSetXAttr(dst, timestamp_name, timestamp_value) < 0) { + ignore_value(virFileRemoveXAttr(dst, ref_name)); + ignore_value(virFileRemoveXAttr(dst, attr_name)); + return -1; + } } =20 return 0; diff --git a/tests/qemusecuritymock.c b/tests/qemusecuritymock.c index a15eef29c9..373d64305a 100644 --- a/tests/qemusecuritymock.c +++ b/tests/qemusecuritymock.c @@ -32,6 +32,7 @@ #include "viralloc.h" #include "qemusecuritytest.h" #include "security/security_manager.h" +#include "virhostuptime.h" =20 #define VIR_FROM_THIS VIR_FROM_NONE =20 @@ -488,3 +489,14 @@ virProcessRunInFork(virProcessForkCallback cb, { return cb(-1, opaque); } + + +/* We don't really need to mock this function. The qemusecuritytest doesn't + * care about the actual value. However, travis runs build and tests in a + * container where utmp is missing and thus this function fails. */ +int +virHostGetBootTime(unsigned long long *when) +{ + *when =3D 1234567890; + return 0; +} --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list