From nobody Mon Dec 8 02:36:48 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1544618476663397.0801781030964; Wed, 12 Dec 2018 04:41:16 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id BC2BB30014AA; Wed, 12 Dec 2018 12:41:14 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 559EC60C61; Wed, 12 Dec 2018 12:41:14 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 6FD11246E3; Wed, 12 Dec 2018 12:41:13 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id wBCCfCY5017130 for ; Wed, 12 Dec 2018 07:41:12 -0500 Received: by smtp.corp.redhat.com (Postfix) id 63EA95D73F; Wed, 12 Dec 2018 12:41:12 +0000 (UTC) Received: from moe.brq.redhat.com (unknown [10.43.2.192]) by smtp.corp.redhat.com (Postfix) with ESMTP id DF47D5D70A for ; Wed, 12 Dec 2018 12:41:11 +0000 (UTC) From: Michal Privoznik To: libvir-list@redhat.com Date: Wed, 12 Dec 2018 13:40:46 +0100 Message-Id: <4cd10bcaea41775bdfae63492c66bdf97bbaedc3.1544618362.git.mprivozn@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v3 02/18] security: Include security_util X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.45]); Wed, 12 Dec 2018 12:41:15 +0000 (UTC) Content-Type: text/plain; charset="utf-8" This file implements wrappers over XATTR getter/setter. It ensures the proper XATTR namespace is used. Signed-off-by: Michal Privoznik --- src/security/Makefile.inc.am | 2 + src/security/security_util.c | 256 +++++++++++++++++++++++++++++++++++ src/security/security_util.h | 32 +++++ 3 files changed, 290 insertions(+) create mode 100644 src/security/security_util.c create mode 100644 src/security/security_util.h diff --git a/src/security/Makefile.inc.am b/src/security/Makefile.inc.am index f88b82df7b..0ade97d355 100644 --- a/src/security/Makefile.inc.am +++ b/src/security/Makefile.inc.am @@ -14,6 +14,8 @@ SECURITY_DRIVER_SOURCES =3D \ security/security_dac.c \ security/security_manager.h \ security/security_manager.c \ + security/security_util.h \ + security/security_util.c \ $(NULL) =20 SECURITY_DRIVER_SELINUX_SOURCES =3D \ diff --git a/src/security/security_util.c b/src/security/security_util.c new file mode 100644 index 0000000000..194343c407 --- /dev/null +++ b/src/security/security_util.c @@ -0,0 +1,256 @@ +/* + * Copyright (C) 2018 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#include + +#include "viralloc.h" +#include "virfile.h" +#include "virstring.h" +#include "virerror.h" + +#include "security_util.h" + +#define VIR_FROM_THIS VIR_FROM_SECURITY + +/* There are four namespaces available on Linux (xattr(7)): + * + * user - can be modified by anybody, + * system - used by ACLs + * security - used by SELinux + * trusted - accessibly by CAP_SYS_ADMIN processes only + * + * Looks like the last one is way to go. + * Unfortunately, FreeBSD only supports: + * + * user - can be modified by anybody, + * system - accessible by CAP_SYS_ADMIN processes only + * + * Note that 'system' on FreeBSD corresponds to 'trusted' on + * Linux. So far the only point where FreeBSD and Linux can meet + * is NFS which still doesn't support XATTRs. Therefore we can + * use different namespace on each system. If NFS gains support + * for XATTRs then we have to find a way to deal with the + * different namespaces. But that is a problem for future me. + */ +#if defined(__linux__) +# define XATTR_NAMESPACE "trusted" +#elif defined(__FreeBSD__) +# define XATTR_NAMESPACE "system" +#endif + +static char * +virSecurityGetAttrName(const char *name ATTRIBUTE_UNUSED) +{ + char *ret =3D NULL; +#ifdef XATTR_NAMESPACE + ignore_value(virAsprintf(&ret, XATTR_NAMESPACE".libvirt.security.%s", = name)); +#else + errno =3D ENOSYS; + virReportSystemError(errno, "%s", + _("Extended attributes are not supported on this = system")); +#endif + return ret; +} + + +static char * +virSecurityGetRefCountAttrName(const char *name ATTRIBUTE_UNUSED) +{ + char *ret =3D NULL; +#ifdef XATTR_NAMESPACE + ignore_value(virAsprintf(&ret, XATTR_NAMESPACE".libvirt.security.ref_%= s", name)); +#else + errno =3D ENOSYS; + virReportSystemError(errno, "%s", + _("Extended attributes are not supported on this = system")); +#endif + return ret; +} + + +/** + * virSecurityGetRememberedLabel: + * @name: security driver name + * @path: file name + * @label: label + * + * For given @path and security driver (@name) fetch remembered + * @label. The caller must not restore label if an error is + * indicated or if @label is NULL upon return. + * + * The idea is that the first time + * virSecuritySetRememberedLabel() is called over @path the + * @label is recorded and refcounter is set to 1. Each subsequent + * call to virSecuritySetRememberedLabel() increases the counter. + * Counterpart to this is virSecurityGetRememberedLabel() which + * decreases the counter and reads the @label only if the counter + * reached value of zero. For any other call (i.e. when the + * counter is not zero), virSecurityGetRememberedLabel() set + * @label to NULL (to notify the caller that the refcount is not + * zero) and returns zero. + * + * Returns: 0 on success, + * -1 otherwise (with error reported) + */ +int +virSecurityGetRememberedLabel(const char *name, + const char *path, + char **label) +{ + char *ref_name =3D NULL; + char *attr_name =3D NULL; + char *value =3D NULL; + unsigned int refcount =3D 0; + int ret =3D -1; + + *label =3D NULL; + + if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) + goto cleanup; + + if (virFileGetXAttr(path, ref_name, &value) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENODATA || errno =3D=3D EN= OTSUP) { + ret =3D 0; + } else { + virReportSystemError(errno, + _("Unable to get XATTR %s on %s"), + ref_name, + path); + } + goto cleanup; + } + + if (virStrToLong_ui(value, NULL, 10, &refcount) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("malformed refcount %s on %s"), + value, path); + goto cleanup; + } + + VIR_FREE(value); + + refcount--; + + if (refcount > 0) { + if (virAsprintf(&value, "%u", refcount) < 0) + goto cleanup; + + if (virFileSetXAttr(path, ref_name, value) < 0) + goto cleanup; + } else { + if (virFileRemoveXAttr(path, ref_name) < 0) + goto cleanup; + + if (!(attr_name =3D virSecurityGetAttrName(name))) + goto cleanup; + + if (virFileGetXAttr(path, attr_name, label) < 0) + goto cleanup; + + if (virFileRemoveXAttr(path, attr_name) < 0) + goto cleanup; + } + + ret =3D 0; + cleanup: + VIR_FREE(value); + VIR_FREE(attr_name); + VIR_FREE(ref_name); + return ret; +} + + +/** + * virSecuritySetRememberedLabel: + * @name: security driver name + * @path: file name + * @label: label + * + * For given @path and security driver (@name), if called the + * first time over @path, set the @label to remember (i.e. the + * original owner of the @path). Any subsequent call over @path + * will increment refcounter. It is strongly recommended that the + * caller checks for the return value and if it is greater than 1 + * (meaning that some domain is already using @path) the current + * label is required instead of setting a new one. + * + * See also virSecurityGetRememberedLabel. + * + * Returns: the new refcount value on success, + * -1 otherwise (with error reported) + */ +int +virSecuritySetRememberedLabel(const char *name, + const char *path, + const char *label) +{ + char *ref_name =3D NULL; + char *attr_name =3D NULL; + char *value =3D NULL; + unsigned int refcount =3D 0; + int ret =3D -1; + + if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) + goto cleanup; + + if (virFileGetXAttr(path, ref_name, &value) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) { + ret =3D 0; + goto cleanup; + } else if (errno !=3D ENODATA) { + virReportSystemError(errno, + _("Unable to get XATTR %s on %s"), + ref_name, + path); + goto cleanup; + } + } + + if (value && + virStrToLong_ui(value, NULL, 10, &refcount) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("malformed refcount %s on %s"), + value, path); + goto cleanup; + } + + VIR_FREE(value); + + refcount++; + + if (refcount =3D=3D 1) { + if (!(attr_name =3D virSecurityGetAttrName(name))) + goto cleanup; + + if (virFileSetXAttr(path, attr_name, label) < 0) + goto cleanup; + } + + if (virAsprintf(&value, "%u", refcount) < 0) + goto cleanup; + + if (virFileSetXAttr(path, ref_name, value) < 0) + goto cleanup; + + ret =3D refcount; + cleanup: + VIR_FREE(value); + VIR_FREE(attr_name); + VIR_FREE(ref_name); + return ret; +} diff --git a/src/security/security_util.h b/src/security/security_util.h new file mode 100644 index 0000000000..a6e67f4390 --- /dev/null +++ b/src/security/security_util.h @@ -0,0 +1,32 @@ +/* + * Copyright (C) 2018 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#ifndef __SECURITY_UTIL_H__ +# define __SECURITY_UTIL_H__ + +int +virSecurityGetRememberedLabel(const char *name, + const char *path, + char **label); + +int +virSecuritySetRememberedLabel(const char *name, + const char *path, + const char *label); + +#endif /* __SECURITY_UTIL_H__ */ --=20 2.19.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list