From nobody Mon Feb 9 00:07:02 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1566472560; cv=none; d=zoho.com; s=zohoarc; b=Y4qVQx3cY65VGvXI3krltrZA9hpnNRe0XXmvwCV9S9mGFmidbHsPGESNLxjc5lVinDueMRAQ8hnPRHtNOB3JQJfTg0Z8ZM9JXGUqXzJ39KIts/zRC6U3ARvQw7HD/N9KpLYlUrNUFEZLmQIgtBPrm3SgGKX0re+32Zmek8UcdHg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1566472560; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To:ARC-Authentication-Results; bh=YwuJ0eNDsA72IiNIZNN6hOeJenYoO+hiRPogBdLmCWs=; b=WSk+ILnc1TTtkM1diXPSLZfBHdaQ4p7/2bM8/Dkg/vxe/GV7TA1VGpz1H8ADjNMbFpMQji0CDD5WbYWXXgxVdhANZSgV8piRlqGAQeDvpe75lXV8GTj0D2EWS5vXuV6JHsaynnQUJ7SSyXKci2TfTIdf91RTET7kALMxq6D7oMw= ARC-Authentication-Results: i=1; mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1566472560742250.75003309019155; Thu, 22 Aug 2019 04:16:00 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 643B77FDCD; Thu, 22 Aug 2019 11:15:59 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 42DF65D713; Thu, 22 Aug 2019 11:15:59 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 04369180BA99; Thu, 22 Aug 2019 11:15:59 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x7MBFd0X018680 for ; Thu, 22 Aug 2019 07:15:39 -0400 Received: by smtp.corp.redhat.com (Postfix) id 1891660605; Thu, 22 Aug 2019 11:15:39 +0000 (UTC) Received: from moe.brq.redhat.com (unknown [10.43.2.30]) by smtp.corp.redhat.com (Postfix) with ESMTP id 96C4760603 for ; Thu, 22 Aug 2019 11:15:38 +0000 (UTC) From: Michal Privoznik To: libvir-list@redhat.com Date: Thu, 22 Aug 2019 13:15:33 +0200 Message-Id: <4f03b8749d1e3e5091b58c10543f74c6e2ce4ff3.1566472451.git.mprivozn@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v2 2/2] security_util: Remove stale XATTRs X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Thu, 22 Aug 2019 11:15:59 +0000 (UTC) Content-Type: text/plain; charset="utf-8" It may happen that we leave some XATTRs behind. For instance, on a sudden power loss, the host just shuts down without calling restore on domain paths. This creates a problem, because when the host starts up again, the XATTRs are there but they don't reflect the true state and this may result in libvirt denying start of a domain. To solve this, save a unique timestamp (host boot time) among with our XATTRs. Signed-off-by: Michal Privoznik --- src/security/security_util.c | 196 +++++++++++++++++++++++++++++++- tests/qemusecuritymock.c | 12 ++ tools/libvirt_recover_xattrs.sh | 2 +- 3 files changed, 208 insertions(+), 2 deletions(-) diff --git a/src/security/security_util.c b/src/security/security_util.c index 365b2dd2d6..c65e27e6d4 100644 --- a/src/security/security_util.c +++ b/src/security/security_util.c @@ -22,11 +22,16 @@ #include "virfile.h" #include "virstring.h" #include "virerror.h" +#include "virlog.h" +#include "viruuid.h" +#include "virhostuptime.h" =20 #include "security_util.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 +VIR_LOG_INIT("security.security_util"); + /* There are four namespaces available on Linux (xattr(7)): * * user - can be modified by anybody, @@ -83,6 +88,151 @@ virSecurityGetRefCountAttrName(const char *name ATTRIBU= TE_UNUSED) } =20 =20 +#ifdef XATTR_NAMESPACE +static char * +virSecurityGetTimestampAttrName(const char *name) +{ + char *ret =3D NULL; + ignore_value(virAsprintf(&ret, XATTR_NAMESPACE".libvirt.security.times= tamp_%s", name)); + return ret; +} +#else /* !XATTR_NAMESPACE */ +static char * +virSecurityGetTimestampAttrName(const char *name ATTRIBUTE_UNUSED) +{ + errno =3D ENOSYS; + virReportSystemError(errno, "%s", + _("Extended attributes are not supported on this = system")); + return NULL; +} +#endif /* !XATTR_NAMESPACE */ + + +static char * +virSecurityGetTimestamp(void) +{ + unsigned long long boottime =3D 0; + char *ret =3D NULL; + + if (virHostGetBootTime(&boottime) < 0) { + virReportSystemError(errno, "%s", + _("Unable to get host boot time")); + return NULL; + } + + ignore_value(virAsprintf(&ret, "%llu", boottime)); + return ret; +} + + +/** + * virSecurityValidateTimestamp: + * @name: security driver name + * @path: file name + * + * Check if remembered label on @path for security driver @name + * is valid, i.e. the label has been set since the last boot. If + * the label was set in previous runs, all XATTRs related to + * @name are removed so that clean slate is restored. + * + * This is done having extra attribute timestamp_$SECDRIVER which + * contains the host boot time. Its value is then compared to + * actual host boot time. If these two values don't match then + * XATTRs are considered as stale and thus invalid. + * + * In ideal world, where there network file systems have XATTRs + * using plain host boot time is not enough as it may lead to a + * situation where a freshly started host sees XATTRs, sees the + * timestamp put there by some longer running host and considers + * the XATTRs invalid. Well, there is not an easy way out. We + * would need to somehow check if the longer running host is + * still there and is the @path (how?). + * Fortunately, there is only one network file system which + * supports XATTRs currently (GlusterFS via FUSE) and it is used + * so rarely that it's almost a corner case. + * The worst thing that happens there is that we remove XATTRs + * and thus return @path to the default label for $SECDRIVER. + * + * Returns: 0 if remembered label is valid, + * 1 if remembered label was not valid, + * -1 otherwise. + */ +static int +virSecurityValidateTimestamp(const char *name, + const char *path) +{ + VIR_AUTOFREE(char *) expected_timestamp =3D NULL; + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + VIR_AUTOFREE(char *) value =3D NULL; + + if (!(expected_timestamp =3D virSecurityGetTimestamp()) || + !(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + return -1; + + errno =3D 0; + if (virFileGetXAttrQuiet(path, timestamp_name, &value) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) { + return -1; + } else if (errno !=3D ENODATA) { + virReportSystemError(errno, + _("Unable to get XATTR %s on %s"), + timestamp_name, + path); + return -1; + } + + /* Timestamp is missing. We can continue and claim a valid timesta= mp. + * But then we would never remove stale XATTRs. Therefore, claim it + * invalid and have the code below remove all XATTRs. This of cour= se + * means that we will not restore the original owner, but the plus= side + * is that we reset refcounter which will represent the true state. + */ + } + + if (STREQ_NULLABLE(value, expected_timestamp)) { + VIR_DEBUG("XATTRs on %s secdriver=3D%s are valid", path, name); + return 0; + } + + VIR_WARN("Invalid XATTR timestamp detected on %s secdriver=3D%s", path= , name); + + if (virSecurityMoveRememberedLabel(name, path, NULL) < 0) + return -1; + + return 1; +} + + +static int +virSecurityAddTimestamp(const char *name, + const char *path) +{ + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + VIR_AUTOFREE(char *) timestamp_value =3D NULL; + + if (!(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + return -1; + + return virFileSetXAttr(path, timestamp_name, timestamp_value); +} + + +static int +virSecurityRemoveTimestamp(const char *name, + const char *path) +{ + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + + if (!(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + return -1; + + if (virFileRemoveXAttr(path, timestamp_name) < 0 && errno !=3D ENOENT) + return -1; + + return 0; +} + + /** * virSecurityGetRememberedLabel: * @name: security driver name @@ -120,6 +270,12 @@ virSecurityGetRememberedLabel(const char *name, =20 *label =3D NULL; =20 + if (virSecurityValidateTimestamp(name, path) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) + return -2; + return -1; + } + if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) return -1; =20 @@ -163,6 +319,9 @@ virSecurityGetRememberedLabel(const char *name, =20 if (virFileRemoveXAttr(path, attr_name) < 0) return -1; + + if (virSecurityRemoveTimestamp(name, path) < 0) + return -1; } =20 return 0; @@ -199,6 +358,12 @@ virSecuritySetRememberedLabel(const char *name, VIR_AUTOFREE(char *) value =3D NULL; unsigned int refcount =3D 0; =20 + if (virSecurityValidateTimestamp(name, path) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) + return -2; + return -1; + } + if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) return -1; =20 @@ -232,6 +397,9 @@ virSecuritySetRememberedLabel(const char *name, =20 if (virFileSetXAttr(path, attr_name, label) < 0) return -1; + + if (virSecurityAddTimestamp(name, path) < 0) + return -1; } =20 if (virAsprintf(&value, "%u", refcount) < 0) @@ -266,9 +434,12 @@ virSecurityMoveRememberedLabel(const char *name, VIR_AUTOFREE(char *) ref_value =3D NULL; VIR_AUTOFREE(char *) attr_name =3D NULL; VIR_AUTOFREE(char *) attr_value =3D NULL; + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + VIR_AUTOFREE(char *) timestamp_value =3D NULL; =20 if (!(ref_name =3D virSecurityGetRefCountAttrName(name)) || - !(attr_name =3D virSecurityGetAttrName(name))) + !(attr_name =3D virSecurityGetAttrName(name)) || + !(timestamp_name =3D virSecurityGetTimestampAttrName(name))) return -1; =20 if (virFileGetXAttrQuiet(src, ref_name, &ref_value) < 0) { @@ -293,6 +464,17 @@ virSecurityMoveRememberedLabel(const char *name, } } =20 + if (virFileGetXAttrQuiet(src, timestamp_name, ×tamp_value) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) { + return -2; + } else if (errno !=3D ENODATA) { + virReportSystemError(errno, + _("Unable to get XATTR %s on %s"), + attr_name, src); + return -1; + } + } + if (ref_value && virFileRemoveXAttr(src, ref_name) < 0) { return -1; @@ -303,6 +485,11 @@ virSecurityMoveRememberedLabel(const char *name, return -1; } =20 + if (timestamp_value && + virFileRemoveXAttr(src, timestamp_name) < 0) { + return -1; + } + if (dst) { if (ref_value && virFileSetXAttr(dst, ref_name, ref_value) < 0) { @@ -314,6 +501,13 @@ virSecurityMoveRememberedLabel(const char *name, ignore_value(virFileRemoveXAttr(dst, ref_name)); return -1; } + + if (timestamp_value && + virFileSetXAttr(dst, timestamp_name, timestamp_value) < 0) { + ignore_value(virFileRemoveXAttr(dst, ref_name)); + ignore_value(virFileRemoveXAttr(dst, attr_name)); + return -1; + } } =20 return 0; diff --git a/tests/qemusecuritymock.c b/tests/qemusecuritymock.c index a15eef29c9..373d64305a 100644 --- a/tests/qemusecuritymock.c +++ b/tests/qemusecuritymock.c @@ -32,6 +32,7 @@ #include "viralloc.h" #include "qemusecuritytest.h" #include "security/security_manager.h" +#include "virhostuptime.h" =20 #define VIR_FROM_THIS VIR_FROM_NONE =20 @@ -488,3 +489,14 @@ virProcessRunInFork(virProcessForkCallback cb, { return cb(-1, opaque); } + + +/* We don't really need to mock this function. The qemusecuritytest doesn't + * care about the actual value. However, travis runs build and tests in a + * container where utmp is missing and thus this function fails. */ +int +virHostGetBootTime(unsigned long long *when) +{ + *when =3D 1234567890; + return 0; +} diff --git a/tools/libvirt_recover_xattrs.sh b/tools/libvirt_recover_xattrs= .sh index 58f02f8dfb..3907413c63 100755 --- a/tools/libvirt_recover_xattrs.sh +++ b/tools/libvirt_recover_xattrs.sh @@ -74,7 +74,7 @@ fi declare -a XATTRS for i in "dac" "selinux"; do for p in ${LIBVIRT_XATTR_PREFIXES[@]}; do - XATTRS+=3D("$p.$i" "$p.ref_$i") + XATTRS+=3D("$p.$i" "$p.ref_$i" "$p.timestamp_$i") done done =20 --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list