From nobody Fri May 3 16:35:58 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1503850856754784.5198281651599; Sun, 27 Aug 2017 09:20:56 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 22EAE883B9; Sun, 27 Aug 2017 16:20:55 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id CBAFB6292D; Sun, 27 Aug 2017 16:20:54 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 16E821806100; Sun, 27 Aug 2017 16:20:53 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v7RGKpN6027605 for ; Sun, 27 Aug 2017 12:20:51 -0400 Received: by smtp.corp.redhat.com (Postfix) id 94D6C5C670; Sun, 27 Aug 2017 16:20:51 +0000 (UTC) Received: from colepc.redhat.com (ovpn-116-34.phx2.redhat.com [10.3.116.34]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2E5C45C880; Sun, 27 Aug 2017 16:20:51 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 22EAE883B9 Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx02.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=libvir-list-bounces@redhat.com From: Cole Robinson To: libvirt-list@redhat.com Date: Sun, 27 Aug 2017 12:20:41 -0400 Message-Id: In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v2 1/2] security: add MANAGER_MOUNT_NAMESPACE flag X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Sun, 27 Aug 2017 16:20:55 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver if mount namespaces are in use for the VM. Will be used for future changes. Wire it up in the qemu driver Signed-off-by: Cole Robinson --- src/qemu/qemu_driver.c | 2 ++ src/security/security_dac.c | 10 ++++++++++ src/security/security_dac.h | 3 +++ src/security/security_manager.c | 4 +++- src/security/security_manager.h | 1 + 5 files changed, 19 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 2ba6c80c4..ea1a85b41 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -419,6 +419,8 @@ qemuSecurityInit(virQEMUDriverPtr driver) if (virQEMUDriverIsPrivileged(driver)) { if (cfg->dynamicOwnership) flags |=3D VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP; + if (virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT)) + flags |=3D VIR_SECURITY_MANAGER_MOUNT_NAMESPACE; if (!(mgr =3D qemuSecurityNewDAC(QEMU_DRIVER_NAME, cfg->user, cfg->group, diff --git a/src/security/security_dac.c b/src/security/security_dac.c index ca7a6af6d..507be44a2 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -57,6 +57,7 @@ struct _virSecurityDACData { gid_t *groups; int ngroups; bool dynamicOwnership; + bool mountNamespace; char *baselabel; virSecurityManagerDACChownCallback chownCallback; }; @@ -238,6 +239,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPt= r mgr, } =20 void +virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr, + bool mountNamespace) +{ + virSecurityDACDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); + priv->mountNamespace =3D mountNamespace; +} + + +void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr, virSecurityManagerDACChownCallback chownCal= lback) { diff --git a/src/security/security_dac.h b/src/security/security_dac.h index 846cefbb5..97681c961 100644 --- a/src/security/security_dac.h +++ b/src/security/security_dac.h @@ -32,6 +32,9 @@ int virSecurityDACSetUserAndGroup(virSecurityManagerPtr m= gr, void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr, bool dynamic); =20 +void virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr, + bool mountNamespace); + void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr, virSecurityManagerDACChownCallback cho= wnCallback); =20 diff --git a/src/security/security_manager.c b/src/security/security_manage= r.c index 95b995230..e43c99d4f 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -146,7 +146,8 @@ virSecurityManagerNewDAC(const char *virtDriver, virSecurityManagerPtr mgr; =20 virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK | - VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP, NULL); + VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP | + VIR_SECURITY_MANAGER_MOUNT_NAMESPACE, NULL); =20 mgr =3D virSecurityManagerNewDriver(&virSecurityDriverDAC, virtDriver, @@ -161,6 +162,7 @@ virSecurityManagerNewDAC(const char *virtDriver, } =20 virSecurityDACSetDynamicOwnership(mgr, flags & VIR_SECURITY_MANAGER_DY= NAMIC_OWNERSHIP); + virSecurityDACSetMountNamespace(mgr, flags & VIR_SECURITY_MANAGER_MOUN= T_NAMESPACE); virSecurityDACSetChownCallback(mgr, chownCallback); =20 return mgr; diff --git a/src/security/security_manager.h b/src/security/security_manage= r.h index 01296d339..08fb89203 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -36,6 +36,7 @@ typedef enum { VIR_SECURITY_MANAGER_REQUIRE_CONFINED =3D 1 << 2, VIR_SECURITY_MANAGER_PRIVILEGED =3D 1 << 3, VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP =3D 1 << 4, + VIR_SECURITY_MANAGER_MOUNT_NAMESPACE =3D 1 << 5, } virSecurityManagerNewFlags; =20 # define VIR_SECURITY_MANAGER_NEW_MASK \ --=20 2.13.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Fri May 3 16:35:58 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1503850874616542.8812517291663; Sun, 27 Aug 2017 09:21:14 -0700 (PDT) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0746F5F7AE; Sun, 27 Aug 2017 16:21:13 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id CD37460618; Sun, 27 Aug 2017 16:21:12 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 8BE021806109; Sun, 27 Aug 2017 16:21:12 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v7RGKqUn027613 for ; Sun, 27 Aug 2017 12:20:52 -0400 Received: by smtp.corp.redhat.com (Postfix) id 48E375C880; Sun, 27 Aug 2017 16:20:52 +0000 (UTC) Received: from colepc.redhat.com (ovpn-116-34.phx2.redhat.com [10.3.116.34]) by smtp.corp.redhat.com (Postfix) with ESMTP id C4C9E5C66F; Sun, 27 Aug 2017 16:20:51 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 0746F5F7AE Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx10.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=libvir-list-bounces@redhat.com From: Cole Robinson To: libvirt-list@redhat.com Date: Sun, 27 Aug 2017 12:20:42 -0400 Message-Id: <5531dc0a1a754d362478b2cda42b905a7bbb72d5.1503850638.git.crobinso@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v2 2/2] security: dac: relabel spice rendernode X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Sun, 27 Aug 2017 16:21:13 +0000 (UTC) X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" For a logged in user this a path like /dev/dri/renderD128 will have default ownership root:video which won't work for the qemu:qemu user, so we need to chown it. We only do this when mount namespaces are enabled in the qemu driver, so the chown'ing doesn't interfere with other users of the shared render node path https://bugzilla.redhat.com/show_bug.cgi?id=3D1460804 Signed-off-by: Cole Robinson --- The restore bit is also motivated by a bug I hit when testing this: DAC /dev/* permissions are 'restored' to root:root even with mount namespaces enabled: https://bugzilla.redhat.com/show_bug.cgi?id=3D1485719 src/security/security_dac.c | 58 +++++++++++++++++++++++++++++++++++++++++= ++++ 1 file changed, 58 insertions(+) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 507be44a2..349dbe81d 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1381,6 +1381,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManager= Ptr mgr, =20 =20 static int +virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virDomainGraphicsDefPtr gfx) + +{ + virSecurityDACDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); + virSecurityLabelDefPtr seclabel; + uid_t user; + gid_t group; + + /* Skip chowning the shared render file if namespaces are disabled */ + if (!priv->mountNamespace) + return 0; + + seclabel =3D virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); + if (seclabel && !seclabel->relabel) + return 0; + + if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < = 0) + return -1; + + if (gfx->type =3D=3D VIR_DOMAIN_GRAPHICS_TYPE_SPICE && + gfx->data.spice.gl =3D=3D VIR_TRISTATE_BOOL_YES && + gfx->data.spice.rendernode) { + if (virSecurityDACSetOwnership(priv, NULL, + gfx->data.spice.rendernode, + user, group) < 0) + return -1; + } + + return 0; +} + + +static int +virSecurityDACRestoreGraphicsLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNU= SED, + virDomainDefPtr def ATTRIBUTE_UNUSED, + virDomainGraphicsDefPtr gfx ATTRIBUTE_UNUSE= D) + +{ + /* The only graphics labelling we do is dependent on mountNamespaces, + in which case 'restoring' the label doesn't actually accomplish + anything, so there's nothing to do here */ + return 0; +} + + +static int virSecurityDACSetInputLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, virDomainInputDefPtr input) @@ -1491,6 +1539,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr = mgr, rc =3D -1; } =20 + for (i =3D 0; i < def->ngraphics; i++) { + if (virSecurityDACRestoreGraphicsLabel(mgr, def, def->graphics[i])= < 0) + return -1; + } + for (i =3D 0; i < def->ninputs; i++) { if (virSecurityDACRestoreInputLabel(mgr, def, def->inputs[i]) < 0) rc =3D -1; @@ -1611,6 +1664,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, return -1; } =20 + for (i =3D 0; i < def->ngraphics; i++) { + if (virSecurityDACSetGraphicsLabel(mgr, def, def->graphics[i]) < 0) + return -1; + } + for (i =3D 0; i < def->ninputs; i++) { if (virSecurityDACSetInputLabel(mgr, def, def->inputs[i]) < 0) return -1; --=20 2.13.5 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list