[libvirt] [PATCH v2 17/18] tools: Provide a script to recover fubar'ed XATTRs setup

Michal Privoznik posted 18 patches 7 years, 2 months ago
There is a newer version of this series
Posted by Michal Privoznik 7 years, 2 months ago
Our code is not bug free. The refcounting I introduced will
almost certainly not work in some use cases. Provide a script
that will remove all the XATTRs set by libvirt so that it can
start cleanly.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 tools/Makefile.am               |  1 +
 tools/libvirt_recover_xattrs.sh | 89 +++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)
 create mode 100755 tools/libvirt_recover_xattrs.sh

diff --git a/tools/Makefile.am b/tools/Makefile.am
index f069167acc..1dc009c4fb 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -75,6 +75,7 @@ EXTRA_DIST = \
 	virt-login-shell.conf \
 	virsh-edit.c \
 	bash-completion/vsh \
+	libvirt_recover_xattrs.sh \
 	$(PODFILES) \
 	$(MANINFILES) \
 	$(NULL)
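Review bot: adding libvirt_recover_xattrs.sh to EXTRA_DIST only ships it in the source tarball; nothing in this hunk installs it, so an administrator on a packaged install who hits broken refcounting will not have the script at hand. Consider installing it, or say in the commit message that it is deliberately source-only, and point to it from the documentation.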
diff --git a/tools/libvirt_recover_xattrs.sh b/tools/libvirt_recover_xattrs.sh
new file mode 100755
index 0000000000..c4a8b27cbc
--- /dev/null
+++ b/tools/libvirt_recover_xattrs.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+function die {
+    echo $@ >&2
+    exit 1
+}
+
+function show_help {
+    cat << EOF
+Usage: ${0##*/} -[hqn] [PATH]
+
+Clear out any XATTRs set by libvirt on all files that have them.
+The idea is to reset refcounting, should it break.
+
+  -h    display this help and exit
+  -q    quiet (don't print which files are being fixed)
+  -n    dry run; don't remove any XATTR just report the file name
+
+PATH can be specified to refine search to only to given path
+instead of whole root ('/'), which is the default.
+EOF
+}
+
+QUIET=0
+DRY_RUN=0
+P="/"
+
+# So far only qemu and lxc drivers use security driver.
+URI=("qemu:///system"
+     "qemu:///session"
+     "lxc:///system")
+
+LIBVIRT_XATTR_PREFIX="trusted.libvirt.security"
+
+if [ `whoami` != "root" ]; then
+    die "Must be run as root"
+fi
+
+while getopts hqn opt; do
+    case $opt in
+        h)
+            show_help
+            exit 0
+            ;;
+        q)
+            QUIET=1
+            ;;
+        n)
+            DRY_RUN=1
+            ;;
+        *)
+            show_help >&2
+            exit 1
+            ;;
+    esac
+done
+
+shift $((OPTIND - 1))
+if [ $# -gt 0 ]; then
+    P=$1
+fi
+
+if [ ${DRY_RUN} -eq 0 ]; then
+    for u in ${URI[*]} ; do
+        if [ -n "`virsh -q -c $u list 2>/dev/null`" ]; then
+            die "There are still some domains running for $u"
+        fi
+    done
+fi
+
+XATTRS=("trusted.libvirt.security.dac"
+        "trusted.libvirt.security.ref_dac"
+        "trusted.libvirt.security.selinux"
+        "trusted.libvirt.security.ref_selinux")
+
+for i in $(getfattr -R -d -m ${LIBVIRT_XATTR_PREFIX} --absolute-names ${P} 2>/dev/null | grep "^# file:" | cut -d':' -f 2); do
+    if [ ${DRY_RUN} -ne 0 ]; then
+        echo $i
+        getfattr -d -m ${LIBVIRT_XATTR_PREFIX} $i
+        continue
+    fi
+
+    if [ ${QUIET} -eq 0 ]; then
+        echo "Fixing $i";
+    fi
+    for x in ${XATTRS[*]}; do
+        setfattr -x $x $i
+    done
+done
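Review bot: the final loop, `for i in $(getfattr ... | grep "^# file:" | cut -d':' -f 2)`, builds its file list by shell word splitting, so a path containing whitespace is split into several words and a path containing ':' is cut short by `cut -f 2`; since the script insists on running as root, `setfattr -x $x $i` can then act on a different path than the one getfattr reported. Read the output line by line (`while IFS= read -r`), strip only the leading "# file: " prefix, and quote "$i", "$P" and "$u" wherever they are used. Two smaller points in the same hunk: every file has all four names in XATTRS removed unconditionally, so a file that carries only the dac pair makes setfattr report errors for the selinux pair, and the `whoami` check sits before the getopts loop, so `-h` fails for a non-root user instead of printing the help.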
-- 
2.18.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v2 17/18] tools: Provide a script to recover fubar'ed XATTRs setup
Posted by Daniel P. Berrangé 7 years, 2 months ago
On Thu, Nov 29, 2018 at 02:52:32PM +0100, Michal Privoznik wrote:
> Our code is not bug free. The refcounting I introduced will
> almost certainly not work in some use cases. Provide a script
> that will remove all the XATTRs set by libvirt so that it can
> start cleanly.

On this point, it would be a nice idea to be able to write some
unit tests to exercise the security drivers, as this is something
we're significantly lacking coverage of.

With mocking of the chown/setxattr/etc methods we can easily
detect some of the bugs you fixed here, such as forgetting to
restore labels of certain resource types.

> 
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>  tools/Makefile.am               |  1 +
>  tools/libvirt_recover_xattrs.sh | 89 +++++++++++++++++++++++++++++++++
>  2 files changed, 90 insertions(+)
>  create mode 100755 tools/libvirt_recover_xattrs.sh
> 
> diff --git a/tools/Makefile.am b/tools/Makefile.am
> index f069167acc..1dc009c4fb 100644
> --- a/tools/Makefile.am
> +++ b/tools/Makefile.am
> @@ -75,6 +75,7 @@ EXTRA_DIST = \
>  	virt-login-shell.conf \
>  	virsh-edit.c \
>  	bash-completion/vsh \
> +	libvirt_recover_xattrs.sh \
>  	$(PODFILES) \
>  	$(MANINFILES) \
>  	$(NULL)

> +XATTRS=("trusted.libvirt.security.dac"
> +        "trusted.libvirt.security.ref_dac"
> +        "trusted.libvirt.security.selinux"
> +        "trusted.libvirt.security.ref_selinux")

Needs updating to account for FreeBSD naming now

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
