From: Michal Privoznik
To: libvir-list@redhat.com
Date: Thu, 22 Aug 2019 13:15:32 +0200
Message-Id: <5e6dc2c30e287e8fdae90f1c5ced453cc0a3d943.1566472451.git.mprivozn@redhat.com>
Subject: [libvirt] [PATCH v2 1/2] util: Introduce virhostuptime

This module contains a function to get the host boot time.
Signed-off-by: Michal Privoznik Reviewed-by: Jiri Denemark --- configure.ac | 1 + src/libvirt_private.syms | 4 ++ src/util/Makefile.inc.am | 2 + src/util/virhostuptime.c | 81 ++++++++++++++++++++++++++++++++++++++++ src/util/virhostuptime.h | 27 ++++++++++++++ 5 files changed, 115 insertions(+) create mode 100644 src/util/virhostuptime.c create mode 100644 src/util/virhostuptime.h diff --git a/configure.ac b/configure.ac index f41c6d5d86..6744ace578 100644 --- a/configure.ac +++ b/configure.ac @@ -337,6 +337,7 @@ AC_CHECK_FUNCS_ONCE([\ getpwuid_r \ getrlimit \ getuid \ + getutxid \ if_indextoname \ mmap \ newlocale \ diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 9db4ac7933..c230a852e7 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2135,6 +2135,10 @@ virHostMemGetStats; virHostMemSetParameters; =20 =20 +# util/virhostuptime.h +virHostGetBootTime; + + # util/viridentity.h virIdentityGetAttr; virIdentityGetCurrent; diff --git a/src/util/Makefile.inc.am b/src/util/Makefile.inc.am index a47f333a98..46866cf213 100644 --- a/src/util/Makefile.inc.am +++ b/src/util/Makefile.inc.am @@ -91,6 +91,8 @@ UTIL_SOURCES =3D \ util/virhostdev.h \ util/virhostmem.c \ util/virhostmem.h \ + util/virhostuptime.c \ + util/virhostuptime.h \ util/viridentity.c \ util/viridentity.h \ util/virinitctl.c \ diff --git a/src/util/virhostuptime.c b/src/util/virhostuptime.c new file mode 100644 index 0000000000..62b781acd5 --- /dev/null +++ b/src/util/virhostuptime.c 
@@ -0,0 +1,81 @@ +/* + * virhostuptime.c: helper APIs for host uptime + * + * Copyright (C) 2019 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#include + +#ifdef HAVE_GETUTXID +# include +#endif + +#include "virhostuptime.h" +#include "virthread.h" + +static unsigned long long bootTime; +static int bootTimeErrno; +static virOnceControl virHostGetBootTimeOnce =3D VIR_ONCE_CONTROL_INITIALI= ZER; + +#ifdef HAVE_GETUTXID +static void +virHostGetBootTimeOnceInit(void) +{ + struct utmpx id =3D {.ut_type =3D BOOT_TIME}; + struct utmpx *res =3D NULL; + + if (!(res =3D getutxid(&id))) { + bootTimeErrno =3D errno; + } else { + bootTime =3D res->ut_tv.tv_sec; + } + + endutxent(); +} + +#else /* !HAVE_GETUTXID */ + +static void +virHostGetBootTimeOnceInit(void) +{ + bootTimeErrno =3D ENOSYS; +} +#endif /* HAVE_GETUTXID */ + +/** + * virHostGetBootTime: + * @when: UNIX timestamp of boot time + * + * Get a UNIX timestamp of host boot time and store it at @when. + * + * Return: 0 on success, + * -1 otherwise. + */ +int +virHostGetBootTime(unsigned long long *when) +{ + if (virOnce(&virHostGetBootTimeOnce, virHostGetBootTimeOnceInit) < 0) + return -1; + + if (bootTimeErrno) { + errno =3D bootTimeErrno; + return -1; + } + + *when =3D bootTime; + return 0; +} 
diff --git a/src/util/virhostuptime.h b/src/util/virhostuptime.h new file mode 100644 index 0000000000..03c1517a64 --- /dev/null +++ b/src/util/virhostuptime.h 
@@ -0,0 +1,27 @@ +/* + * virhostuptime.h: helper APIs for host uptime + * + * Copyright (C) 2019 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#pragma once + +#include "internal.h" + +int +virHostGetBootTime(unsigned long long *when) + ATTRIBUTE_NOINLINE; --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
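Review bot: in the virhostuptime.c hunk, virHostGetBootTimeOnceInit() decides whether a NULL return from getutxid() is an error purely from whatever errno happens to hold, but errno is never cleared before the call and getutxid() returns NULL with errno untouched when no BOOT_TIME record exists; in that case bootTimeErrno can stay 0, bootTime stays 0 and virHostGetBootTime() reports success with *when == 0, a poor value for something patch 2/2 uses as a freshness marker. Set `errno = 0;` before `getutxid(&id)` and turn a NULL result with errno still 0 into an explicit error (ENOENT would do). A comment that virOnce latches the first outcome, so a transient failure is returned for the lifetime of the process, would also help the next reader.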
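Review bot: in the virhostuptime.h hunk, `ATTRIBUTE_NOINLINE` on virHostGetBootTime() is left unexplained; the attribute only makes sense because tests need to replace the symbol (tests/qemusecuritymock.c in 2/2 defines its own virHostGetBootTime()), so add a one-line comment saying so before someone removes it as noise.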
From: Michal Privoznik
To: libvir-list@redhat.com
Date: Thu, 22 Aug 2019 13:15:33 +0200
Message-Id: <4f03b8749d1e3e5091b58c10543f74c6e2ce4ff3.1566472451.git.mprivozn@redhat.com>
Subject: [libvirt] [PATCH v2 2/2] security_util: Remove stale XATTRs

It may happen that we leave some XATTRs behind. For instance, on a sudden power loss, the host just shuts down without calling restore on domain paths. This creates a problem, because when the host starts up again, the XATTRs are there but they don't reflect the true state and this may result in libvirt denying the start of a domain. To solve this, save a unique timestamp (host boot time) along with our XATTRs.

Signed-off-by: Michal Privoznik
---
src/security/security_util.c | 196 +++++++++++++++++++++++++++++++-
tests/qemusecuritymock.c | 12 ++
tools/libvirt_recover_xattrs.sh | 2 +-
3 files changed, 208 insertions(+), 2 deletions(-)

diff --git a/src/security/security_util.c b/src/security/security_util.c
index 365b2dd2d6..c65e27e6d4 100644
--- a/src/security/security_util.c
+++ b/src/security/security_util.c
@@ -22,11 +22,16 @@ #include "virfile.h" #include "virstring.h" #include "virerror.h" +#include "virlog.h" +#include "viruuid.h" +#include "virhostuptime.h" =20 #include "security_util.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 +VIR_LOG_INIT("security.security_util"); + /* There are four namespaces available on Linux (xattr(7)): * * user - can be modified by anybody, 
@@ -83,6 +88,151 @@ virSecurityGetRefCountAttrName(const char *name ATTRIBU= TE_UNUSED) } =20 =20 +#ifdef XATTR_NAMESPACE +static char * +virSecurityGetTimestampAttrName(const char *name) +{ + char *ret =3D NULL; + ignore_value(virAsprintf(&ret, XATTR_NAMESPACE".libvirt.security.times= tamp_%s", name)); + return ret; +} +#else /* !XATTR_NAMESPACE */ +static char * +virSecurityGetTimestampAttrName(const char *name ATTRIBUTE_UNUSED) +{ + errno =3D ENOSYS; + virReportSystemError(errno, "%s", + _("Extended attributes are not supported on this = system")); + return NULL; +} +#endif /* !XATTR_NAMESPACE */ + + +static char * +virSecurityGetTimestamp(void) +{ + unsigned long long boottime =3D 0; + char *ret =3D NULL; + + if (virHostGetBootTime(&boottime) < 0) { + virReportSystemError(errno, "%s", + _("Unable to get host boot time")); + return NULL; + } + + ignore_value(virAsprintf(&ret, "%llu", boottime)); + return ret; +} + + +/** + * virSecurityValidateTimestamp: + * @name: security driver name + * @path: file name + * + * Check if remembered label on @path for security driver @name + * is valid, i.e. the label has been set since the last boot. If + * the label was set in previous runs, all XATTRs related to + * @name are removed so that clean slate is restored. + * + * This is done having extra attribute timestamp_$SECDRIVER which + * contains the host boot time. Its value is then compared to + * actual host boot time. If these two values don't match then + * XATTRs are considered as stale and thus invalid. + * + * In ideal world, where there network file systems have XATTRs + * using plain host boot time is not enough as it may lead to a + * situation where a freshly started host sees XATTRs, sees the + * timestamp put there by some longer running host and considers + * the XATTRs invalid. Well, there is not an easy way out. We + * would need to somehow check if the longer running host is + * still there and is the @path (how?). 
+ * Fortunately, there is only one network file system which + * supports XATTRs currently (GlusterFS via FUSE) and it is used + * so rarely that it's almost a corner case. + * The worst thing that happens there is that we remove XATTRs + * and thus return @path to the default label for $SECDRIVER. + * + * Returns: 0 if remembered label is valid, + * 1 if remembered label was not valid, + * -1 otherwise. + */ +static int +virSecurityValidateTimestamp(const char *name, + const char *path) +{ + VIR_AUTOFREE(char *) expected_timestamp =3D NULL; + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + VIR_AUTOFREE(char *) value =3D NULL; + + if (!(expected_timestamp =3D virSecurityGetTimestamp()) || + !(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + return -1; + + errno =3D 0; + if (virFileGetXAttrQuiet(path, timestamp_name, &value) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) { + return -1; + } else if (errno !=3D ENODATA) { + virReportSystemError(errno, + _("Unable to get XATTR %s on %s"), + timestamp_name, + path); + return -1; + } + + /* Timestamp is missing. We can continue and claim a valid timesta= mp. + * But then we would never remove stale XATTRs. Therefore, claim it + * invalid and have the code below remove all XATTRs. This of cour= se + * means that we will not restore the original owner, but the plus= side + * is that we reset refcounter which will represent the true state. 
+ */ + } + + if (STREQ_NULLABLE(value, expected_timestamp)) { + VIR_DEBUG("XATTRs on %s secdriver=3D%s are valid", path, name); + return 0; + } + + VIR_WARN("Invalid XATTR timestamp detected on %s secdriver=3D%s", path= , name); + + if (virSecurityMoveRememberedLabel(name, path, NULL) < 0) + return -1; + + return 1; +} + + +static int +virSecurityAddTimestamp(const char *name, + const char *path) +{ + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + VIR_AUTOFREE(char *) timestamp_value =3D NULL; + + if (!(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + return -1; + + return virFileSetXAttr(path, timestamp_name, timestamp_value); +} + + +static int +virSecurityRemoveTimestamp(const char *name, + const char *path) +{ + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + + if (!(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + return -1; + + if (virFileRemoveXAttr(path, timestamp_name) < 0 && errno !=3D ENOENT) + return -1; + + return 0; +} + + /** * virSecurityGetRememberedLabel: * @name: security driver name @@ -120,6 +270,12 @@ virSecurityGetRememberedLabel(const char *name, =20 *label =3D NULL; =20 + if (virSecurityValidateTimestamp(name, path) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) + return -2; + return -1; + } + if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) return -1; =20 @@ -163,6 +319,9 @@ virSecurityGetRememberedLabel(const char *name, =20 if (virFileRemoveXAttr(path, attr_name) < 0) return -1; + + if (virSecurityRemoveTimestamp(name, path) < 0) + return -1; } =20 return 0; @@ -199,6 +358,12 @@ virSecuritySetRememberedLabel(const char *name, VIR_AUTOFREE(char *) value =3D NULL; unsigned int refcount =3D 0; =20 + if (virSecurityValidateTimestamp(name, path) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) + return -2; + return -1; + } + if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) return -1; =20 
@@ -232,6 +397,9 @@ virSecuritySetRememberedLabel(const char *name, =20 if (virFileSetXAttr(path, attr_name, label) < 0) return -1; + + if (virSecurityAddTimestamp(name, path) < 0) + return -1; } =20 if (virAsprintf(&value, "%u", refcount) < 0) @@ -266,9 +434,12 @@ virSecurityMoveRememberedLabel(const char *name, VIR_AUTOFREE(char *) ref_value =3D NULL; VIR_AUTOFREE(char *) attr_name =3D NULL; VIR_AUTOFREE(char *) attr_value =3D NULL; + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + VIR_AUTOFREE(char *) timestamp_value =3D NULL; =20 if (!(ref_name =3D virSecurityGetRefCountAttrName(name)) || - !(attr_name =3D virSecurityGetAttrName(name))) + !(attr_name =3D virSecurityGetAttrName(name)) || + !(timestamp_name =3D virSecurityGetTimestampAttrName(name))) return -1; =20 if (virFileGetXAttrQuiet(src, ref_name, &ref_value) < 0) { @@ -293,6 +464,17 @@ virSecurityMoveRememberedLabel(const char *name, } } =20 + if (virFileGetXAttrQuiet(src, timestamp_name, ×tamp_value) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) { + return -2; + } else if (errno !=3D ENODATA) { + virReportSystemError(errno, + _("Unable to get XATTR %s on %s"), + attr_name, src); + return -1; + } + } + if (ref_value && virFileRemoveXAttr(src, ref_name) < 0) { return -1; @@ -303,6 +485,11 @@ virSecurityMoveRememberedLabel(const char *name, return -1; } =20 + if (timestamp_value && + virFileRemoveXAttr(src, timestamp_name) < 0) { + return -1; + } + if (dst) { if (ref_value && virFileSetXAttr(dst, ref_name, ref_value) < 0) { @@ -314,6 +501,13 @@ virSecurityMoveRememberedLabel(const char *name, ignore_value(virFileRemoveXAttr(dst, ref_name)); return -1; } + + if (timestamp_value && + virFileSetXAttr(dst, timestamp_name, timestamp_value) < 0) { + ignore_value(virFileRemoveXAttr(dst, ref_name)); + ignore_value(virFileRemoveXAttr(dst, attr_name)); + return -1; + } } =20 return 0; diff --git a/tests/qemusecuritymock.c b/tests/qemusecuritymock.c index a15eef29c9..373d64305a 100644 
--- a/tests/qemusecuritymock.c +++ b/tests/qemusecuritymock.c @@ -32,6 +32,7 @@ #include "viralloc.h" #include "qemusecuritytest.h" #include "security/security_manager.h" +#include "virhostuptime.h" =20 #define VIR_FROM_THIS VIR_FROM_NONE =20 @@ -488,3 +489,14 @@ virProcessRunInFork(virProcessForkCallback cb, { return cb(-1, opaque); } + + +/* We don't really need to mock this function. The qemusecuritytest doesn't + * care about the actual value. However, travis runs build and tests in a + * container where utmp is missing and thus this function fails. */ +int +virHostGetBootTime(unsigned long long *when) +{ + *when =3D 1234567890; + return 0; +} diff --git a/tools/libvirt_recover_xattrs.sh b/tools/libvirt_recover_xattrs= .sh index 58f02f8dfb..3907413c63 100755 --- a/tools/libvirt_recover_xattrs.sh +++ b/tools/libvirt_recover_xattrs.sh 
@@ -74,7 +74,7 @@ fi declare -a XATTRS for i in "dac" "selinux"; do for p in ${LIBVIRT_XATTR_PREFIXES[@]}; do - XATTRS+=3D("$p.$i" "$p.ref_$i") + XATTRS+=3D("$p.$i" "$p.ref_$i" "$p.timestamp_$i") done done =20 --=20 2.21.0
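Review bot: in the first security_util.c hunk (`@@ -22,11 +22,16 @@`), `#include "viruuid.h"` is added but nothing in this patch calls a UUID helper; the timestamp is an `unsigned long long` formatted with `%llu`. Drop the include or say what it is for.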
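Review bot: in virSecurityAddTimestamp() (the `@@ -83,6 +88,151 @@` hunk), `timestamp_value` is declared as NULL and never assigned before `virFileSetXAttr(path, timestamp_name, timestamp_value)`, so the timestamp attribute is written from a NULL pointer and no later virSecurityValidateTimestamp() comparison can ever match the real boot time, which would make the validator wipe labels it has just stored. It needs `if (!(timestamp_value = virSecurityGetTimestamp()) || !(timestamp_name = virSecurityGetTimestampAttrName(name))) return -1;`, mirroring the validate path. In the same hunk the doc comment of virSecurityValidateTimestamp() lists only 0, 1 and -1 as return values while the ENOSYS/ENOTSUP branch is folded into -1 and left for callers to recover from errno; return -2 directly and document it.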
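Review bot: in the virSecurityGetRememberedLabel() and virSecuritySetRememberedLabel() hunks (`@@ -120,6 +270,12 @@` and `@@ -199,6 +358,12 @@`), the -2 mapping inspects errno after virSecurityValidateTimestamp() has returned -1; by then the callee's VIR_AUTOFREE cleanup has run and may have clobbered errno, so the "file system does not support XATTRs" case can be misreported as a hard error. Have virSecurityValidateTimestamp() return -2 itself and pass its return value straight through, e.g. `if ((rc = virSecurityValidateTimestamp(name, path)) < 0) return rc;`.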
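Review bot: in the `@@ -293,6 +464,17 @@` hunk of virSecurityMoveRememberedLabel(), the error reported when reading the timestamp attribute fails passes `attr_name` rather than `timestamp_name`, so the message names the wrong XATTR; use `timestamp_name, src` there.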
From: Michal Privoznik
To: libvir-list@redhat.com
Date: Thu, 22 Aug 2019 16:56:02 +0200
Message-Id: <45814a9a1ec4dce14f19c94dd9d03d87252fcf1f.1566485724.git.mprivozn@redhat.com>
Subject: [libvirt] [PATCH v3 2/2] security_util: Remove stale XATTRs

It may happen that we leave some XATTRs behind. For instance, on a sudden power loss, the host just shuts down without calling restore on domain paths. This creates a problem, because when the host starts up again, the XATTRs are there but they don't reflect the true state and this may result in libvirt denying the start of a domain. To solve this, save a unique timestamp (host boot time) along with our XATTRs.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1741140

Signed-off-by: Michal Privoznik
Reviewed-by: Jiri Denemark
---
diff to v2:
- Jirka's suggestions worked in.

src/security/security_util.c | 194 +++++++++++++++++++++++++++++++-
tests/qemusecuritymock.c | 12 ++
tools/libvirt_recover_xattrs.sh | 2 +-
3 files changed, 206 insertions(+), 2 deletions(-)

diff --git a/src/security/security_util.c b/src/security/security_util.c
index 365b2dd2d6..31f41cedfd 100644
--- a/src/security/security_util.c
+++ b/src/security/security_util.c
@@ -22,11 +22,16 @@ #include "virfile.h" #include "virstring.h" #include "virerror.h" +#include "virlog.h" +#include "viruuid.h" +#include "virhostuptime.h" =20 #include "security_util.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 +VIR_LOG_INIT("security.security_util"); + /* There are four namespaces available on Linux (xattr(7)): * * user - can be modified by anybody, 
@@ -83,6 +88,153 @@ virSecurityGetRefCountAttrName(const char *name ATTRIBU= TE_UNUSED) } =20 =20 +#ifdef XATTR_NAMESPACE +static char * +virSecurityGetTimestampAttrName(const char *name) +{ + char *ret =3D NULL; + ignore_value(virAsprintf(&ret, XATTR_NAMESPACE ".libvirt.security.time= stamp_%s", name)); + return ret; +} +#else /* !XATTR_NAMESPACE */ +static char * +virSecurityGetTimestampAttrName(const char *name ATTRIBUTE_UNUSED) +{ + errno =3D ENOSYS; + virReportSystemError(errno, "%s", + _("Extended attributes are not supported on this = system")); + return NULL; +} +#endif /* !XATTR_NAMESPACE */ + + +static char * +virSecurityGetTimestamp(void) +{ + unsigned long long boottime =3D 0; + char *ret =3D NULL; + + if (virHostGetBootTime(&boottime) < 0) { + virReportSystemError(errno, "%s", + _("Unable to get host boot time")); + return NULL; + } + + ignore_value(virAsprintf(&ret, "%llu", boottime)); + return ret; +} + + +/** + * virSecurityValidateTimestamp: + * @name: security driver name + * @path: file name + * + * Check if remembered label on @path for security driver @name + * is valid, i.e. the label has been set since the last boot. If + * the label was set in previous runs, all XATTRs related to + * @name are removed so that clean slate is restored. + * + * This is done having extra attribute timestamp_$SECDRIVER which + * contains the host boot time. Its value is then compared to + * actual host boot time. If these two values don't match then + * XATTRs are considered as stale and thus invalid. + * + * In ideal world, where there network file systems have XATTRs + * using plain host boot time is not enough as it may lead to a + * situation where a freshly started host sees XATTRs, sees the + * timestamp put there by some longer running host and considers + * the XATTRs invalid. Well, there is not an easy way out. We + * would need to somehow check if the longer running host is + * still there and uses the @path (how?). 
+ * Fortunately, there is only one network file system which + * supports XATTRs currently (GlusterFS via FUSE) and it is used + * so rarely that it's almost a corner case. + * The worst thing that happens there is that we remove XATTRs + * and thus return @path to the default label for $SECDRIVER. + * + * Returns: 0 if remembered label is valid, + * 1 if remembered label was not valid, + * -2 if underlying file system doesn't support XATTRs, + * -1 otherwise. + */ +static int +virSecurityValidateTimestamp(const char *name, + const char *path) +{ + VIR_AUTOFREE(char *) expected_timestamp =3D NULL; + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + VIR_AUTOFREE(char *) value =3D NULL; + + if (!(expected_timestamp =3D virSecurityGetTimestamp()) || + !(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + return -1; + + errno =3D 0; + if (virFileGetXAttrQuiet(path, timestamp_name, &value) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) { + return -2; + } else if (errno !=3D ENODATA) { + virReportSystemError(errno, + _("Unable to get XATTR %s on %s"), + timestamp_name, + path); + return -1; + } + + /* Timestamp is missing. We could continue and claim a valid times= tamp. + * But then we would never remove stale XATTRs. Therefore, claim it + * invalid and have the code below remove all XATTRs. This of cour= se + * means that we will not restore the original owner, but the plus= side + * is that we reset refcounter which will represent the true state. 
+ */ + } + + if (STREQ_NULLABLE(value, expected_timestamp)) { + VIR_DEBUG("XATTRs on %s secdriver=3D%s are valid", path, name); + return 0; + } + + VIR_WARN("Invalid XATTR timestamp detected on %s secdriver=3D%s", path= , name); + + if (virSecurityMoveRememberedLabel(name, path, NULL) < 0) + return -1; + + return 1; +} + + +static int +virSecurityAddTimestamp(const char *name, + const char *path) +{ + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + VIR_AUTOFREE(char *) timestamp_value =3D NULL; + + if (!(timestamp_value =3D virSecurityGetTimestamp()) || + !(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + return -1; + + return virFileSetXAttr(path, timestamp_name, timestamp_value); +} + + +static int +virSecurityRemoveTimestamp(const char *name, + const char *path) +{ + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + + if (!(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + return -1; + + if (virFileRemoveXAttr(path, timestamp_name) < 0 && errno !=3D ENOENT) + return -1; + + return 0; +} + + /** * virSecurityGetRememberedLabel: * @name: security driver name @@ -117,9 +269,13 @@ virSecurityGetRememberedLabel(const char *name, VIR_AUTOFREE(char *) attr_name =3D NULL; VIR_AUTOFREE(char *) value =3D NULL; unsigned int refcount =3D 0; + int rc; =20 *label =3D NULL; =20 + if ((rc =3D virSecurityValidateTimestamp(name, path)) < 0) + return rc; + if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) return -1; =20 @@ -163,6 +319,9 @@ virSecurityGetRememberedLabel(const char *name, =20 if (virFileRemoveXAttr(path, attr_name) < 0) return -1; + + if (virSecurityRemoveTimestamp(name, path) < 0) + return -1; } =20 return 0; 
@@ -198,6 +357,10 @@ virSecuritySetRememberedLabel(const char *name, VIR_AUTOFREE(char *) attr_name =3D NULL; VIR_AUTOFREE(char *) value =3D NULL; unsigned int refcount =3D 0; + int rc; + + if ((rc =3D virSecurityValidateTimestamp(name, path)) < 0) + return rc; =20 if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) return -1; @@ -232,6 +395,9 @@ virSecuritySetRememberedLabel(const char *name, =20 if (virFileSetXAttr(path, attr_name, label) < 0) return -1; + + if (virSecurityAddTimestamp(name, path) < 0) + return -1; } =20 if (virAsprintf(&value, "%u", refcount) < 0) @@ -266,9 +432,12 @@ virSecurityMoveRememberedLabel(const char *name, VIR_AUTOFREE(char *) ref_value =3D NULL; VIR_AUTOFREE(char *) attr_name =3D NULL; VIR_AUTOFREE(char *) attr_value =3D NULL; + VIR_AUTOFREE(char *) timestamp_name =3D NULL; + VIR_AUTOFREE(char *) timestamp_value =3D NULL; =20 if (!(ref_name =3D virSecurityGetRefCountAttrName(name)) || - !(attr_name =3D virSecurityGetAttrName(name))) + !(attr_name =3D virSecurityGetAttrName(name)) || + !(timestamp_name =3D virSecurityGetTimestampAttrName(name))) return -1; =20 if (virFileGetXAttrQuiet(src, ref_name, &ref_value) < 0) { @@ -293,6 +462,17 @@ virSecurityMoveRememberedLabel(const char *name, } } =20 + if (virFileGetXAttrQuiet(src, timestamp_name, ×tamp_value) < 0) { + if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) { + return -2; + } else if (errno !=3D ENODATA) { + virReportSystemError(errno, + _("Unable to get XATTR %s on %s"), + attr_name, src); + return -1; + } + } + if (ref_value && virFileRemoveXAttr(src, ref_name) < 0) { return -1; @@ -303,6 +483,11 @@ virSecurityMoveRememberedLabel(const char *name, return -1; } =20 + if (timestamp_value && + virFileRemoveXAttr(src, timestamp_name) < 0) { + return -1; + } + if (dst) { if (ref_value && virFileSetXAttr(dst, ref_name, ref_value) < 0) { 
@@ -314,6 +499,13 @@ virSecurityMoveRememberedLabel(const char *name, ignore_value(virFileRemoveXAttr(dst, ref_name)); return -1; } + + if (timestamp_value && + virFileSetXAttr(dst, timestamp_name, timestamp_value) < 0) { + ignore_value(virFileRemoveXAttr(dst, ref_name)); + ignore_value(virFileRemoveXAttr(dst, attr_name)); + return -1; + } } =20 return 0; diff --git a/tests/qemusecuritymock.c b/tests/qemusecuritymock.c index a15eef29c9..373d64305a 100644 --- a/tests/qemusecuritymock.c +++ b/tests/qemusecuritymock.c @@ -32,6 +32,7 @@ #include "viralloc.h" #include "qemusecuritytest.h" #include "security/security_manager.h" +#include "virhostuptime.h" =20 #define VIR_FROM_THIS VIR_FROM_NONE =20 @@ -488,3 +489,14 @@ virProcessRunInFork(virProcessForkCallback cb, { return cb(-1, opaque); } + + +/* We don't really need to mock this function. The qemusecuritytest doesn't + * care about the actual value. However, travis runs build and tests in a + * container where utmp is missing and thus this function fails. */ +int +virHostGetBootTime(unsigned long long *when) +{ + *when =3D 1234567890; + return 0; +} diff --git a/tools/libvirt_recover_xattrs.sh b/tools/libvirt_recover_xattrs= .sh index 58f02f8dfb..3907413c63 100755 --- a/tools/libvirt_recover_xattrs.sh +++ b/tools/libvirt_recover_xattrs.sh @@ -74,7 +74,7 @@ fi declare -a XATTRS for i in "dac" "selinux"; do for p in ${LIBVIRT_XATTR_PREFIXES[@]}; do - XATTRS+=3D("$p.$i" "$p.ref_$i") + XATTRS+=3D("$p.$i" "$p.ref_$i" "$p.timestamp_$i") done done =20 --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
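Review bot: in the first security_util.c hunk (`@@ -22,11 +22,16 @@`), `#include "viruuid.h"` is still unused in v3; nothing in the patch calls a UUID helper, so drop it.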
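Review bot: the doc comment of virSecurityValidateTimestamp() in the `@@ -83,6 +88,153 @@` hunk has a garbled sentence, "In ideal world, where there network file systems have XATTRs using plain host boot time is not enough", which should read "In an ideal world, where network file systems have XATTRs, using the plain host boot time is not enough"; it would also help operators to state explicitly that a missing timestamp attribute (ENODATA) is treated as stale and causes virSecurityMoveRememberedLabel(name, path, NULL) to remove the label and refcount attributes, since that is the behaviour they will see after a crash. The code in this hunk now fetches the timestamp in virSecurityAddTimestamp() and returns -2 for ENOSYS/ENOTSUP, which addresses the v2 review points.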
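Review bot: in the `@@ -293,6 +462,17 @@` hunk of virSecurityMoveRememberedLabel(), the error for a failed read of the timestamp attribute still reports `attr_name` instead of `timestamp_name`, so the message names the wrong XATTR; pass `timestamp_name, src`.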