From: Michal Privoznik
To: libvir-list@redhat.com
Cc: r.bolshakov@yadro.com
Subject: [PATCH 1/4] security_util: Don't error on macOS when getting/setting/moving XATTRs
Date: Tue, 3 Nov 2020 14:13:26 +0100

There are three internal APIs implemented in this security_util file: virSecurityGetRememberedLabel(), virSecuritySetRememberedLabel() and virSecurityMoveRememberedLabel() for getting, setting and moving remembered seclabel. All three have a special return value of -2 when XATTRs are not supported (for whatever reason) and callers are expected to handle it gracefully. However, after my commit of v5.7.0-rc1~115 it may happen that one of the three functions returned -1 even though XATTRs are not supported (and thus -2 should have been returned).

Fixes: 7cfb7aab573a031880a1f4fd20747843fea109ba
Signed-off-by: Michal Privoznik
Reviewed-by: Andrea Bolognani
Reviewed-by: Roman Bolshakov
Tested-By: Roman Bolshakov
---
 src/security/security_util.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/security/security_util.c b/src/security/security_util.c index 7fa5163fe4..622bd901ee 100644 --- a/src/security/security_util.c +++ b/src/security/security_util.c
@@ -269,8 +269,11 @@ virSecurityGetRememberedLabel(const char *name, =20 *label =3D NULL; =20 - if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) + if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) { + if (errno =3D=3D ENOSYS) + return -2; return -1; + } =20 if (virFileGetXAttrQuiet(path, ref_name, &value) < 0) { if (errno =3D=3D ENOSYS || errno =3D=3D ENODATA || errno =3D=3D EN= OTSUP) @@ -364,8 +367,11 @@ virSecuritySetRememberedLabel(const char *name, g_autofree char *value =3D NULL; unsigned int refcount =3D 0; =20 - if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) + if (!(ref_name =3D virSecurityGetRefCountAttrName(name))) { + if (errno =3D=3D ENOSYS) + return -2; return -1; + } =20 if (virFileGetXAttrQuiet(path, ref_name, &value) < 0) { if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) { 
@@ -452,8 +458,11 @@ virSecurityMoveRememberedLabel(const char *name, =20 if (!(ref_name =3D virSecurityGetRefCountAttrName(name)) || !(attr_name =3D virSecurityGetAttrName(name)) || - !(timestamp_name =3D virSecurityGetTimestampAttrName(name))) + !(timestamp_name =3D virSecurityGetTimestampAttrName(name))) { + if (errno =3D=3D ENOSYS) + return -2; return -1; + } =20 if (virFileGetXAttrQuiet(src, ref_name, &ref_value) < 0) { if (errno =3D=3D ENOSYS || errno =3D=3D ENOTSUP) { --=20 2.26.2
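Review bot: In virSecurityGetRememberedLabel() and virSecuritySetRememberedLabel() the new `if (errno == ENOSYS) return -2;` branch depends on virSecurityGetRefCountAttrName() leaving errno set when it returns NULL, and nothing in these hunks states that contract. A short comment at the call site, or in the helper's documentation, saying that ENOSYS here means "no usable XATTR namespace on this platform" would explain why this one failure maps to -2. The virFileGetXAttrQuiet() check directly below also accepts ENOTSUP (and ENODATA in the getter), so it is worth saying whether testing ENOSYS alone is intentional.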
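Review bot: In virSecurityMoveRememberedLabel() the errno test runs after a chain of three helper calls joined by `||`, so it reads whatever errno the first failing helper left behind; if any of them can return NULL without touching errno, a stale ENOSYS from earlier code would turn a real failure into -2. Setting `errno = 0` before the chain would rule that out. The same three-line block now appears in all three functions, so a small shared helper or macro would keep the -1 versus -2 decision in one place.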
From: Michal Privoznik
To: libvir-list@redhat.com
Cc: r.bolshakov@yadro.com
Subject: [PATCH 2/4] qemusecuritytest: Test SELinux too
Date: Tue, 3 Nov 2020 14:13:27 +0100
Message-Id: <9d44bbf6673ea01ae9cbe657625ea21c9ef194fa.1604409134.git.mprivozn@redhat.com>

The qemusecuritytest checks for random domain XMLs from qemuxml2argvdata/ whether set+restore seclabels leaves something behind. It can be an XATTR that we forgot to remove or a file that the owner was not restored on. But so far only DAC driver is checked.

Implement missing pieces and enable SELinux testing too. This is done by mocking some libselinux APIs and following the same logic used for DAC - everything is implemented in memory, there is new hash table introduced that holds SELinux labels for paths that were setfilecon_raw()-ed and in the end the hash table is checked for entries that don't have the default SELinux label (i.e. were not restored).

Signed-off-by: Michal Privoznik Reviewed-by: Andrea Bolognani Tested-By: Roman Bolshakov --- tests/qemusecuritydata/virtual_domain_context | 2 + tests/qemusecuritydata/virtual_image_context | 2 + tests/qemusecuritymock.c | 195 +++++++++++++++++- tests/qemusecuritytest.c | 51 ++++- 4 files changed, 240 insertions(+), 10 deletions(-) create mode 100644 tests/qemusecuritydata/virtual_domain_context create mode 100644 tests/qemusecuritydata/virtual_image_context diff --git a/tests/qemusecuritydata/virtual_domain_context b/tests/qemusecu= ritydata/virtual_domain_context new file mode 100644 index 0000000000..150f281d10 --- /dev/null +++ b/tests/qemusecuritydata/virtual_domain_context @@ -0,0 +1,2 @@ +system_u:system_r:svirt_t:s0 +system_u:system_r:svirt_tcg_t:s0 diff --git a/tests/qemusecuritydata/virtual_image_context b/tests/qemusecur= itydata/virtual_image_context new file mode 100644 index 0000000000..8ab1e27ea2 --- /dev/null +++ b/tests/qemusecuritydata/virtual_image_context @@ -0,0 +1,2 @@ +system_u:object_r:svirt_image_t:s0 +system_u:object_r:virt_content_t:s0 diff --git a/tests/qemusecuritymock.c b/tests/qemusecuritymock.c index 543a5f7f3f..db03572dbe 100644 --- a/tests/qemusecuritymock.c +++ b/tests/qemusecuritymock.c @@ -24,6 +24,11 @@ #include #include =20 +#ifdef WITH_SELINUX +# include +# include +#endif + #include "virmock.h" #include "virfile.h" #include "virthread.h" @@ -41,7 +46,8 @@ * work as expected. Therefore there is a lot we have to mock * (chown, stat, XATTR APIs, etc.). Since the test won't run as * root chown() would fail, therefore we have to keep everything - * in memory. By default, all files are owned by 1:2. + * in memory. By default, all files are owned by 1:2 and have a + * SELinux label. * By the way, since there are some cases where real stat needs * to be called, the mocked functions are effective only if * $ENVVAR is set. 
@@ -49,11 +55,16 @@ =20 #define DEFAULT_UID 1 #define DEFAULT_GID 2 +#define DEFAULT_SELINUX_LABEL "system_u:object_r:default_t:s0" =20 =20 static int (*real_chown)(const char *path, uid_t uid, gid_t gid); static int (*real_open)(const char *path, int flags, ...); static int (*real_close)(int fd); +#ifdef WITH_SELINUX +static int (*real_setfilecon_raw)(const char *path, const char *context); +static int (*real_getfilecon_raw)(const char *path, char **context); +#endif =20 =20 /* Global mutex to avoid races */ @@ -71,6 +82,10 @@ virHashTablePtr xattr_paths =3D NULL; * the lower half is UID and the higher is GID. */ virHashTablePtr chown_paths =3D NULL; =20 +/* The SELinux label is stored in a hash table. For simplicity, + * the path os the key and the value is the label. */ +virHashTablePtr selinux_paths =3D NULL; + =20 static void init_hash(void) @@ -94,6 +109,11 @@ init_hash(void) fprintf(stderr, "Unable to create hash table for chowned paths\n"); abort(); } + + if (!(selinux_paths =3D virHashNew(g_free))) { + fprintf(stderr, "Unable to create hash table for selinux labels\n"= ); + abort(); + } } =20 =20 @@ -106,6 +126,10 @@ init_syms(void) VIR_MOCK_REAL_INIT(chown); VIR_MOCK_REAL_INIT(open); VIR_MOCK_REAL_INIT(close); +#ifdef WITH_SELINUX + VIR_MOCK_REAL_INIT(setfilecon_raw); + VIR_MOCK_REAL_INIT(getfilecon_raw); +#endif =20 /* Intentionally not calling init_hash() here */ } 
@@ -376,9 +400,30 @@ typedef struct _checkOwnerData checkOwnerData; struct _checkOwnerData { const char **paths; bool chown_fail; + bool selinux_fail; }; =20 =20 +static int +checkSELinux(void *payload, + const char *name, + void *opaque) +{ + checkOwnerData *data =3D opaque; + char *label =3D payload; + + if (STRNEQ(label, DEFAULT_SELINUX_LABEL) && + !virStringListHasString(data->paths, name)) { + fprintf(stderr, + "Path %s wasn't restored back to its original SELinux labe= l\n", + name); + data->selinux_fail =3D true; + } + + return 0; +} + + static int checkOwner(void *payload, const char *name, @@ -431,7 +476,7 @@ printXATTR(void *payload, int checkPaths(const char **paths) { int ret =3D -1; - checkOwnerData data =3D { .paths =3D paths, .chown_fail =3D false }; + checkOwnerData data =3D { .paths =3D paths, .chown_fail =3D false, .se= linux_fail =3D false }; bool xattr_fail =3D false; size_t i; =20 @@ -445,13 +490,16 @@ int checkPaths(const char **paths) } } =20 - if ((virHashForEach(chown_paths, checkOwner, &data)) < 0) + if (virHashForEach(selinux_paths, checkSELinux, &data) < 0) goto cleanup; =20 - if ((virHashForEach(xattr_paths, printXATTR, &xattr_fail)) < 0) + if (virHashForEach(chown_paths, checkOwner, &data) < 0) goto cleanup; =20 - if (data.chown_fail || xattr_fail) + if (virHashForEach(xattr_paths, printXATTR, &xattr_fail) < 0) + goto cleanup; + + if (data.chown_fail || data.selinux_fail || xattr_fail) goto cleanup; =20 ret =3D 0; @@ -466,9 +514,10 @@ void freePaths(void) virMutexLock(&m); init_hash(); =20 + virHashFree(selinux_paths); virHashFree(chown_paths); virHashFree(xattr_paths); - chown_paths =3D xattr_paths =3D NULL; + selinux_paths =3D chown_paths =3D xattr_paths =3D NULL; virMutexUnlock(&m); } =20 
@@ -490,3 +539,137 @@ virHostGetBootTime(unsigned long long *when) *when =3D 1234567890; return 0; } + + +#ifdef WITH_SELINUX +int +is_selinux_enabled(void) +{ + return 1; +} + + +struct selabel_handle * +selabel_open(unsigned int backend G_GNUC_UNUSED, + const struct selinux_opt *opts G_GNUC_UNUSED, + unsigned nopts G_GNUC_UNUSED) +{ + return (void*)((intptr_t) 0x1); +} + + +void +selabel_close(struct selabel_handle *rec G_GNUC_UNUSED) +{ + /* nada */ +} + + +const char * +selinux_virtual_domain_context_path(void) +{ + return abs_srcdir "/qemusecuritydata/virtual_domain_context"; +} + + +const char * +selinux_virtual_image_context_path(void) +{ + return abs_srcdir "/qemusecuritydata/virtual_image_context"; +} + + +int getcon_raw(char **context) +{ + *context =3D g_strdup("system_u:system_r:virtd_t:s0-s0:c0.c1023"); + return 0; +} + + +static int +mock_setfilecon_raw(const char *path, + const char *context) +{ + g_autofree char *val =3D g_strdup(context); + int ret =3D -1; + + virMutexLock(&m); + init_hash(); + + if (virHashUpdateEntry(selinux_paths, path, val) < 0) + goto cleanup; + val =3D NULL; + + ret =3D 0; + cleanup: + virMutexUnlock(&m); + return ret; +} + + +static int +mock_getfilecon_raw(const char *path, + char **context) +{ + const char *val; + + virMutexLock(&m); + init_hash(); + + val =3D virHashLookup(selinux_paths, path); + if (!val) + val =3D DEFAULT_SELINUX_LABEL; + + *context =3D g_strdup(val); + virMutexUnlock(&m); + return 0; +} + + +int +setfilecon_raw(const char *path, + const char *context) +{ + int ret; + + init_syms(); + + if (getenv(ENVVAR)) + ret =3D mock_setfilecon_raw(path, context); + else + ret =3D real_setfilecon_raw(path, context); + + return ret; +} + + +int +getfilecon_raw(const char *path, + char **context) +{ + int ret; + + init_syms(); + + if (getenv(ENVVAR)) + ret =3D mock_getfilecon_raw(path, context); + else + ret =3D real_getfilecon_raw(path, context); + + return ret; +} + + +int +selabel_lookup_raw(struct selabel_handle 
*hnd G_GNUC_UNUSED, + char **context, + const char *key G_GNUC_UNUSED, + int type G_GNUC_UNUSED) +{ + /* This function will be called only if we haven't found original labe= l in + * XATTRs. Return something else than DEFAULT_SELINUX_LABEL so that it= is + * considered as error. */ + *context =3D g_strdup("system_u:object_r:default_t:s1"); + return 0; +} +#endif diff --git a/tests/qemusecuritytest.c b/tests/qemusecuritytest.c index 297200d9ad..7ee1ccd1b6 100644 --- a/tests/qemusecuritytest.c +++ b/tests/qemusecuritytest.c @@ -73,6 +73,9 @@ prepareObjects(virQEMUDriverPtr driver, 0))) return -1; =20 + if (virSecurityManagerGenLabel(driver->securityManager, vm->def) < 0) + return -1; + *vm_ret =3D g_steal_pointer(&vm); return 0; } @@ -134,6 +137,11 @@ static int mymain(void) { virQEMUDriver driver; + virSecurityManagerPtr stack =3D NULL; + virSecurityManagerPtr dac =3D NULL; +#ifdef WITH_SELINUX + virSecurityManagerPtr selinux =3D NULL; +#endif int ret =3D 0; =20 if (virInitialize() < 0 || 
@@ -142,15 +150,45 @@ mymain(void) =20 /* Now fix the secdriver */ virObjectUnref(driver.securityManager); - if (!(driver.securityManager =3D virSecurityManagerNewDAC("test", 1000= , 1000, - VIR_SECURITY_M= ANAGER_PRIVILEGED | - VIR_SECURITY_M= ANAGER_DYNAMIC_OWNERSHIP, - NULL))) { + + if (!(dac =3D virSecurityManagerNewDAC("test", 1000, 1000, + VIR_SECURITY_MANAGER_PRIVILEGED | + VIR_SECURITY_MANAGER_DYNAMIC_OWNE= RSHIP, + NULL))) { fprintf(stderr, "Cannot initialize DAC security driver"); ret =3D -1; goto cleanup; } =20 + if (!(stack =3D virSecurityManagerNewStack(dac))) { + fprintf(stderr, "Cannot initialize stack security driver"); + ret =3D -1; + goto cleanup; + } + dac =3D NULL; + +#if WITH_SELINUX + selinux =3D virSecurityManagerNew("selinux", "test", + VIR_SECURITY_MANAGER_PRIVILEGED | + VIR_SECURITY_MANAGER_DEFAULT_CONFINED | + VIR_SECURITY_MANAGER_REQUIRE_CONFINED); + if (!selinux) { + fprintf(stderr, "Cannot initialize selinux security driver"); + ret =3D -1; + goto cleanup; + } + + if (virSecurityManagerStackAddNested(stack, selinux) < 0) { + fprintf(stderr, "Cannot add selinux security driver onto stack"); + ret =3D -1; + goto cleanup; + } + selinux =3D NULL; +#endif + + driver.securityManager =3D g_steal_pointer(&stack); + + #define DO_TEST_DOMAIN(f) \ do { \ struct testData data =3D {.driver =3D &driver, .file =3D f}; \ 
@@ -214,6 +252,11 @@ mymain(void) =20 cleanup: qemuTestDriverFree(&driver); +#ifdef WITH_SELINUX + virObjectUnref(selinux); +#endif + virObjectUnref(dac); + virObjectUnref(stack); return ret; } =20 --=20 2.26.2
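Review bot: In the tests/qemusecuritymock.c hunk that adds selabel_lookup_raw(), the fallback label is the bare literal "system_u:object_r:default_t:s1", which differs from DEFAULT_SELINUX_LABEL only in the trailing level, so the "must not equal the default" property the comment describes is easy to break by accident. Defining it as a named constant next to DEFAULT_SELINUX_LABEL would make the relationship explicit. Two smaller style points in the same file: the comment above selinux_paths reads "the path os the key", and getcon_raw() puts its return type on the same line as the name while every other function added here puts it on its own line.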
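Review bot: In the mymain() hunk of tests/qemusecuritytest.c, driver.securityManager is unref'd and then not reassigned until `driver.securityManager = g_steal_pointer(&stack);`, so every `goto cleanup` between those two points reaches qemuTestDriverFree(&driver) with the released pointer still stored in the driver. The removed code assigned the result of virSecurityManagerNewDAC() straight to the field, which left it NULL on failure; setting driver.securityManager to NULL right after the unref would restore that. The SELinux block here is guarded by `#if WITH_SELINUX` while the declaration of `selinux` and its unref in cleanup use `#ifdef WITH_SELINUX`; the three guards should use the same form.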
From: Michal Privoznik
To: libvir-list@redhat.com
Cc: r.bolshakov@yadro.com
Subject: [PATCH 3/4] qemusecuritytest: Skip on non supported platforms
Date: Tue, 3 Nov 2020 14:13:28 +0100

For seclabel remembering we need to have XATTRs and a special namespace that is accessible to CAP_SYS_ADMIN only (we don't want regular users to trick us into restoring to a different label). And what qemusecuritytest does is it checks whether we have not left any path behind with XATTRs or not restored to original seclabel after setAll + restoreAll round trip. But it can hardly do so if run on a platform where there's no XATTR namespace we can use.

Signed-off-by: Michal Privoznik
Reviewed-by: Andrea Bolognani
Reviewed-by: Roman Bolshakov
Tested-By: Roman Bolshakov
---
 src/libvirt_private.syms | 4 ++++
 src/security/security_util.c | 11 +++++++++++
 src/security/security_util.h | 3 +++
 tests/qemusecuritytest.c | 6 ++++++
 4 files changed, 24 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 95e50835ad..eb588a9357 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms
@@ -1609,6 +1609,10 @@ virSecurityManagerTransactionStart; virSecurityManagerVerify; =20 =20 +# security/security_util.h +virSecurityXATTRNamespaceDefined; + + # util/glibcompat.h vir_g_canonicalize_filename; vir_g_fsync; diff --git a/src/security/security_util.c b/src/security/security_util.c index 622bd901ee..26a7861e29 100644 --- a/src/security/security_util.c +++ b/src/security/security_util.c @@ -107,6 +107,17 @@ virSecurityGetTimestampAttrName(const char *name G_GNU= C_UNUSED) #endif /* !XATTR_NAMESPACE */ =20 =20 +bool +virSecurityXATTRNamespaceDefined(void) +{ +#ifdef XATTR_NAMESPACE + return true; +#else + return false; +#endif +} + + static char * virSecurityGetTimestamp(void) { diff --git a/src/security/security_util.h b/src/security/security_util.h index 91de704e62..7af6f009e2 100644 --- a/src/security/security_util.h +++ b/src/security/security_util.h @@ -32,3 +32,6 @@ int virSecurityMoveRememberedLabel(const char *name, const char *src, const char *dst); + +bool +virSecurityXATTRNamespaceDefined(void); diff --git a/tests/qemusecuritytest.c b/tests/qemusecuritytest.c index 7ee1ccd1b6..dc3deb37d2 100644 --- a/tests/qemusecuritytest.c +++ b/tests/qemusecuritytest.c @@ -22,6 +22,7 @@ #include "testutils.h" #include "testutilsqemu.h" #include "security/security_manager.h" +#include "security/security_util.h" #include "conf/domain_conf.h" #include "qemu/qemu_domain.h" #include "qemu/qemu_security.h" 
@@ -148,6 +149,11 @@ mymain(void) qemuTestDriverInit(&driver) < 0) return -1; =20 + if (!virSecurityXATTRNamespaceDefined()) { + ret =3D EXIT_AM_SKIP; + goto cleanup; + } + /* Now fix the secdriver */ virObjectUnref(driver.securityManager); =20 --=20 2.26.2
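Review bot: virSecurityXATTRNamespaceDefined() is added to security_util.c and declared in security_util.h without any doc comment, and the name alone does not say that the answer is fixed at build time by `#ifdef XATTR_NAMESPACE` rather than probed on the filesystem at run time. A short comment above the definition stating that it reports only whether the platform has a namespace the code can use, and that individual filesystems may still lack XATTR support (the -2 path from patch 1/4), would keep callers from treating a `true` result as a guarantee.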
pZl9DSP1zJXSjj8W3h/Xt//z4mbQzOnI3VaXZ9XFsxdxR2avcPWmqRGLxgSHxSZrAIPeSG Xmub1uPxnk1FBEvlp+grlsIva67yYss= X-MC-Unique: bEafNEr1NS6LcmW9ChbPtQ-1 From: Michal Privoznik To: libvir-list@redhat.com Subject: [PATCH 4/4] qemu_conf: Don't even attempt to enable rememberOwner if unsupported Date: Tue, 3 Nov 2020 14:13:29 +0100 Message-Id: <954dbef6fe2b3f1617066eb2901d8f30036f211f.1604409134.git.mprivozn@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-loop: libvir-list@redhat.com Cc: r.bolshakov@yadro.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Content-Type: text/plain; charset="utf-8" The remember owner feature uses XATTRs to store original seclabels. But that means we don't want a regular user to be able to change what we stored and thus trick us into setting different seclabel. Therefore, we use namespaces that are reserved to CAP_SYS_ADMIN only. Such namespaces exist on Linux and FreeBSD. That also means, that the whole feature is enabled only for qemu:///system. Now, while the secdriver code is capable of dealing with XATTRs being unsupported (it has to, not all filesystems support them) if the feature is enabled users will get an harmless error message in the logs and the feature disables itself. Since we have virSecurityXATTRNamespaceDefined() we can use it to make a wiser decision on the default state of the feature. 
Signed-off-by: Michal Privoznik Reviewed-by: Andrea Bolognani Reviewed-by: Roman Bolshakov Tested-By: Roman Bolshakov --- src/qemu/qemu_conf.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index ead9d1ee99..923aea8bd7 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -49,6 +49,7 @@ #include "storage_conf.h" #include "virutil.h" #include "configmake.h" +#include "security/security_util.h" =20 #define VIR_FROM_THIS VIR_FROM_QEMU =20 @@ -131,7 +132,11 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool pri= vileged, cfg->group =3D (gid_t)-1; } cfg->dynamicOwnership =3D privileged; - cfg->rememberOwner =3D privileged; + + if (privileged) + cfg->rememberOwner =3D virSecurityXATTRNamespaceDefined(); + else + cfg->rememberOwner =3D false; =20 cfg->cgroupControllers =3D -1; /* -1 =3D=3D auto-detect */ =20 --=20 2.26.2
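
Review bot: In the virQEMUDriverConfigNew() hunk, the new if/else on `privileged` only decides the default for cfg->rememberOwner, and nothing in the visible lines covers an explicit setting that turns the feature on where virSecurityXATTRNamespaceDefined() returns false. If the configuration can still enable it there, the log error described in the commit message would remain for that case, so either repeat the namespace check where the setting is parsed or state the limitation in the commit message. The four-line branch could also be written as `cfg->rememberOwner = privileged && virSecurityXATTRNamespaceDefined();`, and a short comment above it saying that the XATTR namespace is reserved to CAP_SYS_ADMIN would explain why this default now differs from cfg->dynamicOwnership on the line before.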