From: Michal Privoznik To: libvir-list@redhat.com Date: Wed, 14 Nov 2018 13:44:34 +0100 Message-Id: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v4 06/15] security_manager: Rework metadata locking X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Wed, 14 Nov 2018 13:17:18 +0000 (UTC) Content-Type: text/plain; charset="utf-8" Trying to use virtlockd to lock metadata turns out to be too big a gun. Since we will always spawn a separate process for relabeling, we are safe to use thread-unsafe POSIX locks and take virtlockd completely out of the picture. Signed-off-by: Michal Privoznik Reviewed-by: John Ferlan --- src/security/security_dac.c | 12 +- src/security/security_manager.c | 225 +++++++++++++++++--------------- src/security/security_manager.h | 17 ++- src/security/security_selinux.c | 11 +- 4 files changed, 141 insertions(+), 124 deletions(-) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 0e100f7895..6b64d2c07a 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -205,6 +205,7 @@ virSecurityDACTransactionRun(pid_t pid ATTRIBUTE_UNUSED, void *opaque) { virSecurityDACChownListPtr list =3D opaque; + virSecurityManagerMetadataLockStatePtr state; const char **paths =3D NULL; size_t npaths =3D 0; size_t i; 
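Review bot: The new `state` local is declared without an initializer, and virSecurityManagerMetadataUnlock dereferences `*state` without checking it, so any future path that reaches the unlock call without going through the lock branch would read an indeterminate pointer; declare it as `virSecurityManagerMetadataLockStatePtr state = NULL;`. Today the two `if (list->lock)` guards keep lock and unlock in step, so this is a robustness point rather than a live bug. The same applies to the matching declaration added in the security_selinux.c hunk at -215. virSecurityDACTransactionRun continues past the end of this hunk.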
@@ -218,14 +219,10 @@ virSecurityDACTransactionRun(pid_t pid ATTRIBUTE_UNUS= ED, for (i =3D 0; i < list->nItems; i++) { const char *p =3D list->items[i]->path; =20 - if (!p || - virFileIsDir(p)) - continue; - VIR_APPEND_ELEMENT_COPY_INPLACE(paths, npaths, p); } =20 - if (virSecurityManagerMetadataLock(list->manager, paths, npaths) <= 0) + if (!(state =3D virSecurityManagerMetadataLock(list->manager, path= s, npaths))) goto cleanup; } =20 @@ -249,9 +246,8 @@ virSecurityDACTransactionRun(pid_t pid ATTRIBUTE_UNUSED, break; } =20 - if (list->lock && - virSecurityManagerMetadataUnlock(list->manager, paths, npaths) < 0) - goto cleanup; + if (list->lock) + virSecurityManagerMetadataUnlock(list->manager, &state); =20 if (rv < 0) goto cleanup; diff --git a/src/security/security_manager.c b/src/security/security_manage= r.c index 712b785ae9..f527e6b5b3 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -21,6 +21,10 @@ */ #include =20 +#include +#include +#include + #include "security_driver.h" #include "security_stack.h" #include "security_dac.h" @@ -30,14 +34,11 @@ #include "virlog.h" #include "locking/lock_manager.h" #include "virfile.h" -#include "virtime.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 VIR_LOG_INIT("security.security_manager"); =20 -virMutex lockManagerMutex =3D VIR_MUTEX_INITIALIZER; - struct _virSecurityManager { virObjectLockable parent; =20 @@ -47,10 +48,6 @@ struct _virSecurityManager { void *privateData; =20 virLockManagerPluginPtr lockPlugin; - /* This is a FD that represents a connection to virtlockd so - * that connection is kept open in between MetdataLock() and - * MetadataUnlock() calls. */ - int clientfd; }; =20 static virClassPtr virSecurityManagerClass; @@ -66,7 +63,6 @@ void virSecurityManagerDispose(void *obj) mgr->drv->close(mgr); =20 virObjectUnref(mgr->lockPlugin); - VIR_FORCE_CLOSE(mgr->clientfd); =20 VIR_FREE(mgr->privateData); } 
@@ -119,7 +115,6 @@ virSecurityManagerNewDriver(virSecurityDriverPtr drv, mgr->flags =3D flags; mgr->virtDriver =3D virtDriver; VIR_STEAL_PTR(mgr->privateData, privateData); - mgr->clientfd =3D -1; =20 if (drv->open(mgr) < 0) goto error; 
@@ -1281,129 +1276,153 @@ virSecurityManagerRestoreTPMLabels(virSecurityMan= agerPtr mgr, } =20 =20 -static virLockManagerPtr -virSecurityManagerNewLockManager(virSecurityManagerPtr mgr, - const char * const *paths, - size_t npaths) +struct _virSecurityManagerMetadataLockState { + size_t nfds; + int *fds; +}; + + +static int +cmpstringp(const void *p1, const void *p2) { - virLockManagerPtr lock; - virLockManagerParam params[] =3D { - { .type =3D VIR_LOCK_MANAGER_PARAM_TYPE_UUID, - .key =3D "uuid", - }, - { .type =3D VIR_LOCK_MANAGER_PARAM_TYPE_STRING, - .key =3D "name", - .value =3D { .cstr =3D "libvirtd-sec" }, - }, - { .type =3D VIR_LOCK_MANAGER_PARAM_TYPE_UINT, - .key =3D "pid", - .value =3D { .iv =3D getpid() }, - }, - }; - const unsigned int flags =3D 0; - size_t i; + const char *s1 =3D *(char * const *) p1; + const char *s2 =3D *(char * const *) p2; =20 - if (virGetHostUUID(params[0].value.uuid) < 0) - return NULL; + if (!s1 && !s2) + return 0; =20 - if (!(lock =3D virLockManagerNew(virLockManagerPluginGetDriver(mgr->lo= ckPlugin), - VIR_LOCK_MANAGER_OBJECT_TYPE_DAEMON, - ARRAY_CARDINALITY(params), - params, - flags))) - return NULL; + if (!s1 || !s2) + return s2 ? -1 : 1; =20 - for (i =3D 0; i < npaths; i++) { - if (virLockManagerAddResource(lock, - VIR_LOCK_MANAGER_RESOURCE_TYPE_METAD= ATA, - paths[i], 0, NULL, 0) < 0) - goto error; - } - - return lock; - error: - virLockManagerFree(lock); - return NULL; + /* from man 3 qsort */ + return strcmp(s1, s2); } =20 +#define METADATA_OFFSET 1 +#define METADATA_LEN 1 =20 -/* How many seconds should we try to acquire the lock before - * giving up. */ -#define LOCK_ACQUIRE_TIMEOUT 60 - -int -virSecurityManagerMetadataLock(virSecurityManagerPtr mgr, - const char * const *paths, +/** + * virSecurityManagerMetadataLock: + * @mgr: security manager object + * @paths: paths to lock + * @npaths: number of items in @paths array + * + * Lock passed @paths for metadata change. 
The returned state + * should be passed to virSecurityManagerMetadataUnlock. + * + * NOTE: this function is not thread safe (because of usage of + * POSIX locks). + * + * Returns: state on success, + * NULL on failure. + */ +virSecurityManagerMetadataLockStatePtr +virSecurityManagerMetadataLock(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, + const char **paths, size_t npaths) { - virLockManagerPtr lock; - virTimeBackOffVar timebackoff; - int fd =3D -1; - int rv =3D -1; - int ret =3D -1; + size_t i =3D 0; + size_t nfds =3D 0; + int *fds =3D NULL; + virSecurityManagerMetadataLockStatePtr ret =3D NULL; =20 - virMutexLock(&lockManagerMutex); + if (VIR_ALLOC_N(fds, npaths) < 0) + return NULL; =20 - if (!(lock =3D virSecurityManagerNewLockManager(mgr, paths, npaths))) - goto cleanup; + /* Sort paths to lock in order to avoid deadlocks. */ + qsort(paths, npaths, sizeof(*paths), cmpstringp); =20 - if (virTimeBackOffStart(&timebackoff, 1, LOCK_ACQUIRE_TIMEOUT * 1000) = < 0) - goto cleanup; - while (virTimeBackOffWait(&timebackoff)) { - rv =3D virLockManagerAcquire(lock, NULL, - VIR_LOCK_MANAGER_ACQUIRE_ROLLBACK, - VIR_DOMAIN_LOCK_FAILURE_DEFAULT, &fd); + for (i =3D 0; i < npaths; i++) { + const char *p =3D paths[i]; + struct stat sb; + int retries =3D 10 * 1000; + int fd; + + if (!p || stat(p, &sb) < 0) + continue; + + if (S_ISDIR(sb.st_mode)) { + /* Directories can't be locked */ + continue; + } + + if ((fd =3D open(p, O_RDWR)) < 0) { + if (S_ISSOCK(sb.st_mode)) { + /* Sockets can be opened only if there exists the + * other side that listens. */ + continue; + } + + virReportSystemError(errno, + _("unable to open %s"), + p); + goto cleanup; + } + + do { + if (virFileLock(fd, false, + METADATA_OFFSET, METADATA_LEN, false) < 0) { + if (retries && (errno =3D=3D EACCES || errno =3D=3D EAGAIN= )) { + /* File is locked. Try again. 
*/ + retries--; + usleep(1000); + continue; + } else { + virReportSystemError(errno, + _("unable to lock %s for metadata= change"), + p); + VIR_FORCE_CLOSE(fd); + goto cleanup; + } + } =20 - if (rv >=3D 0) break; + } while (1); =20 - if (virGetLastErrorCode() =3D=3D VIR_ERR_RESOURCE_BUSY) - continue; - - goto cleanup; + VIR_APPEND_ELEMENT_COPY_INPLACE(fds, nfds, fd); } =20 - if (rv < 0) + if (VIR_ALLOC(ret) < 0) goto cleanup; =20 - mgr->clientfd =3D fd; - fd =3D -1; + VIR_STEAL_PTR(ret->fds, fds); + ret->nfds =3D nfds; + nfds =3D 0; =20 - ret =3D 0; cleanup: - virLockManagerFree(lock); - VIR_FORCE_CLOSE(fd); - if (ret < 0) - virMutexUnlock(&lockManagerMutex); + for (i =3D nfds; i > 0; i--) + VIR_FORCE_CLOSE(fds[i - 1]); + VIR_FREE(fds); return ret; } =20 =20 -int -virSecurityManagerMetadataUnlock(virSecurityManagerPtr mgr, - const char * const *paths, - size_t npaths) +void +virSecurityManagerMetadataUnlock(virSecurityManagerPtr mgr ATTRIBUTE_UNUSE= D, + virSecurityManagerMetadataLockStatePtr *s= tate) { - virLockManagerPtr lock; - int fd; - int ret =3D -1; + size_t i; =20 - /* lockManagerMutex acquired from previous - * virSecurityManagerMetadataLock() call. */ + if (!state) + return; =20 - fd =3D mgr->clientfd; - mgr->clientfd =3D -1; + for (i =3D 0; i < (*state)->nfds; i++) { + char ebuf[1024]; + int fd =3D (*state)->fds[i]; =20 - if (!(lock =3D virSecurityManagerNewLockManager(mgr, paths, npaths))) - goto cleanup; + /* Technically, unlock is not needed because it will + * happen on VIR_CLOSE() anyway. But let's play it nice. 
*/ + if (virFileUnlock(fd, METADATA_OFFSET, METADATA_LEN) < 0) { + VIR_WARN("Unable to unlock fd %d: %s", + fd, virStrerror(errno, ebuf, sizeof(ebuf))); + } =20 - if (virLockManagerRelease(lock, NULL, 0) < 0) - goto cleanup; + if (VIR_CLOSE(fd) < 0) { + VIR_WARN("Unable to close fd %d: %s", + fd, virStrerror(errno, ebuf, sizeof(ebuf))); + } + } =20 - ret =3D 0; - cleanup: - virLockManagerFree(lock); - VIR_FORCE_CLOSE(fd); - virMutexUnlock(&lockManagerMutex); - return ret; + VIR_FREE((*state)->fds); + VIR_FREE(*state); } diff --git a/src/security/security_manager.h b/src/security/security_manage= r.h index 04bb54f61e..cacb17174f 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -200,11 +200,16 @@ int virSecurityManagerSetTPMLabels(virSecurityManager= Ptr mgr, int virSecurityManagerRestoreTPMLabels(virSecurityManagerPtr mgr, virDomainDefPtr vm); =20 -int virSecurityManagerMetadataLock(virSecurityManagerPtr mgr, - const char * const *paths, - size_t npaths); -int virSecurityManagerMetadataUnlock(virSecurityManagerPtr mgr, - const char * const *paths, - size_t npaths); +typedef struct _virSecurityManagerMetadataLockState virSecurityManagerMeta= dataLockState; +typedef virSecurityManagerMetadataLockState *virSecurityManagerMetadataLoc= kStatePtr; + +virSecurityManagerMetadataLockStatePtr +virSecurityManagerMetadataLock(virSecurityManagerPtr mgr, + const char **paths, + size_t npaths); + +void +virSecurityManagerMetadataUnlock(virSecurityManagerPtr mgr, + virSecurityManagerMetadataLockStatePtr *s= tate); =20 #endif /* VIR_SECURITY_MANAGER_H__ */ diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 5e72a3589a..95e9a1b0c7 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
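Review bot: virSecurityManagerMetadataUnlock checks only `state` for NULL and then dereferences `(*state)->nfds`, so a caller whose lock call failed (and whose pointer is therefore NULL) would crash on unlock; the guard should be `if (!state || !*state) return;`. In the lock loop the EACCES/EAGAIN test reads `errno` after virFileLock has returned; if virFileLock follows the virfile.c convention of returning `-errno`, comparing the return value (`rc == -EACCES || rc == -EAGAIN`) would not depend on errno surviving the call. The retry budget `10 * 1000` paired with `usleep(1000)` encodes a roughly 10-second bound (down from the removed LOCK_ACQUIRE_TIMEOUT of 60) but is unnamed; a `#define METADATA_LOCK_RETRIES` next to METADATA_OFFSET/METADATA_LEN would make the policy change visible. Note also that a failing `stat()` silently drops the path from the lock set, so relabeling of that path proceeds unlocked; that may be intended for vanished paths but deserves a comment saying so.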
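Review bot: The prototype relaxes @paths from `const char * const *` to `const char **` because the implementation now reorders the caller's array with qsort, but neither the header nor the doc comment on virSecurityManagerMetadataLock says so; add to the comment `@paths: paths to lock; sorted in place so locks are always acquired in the same order`. It would also help to state on virSecurityManagerMetadataUnlock that `*state` is freed and reset to NULL, since VIR_FREE clears the caller's pointer, so readers know why the function takes a double pointer. The thread-safety caveat lives only in the .c doc comment; repeating it in the header is where API users will look for it.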
@@ -215,6 +215,7 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UN= USED, void *opaque) { virSecuritySELinuxContextListPtr list =3D opaque; + virSecurityManagerMetadataLockStatePtr state; bool privileged =3D virSecurityManagerGetPrivileged(list->manager); const char **paths =3D NULL; size_t npaths =3D 0; @@ -229,13 +230,10 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_= UNUSED, for (i =3D 0; i < list->nItems; i++) { const char *p =3D list->items[i]->path; =20 - if (virFileIsDir(p)) - continue; - VIR_APPEND_ELEMENT_COPY_INPLACE(paths, npaths, p); } =20 - if (virSecurityManagerMetadataLock(list->manager, paths, npaths) <= 0) + if (!(state =3D virSecurityManagerMetadataLock(list->manager, path= s, npaths))) goto cleanup; } =20 @@ -253,9 +251,8 @@ virSecuritySELinuxTransactionRun(pid_t pid ATTRIBUTE_UN= USED, } } =20 - if (list->lock && - virSecurityManagerMetadataUnlock(list->manager, paths, npaths) < 0) - goto cleanup; + if (list->lock) + virSecurityManagerMetadataUnlock(list->manager, &state); =20 if (rv < 0) goto cleanup; --=20 2.18.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list