Re: [libvirt] [PATCH] Apply security label when entering LXC namespaces

2013-03-13 Thread Daniel P. Berrange
On Tue, Mar 12, 2013 at 01:06:59PM -0600, Eric Blake wrote:
> On 03/12/2013 11:28 AM, Daniel P. Berrange wrote:
> > From: "Daniel P. Berrange" 
> > 
> > Add a new virDomainLxcEnterSecurityLabel() function as a
> > counterpart to virDomainLxcEnterNamespaces(), which can
> > change the current calling process to have a new security
> > context. This call runs client side, not in libvirtd
> > so we can't use the security driver infrastructure.
> > 
> > When entering a namespace, the process spawned from virsh
> > will default to running with the security label of virsh.
> > The actual desired behaviour is to run with the security
> > label of the container most of the time. So this changes
> > virsh lxc-enter-namespace command to invoke the
> > virDomainLxcEnterSecurityLabel method.
> > 
> 
> >  include/libvirt/libvirt-lxc.h |  4 ++
> >  python/generator.py   |  1 +
> >  src/libvirt-lxc.c | 96 
> > +++
> >  tools/virsh-domain.c  | 32 +++
> >  4 files changed, 133 insertions(+)
> 
> Missing an entry in src/libvirt_lxc.syms to actually expose the new
> function in the .so.

Applying the following:

diff --git a/src/libvirt_lxc.syms b/src/libvirt_lxc.syms
index b5be18b..ccf1be9 100644
--- a/src/libvirt_lxc.syms
+++ b/src/libvirt_lxc.syms
@@ -15,3 +15,8 @@ LIBVIRT_LXC_1.0.2 {
 virDomainLxcEnterNamespace;
 virDomainLxcOpenNamespace;
 };
+
+LIBVIRT_LXC_1.0.4 {
+global:
+virDomainLxcEnterSecurityLabel;
+} LIBVIRT_LXC_1.0.2;




Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|



Re: [libvirt] [PATCH] Apply security label when entering LXC namespaces

2013-03-12 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 03/12/2013 03:06 PM, Eric Blake wrote:
> On 03/12/2013 11:28 AM, Daniel P. Berrange wrote:
>> From: "Daniel P. Berrange" 
>> 
>> Add a new virDomainLxcEnterSecurityLabel() function as a counterpart to
>> virDomainLxcEnterNamespaces(), which can change the current calling
>> process to have a new security context. This call runs client side, not
>> in libvirtd so we can't use the security driver infrastructure.
>> 
>> When entering a namespace, the process spawned from virsh will default to
>> running with the security label of virsh. The actual desired behaviour is
>> to run with the security label of the container most of the time. So this
>> changes virsh lxc-enter-namespace command to invoke the 
>> virDomainLxcEnterSecurityLabel method.
>> 
> 
>> include/libvirt/libvirt-lxc.h |  4 ++ python/generator.py   |  1
>> + src/libvirt-lxc.c | 96
>> +++ tools/virsh-domain.c
>> | 32 +++ 4 files changed, 133 insertions(+)
> 
> Missing an entry in src/libvirt_lxc.syms to actually expose the new 
> function in the .so.
> 
>> +++ b/src/libvirt-lxc.c @@ -29,6 +29,9 @@ #include "virlog.h" #include
>> "virprocess.h" #include "datatypes.h" +#ifdef WITH_SELINUX +#include
>>  +#endif
> 
> Will fail 'make syntax-check' if cppi is installed.
> 
>> @@ -8029,12 +8036,35 @@ cmdLxcEnterNamespace(vshControl *ctl, const
>> vshCmd *cmd) if ((nfdlist = virDomainLxcOpenNamespace(dom, &fdlist, 0)) <
>> 0) goto cleanup;
>> 
>> +if (setlabel) { +fprintf(stderr, "Getr sec\n");
> 
> Spurious debug message?
> 
> ACK with those things addressed.
> 

Here is my current patch for this, with a fix for the syms file.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlE/hLoACgkQrlYvE4MpobPImgCggDyVpwbhsy4lMd2nZmTGavCF
qkIAn0gJT1xc2487N8HP081M1ydC02rn
=VTUO
-END PGP SIGNATURE-
diff --git a/include/libvirt/libvirt-lxc.h b/include/libvirt/libvirt-lxc.h
index f2c87fb..257637b 100644
--- a/include/libvirt/libvirt-lxc.h
+++ b/include/libvirt/libvirt-lxc.h
@@ -43,6 +43,9 @@ int virDomainLxcEnterNamespace(virDomainPtr domain,
int **oldfdlist,
unsigned int flags);
 
+int virDomainLxcGetSecurityLabel(virDomainPtr domain,
+ virSecurityLabelPtr seclabel);
+
 # ifdef __cplusplus
 }
 # endif
diff --git a/python/generator.py b/python/generator.py
index 8236bd2..308b776 100755
--- a/python/generator.py
+++ b/python/generator.py
@@ -557,6 +557,7 @@ skip_function = (
 
 lxc_skip_function = (
   "virDomainLxcEnterNamespace",
+  "virDomainLxcGetSecurityLabel",
 )
 qemu_skip_function = (
 #"virDomainQemuAttach",
diff --git a/src/libvirt-lxc.c b/src/libvirt-lxc.c
index f580c3c..a4aff59 100644
--- a/src/libvirt-lxc.c
+++ b/src/libvirt-lxc.c
@@ -41,6 +41,57 @@
  __LINE__, info)
 
 /**
+ * virDomainLxcGetSecurityLabel:
+ * @domain: a domain object
+ * @seclabel: pointer to a virSecurityLabel structure
+ *
+ * This API is LXC specific, so it will only work with hypervisor
+ * connections to the LXC driver.
+ *
+ * Get the security label associated with the container @domain.
+ *
+ * Returns 0 on success, or -1 on error
+ */
+int
+virDomainLxcGetSecurityLabel(virDomainPtr domain,
+ virSecurityLabelPtr seclabel)
+{
+virConnectPtr conn;
+
+VIR_DEBUG("domain=%p", domain);
+
+virResetLastError();
+
+if (!VIR_IS_CONNECTED_DOMAIN(domain)) {
+	virLibDomainError(NULL, VIR_ERR_INVALID_DOMAIN, __FUNCTION__);
+	virDispatchError(NULL);
+	return -1;
+}
+
+conn = domain->conn;
+
+if (conn->flags & VIR_CONNECT_RO) {
+	virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+	goto error;
+}
+
+if (conn->driver->domainGetSecurityLabel) {
+
+	if (conn->driver->domainGetSecurityLabel(domain,
+		 seclabel) < 0)
+	goto error;
+
+	return 0;
+}
+
+virLibConnError(conn, VIR_ERR_NO_SUPPORT, __FUNCTION__);
+
+error:
+virDispatchError(conn);
+return -1;
+}
+
+/**
  * virDomainLxcOpenNamespace:
  * @domain: a domain object
  * @fdlist: pointer to an array to be filled with FDs
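Review bot: `seclabel` is passed straight to `conn->driver->domainGetSecurityLabel()` in the new virDomainLxcGetSecurityLabel() without a NULL check, so a caller passing NULL relies on every driver implementation guarding against it; add `virCheckNonNullArgGoto(seclabel, error);` right after `conn = domain->conn;`. The `VIR_CONNECT_RO` rejection also looks out of place on a call that only reads the label: if it is deliberate because the label is about to be used to enter the container's context, say so in a one-line comment, otherwise drop it. `VIR_DEBUG("domain=%p", domain);` should log `seclabel` as well so that a trace shows both arguments.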
diff --git a/src/libvirt_lxc.syms b/src/libvirt_lxc.syms
index b5be18b..3ef4eb8 100644
--- a/src/libvirt_lxc.syms
+++ b/src/libvirt_lxc.syms
@@ -14,4 +14,5 @@ LIBVIRT_LXC_1.0.2 {
 global:
 virDomainLxcEnterNamespace;
 virDomainLxcOpenNamespace;
+virDomainLxcGetSecurityLabel;
 };
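Review bot: `virDomainLxcGetSecurityLabel` is appended to the existing `LIBVIRT_LXC_1.0.2` node instead of a new version node. If a release has already shipped with that node (not visible in this hunk, so confirm), a binary built against the new library would record only a `LIBVIRT_LXC_1.0.2` dependency and could load against an older library that lacks the symbol, failing at symbol resolution instead of at the version check. Put the symbol in a new node that inherits from the old one, e.g. `LIBVIRT_LXC_<next-release> { global: virDomainLxcGetSecurityLabel; } LIBVIRT_LXC_1.0.2;`.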
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index f136df2..89f87f2 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -1125,6 +1125,7 @@ static int lxcDomainGetSecurityLabel(virDomainPtr dom, virSecurityLabelPtr secla
 {
 virLXCDriverPtr driver = dom->conn->privateData;
 virDomainObjPtr vm;
+virLXCDomainObjPrivatePtr priv;
 int ret = -1;
 
 lxcDriverLo

Re: [libvirt] [PATCH] Apply security label when entering LXC namespaces

2013-03-12 Thread Eric Blake
On 03/12/2013 11:28 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" 
> 
> Add a new virDomainLxcEnterSecurityLabel() function as a
> counterpart to virDomainLxcEnterNamespaces(), which can
> change the current calling process to have a new security
> context. This call runs client side, not in libvirtd
> so we can't use the security driver infrastructure.
> 
> When entering a namespace, the process spawned from virsh
> will default to running with the security label of virsh.
> The actual desired behaviour is to run with the security
> label of the container most of the time. So this changes
> virsh lxc-enter-namespace command to invoke the
> virDomainLxcEnterSecurityLabel method.
> 

>  include/libvirt/libvirt-lxc.h |  4 ++
>  python/generator.py   |  1 +
>  src/libvirt-lxc.c | 96 
> +++
>  tools/virsh-domain.c  | 32 +++
>  4 files changed, 133 insertions(+)

Missing an entry in src/libvirt_lxc.syms to actually expose the new
function in the .so.

> +++ b/src/libvirt-lxc.c
> @@ -29,6 +29,9 @@
>  #include "virlog.h"
>  #include "virprocess.h"
>  #include "datatypes.h"
> +#ifdef WITH_SELINUX
> +#include 
> +#endif

Will fail 'make syntax-check' if cppi is installed.

> @@ -8029,12 +8036,35 @@ cmdLxcEnterNamespace(vshControl *ctl, const vshCmd 
> *cmd)
>  if ((nfdlist = virDomainLxcOpenNamespace(dom, &fdlist, 0)) < 0)
>  goto cleanup;
>  
> +if (setlabel) {
> +fprintf(stderr, "Getr sec\n");

Spurious debug message?

ACK with those things addressed.

-- 
Eric Blake   eblake redhat com+1-919-301-3266
Libvirt virtualization library http://libvirt.org




[libvirt] [PATCH] Apply security label when entering LXC namespaces

2013-03-12 Thread Daniel P. Berrange
From: "Daniel P. Berrange" 

Add a new virDomainLxcEnterSecurityLabel() function as a
counterpart to virDomainLxcEnterNamespace(), which can
change the current calling process to have a new security
context. This call runs client side, not in libvirtd,
so we can't use the security driver infrastructure.

When entering a namespace, the process spawned from virsh
will default to running with the security label of virsh.
The actual desired behaviour is to run with the security
label of the container most of the time. So this changes
virsh lxc-enter-namespace command to invoke the
virDomainLxcEnterSecurityLabel method.

The current behaviour is:

LABEL PID TTY  TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 29 ? 00:00:00 dhclient
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 47 ? 00:00:00 ps

Note the ps command is running as unconfined_t,  After this patch,

The new behaviour is this:

virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ
LABEL PID TTY  TIME CMD
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient
system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 38 ? 00:00:00 ps

The '--noseclabel' flag can be used to skip security labelling.
---
 include/libvirt/libvirt-lxc.h |  4 ++
 python/generator.py   |  1 +
 src/libvirt-lxc.c | 96 +++
 tools/virsh-domain.c  | 32 +++
 4 files changed, 133 insertions(+)

diff --git a/include/libvirt/libvirt-lxc.h b/include/libvirt/libvirt-lxc.h
index f2c87fb..5021813 100644
--- a/include/libvirt/libvirt-lxc.h
+++ b/include/libvirt/libvirt-lxc.h
@@ -42,6 +42,10 @@ int virDomainLxcEnterNamespace(virDomainPtr domain,
unsigned int *noldfdlist,
int **oldfdlist,
unsigned int flags);
+int virDomainLxcEnterSecurityLabel(virSecurityModelPtr model,
+   virSecurityLabelPtr label,
+   virSecurityLabelPtr oldlabel,
+   unsigned int flags);
 
 # ifdef __cplusplus
 }
diff --git a/python/generator.py b/python/generator.py
index 8236bd2..6a25c2d 100755
--- a/python/generator.py
+++ b/python/generator.py
@@ -557,6 +557,7 @@ skip_function = (
 
 lxc_skip_function = (
   "virDomainLxcEnterNamespace",
+  "virDomainLxcEnterSecurityLabel",
 )
 qemu_skip_function = (
 #"virDomainQemuAttach",
diff --git a/src/libvirt-lxc.c b/src/libvirt-lxc.c
index f580c3c..c1bf168 100644
--- a/src/libvirt-lxc.c
+++ b/src/libvirt-lxc.c
@@ -29,6 +29,9 @@
 #include "virlog.h"
 #include "virprocess.h"
 #include "datatypes.h"
+#ifdef WITH_SELINUX
+#include 
+#endif
 
 #define VIR_FROM_THIS VIR_FROM_NONE
 
@@ -163,3 +166,96 @@ error:
 virDispatchError(domain->conn);
 return -1;
 }
+
+
+/**
+ * virDomainLxcEnterSecurityLabel:
+ * @model: the security model to set
+ * @label: the security label to apply
+ * @oldlabel: filled with old security label
+ * @flags: currently unused, pass 0
+ *
+ * This API is LXC specific, so it will only work with hypervisor
+ * connections to the LXC driver.
+ *
+ * Attaches the process to the security label specified
+ * by @label. @label is interpreted relative to @model
+ * Depending on the security driver, this may
+ * not take effect until the next call to exec().
+ *
+ * If @oldlabel is not NULL, it will be filled with info
+ * about the current security label. This may let the
+ * process be moved back to the previous label if no
+ * exec() has yet been performed.
+ *
+ * Returns 0 on success, -1 on error
+ */
+int
+virDomainLxcEnterSecurityLabel(virSecurityModelPtr model,
+   virSecurityLabelPtr label,
+   virSecurityLabelPtr oldlabel,
+   unsigned int flags)
+{
+virCheckFlagsGoto(0, error);
+
+virCheckNonNullArgGoto(model, error);
+virCheckNonNullArgGoto(label, error);
+
+if (oldlabel)
+memset(oldlabel, 0, sizeof(*oldlabel));
+
+if (STREQ(model->model, "selinux")) {
+#ifdef WITH_SELINUX
+if (oldlabel) {
+security_context_t ctx;
+
+if (getcon(&ctx) < 0) {
+virReportSystemError(errno,
+ _("unable to get PID %d security 
context"),
+ getpid());
+goto error;
+}
+
+if (strlen((char *) ctx) >= VIR_SECURITY_LABEL_BUFLEN) {
+