Re: [libvirt] [PATCHv4 1/2] lxc: allow to keep or drop capabilities

2014-07-23 Thread Ján Tomko
On 07/18/2014 10:02 AM, Cédric Bosdonnat wrote:
 Added capabilities in the features section of LXC domains
 configuration. This section can contain elements named after the
 capabilities like:
 
   <mknod state=on/>, keep CAP_MKNOD capability
   <sys_chroot state=off/> drop CAP_SYS_CHROOT capability
 
 Users can restrict or give more capabilities than the default using
 this mechanism.
 ---
  docs/drvlxc.html.in |  47 +
  docs/schemas/domaincommon.rng   | 207 
  src/conf/domain_conf.c  | 126 -
  src/conf/domain_conf.h  |  56 ++
  src/libvirt_private.syms|   3 +
  src/lxc/lxc_cgroup.c|   8 +
  src/lxc/lxc_container.c | 241 
 ++--
  src/util/vircgroup.c|  57 +-
  src/util/vircgroup.h|   2 +
  tests/domainschemadata/domain-caps-features.xml |  28 +++
  10 files changed, 755 insertions(+), 20 deletions(-)
  create mode 100644 tests/domainschemadata/domain-caps-features.xml
 

 @@ -11847,6 +11892,22 @@ virDomainDefParseXML(xmlDocPtr xml,
  def-features[val] = VIR_DOMAIN_FEATURE_STATE_ON;
  break;
  
 +case VIR_DOMAIN_FEATURE_CAPABILITIES:
 +node = ctxt-node;
 +ctxt-node = nodes[i];
 +if ((tmp = virXPathString(string(./@policy), ctxt))) {
 +if ((def-features[val] = 
 virDomainCapabilitiesPolicyTypeFromString(tmp)) == -1) {
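Review bot: the quoted lines save `ctxt->node` into `node`, overwrite it with `nodes[i]`, and take ownership of the string `tmp` returned by `virXPathString`, but they stop at the `== -1` check without showing where `ctxt->node = node` is restored or `tmp` is freed on that failure path. Please make sure the error branch restores the context node and frees `tmp` before leaving the case (or that the shared error label does both), otherwise a bad `policy` value leaves the XPath context pointing at the capabilities node for whatever runs next.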

def->features is described as being of type 'enum virTristateSwitch' (was
virDomainFeatureState before I pushed the enum cleanup), but you're treating
it as 'virDomainCapabilitiesPolicy' here.

Could you either
1) switch this to virTristateSwitch, using policy='on' / policy='off' instead
of allow/deny
2) document that a different enum is used for this feature in domain_conf.h
3) put the policy in a separate variable

Thanks,

Jan



--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCHv4 1/2] lxc: allow to keep or drop capabilities

2014-07-23 Thread Cedric Bosdonnat
On Wed, 2014-07-23 at 13:23 +0200, Ján Tomko wrote:
 On 07/18/2014 10:02 AM, Cédric Bosdonnat wrote:
  Added capabilities in the features section of LXC domains
  configuration. This section can contain elements named after the
  capabilities like:
  
    <mknod state=on/>, keep CAP_MKNOD capability
    <sys_chroot state=off/> drop CAP_SYS_CHROOT capability
  
  Users can restrict or give more capabilities than the default using
  this mechanism.
  ---
   docs/drvlxc.html.in |  47 +
   docs/schemas/domaincommon.rng   | 207 
   src/conf/domain_conf.c  | 126 -
   src/conf/domain_conf.h  |  56 ++
   src/libvirt_private.syms|   3 +
   src/lxc/lxc_cgroup.c|   8 +
   src/lxc/lxc_container.c | 241 
  ++--
   src/util/vircgroup.c|  57 +-
   src/util/vircgroup.h|   2 +
   tests/domainschemadata/domain-caps-features.xml |  28 +++
   10 files changed, 755 insertions(+), 20 deletions(-)
   create mode 100644 tests/domainschemadata/domain-caps-features.xml
  
 
  @@ -11847,6 +11892,22 @@ virDomainDefParseXML(xmlDocPtr xml,
   def-features[val] = VIR_DOMAIN_FEATURE_STATE_ON;
   break;
   
  +case VIR_DOMAIN_FEATURE_CAPABILITIES:
  +node = ctxt-node;
  +ctxt-node = nodes[i];
  +if ((tmp = virXPathString(string(./@policy), ctxt))) {
  +if ((def-features[val] = 
  virDomainCapabilitiesPolicyTypeFromString(tmp)) == -1) {
 
 def->features is described as being of type 'enum virTristateSwitch' (was
 virDomainFeatureState before I pushed the enum cleanup), but you're treating
 it as 'virDomainCapabilitiesPolicy' here.
 
 Could you either
 1) switch this to virTristateSwitch, using policy='on' / policy='off' instead
 of allow/deny
 2) document that a different enum is used for this feature in domain_conf.h

Just pushed a commit documenting that in domain_conf.h

--
Cedric

 3) put the policy in a separate variable
 
 Thanks,
 
 Jan
 



[libvirt] [PATCHv4 1/2] lxc: allow to keep or drop capabilities

2014-07-18 Thread Cédric Bosdonnat
Added capabilities in the features section of LXC domains
configuration. This section can contain elements named after the
capabilities like:

  <mknod state=on/>, keep CAP_MKNOD capability
  <sys_chroot state=off/> drop CAP_SYS_CHROOT capability

Users can restrict or give more capabilities than the default using
this mechanism.
---
 docs/drvlxc.html.in |  47 +
 docs/schemas/domaincommon.rng   | 207 
 src/conf/domain_conf.c  | 126 -
 src/conf/domain_conf.h  |  56 ++
 src/libvirt_private.syms|   3 +
 src/lxc/lxc_cgroup.c|   8 +
 src/lxc/lxc_container.c | 241 ++--
 src/util/vircgroup.c|  57 +-
 src/util/vircgroup.h|   2 +
 tests/domainschemadata/domain-caps-features.xml |  28 +++
 10 files changed, 755 insertions(+), 20 deletions(-)
 create mode 100644 tests/domainschemadata/domain-caps-features.xml

diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in
index fc4bc20..403ce24 100644
--- a/docs/drvlxc.html.in
+++ b/docs/drvlxc.html.in
@@ -540,6 +540,53 @@ debootstrap, whatever) under /opt/vm-1-root:
 lt;/domaingt;
 /pre
 
+h2a name=capabilitiesAltering the available capabilities/a/h2
+
+p
+By default the libvirt LXC driver drops some capabilities among which 
CAP_MKNOD.
+However span class=sincesince 1.2.6/span libvirt can be told to keep or
+drop some capabilities using a domain configuration like the following:
+/p
+pre
+...
+lt;featuresgt;
+  lt;capabilities policy='default'gt;
+lt;mknod state='on'/gt;
+lt;sys_chroot state='off'/gt;
+  lt;/capabilitiesgt;
+lt;/featuresgt;
+...
+/pre
+p
+The capabilities children elements are named after the capabilities as defined 
in
+codeman 7 capabilities/code. An codeoff/code state tells libvirt to 
drop the
+capability, while an codeon/code state will force to keep the capability 
even though
+this one is dropped by default.
+/p
+p
+The codepolicy/code attribute can be one of codedefault/code, 
codeallow/code
+or codedeny/code. It defines the default rules for capabilities: either 
keep the
+default behavior that is dropping a few selected capabilities, or keep all 
capabilities
+or drop all capabilities. The interest of codeallow/code and 
codedeny/code is that
+they guarantee that all capabilities will be kept (or removed) even if new 
ones are added
+later.
+/p
+p
+The following example, drops all capabilities but CAP_MKNOD:
+/p
+pre
+...
+lt;featuresgt;
+  lt;capabilities policy='deny'gt;
+lt;mknod state='on'/gt;
+  lt;/capabilitiesgt;
+lt;/featuresgt;
+...
+/pre
+p
+Note that allowing capabilities that are normally dropped by default can 
seriously
+affect the security of the container and the host.
+/p
 
 h2a name=usageContainer usage / management/a/h2
 
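Review bot: two wording fixes in the new documentation text: "The following example, drops all capabilities but CAP_MKNOD:" has a stray comma after "example", and "will force to keep the capability even though this one is dropped by default" reads better as "forces libvirt to keep the capability even though it is dropped by default". Also double-check that the "since 1.2.6" marker in the `span class=since` matches the release this series will actually land in, since readers treat it as a compatibility promise. The closing note that allowing normally-dropped capabilities affects host security is the right caveat; it would help to say explicitly that `policy='allow'` is the broadest setting, so the warning is read as applying to the policy attribute and not only to individual `state='on'` elements.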
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 2caeef9..cf0a66d 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -3798,6 +3798,9 @@
   empty/
 /element
   /optional
+  optional
+ref name=capabilities/
+  /optional
 /interleave
   /element
 /optional
@@ -4370,6 +4373,200 @@
 /element
   /define
 
+  !-- Optional capabilities features --
+  define name=capabilities
+element name=capabilities
+  ref name=capabilitiespolicy/
+  interleave
+optional
+  element name=audit_control
+ref name=featurestate/
+  /element
+/optional
+optional
+  element name=audit_write
+ref name=featurestate/
+  /element
+/optional
+optional
+  element name=block_suspend
+ref name=featurestate/
+  /element
+/optional
+optional
+  element name=chown
+ref name=featurestate/
+  /element
+/optional
+optional
+  element name=dac_override
+ref name=featurestate/
+  /element
+/optional
+optional
+  element name=dac_read_search
+ref name=featurestate/
+  /element
+/optional
+optional
+  element name=fowner
+ref name=featurestate/
+  /element
+/optional
+optional
+  element name=fsetid
+ref name=featurestate/
+  /element
+/optional
+optional
+  element name=ipc_lock
+ref name=featurestate/
+  /element
+/optional
+optional
+  element name=ipc_owner
+ref name=featurestate/
+  /element
+/optional
+optional
+  element name=kill
+ref name=featurestate/
+  /element
+/optional
+optional
+  element name=lease
+
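Review bot: the `capabilities` define lists one `optional`/`element`/`ref name=featurestate` block per capability by hand, so it can silently drift from the capability enum in `src/conf/domain_conf.c` (in the diffstat) when a capability is added to one but not the other. Suggest having `tests/domainschemadata/domain-caps-features.xml` carry an element for every supported capability so the schema test fails on a mismatch, and adding a comment above this define pointing at the enum that must be updated in step with it.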

Re: [libvirt] [PATCHv4 1/2] lxc: allow to keep or drop capabilities

2014-07-18 Thread chenhanx...@cn.fujitsu.com


 -Original Message-
 From: libvir-list-boun...@redhat.com [mailto:libvir-list-boun...@redhat.com]
 On Behalf Of Cédric Bosdonnat
 Sent: Friday, July 18, 2014 4:02 PM
 To: libvir-list@redhat.com
 Cc: Cédric Bosdonnat
 Subject: [libvirt] [PATCHv4 1/2] lxc: allow to keep or drop capabilities
 
 Added capabilities in the features section of LXC domains
 configuration. This section can contain elements named after the
 capabilities like:
 
    <mknod state=on/>, keep CAP_MKNOD capability
    <sys_chroot state=off/> drop CAP_SYS_CHROOT capability
 
 Users can restrict or give more capabilities than the default using
 this mechanism.
 ---

Reviewed-by: Chen Hanxiao chenhanx...@cn.fujitsu.com
