Dear list,

there were several attempts in the past to implement this feature, but
none of them were successful. The problem is that we change security
labels when starting a domain but never record the original labels;
therefore, when restoring the labels in the domain shutdown phase we
have to go with root:root or restorecon. This is not user-friendly.

Now that we have metadata locking implemented, we have exclusive access
to the files we are touching and therefore can call functions to record
the original owner. Since this database needs to be distributed
(consider multiple daemons and a network file system), it can't be
stored inside a daemon (libvirtd knows nothing about other daemons
running on distant hosts). Therefore the next option is to store it with
the files themselves - in XATTRs.

There is one caveat though. A file can be passed to multiple domains at
the same time (for instance an installation ISO), therefore we need a
reference counter so that only the last label restore call actually
restores the original owner. A picture is worth more than a thousand
words:

# chown 5:6 /var/lib/libvirt/images/fd.img

# ls -ln /var/lib/libvirt/images/fd.img
-rw-r--r-- 1 5 6 2097152 Mar 17  2018 /var/lib/libvirt/images/fd.img

# getfattr -d -m - /var/lib/libvirt/images/fd.img
(no output)

# virsh domblklist fedora
 Target   Source
------------------------------------------------
 sda      /var/lib/libvirt/images/fedora.qcow2
 sdb      /var/lib/libvirt/images/fd.img

# virsh domblklist gentoo
 Target   Source
----------------------------------------------------------------------
 fda      /var/lib/libvirt/images/fd.img
 sda      /var/lib/libvirt/images/gentoo.qcow2

# virsh start fedora
Domain fedora started

# getfattr -d -m - /var/lib/libvirt/images/fd.img
trusted.libvirt.security.dac="+5:+6"
trusted.libvirt.security.ref_dac="1"

# virsh start gentoo
Domain gentoo started

# getfattr -d -m - /var/lib/libvirt/images/fd.img
trusted.libvirt.security.dac="+5:+6"
trusted.libvirt.security.ref_dac="2"

# virsh shutdown --domain fedora
Domain fedora is being shutdown

# ls -ln /var/lib/libvirt/images/fd.img
-rw-r--r-- 1 0 0 2097152 Mar 17  2018 /var/lib/libvirt/images/fd.img

# getfattr -d -m - /var/lib/libvirt/images/fd.img
trusted.libvirt.security.dac="+5:+6"
trusted.libvirt.security.ref_dac="1"

# virsh shutdown --domain gentoo
Domain gentoo is being shutdown

# getfattr -d -m - /var/lib/libvirt/images/fd.img
(no output)

# ls -ln /var/lib/libvirt/images/fd.img
-rw-r--r-- 1 5 6 2097152 Mar 17  2018 /var/lib/libvirt/images/fd.img


Even though I'm showing DAC only in my example, it's the same story with
SELinux.

Of course, this plays nicely with filesystems that don't support XATTRs,
of which there are not that many, but unfortunately NFS is one of them :(


Michal Prívozník (18):
  security: Unify header conditionals
  util: Introduce xattr getter/setter/remover
  security: Include security_util
  security_dac: Restore label on failed chown() attempt
  virSecurityDACTransactionRun: Implement rollback
  virSecurityDACRestoreAllLabel: Reorder device relabeling
  virSecurityDACRestoreAllLabel: Restore more labels
  security_dac: Allow callers to enable/disable label remembering/recall
  security_dac: Remember old labels
  virSecurityDACRestoreImageLabelInt: Restore even shared/RO disks
  security_selinux: Track if transaction is restore
  security_selinux: Remember old labels
  security_selinux: Restore label on failed setfilecon() attempt
  virSecuritySELinuxTransactionRun: Implement rollback
  virSecuritySELinuxRestoreAllLabel: Reorder device relabeling
  virSecuritySELinuxRestoreAllLabel: Restore more labels
  tools: Provide a script to recover fubar'ed XATTRs setup
  qemu.conf: Allow users to enable/disable label remembering

 src/libvirt_private.syms           |   3 +
 src/qemu/libvirtd_qemu.aug         |   1 +
 src/qemu/qemu.conf                 |   6 +
 src/qemu/qemu_conf.c               |   4 +
 src/qemu/test_libvirtd_qemu.aug.in |   1 +
 src/security/Makefile.inc.am       |   2 +
 src/security/security_apparmor.h   |   6 +-
 src/security/security_dac.c        | 212 +++++++++++++++++-------
 src/security/security_dac.h        |   6 +-
 src/security/security_driver.h     |   6 +-
 src/security/security_manager.h    |   6 +-
 src/security/security_nop.h        |   6 +-
 src/security/security_selinux.c    | 256 +++++++++++++++++++++--------
 src/security/security_selinux.h    |   6 +-
 src/security/security_stack.h      |   6 +-
 src/security/security_util.c       | 198 ++++++++++++++++++++++
 src/security/security_util.h       |  32 ++++
 src/util/virfile.c                 | 121 ++++++++++++++
 src/util/virfile.h                 |  11 ++
 tools/Makefile.am                  |   1 +
 tools/libvirt_recover_xattrs.sh    |  89 ++++++++++
 21 files changed, 829 insertions(+), 150 deletions(-)
 create mode 100644 src/security/security_util.c
 create mode 100644 src/security/security_util.h
 create mode 100755 tools/libvirt_recover_xattrs.sh

-- 
2.18.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
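The reference-counted "remember the original owner" scheme from the
walk-through above, replayed in Python. This is an added example, not
libvirt's code from the series (libvirt implements it in C inside the
DAC and SELinux drivers). Assumptions not taken from the page: the
xattr names and the "+uid:+gid" encoding are copied from the getfattr
output shown, both domains are assumed to run as 0:0 (consistent with
the `ls -ln` output after fedora is shut down), an in-memory FakeFile
stands in for /var/lib/libvirt/images/fd.img so the logic runs without
xattr-capable storage, and the RealFile backend is a plain wrapper over
os.getxattr/os.setxattr (writing trusted.* needs CAP_SYS_ADMIN; switch
NS to "user" for unprivileged experiments).

```python
"""Reference-counted remembering of a file's original owner in xattrs.

Added example modelled on the libvirt cover letter; not libvirt's code.
"""
import errno
import os

NS = "trusted"  # assumption: libvirt uses trusted.*; "user" works unprivileged
DAC = f"{NS}.libvirt.security.dac"      # remembered original owner, "+uid:+gid"
REF = f"{NS}.libvirt.security.ref_dac"  # how many running domains use the file


class FakeFile:
    """Constructed stand-in for a file: an owner plus an xattr map."""

    def __init__(self, uid, gid):
        self.uid, self.gid = uid, gid
        self.xattrs = {}

    def getxattr(self, name):
        return self.xattrs.get(name)

    def setxattr(self, name, value):
        self.xattrs[name] = value

    def removexattr(self, name):
        self.xattrs.pop(name, None)

    def owner(self):
        return (self.uid, self.gid)

    def chown(self, uid, gid):
        self.uid, self.gid = uid, gid


class RealFile:
    """Same interface over a real path (Linux only, via os.*xattr)."""

    def __init__(self, path):
        self.path = path

    def getxattr(self, name):
        try:
            return os.getxattr(self.path, name).decode()
        except OSError as e:
            if e.errno == errno.ENODATA:  # attribute absent
                return None
            raise  # ENOTSUP on filesystems without xattrs (e.g. NFS)

    def setxattr(self, name, value):
        os.setxattr(self.path, name, value.encode())

    def removexattr(self, name):
        os.removexattr(self.path, name)

    def owner(self):
        st = os.stat(self.path)
        return (st.st_uid, st.st_gid)

    def chown(self, uid, gid):
        os.chown(self.path, uid, gid)


def encode_owner(uid, gid):
    return f"+{uid}:+{gid}"


def decode_owner(value):
    u, g = value.split(":")
    return (int(u.lstrip("+")), int(g.lstrip("+")))


def set_label(f, uid, gid):
    """Give the file to a domain running as uid:gid; remember the original
    owner only the first time, otherwise just bump the reference count."""
    ref = f.getxattr(REF)
    if ref is None:
        f.setxattr(DAC, encode_owner(*f.owner()))  # pre-existing owner
        f.setxattr(REF, "1")
    else:
        f.setxattr(REF, str(int(ref) + 1))
    f.chown(uid, gid)


def restore_label(f):
    """Undo one set_label(); only the last caller restores the remembered
    owner and clears the xattrs.  Returns True when the owner was restored."""
    ref = f.getxattr(REF)
    if ref is None:
        return False  # nothing remembered: leave the file alone
    remaining = int(ref) - 1
    if remaining > 0:
        f.setxattr(REF, str(remaining))
        return False
    orig = f.getxattr(DAC)
    f.removexattr(REF)
    f.removexattr(DAC)
    if orig is None:
        return False  # stale state: counter without a recorded owner
    f.chown(*decode_owner(orig))
    return True


def run_page_scenario():
    """Replay the fd.img walk-through: owner 5:6, fedora and gentoo run as 0:0."""
    fd = FakeFile(5, 6)
    snap = lambda: (fd.owner(), fd.getxattr(DAC), fd.getxattr(REF))
    trace = []
    set_label(fd, 0, 0)  # virsh start fedora
    trace.append(snap())
    set_label(fd, 0, 0)  # virsh start gentoo
    trace.append(snap())
    restore_label(fd)    # virsh shutdown fedora: still in use, no chown
    trace.append(snap())
    restore_label(fd)    # virsh shutdown gentoo: last user, owner goes back
    trace.append(snap())
    return trace


if __name__ == "__main__":
    for step in run_page_scenario():
        print(step)
```

The interesting failure mode is the `ref is None` path in `restore_label`:
with remembering disabled (or after a crash that left no counter) the
restore does nothing instead of guessing root:root, and a counter with no
recorded owner is cleared rather than acted on, which is the situation the
series' recovery script is meant to clean up.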
