shaba/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-20 06:50:22 +03:00
Code Releases Activity

qemu: ensure FDs passed to QEMU for chardevs have correct SELinux labels

Browse Source 
The UNIX socket FDs were we passing to QEMU inherited a label based on
libvirtd's context. QEMU is thus denied ability to access the UNIX
socket. We need to use the security manager to change our current
context temporarily when creating the UNIX socket FD.

Reviewed-by: Laine Stump <laine@laine.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2018-06-07 16:55:07 +01:00
parent a2913aed53
commit b0c6300fc4
3 changed files with 63 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
src/qemu/qemu_command.c
View File

@ -4931,6 +4931,7 @@ qemuOpenChrChardevUNIXSocket(const virDomainChrSourceDef *dev)
* host side of the character device */
static char *
qemuBuildChrChardevStr(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
@ -5065,7 +5066,13 @@ qemuBuildChrChardevStr(virLogManagerPtr logManager,
case VIR_DOMAIN_CHR_TYPE_UNIX:
if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_CHARDEV_FD_PASS)) {
if (qemuSecuritySetSocketLabel(secManager, (virDomainDefPtr)def) < 0)
goto cleanup;
int fd = qemuOpenChrChardevUNIXSocket(dev);
if (qemuSecurityClearSocketLabel(secManager, (virDomainDefPtr)def) < 0) {
VIR_FORCE_CLOSE(fd);
goto cleanup;
}
if (fd < 0)
goto cleanup;
@ -5404,6 +5411,7 @@ qemuBuildHostdevCommandLine(virCommandPtr cmd,
static int
qemuBuildMonitorCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
virDomainDefPtr def,
@ -5414,7 +5422,8 @@ qemuBuildMonitorCommandLine(virLogManagerPtr logManager,
if (!priv->monConfig)
return 0;
if (!(chrdev = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(chrdev = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
priv->monConfig, "monitor",
priv->qemuCaps, true,
priv->chardevStdioLogd)))
@ -5533,6 +5542,7 @@ qemuBuildSclpDevStr(virDomainChrDefPtr dev)
static int
qemuBuildRNGBackendChrdevStr(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
@ -5550,7 +5560,8 @@ qemuBuildRNGBackendChrdevStr(virLogManagerPtr logManager,
return 0;
case VIR_DOMAIN_RNG_BACKEND_EGD:
if (!(*chr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(*chr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
rng->source.chardev,
rng->info.alias, qemuCaps, true,
chardevStdioLogd)))
@ -5680,6 +5691,7 @@ qemuBuildRNGDevStr(const virDomainDef *def,
static int
qemuBuildRNGCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
@ -5702,7 +5714,7 @@ qemuBuildRNGCommandLine(virLogManagerPtr logManager,
}
/* possibly add character device for backend */
if (qemuBuildRNGBackendChrdevStr(logManager, cmd, cfg, def,
if (qemuBuildRNGBackendChrdevStr(logManager, secManager, cmd, cfg, def,
rng, qemuCaps, &tmp,
chardevStdioLogd) < 0)
return -1;
@ -8135,6 +8147,7 @@ qemuBuildGraphicsCommandLine(virQEMUDriverConfigPtr cfg,
static int
qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver,
virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virDomainDefPtr def,
virDomainNetDefPtr net,
@ -8157,7 +8170,8 @@ qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver,
switch ((virDomainChrType)net->data.vhostuser->type) {
case VIR_DOMAIN_CHR_TYPE_UNIX:
if (!(chardev = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(chardev = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
net->data.vhostuser,
net->info.alias, qemuCaps, false,
chardevStdioLogd)))
@ -8225,6 +8239,7 @@ qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver,
static int
qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virDomainDefPtr def,
virDomainNetDefPtr net,
@ -8356,7 +8371,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
break;
case VIR_DOMAIN_NET_TYPE_VHOSTUSER:
ret = qemuBuildVhostuserCommandLine(driver, logManager, cmd, def,
ret = qemuBuildVhostuserCommandLine(driver, logManager, secManager, cmd, def,
net, qemuCaps, bootindex,
chardevStdioLogd);
goto cleanup;
@ -8534,6 +8549,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver,
static int
qemuBuildNetCommandLine(virQEMUDriverPtr driver,
virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virDomainDefPtr def,
virQEMUCapsPtr qemuCaps,
@ -8566,7 +8582,7 @@ qemuBuildNetCommandLine(virQEMUDriverPtr driver,
for (i = 0; i < def->nnets; i++) {
virDomainNetDefPtr net = def->nets[i];
if (qemuBuildInterfaceCommandLine(driver, logManager, cmd, def, net,
if (qemuBuildInterfaceCommandLine(driver, logManager, secManager, cmd, def, net,
qemuCaps, bootNet, vmop,
standalone, nnicindexes,
nicindexes,
@ -8629,6 +8645,7 @@ qemuBuildSmartcardFindCCIDController(const virDomainDef *def,
static int
qemuBuildSmartcardCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
@ -8702,7 +8719,8 @@ qemuBuildSmartcardCommandLine(virLogManagerPtr logManager,
return -1;
}
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
smartcard->data.passthru,
smartcard->info.alias,
qemuCaps, true,
@ -8862,6 +8880,7 @@ qemuBuildShmemBackendMemProps(virDomainShmemDefPtr shmem)
static int
qemuBuildShmemCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
virDomainDefPtr def,
@ -8933,7 +8952,8 @@ qemuBuildShmemCommandLine(virLogManagerPtr logManager,
VIR_FREE(devstr);
if (shmem->server.enabled) {
devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
&shmem->server.chr,
shmem->info.alias, qemuCaps, true,
chardevStdioLogd);
@ -9020,6 +9040,7 @@ qemuChrIsPlatformDevice(const virDomainDef *def,
static int
qemuBuildSerialCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
@ -9043,7 +9064,8 @@ qemuBuildSerialCommandLine(virLogManagerPtr logManager,
if (serial->source->type == VIR_DOMAIN_CHR_TYPE_SPICEPORT && !havespice)
continue;
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
serial->source,
serial->info.alias,
qemuCaps, true,
@ -9080,6 +9102,7 @@ qemuBuildSerialCommandLine(virLogManagerPtr logManager,
static int
qemuBuildParallelsCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
@ -9092,7 +9115,8 @@ qemuBuildParallelsCommandLine(virLogManagerPtr logManager,
virDomainChrDefPtr parallel = def->parallels[i];
char *devstr;
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
parallel->source,
parallel->info.alias,
qemuCaps, true,
@ -9113,6 +9137,7 @@ qemuBuildParallelsCommandLine(virLogManagerPtr logManager,
static int
qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
@ -9127,7 +9152,8 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
switch (channel->targetType) {
case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_GUESTFWD:
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
channel->source,
channel->info.alias,
qemuCaps, true,
@ -9144,7 +9170,8 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
break;
case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO:
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
channel->source,
channel->info.alias,
qemuCaps, true,
@ -9166,6 +9193,7 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager,
static int
qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
@ -9187,7 +9215,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
return -1;
}
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
console->source,
console->info.alias,
qemuCaps, true,
@ -9208,7 +9237,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
return -1;
}
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
console->source,
console->info.alias,
qemuCaps, true,
@ -9223,7 +9253,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager,
break;
case VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_VIRTIO:
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
console->source,
console->info.alias,
qemuCaps, true,
@ -9342,6 +9373,7 @@ qemuBuildRedirdevDevStr(const virDomainDef *def,
static int
qemuBuildRedirdevCommandLine(virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virCommandPtr cmd,
virQEMUDriverConfigPtr cfg,
const virDomainDef *def,
@ -9354,7 +9386,8 @@ qemuBuildRedirdevCommandLine(virLogManagerPtr logManager,
virDomainRedirdevDefPtr redirdev = def->redirdevs[i];
char *devstr;
if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def,
if (!(devstr = qemuBuildChrChardevStr(logManager, secManager,
cmd, cfg, def,
redirdev->source,
redirdev->info.alias,
qemuCaps, true,
@ -10065,6 +10098,7 @@ qemuBuildVsockCommandLine(virCommandPtr cmd,
virCommandPtr
qemuBuildCommandLine(virQEMUDriverPtr driver,
virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virDomainObjPtr vm,
const char *migrateURI,
virDomainSnapshotObjPtr snapshot,
@ -10181,7 +10215,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
if (qemuBuildSgaCommandLine(cmd, def, qemuCaps) < 0)
goto error;
if (qemuBuildMonitorCommandLine(logManager, cmd, cfg, def, priv) < 0)
if (qemuBuildMonitorCommandLine(logManager, secManager, cmd, cfg, def, priv) < 0)
goto error;
if (qemuBuildClockCommandLine(cmd, def, qemuCaps) < 0)
@ -10211,29 +10245,29 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
if (qemuBuildFSDevCommandLine(cmd, def, qemuCaps) < 0)
goto error;
if (qemuBuildNetCommandLine(driver, logManager, cmd, def,
if (qemuBuildNetCommandLine(driver, logManager, secManager, cmd, def,
qemuCaps, vmop, standalone,
nnicindexes, nicindexes, &bootHostdevNet,
chardevStdioLogd) < 0)
goto error;
if (qemuBuildSmartcardCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildSmartcardCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
if (qemuBuildSerialCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildSerialCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
if (qemuBuildParallelsCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildParallelsCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
if (qemuBuildChannelsCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildChannelsCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
if (qemuBuildConsoleCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildConsoleCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
@ -10258,7 +10292,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
if (qemuBuildWatchdogCommandLine(cmd, def, qemuCaps) < 0)
goto error;
if (qemuBuildRedirdevCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildRedirdevCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
@ -10271,7 +10305,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
if (qemuBuildMemballoonCommandLine(cmd, def, qemuCaps) < 0)
goto error;
if (qemuBuildRNGCommandLine(logManager, cmd, cfg, def, qemuCaps,
if (qemuBuildRNGCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps,
chardevStdioLogd) < 0)
goto error;
@ -10306,7 +10340,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver,
goto error;
for (i = 0; i < def->nshmems; i++) {
if (qemuBuildShmemCommandLine(logManager, cmd, cfg,
if (qemuBuildShmemCommandLine(logManager, secManager, cmd, cfg,
def, def->shmems[i], qemuCaps,
chardevStdioLogd))
goto error;

1
src/qemu/qemu_command.h
View File

@ -46,6 +46,7 @@ VIR_ENUM_DECL(qemuVideo)
virCommandPtr qemuBuildCommandLine(virQEMUDriverPtr driver,
virLogManagerPtr logManager,
virSecurityManagerPtr secManager,
virDomainObjPtr vm,
const char *migrateURI,
virDomainSnapshotObjPtr snapshot,

2
src/qemu/qemu_process.c
View File

@ -6174,6 +6174,7 @@ qemuProcessLaunch(virConnectPtr conn,
VIR_DEBUG("Building emulator command line");
if (!(cmd = qemuBuildCommandLine(driver,
qemuDomainLogContextGetManager(logCtxt),
driver->securityManager,
vm,
incoming ? incoming->launchURI : NULL,
snapshot, vmop,
@ -6642,6 +6643,7 @@ qemuProcessCreatePretendCmd(virQEMUDriverPtr driver,
VIR_DEBUG("Building emulator command line");
cmd = qemuBuildCommandLine(driver,
NULL,
driver->securityManager,
vm,
migrateURI,
NULL,