[libvirt] [PATCH] Solaris least privilege support

Daniel P. Berrange berrange at redhat.com
Mon Jan 19 13:21:02 UTC 2009


On Thu, Jan 15, 2009 at 09:19:39AM -0800, john.levon at sun.com wrote:

> +#ifdef __sun
> +static void
> +qemudSetupPrivs (struct qemud_server *server)
> +{
> +    chown ("/var/run/libvirt", SYSTEM_UID, SYSTEM_UID);
> +    chown (server->logDir, SYSTEM_UID, SYSTEM_UID);
> +
> +    if (__init_daemon_priv (PU_RESETGROUPS | PU_CLEARLIMITSET,
> +        SYSTEM_UID, SYSTEM_UID, PRIV_XVM_CONTROL, NULL)) {
> +        fprintf (stderr, "additional privileges are required\n");
> +        exit (1);
> +    }
> +
> +    if (priv_set (PRIV_OFF, PRIV_ALLSETS, PRIV_FILE_LINK_ANY, PRIV_PROC_INFO,
> +        PRIV_PROC_SESSION, PRIV_PROC_EXEC, PRIV_PROC_FORK, NULL)) {
> +        fprintf (stderr, "failed to set reduced privileges\n");
> +        exit (1);
> +    }
> +}
> +#else
> +#define qemudSetupPrivs(a)
> +#endif
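
Review bot: the two chown() calls at the top of qemudSetupPrivs ignore their return values, so a failure to hand "/var/run/libvirt" or server->logDir to SYSTEM_UID goes unnoticed until the daemon, by then running with the reduced privilege set, cannot write there. Check both results and fail the setup on error. The first call also hardcodes "/var/run/libvirt" where the main() hunk builds the same directory from LOCAL_STATE_DIR "/run/libvirt"; using one definition in both places keeps them from diverging.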

I think this function should be made to return int 0/-1 for
failure, and let the caller propagate errors & do any cleanup
it may desire, since that's the way most other failures in
the daemon initialization are dealt with.

>  
>  /* Print command-line usage. */
>  static void
> @@ -2417,6 +2493,20 @@ int main(int argc, char **argv) {
>      sig_action.sa_handler = SIG_IGN;
>      sigaction(SIGPIPE, &sig_action, NULL);
>  
> +    /* Change the group ownership of /var/run/libvirt to unix_sock_gid */
> +    if (geteuid () == 0) {
> +        const char *rundir = LOCAL_STATE_DIR "/run/libvirt";
> +
> +        if (mkdir (rundir, 0755)) {
> +            if (errno != EEXIST) {
> +                VIR_ERROR0 (_("unable to create rundir"));
> +                return (-1);
> +            }
> +        }
> +    }
> +
> +    qemudSetupPrivs(server);
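
Review bot: the comment added above the geteuid() block says the group ownership of /var/run/libvirt is changed to unix_sock_gid, but the block only calls mkdir (rundir, 0755) and no ownership change follows in these lines. Reword the comment to say the run directory is created, or move the ownership change here. The "unable to create rundir" message would also be easier to act on if it included rundir and the errno text.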

This would need a "if(qemudSetupPrivs(server) < 0) return -1;"


> diff --git a/src/remote_internal.c b/src/remote_internal.c
> --- a/src/remote_internal.c
> +++ b/src/remote_internal.c
> @@ -90,7 +90,7 @@
>  #define MAGIC 999               /* private_data->magic if OK */
>  #define DEAD 998                /* private_data->magic if dead/closed */
>  
> -static int inside_daemon = 0;
> +int inside_daemon = 0;
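
Review bot: removing "static" from inside_daemon gives a short, unprefixed name external linkage, so it can collide with any other object that defines the same symbol. If the flag has to be visible outside remote_internal.c, give it a project-prefixed name or expose it through an accessor function rather than exporting the variable itself.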

Eek no, the Xen code shouldn't reference this variable directly - it
should track its own. We need to avoid compile dependencies in between
any of the drivers, because all drivers need to be able to be turned
on/off independently, and may be dlopen'd at runtime, so you can't
guarantee you'll have access to another driver's data.

> diff --git a/src/xen_unified.c b/src/xen_unified.c
> --- a/src/xen_unified.c
> +++ b/src/xen_unified.c
> @@ -231,6 +231,16 @@ xenUnifiedOpen (virConnectPtr conn, virC
>      xenUnifiedPrivatePtr priv;
>      virDomainEventCallbackListPtr cbList;
>  
> +#ifdef __sun
> +    extern int inside_daemon;
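
Review bot: the "extern int inside_daemon;" added inside xenUnifiedOpen under #ifdef __sun is a block-scope declaration that the compiler cannot check against the definition in remote_internal.c, so a later change of type or removal of the variable surfaces only at link or load time. A declaration belongs in a shared header included by both files, if the cross-file reference is kept at all.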

This flag needs to be tracked by the Xen driver explicitly &
independently of the daemon code.


Aside from those two issues, I think this patch looks pretty good now.

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|



