[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 0/2] fix nwfilter when /tmp is mounted noexec



On Wed, Nov 09, 2011 at 11:01:58AM -0700, Eric Blake wrote:
> This series does not solve a more fundamental issue that has been on
> my mind - are we still sure that the best design for manipulating
> network filters involves the creation of a series of shell scripting
> commands, where we have to worry about proper quoting and so forth?
> Is it possible to refactor this code to make more direct use of
> virCommand for every call to iptables and friends (that is, doing
> the glue logic in C rather than using C to generate shell scripting
> commands where the glue logic is in generated sh)?  Or perhaps to
> even refactor things into a well-defined file format that we can
> feed to a helper executable, which would allow finer-grained SELinux
> labelling (by isolating the direct execution of iptables into a
> well-defined helper executable, then SELinux can enforce that
> libvirtd cannot alter the host firewall except by going through the
> helper executable, which has been audited to make only known sets of
> iptables calls based on well-formed input)?

I think virCommand is a little too low level to do what nwfilter wants
here, but we can definitely build a higher level API around it to
replace the shell scripting.

I has been a while since I looked at the generated scripts, IIUC,
the shell scripts generated are basically defining groups of iptables
commands to make "interesting" changes, and periodically a "rollback"
command which is run if something fails.

So I was thinking you could design a libvirt level API that would be
used something like:

  virCommandScriptPtr script = virCommandScriptNew();

  virCommandScriptBeginGroup(script);
  virCommandScriptAddCommandArgList(script, "/some/command", args.....);
  virCommandScriptAddRollbackArgList(script, "/some/command", args...);


  virCommandScriptBeginGroup(script);
  virCommandScriptAddCommandArgList(script, "/some/command", args.....);
  virCommandScriptAddCommandArgList(script, "/some/command", args.....);
  virCommandScriptAddCommandArgList(script, "/some/command", args.....);
   ...repeat...
  virCommandScriptAddRollbackArgList(script, "/some/command", args...);

  virCommandScriptRun();

If one of the commands following the 'BeginGroup' failed, then it would
execute the Rollback command for that group, and for every preceeding
group.

Personally I would dearly love to kill off this use of shell scripting
in libvirt, because I fear it is only a matter of time before we introduce
some flaw wrt escaping.

In general I'd like to be able to say that libvirt *never* runs shell
commands, always uses execve() directly.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]