[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [sandbox PATCH 1/2] Add virt-sandbox -s inherit, to execute the sandbox from the parent.



This will allow us to run sandbox as the calling process,  If I am
running a shell as staff_u:unconfined_r:unconfined_t:s0, and I
execute virt-sandbox -c lxc/// -- /bin/sh

/bin/sh will run as staff_u:unconfined_r:unconfined_t:s0
---
 bin/virt-sandbox-service.pod             |  6 +++++-
 bin/virt-sandbox.c                       |  9 ++++++++-
 configure.ac                             |  1 +
 libvirt-sandbox.spec.in                  |  1 +
 libvirt-sandbox/Makefile.am              |  2 ++
 libvirt-sandbox/libvirt-sandbox-config.c | 14 ++++++++++++++
 m4/virt-selinux.m4                       | 11 +++++++++++
 7 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 m4/virt-selinux.m4

diff --git a/bin/virt-sandbox-service.pod b/bin/virt-sandbox-service.pod
index 7752145..b879a46 100644
--- a/bin/virt-sandbox-service.pod
+++ b/bin/virt-sandbox-service.pod
@@ -54,7 +54,11 @@ supported currently).
 
 =head1 SEE ALSO
 
-C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>, C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>, C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>, C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>, C<virt-sandbox-service-upgrade(1)>
+C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>,
+C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>,
+C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>,
+C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>,
+C<virt-sandbox-service-upgrade(1)>
 
 =head1 FILES
 
diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c
index 3ddcd17..1132c09 100644
--- a/bin/virt-sandbox.c
+++ b/bin/virt-sandbox.c
@@ -285,7 +285,10 @@ not allowed to open any other files.
 =item B<-c URI>, B<--connect=URI>
 
 Set the libvirt connection URI, defaults to qemu:///session if
-omitted. Currently only the QEMU and LXC drivers are supported.
+omitted. Alternatively the C<LIBVIRT_DEFAULT_URI> environment
+variable can be set, or the config file C</etc/libvirt/libvirt.conf>
+can have a default URI set.  Currently only the QEMU and LXC drivers
+are supported.
 
 =item B<-n NAME>, B<--name=NAME>
 
@@ -417,6 +420,10 @@ USER:ROLE:TYPE:LEVEL, instead of the default base context.
 To set a completely static label. For example,
 static,label=system_u:system_r:svirt_t:s0:c412,c355
 
+=item inherit
+
+Inherit the context from the process that is executing virt-sandbox.
+
 =back
 
 =item B<-p>, B<--privileged>
diff --git a/configure.ac b/configure.ac
index 32206b8..50f23fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -84,6 +84,7 @@ LIBVIRT_SANDBOX_WIN32
 LIBVIRT_SANDBOX_COVERAGE
 LIBVIRT_SANDBOX_INTROSPECTION
 LIBVIRT_SANDBOX_RPCGEN
+LIBVIRT_SANDBOX_SELINUX
 
 dnl Should be in m4/virt-gettext.m4 but intltoolize is too
 dnl dumb to find it there
diff --git a/libvirt-sandbox.spec.in b/libvirt-sandbox.spec.in
index a9721b5..718c27b 100644
--- a/libvirt-sandbox.spec.in
+++ b/libvirt-sandbox.spec.in
@@ -25,6 +25,7 @@ BuildRequires: gobject-introspection-devel
 BuildRequires: glibc-static
 BuildRequires: /usr/bin/pod2man
 BuildRequires: intltool
+BuildRequires: libselinux-devel
 BuildRequires: glib2-devel >= 2.32.0
 Requires: rpm-python
 # For virsh lxc-enter-namespace command
diff --git a/libvirt-sandbox/Makefile.am b/libvirt-sandbox/Makefile.am
index 4e0ea00..0882490 100644
--- a/libvirt-sandbox/Makefile.am
+++ b/libvirt-sandbox/Makefile.am
@@ -169,6 +169,7 @@ libvirt_sandbox_init_common_CFLAGS = \
 			$(LIBVIRT_GLIB_CFLAGS) \
 			$(LIBVIRT_GOBJECT_CFLAGS) \
 			$(CAPNG_CFLAGS) \
+			$(SELINUX_CFLAGS) \
 			$(WARN_CFLAGS) \
 			$(NULL)
 libvirt_sandbox_init_common_LDFLAGS = \
@@ -178,6 +179,7 @@ libvirt_sandbox_init_common_LDFLAGS = \
 			$(LIBVIRT_GLIB_LIBS) \
 			$(LIBVIRT_GOBJECT_LIBS) \
 			$(CAPNG_LIBS) \
+			$(SELINUX_LIBS) \
 			$(WARN_CFLAGS) \
 			$(NULL)
 libvirt_sandbox_init_common_LDADD = \
diff --git a/libvirt-sandbox/libvirt-sandbox-config.c b/libvirt-sandbox/libvirt-sandbox-config.c
index ccdb3bc..8e8ac65 100644
--- a/libvirt-sandbox/libvirt-sandbox-config.c
+++ b/libvirt-sandbox/libvirt-sandbox-config.c
@@ -27,6 +27,8 @@
 #include <glib/gi18n.h>
 
 #include "libvirt-sandbox/libvirt-sandbox.h"
+#include <errno.h>
+#include <selinux/selinux.h>
 
 /**
  * SECTION: libvirt-sandbox-config
@@ -1521,6 +1523,18 @@ gboolean gvir_sandbox_config_set_security_opts(GVirSandboxConfig *config,
         gvir_sandbox_config_set_security_dynamic(config, TRUE);
     } else if (g_str_equal(tmp, "static")) {
         gvir_sandbox_config_set_security_dynamic(config, FALSE);
+    } else if (g_str_equal(tmp, "inherit")) {
+        gvir_sandbox_config_set_security_dynamic(config, FALSE);
+        security_context_t scon;
+        if (getcon(&scon) < 0) {
+                g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0,
+                            _("Unable to get SELinux context of user: %s"),
+                            strerror(errno));
+                return FALSE;
+        }
+        gvir_sandbox_config_set_security_label(config, scon);
+        freecon(scon);
+
     } else {
         g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0,
                     _("Unknown security option '%s'"), tmp);
diff --git a/m4/virt-selinux.m4 b/m4/virt-selinux.m4
new file mode 100644
index 0000000..ef41721
--- /dev/null
+++ b/m4/virt-selinux.m4
@@ -0,0 +1,11 @@
+AC_DEFUN([LIBVIRT_SANDBOX_SELINUX], [
+  fail=0
+  old_LIBS=$LIBS
+  old_CFLAGS=$CFLAGS
+  AC_CHECK_HEADER([selinux/selinux.h],[],[fail=1])
+  AC_CHECK_LIB([selinux], [fgetfilecon],[],[fail=1])
+  LIBS=$old_LIBS
+  CFLAGS=$old_CFLAGS
+  test $fail = 1 &&
+    AC_MSG_ERROR([You must install the libselinux development package in order to compile libvirt-sandbox])
+])
-- 
1.8.3.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]