
Re: [libvirt] This patch adds the label to lxc-enter-namespace



On Thu, Jan 24, 2013 at 08:47:13AM -0500, Daniel J Walsh wrote:
> (Resend to the correct list)
> 
> 
> lxc-enter-namespace  allows a process from outside a container to start a
> process inside a container.  One problem with the current code is the process
> running within the container would run with the label of the process that
> created it.
> 
> For example if the admin process is running as unconfined_t and executes the
> following command
> 
> 
> # virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
> LABEL                             PID TTY          TIME CMD
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 29 ? 00:00:00 dhclient
> staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 47 ? 00:00:00 ps
> 
> Note the ps command is running as unconfined_t. After this patch:
> 
> 
> virsh -c lxc:/// lxc-enter-namespace dan -- /bin/ps -eZ
> LABEL                             PID TTY          TIME CMD
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 38 ? 00:00:00 ps
> 
> I also add a --nolabel command to virsh, which can go back to the original
> behaviour.
> 
> virsh -c lxc:/// lxc-enter-namespace --nolabel dan -- /bin/ps -eZ
> LABEL                             PID TTY          TIME CMD
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 1 pts/0 00:00:00 systemd
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 3 pts/1 00:00:00 sh
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 24 ? 00:00:00 systemd-journal
> system_u:system_r:svirt_lxc_net_t:s0:c0.c1023 32 ? 00:00:00 dhclient
> staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 37 ? 00:00:00 ps
> 
> 
> One problem I had when I originally did the patch is that
> lxcDomainGetSecurityLabel was returning the incorrect label: I needed the
> label of the initpid within the container, not its parent process, so I
> changed this function to match the OpenNamespaces function.
> 
> One last strangeness: about half the time I run this, virsh hangs and never
> returns.
> Seems like
> 
>  if (conn->driver->domainGetSecurityLabel(domain,
>                                                  seclabel) == 0) {
> 
> 
> Gets hung up.  I have attached the strace in out1.gz

virDomainLxcEnterNamespace is run in the child process context - it is
forbidden to use the RPC connection once you've forked, because it
belongs to the parent process. The reason for the random hang is that
sometimes your child process reads the incoming I/O, sometimes the
parent process reads the incoming I/O.

This has to be implemented entirely in virsh, rather than in the
virDomainLxcEnterNamespace API. virsh should call virDomainGetSecurityLabel
before forking, and then call setexeccon inside the child process with
the data it obtained. That way no libvirt RPC calls take place in the
child.


> @@ -7719,13 +7721,17 @@ cmdLxcEnterNamespace(vshControl *ctl, const vshCmd *cmd)
>       */
>      if (virFork(&pid) < 0)
>          goto cleanup;
> +
> +    if (!vshCommandOptBool(cmd, "nolabel"))
> +        flags |= SECURITY_LABEL;
> +
>      if (pid == 0) {

...at this point you're in the child process...

>          if (virDomainLxcEnterNamespace(dom,
>                                         nfdlist,
>                                         fdlist,
>                                         NULL,
>                                         NULL,
> -                                       0) < 0)
> +                                       flags) < 0)
>              _exit(255);
>  
>          /* Fork a second time because entering the
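
Review bot: the `flags` computation is placed after `if (virFork(&pid) < 0)` and before `if (pid == 0)`, so it executes in both the parent and the child; move `if (!vshCommandOptBool(cmd, "nolabel")) flags |= SECURITY_LABEL;` above the `virFork()` call. More importantly, passing `flags` into `virDomainLxcEnterNamespace()` inside the `pid == 0` branch asks the library to fetch the security label over the RPC connection from within the child, which is the cause of the intermittent hang described above; instead call virDomainGetSecurityLabel() in the parent before `virFork()`, keep the result in a local, and apply it with setexeccon() in the child so no libvirt call happens after the fork.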


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
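
The ordering the reply asks for, written out as an added C example that is not part of the patch or of libvirt: a socketpair stands in for the RPC connection, a hypothetical serve_one() answers the label query, the parent performs the query before forking, and the child only consumes the copied label at the point where setexeccon() would be called.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Constructed label value; stands in for what virDomainGetSecurityLabel returns. */
static const char *FAKE_LABEL = "system_u:system_r:svirt_lxc_net_t:s0:c0.c1023";

/* Hypothetical server side of the stand-in connection: answer one label query. */
static void serve_one(int fd) {
    char req[32];
    if (read(fd, req, sizeof(req)) > 0 && strcmp(req, "GETLABEL") == 0)
        (void)write(fd, FAKE_LABEL, strlen(FAKE_LABEL) + 1);
}

/* Client side of the query. Only the process that owns the connection
 * (the parent) may call this; a forked child reading the same socket
 * races the parent for the reply, which is the hang described above. */
static int get_label(int conn, char *out, size_t len) {
    if (write(conn, "GETLABEL", 9) != 9) return -1;
    return read(conn, out, len) > 0 ? 0 : -1;
}

/* Fixed ordering: query in the parent, fork, apply in the child. The child
 * reports the label it would hand to setexeccon() back through a pipe so the
 * caller can verify it arrived via the fork memory copy, not via the socket. */
int enter_with_label(char *seen, size_t len) {
    int sv[2], pipefd[2];
    char label[128];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(pipefd) < 0) return -1;
    pid_t srv = fork();
    if (srv == 0) { close(sv[0]); serve_one(sv[1]); _exit(0); }
    close(sv[1]);
    if (get_label(sv[0], label, sizeof(label)) < 0) return -1; /* RPC in parent only */
    pid_t pid = fork();
    if (pid == 0) {
        close(sv[0]);           /* child never touches the parent's connection */
        /* real code: setexeccon(label); then exec the command in the namespace */
        (void)write(pipefd[1], label, strlen(label) + 1);
        _exit(0);
    }
    close(pipefd[1]);
    ssize_t n = read(pipefd[0], seen, len);
    waitpid(pid, NULL, 0); waitpid(srv, NULL, 0);
    return n > 0 ? 0 : -1;
}

/* Returns 1 when the child saw exactly the label the parent fetched. */
int label_reaches_child(void) {
    char seen[128] = "";
    return enter_with_label(seen, sizeof(seen)) == 0 && strcmp(seen, FAKE_LABEL) == 0;
}
```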

