[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 2/2] libvirt patch to write a mcs translation file to /run/setrans directory



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/17/2013 05:52 AM, Daniel P. Berrange wrote:
> On Wed, May 15, 2013 at 02:36:32PM -0400, dwalsh redhat com wrote:
>> From: Dan Walsh <dwalsh redhat com>
>> 
>> mcstransd is a translation tool that can translate MCS Labels into human 
>> understandable code.  I have patched it to watch for translation files in
>> the /run/setrans directory.  This allows us to run commands like ps -eZ
>> and see system_u:system_r:svirt_t:Fedora18 rather then
>> system_u:system_r:svirt_t:s0:c1,c2. When used with containers it would
>> make an easy way to list all processes within a container using ps -eZ |
>> grep Fedora18 --- src/security/security_selinux.c | 59
>> ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 58
>> insertions(+), 1 deletion(-)
>> 
>> diff --git a/src/security/security_selinux.c
>> b/src/security/security_selinux.c index 5d108b9..cbcd013 100644 ---
>> a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
>> @@ -83,6 +83,57 @@
>> virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr
>> mgr, virDomainTPMDefPtr tpm);
>> 
>> 
>> +static int +virSecuritySELinuxAddMCSFile(const char *name, +
>> const char *label) +{ +    int ret = -1; +    char *tmp = NULL; +
>> context_t con = NULL; + +    if (virAsprintf(&tmp, "%s/%s",
>> SELINUX_TRANS_DIR, name) < 0) { +        virReportOOMError(); +
>> return -1; +    } +    if (! (con = context_new(label))) { +
>> virReportSystemError(errno, "%s", +                             _("unable
>> to allocate security context")); +        goto cleanup; +    } +    if
>> (virFileWriteStr(tmp, context_range_get(con), 0) < 0) { +
>> virReportSystemError(errno, +                             _("unable to
>> create MCS file %s"), tmp); +        goto cleanup; +    } +    ret = 0; 
>> + +cleanup: +    VIR_FREE(tmp); +    context_free(con); +    return ret; 
>> +} + +static int +virSecuritySELinuxRemoveMCSFile(const char *name) +{ +
>> char *tmp=NULL; +    int ret = -1; +    if (virAsprintf(&tmp, "%s/%s",
>> SELINUX_TRANS_DIR, name) < 0) { +        virReportOOMError(); +
>> return -1; +    } +    if (unlink(tmp) < 0 && errno != ENOENT) { +
>> virReportSystemError(errno, +                             _("Unable to
>> remove MCS file %s"), tmp); +        goto cleanup; +    } +    ret = 0; 
>> + +cleanup: +    VIR_FREE(tmp); +    return ret; +} + /* * Returns 0 on
>> success, 1 if already reserved, or -1 on fatal error */ @@ -1953,7
>> +2004,7 @@ virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr
>> mgr, } VIR_FREE(secdef->imagelabel);
>> 
>> -    return 0; +    return virSecuritySELinuxRemoveMCSFile(def->name); }
>> 
>> 
>> @@ -2047,10 +2098,16 @@
>> virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr
>> ATTRIBUTE_UN return -1; }
>> 
>> +    if (virSecuritySELinuxAddMCSFile(def->name, secdef->label) < 0) { +
>> if (security_getenforce() == 1) +            return -1; +    } +
> 
> As you mentioned offlist, this is not going to work because the 
> SetProcessLabel function is called in a child process, where you can't
> guarantee to see the host's /run directory.
> 
> Instead it should be done in the GenSecurityLabel function which is called
> from a safe context.
> 
> 
> Daniel
> 

I did get this to work last night by moving the location of the
virSecurityManagerSetProcessLabel to happen in the PivorRoot code before
calling lxcContainerMountAllFS  Which overmounts the /run directory.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGWMYQACgkQrlYvE4MpobO9LgCePeIBlJuCTONdoAgeRk11EFE1
saYAnjX5ViWMMTXDI9qDlk59wlE6+3F8
=ju8u
-----END PGP SIGNATURE-----
>From 3faf3644d44771f49b61fb5cf453d1321f8c0272 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh redhat com>
Date: Thu, 16 May 2013 21:21:05 -0400
Subject: [PATCH 2/2] libvirt writes an mcs translation file to /run/setrans
 directory

mcstransd is a translation tool that can translate MCS Labels into human
understandable code.  I have patched it to watch for translation files in the
/run/setrans directory.  This allows us to run commands like ps -eZ and see
system_u:system_r:svirt_t:Fedora18 rather then system_u:system_r:svirt_t:s0:c1,c2.
When used with containers it would make an easy way to list all processes within
a container using ps -eZ | grep Fedora18
---
 src/lxc/lxc_container.c         |  8 +++---
 src/security/security_selinux.c | 57 ++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 60 insertions(+), 5 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 48ccc09..cb6ae6a 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1829,6 +1829,10 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
     if (lxcContainerPopulateDevices(ttyPaths, nttyPaths) < 0)
         goto cleanup;
 
+    VIR_DEBUG("Setting up security labeling");
+    if (virSecurityManagerSetProcessLabel(securityDriver, vmDef) < 0)
+        goto cleanup;
+
     /* Sets up any non-root mounts from guest config */
     if (lxcContainerMountAllFS(vmDef, sec_mount_options) < 0)
         goto cleanup;
@@ -2027,10 +2031,6 @@ static int lxcContainerChild(void *data)
         goto cleanup;
     }
 
-    VIR_DEBUG("Setting up security labeling");
-    if (virSecurityManagerSetProcessLabel(argv->securityDriver, vmDef) < 0)
-        goto cleanup;
-
     if (lxcContainerSetStdio(argv->monitor, ttyfd, argv->handshakefd) < 0) {
         goto cleanup;
     }
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 5d108b9..5c04d5e 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -83,6 +83,57 @@ virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
                                                  virDomainTPMDefPtr tpm);
 
 
+static int
+virSecuritySELinuxAddMCSFile(const char *name,
+                             const char *label)
+{
+    int ret = -1;
+    char *tmp = NULL;
+    context_t con = NULL;
+
+    if (virAsprintf(&tmp, "%s/%s", SELINUX_TRANS_DIR, name) < 0) {
+        virReportOOMError();
+        return -1;
+    }
+    if (!(con = context_new(label))) {
+        virReportSystemError(errno, "%s",
+                             _("unable to allocate security context"));
+        goto cleanup;
+    }
+    if (virFileWriteStr(tmp, context_range_get(con),  S_IRUSR|S_IWUSR) < 0) {
+        virReportSystemError(errno,
+                             _("unable to create MCS file %s"), tmp);
+        goto cleanup;
+    }
+    ret = 0;
+
+cleanup:
+    VIR_FREE(tmp);
+    context_free(con);
+    return ret;
+}
+
+static int
+virSecuritySELinuxRemoveMCSFile(const char *name)
+{
+    char *tmp = NULL;
+    int ret = -1;
+    if (virAsprintf(&tmp, "%s/%s", SELINUX_TRANS_DIR, name) < 0) {
+        virReportOOMError();
+        return -1;
+    }
+    if (unlink(tmp) < 0 && errno != ENOENT) {
+        virReportSystemError(errno,
+                             _("Unable to remove MCS file %s"), tmp);
+        goto cleanup;
+    }
+    ret = 0;
+
+cleanup:
+    VIR_FREE(tmp);
+    return ret;
+}
+
 /*
  * Returns 0 on success, 1 if already reserved, or -1 on fatal error
  */
@@ -1953,7 +2004,7 @@ virSecuritySELinuxReleaseSecurityLabel(virSecurityManagerPtr mgr,
     }
     VIR_FREE(secdef->imagelabel);
 
-    return 0;
+    return virSecuritySELinuxRemoveMCSFile(def->name);
 }
 
 
@@ -2047,10 +2098,14 @@ virSecuritySELinuxSetSecurityProcessLabel(virSecurityManagerPtr mgr ATTRIBUTE_UN
             return -1;
     }
 
+    if (virSecuritySELinuxAddMCSFile(def->name, secdef->label) < 0)
+        return -1;
+
     if (setexeccon_raw(secdef->label) == -1) {
         virReportSystemError(errno,
                              _("unable to set security context '%s'"),
                              secdef->label);
+        virSecuritySELinuxRemoveMCSFile(def->name);
         if (security_getenforce() == 1)
             return -1;
     }
-- 
1.8.2.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]