Fix selinux errors with /dev/net/tun (bz #1147057)

Cole Robinson 2014-10-09 13:00:53 -04:00
parent 0a64085f47
commit 503330ba5d
4 changed files with 103 additions and 15 deletions


@ -1,4 +1,4 @@
From e543e857120b8a1b352bf34fd8a983e95ea70487 Mon Sep 17 00:00:00 2001 From 96a7f7fa1953707e1eb9f0f638baf213507a5cb2 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com> From: Cole Robinson <crobinso@redhat.com>
Date: Tue, 23 Sep 2014 11:35:57 -0400 Date: Tue, 23 Sep 2014 11:35:57 -0400
Subject: [PATCH] qemu_command: Split qemuBuildCpuArgStr Subject: [PATCH] qemu_command: Split qemuBuildCpuArgStr
@ -12,10 +12,10 @@ code movement and re-indentation.
1 file changed, 122 insertions(+), 104 deletions(-) 1 file changed, 122 insertions(+), 104 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 2184caa..96ba081 100644 index eb72451..db5ea35 100644
--- a/src/qemu/qemu_command.c --- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c
@@ -6052,139 +6052,162 @@ qemuBuildClockArgStr(virDomainClockDefPtr def) @@ -6140,139 +6140,162 @@ qemuBuildClockArgStr(virDomainClockDefPtr def)
return NULL; return NULL;
} }
@ -277,7 +277,7 @@ index 2184caa..96ba081 100644
have_cpu = true; have_cpu = true;
} else { } else {
/* /*
@@ -6309,11 +6332,6 @@ qemuBuildCpuArgStr(virQEMUDriverPtr driver, @@ -6398,11 +6421,6 @@ qemuBuildCpuArgStr(virQEMUDriverPtr driver,
ret = 0; ret = 0;
cleanup: cleanup:


@ -1,4 +1,4 @@
From fe13df3feab361cd7596e67af87ad1ca2c4158c5 Mon Sep 17 00:00:00 2001 From bbdbfbfc03494f5cbba4ee869149cca37c1fd53c Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com> From: Cole Robinson <crobinso@redhat.com>
Date: Tue, 23 Sep 2014 13:07:09 -0400 Date: Tue, 23 Sep 2014 13:07:09 -0400
Subject: [PATCH] qemu: Don't compare CPU against host for TCG Subject: [PATCH] qemu: Don't compare CPU against host for TCG
@ -53,10 +53,10 @@ correctly.
25 files changed, 90 insertions(+), 69 deletions(-) 25 files changed, 90 insertions(+), 69 deletions(-)
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 96ba081..a3bcab9 100644 index db5ea35..cd34445 100644
--- a/src/qemu/qemu_command.c --- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c
@@ -6072,6 +6072,8 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver, @@ -6160,6 +6160,8 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
virCPUCompareResult cmp; virCPUCompareResult cmp;
const char *preferred; const char *preferred;
virCapsPtr caps = NULL; virCapsPtr caps = NULL;
@ -65,7 +65,7 @@ index 96ba081..a3bcab9 100644
if (!(caps = virQEMUDriverGetCapabilities(driver, false))) if (!(caps = virQEMUDriverGetCapabilities(driver, false)))
goto cleanup; goto cleanup;
@@ -6094,30 +6096,33 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver, @@ -6182,30 +6184,33 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
cpuUpdate(cpu, host) < 0) cpuUpdate(cpu, host) < 0)
goto cleanup; goto cleanup;
@ -117,7 +117,7 @@ index 96ba081..a3bcab9 100644
int hasSVM = cpuHasFeature(data, "svm"); int hasSVM = cpuHasFeature(data, "svm");
if (hasSVM < 0) if (hasSVM < 0)
goto cleanup; goto cleanup;
@@ -6145,16 +6150,23 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver, @@ -6233,16 +6238,23 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
if (VIR_STRDUP(guest->vendor_id, cpu->vendor_id) < 0) if (VIR_STRDUP(guest->vendor_id, cpu->vendor_id) < 0)
goto cleanup; goto cleanup;
@ -150,7 +150,7 @@ index 96ba081..a3bcab9 100644
virBufferAdd(buf, guest->model, -1); virBufferAdd(buf, guest->model, -1);
if (guest->vendor_id) if (guest->vendor_id)
@@ -6171,7 +6183,7 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver, @@ -6259,7 +6271,7 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
} }
ret = 0; ret = 0;
@ -470,10 +470,10 @@ index 1e09680..9927294 100644
-mon chardev=charmonitor,id=monitor,mode=readline -no-acpi -boot c -usb \ -mon chardev=charmonitor,id=monitor,mode=readline -no-acpi -boot c -usb \
-chardev pty,id=charserial0 \ -chardev pty,id=charserial0 \
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 3feb2fe..e649aa5 100644 index b380fd8..483ca90 100644
--- a/tests/qemuxml2argvtest.c --- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c
@@ -920,7 +920,7 @@ mymain(void) @@ -933,7 +933,7 @@ mymain(void)
QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE, QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,
QEMU_CAPS_DEVICE_QXL); QEMU_CAPS_DEVICE_QXL);
DO_TEST("graphics-spice-timeout", DO_TEST("graphics-spice-timeout",
@ -482,7 +482,7 @@ index 3feb2fe..e649aa5 100644
QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL, QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL,
QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE, QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,
QEMU_CAPS_DEVICE_QXL_VGA); QEMU_CAPS_DEVICE_QXL_VGA);
@@ -1192,14 +1192,14 @@ mymain(void) @@ -1208,14 +1208,14 @@ mymain(void)
DO_TEST("cpu-topology1", QEMU_CAPS_SMP_TOPOLOGY); DO_TEST("cpu-topology1", QEMU_CAPS_SMP_TOPOLOGY);
DO_TEST("cpu-topology2", QEMU_CAPS_SMP_TOPOLOGY); DO_TEST("cpu-topology2", QEMU_CAPS_SMP_TOPOLOGY);
DO_TEST("cpu-topology3", NONE); DO_TEST("cpu-topology3", NONE);
@ -505,7 +505,7 @@ index 3feb2fe..e649aa5 100644
DO_TEST("cpu-numa1", NONE); DO_TEST("cpu-numa1", NONE);
DO_TEST("cpu-numa2", QEMU_CAPS_SMP_TOPOLOGY); DO_TEST("cpu-numa2", QEMU_CAPS_SMP_TOPOLOGY);
DO_TEST_PARSE_ERROR("cpu-numa3", NONE); DO_TEST_PARSE_ERROR("cpu-numa3", NONE);
@@ -1284,7 +1284,8 @@ mymain(void) @@ -1303,7 +1303,8 @@ mymain(void)
DO_TEST("pseries-usb-kbd", QEMU_CAPS_PCI_OHCI, DO_TEST("pseries-usb-kbd", QEMU_CAPS_PCI_OHCI,
QEMU_CAPS_DEVICE_USB_KBD, QEMU_CAPS_CHARDEV, QEMU_CAPS_DEVICE_USB_KBD, QEMU_CAPS_CHARDEV,
QEMU_CAPS_DEVICE, QEMU_CAPS_NODEFCONFIG); QEMU_CAPS_DEVICE, QEMU_CAPS_NODEFCONFIG);


@ -0,0 +1,81 @@
From 1c20d4a0a608d65d02953b360c6f10397d3c4069 Mon Sep 17 00:00:00 2001
From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 7 Oct 2014 16:22:17 +0200
Subject: [PATCH] security_selinux: Don't relabel /dev/net/tun
https://bugzilla.redhat.com/show_bug.cgi?id=1147057
The code for relabelling the TAP FD is there due to a race. When
libvirt creates a /dev/tapN device it's labeled as
'system_u:object_r:device_t:s0' by default. Later, when
udev/systemd reacts to this device, it's relabelled to the
expected label 'system_u:object_r:tun_tap_device_t:s0'. Hence, we
have a code that relabels the device, to cut the race down. For
more info see ae368ebfcc4.
But the problem is, the relabel function is called on all TUN/TAP
devices. Yes, on /dev/net/tun too. This is however a special kind
of device - other processes uses it too. We shouldn't touch it's
label then.
Ideally, there would an API in SELinux that would label just the
passed FD and not the underlying path. That way, we wouldn't need
to care as we would be not labeling /dev/net/tun but the FD
passed to the domain. Unfortunately, there's no such API so we
have to workaround until then.
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit ebc05263960f41065fa7d882959ea754b9281ab1)
---
src/security/security_selinux.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index b7c1015..352f1ab 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2352,7 +2352,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
struct stat buf;
security_context_t fcon = NULL;
virSecurityLabelDefPtr secdef;
- char *str = NULL;
+ char *str = NULL, *proc = NULL, *fd_path = NULL;
int rc = -1;
secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
@@ -2370,7 +2370,24 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
goto cleanup;
}
- if (getContext(mgr, "/dev/tap.*", buf.st_mode, &fcon) < 0) {
+ /* Label /dev/tap.* devices only. Leave /dev/net/tun alone! */
+ if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1)
+ goto cleanup;
+
+ if (virFileResolveLink(proc, &fd_path) < 0) {
+ virReportSystemError(errno,
+ _("Unable to resolve link: %s"), proc);
+ goto cleanup;
+ }
+
+ if (!STRPREFIX(fd_path, "/dev/tap")) {
+ VIR_DEBUG("fd=%d points to %s not setting SELinux label",
+ fd, fd_path);
+ rc = 0;
+ goto cleanup;
+ }
+
+ if (getContext(mgr, "/dev/tap*", buf.st_mode, &fcon) < 0) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("cannot lookup default selinux label for tap fd %d"), fd);
goto cleanup;
@@ -2384,6 +2401,8 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
cleanup:
freecon(fcon);
+ VIR_FREE(fd_path);
+ VIR_FREE(proc);
VIR_FREE(str);
return rc;
}
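Review bot: The path handed to getContext on the last added line of the second hunk is still a synthetic string, and it changed from "/dev/tap.*" to "/dev/tap*" without the patch description saying why. Now that fd_path holds the resolved device path, the lookup can use the real path instead, `if (getContext(mgr, fd_path, buf.st_mode, &fcon) < 0) {`, which (assuming getContext performs a file_contexts lookup on the path it is given, as its name suggests) ties the label to the device actually passed in rather than to a pattern-shaped placeholder. It is also worth stating in the comment above the STRPREFIX check that a resolved /proc/self/fd link may carry a " (deleted)" suffix for an unlinked tap node; the prefix test still accepts such a path, which looks intended but is currently implicit. virSecuritySELinuxSetTapFDLabel begins before the first hunk.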


@ -363,7 +363,7 @@
Summary: Library providing a simple virtualization API Summary: Library providing a simple virtualization API
Name: libvirt Name: libvirt
Version: 1.2.9 Version: 1.2.9
Release: 2%{?dist}%{?extra_release} Release: 3%{?dist}%{?extra_release}
License: LGPLv2+ License: LGPLv2+
Group: Development/Libraries Group: Development/Libraries
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -377,6 +377,8 @@ Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz
# Fix specifying CPU for qemu aarch64 # Fix specifying CPU for qemu aarch64
Patch0001: 0001-qemu_command-Split-qemuBuildCpuArgStr.patch Patch0001: 0001-qemu_command-Split-qemuBuildCpuArgStr.patch
Patch0002: 0002-qemu-Don-t-compare-CPU-against-host-for-TCG.patch Patch0002: 0002-qemu-Don-t-compare-CPU-against-host-for-TCG.patch
# Fix selinux errors with /dev/net/tun (bz #1147057)
Patch0003: 0003-security_selinux-Don-t-relabel-dev-net-tun.patch
%if %{with_libvirtd} %if %{with_libvirtd}
Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon = %{version}-%{release}
@ -1205,6 +1207,8 @@ driver
# Fix specifying CPU for qemu aarch64 # Fix specifying CPU for qemu aarch64
%patch0001 -p1 %patch0001 -p1
%patch0002 -p1 %patch0002 -p1
# Fix selinux errors with /dev/net/tun (bz #1147057)
%patch0003 -p1
%build %build
%if ! %{with_xen} %if ! %{with_xen}
@ -2282,6 +2286,9 @@ exit 0
%doc examples/systemtap %doc examples/systemtap
%changelog %changelog
* Thu Oct 09 2014 Cole Robinson <crobinso@redhat.com> - 1.2.9-3
- Fix selinux errors with /dev/net/tun (bz #1147057)
* Fri Oct 03 2014 Cole Robinson <crobinso@redhat.com> - 1.2.9-2 * Fri Oct 03 2014 Cole Robinson <crobinso@redhat.com> - 1.2.9-2
- Fix specifying CPU for qemu aarch64 - Fix specifying CPU for qemu aarch64