Fix selinux errors with /dev/net/tun (bz #1147057)

2014-10-09 13:00:53 -04:00 · 2014-10-09 13:00:53 -04:00 · 503330ba5d
commit 503330ba5d
parent 0a64085f47
4 changed files with 103 additions and 15 deletions
--- a/0001-qemu_command-Split-qemuBuildCpuArgStr.patch
+++ b/0001-qemu_command-Split-qemuBuildCpuArgStr.patch
@ -1,4 +1,4 @@
-From e543e857120b8a1b352bf34fd8a983e95ea70487 Mon Sep 17 00:00:00 2001
+From 96a7f7fa1953707e1eb9f0f638baf213507a5cb2 Mon Sep 17 00:00:00 2001
 From: Cole Robinson <crobinso@redhat.com>
 Date: Tue, 23 Sep 2014 11:35:57 -0400
 Subject: [PATCH] qemu_command: Split qemuBuildCpuArgStr
@ -12,10 +12,10 @@ code movement and re-indentation.
 1 file changed, 122 insertions(+), 104 deletions(-)
 diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
-index 2184caa..96ba081 100644
+index eb72451..db5ea35 100644
 --- a/src/qemu/qemu_command.c
 +++ b/src/qemu/qemu_command.c
-@@ -6052,139 +6052,162 @@ qemuBuildClockArgStr(virDomainClockDefPtr def)
+@@ -6140,139 +6140,162 @@ qemuBuildClockArgStr(virDomainClockDefPtr def)
     return NULL;
 }
@ -277,7 +277,7 @@ index 2184caa..96ba081 100644
         have_cpu = true;
     } else {
         /*
-@@ -6309,11 +6332,6 @@ qemuBuildCpuArgStr(virQEMUDriverPtr driver,
+@@ -6398,11 +6421,6 @@ qemuBuildCpuArgStr(virQEMUDriverPtr driver,
     ret = 0;
  cleanup:
--- a/0002-qemu-Don-t-compare-CPU-against-host-for-TCG.patch
+++ b/0002-qemu-Don-t-compare-CPU-against-host-for-TCG.patch
@ -1,4 +1,4 @@
-From fe13df3feab361cd7596e67af87ad1ca2c4158c5 Mon Sep 17 00:00:00 2001
+From bbdbfbfc03494f5cbba4ee869149cca37c1fd53c Mon Sep 17 00:00:00 2001
 From: Cole Robinson <crobinso@redhat.com>
 Date: Tue, 23 Sep 2014 13:07:09 -0400
 Subject: [PATCH] qemu: Don't compare CPU against host for TCG
@ -53,10 +53,10 @@ correctly.
 25 files changed, 90 insertions(+), 69 deletions(-)
 diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
-index 96ba081..a3bcab9 100644
+index db5ea35..cd34445 100644
 --- a/src/qemu/qemu_command.c
 +++ b/src/qemu/qemu_command.c
-@@ -6072,6 +6072,8 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
+@@ -6160,6 +6160,8 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
     virCPUCompareResult cmp;
     const char *preferred;
     virCapsPtr caps = NULL;
@ -65,7 +65,7 @@ index 96ba081..a3bcab9 100644
     if (!(caps = virQEMUDriverGetCapabilities(driver, false)))
         goto cleanup;
-@@ -6094,30 +6096,33 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
+@@ -6182,30 +6184,33 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
         cpuUpdate(cpu, host) < 0)
         goto cleanup;
@ -117,7 +117,7 @@ index 96ba081..a3bcab9 100644
         int hasSVM = cpuHasFeature(data, "svm");
         if (hasSVM < 0)
             goto cleanup;
-@@ -6145,16 +6150,23 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
+@@ -6233,16 +6238,23 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
         if (VIR_STRDUP(guest->vendor_id, cpu->vendor_id) < 0)
             goto cleanup;
@ -150,7 +150,7 @@ index 96ba081..a3bcab9 100644
         virBufferAdd(buf, guest->model, -1);
         if (guest->vendor_id)
-@@ -6171,7 +6183,7 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
+@@ -6259,7 +6271,7 @@ qemuBuildCpuModelArgStr(virQEMUDriverPtr driver,
     }
     ret = 0;
@ -470,10 +470,10 @@ index 1e09680..9927294 100644
 -mon chardev=charmonitor,id=monitor,mode=readline -no-acpi -boot c -usb \
 -chardev pty,id=charserial0 \
 diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
-index 3feb2fe..e649aa5 100644
+index b380fd8..483ca90 100644
 --- a/tests/qemuxml2argvtest.c
 +++ b/tests/qemuxml2argvtest.c
-@@ -920,7 +920,7 @@ mymain(void)
+@@ -933,7 +933,7 @@ mymain(void)
             QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,
             QEMU_CAPS_DEVICE_QXL);
     DO_TEST("graphics-spice-timeout",
@ -482,7 +482,7 @@ index 3feb2fe..e649aa5 100644
             QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL,
             QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,
             QEMU_CAPS_DEVICE_QXL_VGA);
-@@ -1192,14 +1192,14 @@ mymain(void)
+@@ -1208,14 +1208,14 @@ mymain(void)
     DO_TEST("cpu-topology1", QEMU_CAPS_SMP_TOPOLOGY);
     DO_TEST("cpu-topology2", QEMU_CAPS_SMP_TOPOLOGY);
     DO_TEST("cpu-topology3", NONE);
@ -505,7 +505,7 @@ index 3feb2fe..e649aa5 100644
     DO_TEST("cpu-numa1", NONE);
     DO_TEST("cpu-numa2", QEMU_CAPS_SMP_TOPOLOGY);
     DO_TEST_PARSE_ERROR("cpu-numa3", NONE);
-@@ -1284,7 +1284,8 @@ mymain(void)
+@@ -1303,7 +1303,8 @@ mymain(void)
     DO_TEST("pseries-usb-kbd", QEMU_CAPS_PCI_OHCI,
             QEMU_CAPS_DEVICE_USB_KBD, QEMU_CAPS_CHARDEV,
             QEMU_CAPS_DEVICE, QEMU_CAPS_NODEFCONFIG);
--- a/0003-security_selinux-Don-t-relabel-dev-net-tun.patch
+++ b/0003-security_selinux-Don-t-relabel-dev-net-tun.patch
@ -0,0 +1,81 @@
 From 1c20d4a0a608d65d02953b360c6f10397d3c4069 Mon Sep 17 00:00:00 2001
 From: Michal Privoznik <mprivozn@redhat.com>
 Date: Tue, 7 Oct 2014 16:22:17 +0200
 Subject: [PATCH] security_selinux: Don't relabel /dev/net/tun
 https://bugzilla.redhat.com/show_bug.cgi?id=1147057
 The code for relabelling the TAP FD is there due to a race. When
 libvirt creates a /dev/tapN device it's labeled as
 'system_u:object_r:device_t:s0' by default. Later, when
 udev/systemd reacts to this device, it's relabelled to the
 expected label 'system_u:object_r:tun_tap_device_t:s0'. Hence, we
 have a code that relabels the device, to cut the race down. For
 more info see ae368ebfcc4.
 But the problem is, the relabel function is called on all TUN/TAP
 devices. Yes, on /dev/net/tun too. This is however a special kind
 of device - other processes uses it too. We shouldn't touch it's
 label then.
 Ideally, there would an API in SELinux that would label just the
 passed FD and not the underlying path. That way, we wouldn't need
 to care as we would be not labeling /dev/net/tun but the FD
 passed to the domain. Unfortunately, there's no such API so we
 have to workaround until then.
 Tested-by: Richard W.M. Jones <rjones@redhat.com>
 Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
 (cherry picked from commit ebc05263960f41065fa7d882959ea754b9281ab1)
 ---
 src/security/security_selinux.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
 diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
 index b7c1015..352f1ab 100644
 --- a/src/security/security_selinux.c
 +++ b/src/security/security_selinux.c
@@ -2352,7 +2352,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
     struct stat buf;
     security_context_t fcon = NULL;
     virSecurityLabelDefPtr secdef;
 -    char *str = NULL;
 +    char *str = NULL, *proc = NULL, *fd_path = NULL;
     int rc = -1;
     secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
@@ -2370,7 +2370,24 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
         goto cleanup;
     }
 -    if (getContext(mgr, "/dev/tap.*", buf.st_mode, &fcon) < 0) {
 +    /* Label /dev/tap.* devices only. Leave /dev/net/tun alone! */
 +    if (virAsprintf(&proc, "/proc/self/fd/%d", fd) == -1)
 +        goto cleanup;
 +
 +    if (virFileResolveLink(proc, &fd_path) < 0) {
 +        virReportSystemError(errno,
 +                             _("Unable to resolve link: %s"), proc);
 +        goto cleanup;
 +    }
 +
 +    if (!STRPREFIX(fd_path, "/dev/tap")) {
 +        VIR_DEBUG("fd=%d points to %s not setting SELinux label",
 +                  fd, fd_path);
 +        rc = 0;
 +        goto cleanup;
 +    }
 +
 +    if (getContext(mgr, "/dev/tap*", buf.st_mode, &fcon) < 0) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
                        _("cannot lookup default selinux label for tap fd %d"), fd);
         goto cleanup;
@@ -2384,6 +2401,8 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
  cleanup:
     freecon(fcon);
 +    VIR_FREE(fd_path);
 +    VIR_FREE(proc);
     VIR_FREE(str);
     return rc;
 }
--- a/libvirt.spec
+++ b/libvirt.spec
@ -363,7 +363,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 1.2.9
-Release: 2%{?dist}%{?extra_release}
+Release: 3%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -377,6 +377,8 @@ Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz
 # Fix specifying CPU for qemu aarch64
 Patch0001: 0001-qemu_command-Split-qemuBuildCpuArgStr.patch
 Patch0002: 0002-qemu-Don-t-compare-CPU-against-host-for-TCG.patch
 # Fix selinux errors with /dev/net/tun (bz #1147057)
 Patch0003: 0003-security_selinux-Don-t-relabel-dev-net-tun.patch
 %if %{with_libvirtd}
 Requires: libvirt-daemon = %{version}-%{release}
@ -1205,6 +1207,8 @@ driver
 # Fix specifying CPU for qemu aarch64
 %patch0001 -p1
 %patch0002 -p1
 # Fix selinux errors with /dev/net/tun (bz #1147057)
 %patch0003 -p1
 %build
 %if ! %{with_xen}
@ -2282,6 +2286,9 @@ exit 0
 %doc examples/systemtap
 %changelog
 * Thu Oct 09 2014 Cole Robinson <crobinso@redhat.com> - 1.2.9-3
 - Fix selinux errors with /dev/net/tun (bz #1147057)
 * Fri Oct 03 2014 Cole Robinson <crobinso@redhat.com> - 1.2.9-2
 - Fix specifying CPU for qemu aarch64