From f4bfe638b65f924a22d9801a4a2b6660e0993fbd Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Mon, 22 Mar 2010 15:19:02 +0000 Subject: [PATCH] Fix USB devices by product with security enabled (bz 574136) Set kernel/initrd in security driver, fixes some URL installs (bz 566425) --- libvirt-0.7.7-fix-usb-product.patch | 233 +++++++++++++++++++++++++++ libvirt-0.7.7-set-kernel-perms.patch | 87 ++++++++++ libvirt.spec | 12 +- 3 files changed, 331 insertions(+), 1 deletion(-) create mode 100644 libvirt-0.7.7-fix-usb-product.patch create mode 100644 libvirt-0.7.7-set-kernel-perms.patch diff --git a/libvirt-0.7.7-fix-usb-product.patch b/libvirt-0.7.7-fix-usb-product.patch new file mode 100644 index 0000000..8ce24a9 --- /dev/null +++ b/libvirt-0.7.7-fix-usb-product.patch @@ -0,0 +1,233 @@ +From 3a441522017aa9c1b8b54d2ce4569d0f0d96fa72 Mon Sep 17 00:00:00 2001 +From: Cole Robinson +Date: Fri, 12 Mar 2010 12:36:56 -0500 +Subject: [PATCH] qemu: Add some debugging at domain startup + +--- + src/qemu/qemu_driver.c | 24 +++++++++++++++++++++++- + 1 files changed, 23 insertions(+), 1 deletions(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index f8ab545..040d645 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -2695,6 +2695,8 @@ static int qemudStartVMDaemon(virConnectPtr conn, + + FD_ZERO(&keepfd); + ++ DEBUG0("Beginning VM startup process"); ++ + if (virDomainObjIsActive(vm)) { + qemuReportError(VIR_ERR_OPERATION_INVALID, + "%s", _("VM is already active")); +@@ -2703,22 +2705,27 @@ static int qemudStartVMDaemon(virConnectPtr conn, + + /* If you are using a SecurityDriver with dynamic labelling, + then generate a security label for isolation */ ++ DEBUG0("Generating domain security label (if required)"); + if (driver->securityDriver && + driver->securityDriver->domainGenSecurityLabel && + driver->securityDriver->domainGenSecurityLabel(vm) < 0) + return -1; + ++ DEBUG0("Generating setting domain security labels (if required)"); + if (driver->securityDriver && + driver->securityDriver->domainSetSecurityAllLabel && + driver->securityDriver->domainSetSecurityAllLabel(vm) < 0) + goto cleanup; + +- /* Ensure no historical cgroup for this VM is lieing around bogus settings */ ++ /* Ensure no historical cgroup for this VM is lying around bogus ++ * settings */ ++ DEBUG0("Ensuring no historical cgroup is lying around"); + qemuRemoveCgroup(driver, vm, 1); + + if ((vm->def->ngraphics == 1) && + vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC && + vm->def->graphics[0]->data.vnc.autoport) { ++ DEBUG0("Determining VNC port"); + int port = qemudNextFreeVNCPort(driver); + if (port < 0) { + qemuReportError(VIR_ERR_INTERNAL_ERROR, +@@ -2735,6 +2742,7 @@ static int qemudStartVMDaemon(virConnectPtr conn, + goto cleanup; + } + ++ DEBUG0("Creating domain log file"); + if ((logfile = qemudLogFD(driver, vm->def->name)) < 0) + goto cleanup; + +@@ -2751,14 +2759,17 @@ static int qemudStartVMDaemon(virConnectPtr conn, + goto cleanup; + } + ++ DEBUG0("Determing emulator version"); + if (qemudExtractVersionInfo(emulator, + NULL, + &qemuCmdFlags) < 0) + goto cleanup; + ++ DEBUG0("Setting up domain cgroup (if required)"); + if (qemuSetupCgroup(driver, vm) < 0) + goto cleanup; + ++ DEBUG0("Preparing host devices"); + if (qemuPrepareHostDevices(driver, vm->def) < 0) + goto cleanup; + +@@ -2767,6 +2778,7 @@ static int qemudStartVMDaemon(virConnectPtr conn, + goto cleanup; + } + ++ DEBUG0("Preparing monitor state"); + if (qemuPrepareMonitorChr(driver, priv->monConfig, vm->def->name) < 0) + goto cleanup; + +@@ -2798,6 +2810,7 @@ static int qemudStartVMDaemon(virConnectPtr conn, + * use in hotplug + */ + if (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) { ++ DEBUG0("Assigning domain PCI addresses"); + /* Populate cache with current addresses */ + if (priv->pciaddrs) { + qemuDomainPCIAddressSetFree(priv->pciaddrs); +@@ -2816,6 +2829,7 @@ static int qemudStartVMDaemon(virConnectPtr conn, + priv->persistentAddrs = 0; + } + ++ DEBUG0("Building emulator command line"); + vm->def->id = driver->nextvmid++; + if (qemudBuildCommandLine(conn, driver, vm->def, priv->monConfig, + priv->monJSON, qemuCmdFlags, &argv, &progenv, +@@ -2899,25 +2913,31 @@ static int qemudStartVMDaemon(virConnectPtr conn, + if (ret == -1) /* The VM failed to start */ + goto cleanup; + ++ DEBUG0("Waiting for monitor to show up"); + if (qemudWaitForMonitor(driver, vm, pos) < 0) + goto abort; + ++ DEBUG0("Detecting VCPU PIDs"); + if (qemuDetectVcpuPIDs(driver, vm) < 0) + goto abort; + ++ DEBUG0("Setting CPU affinity"); + if (qemudInitCpuAffinity(vm) < 0) + goto abort; + ++ DEBUG0("Setting any required VM passwords"); + if (qemuInitPasswords(conn, driver, vm, qemuCmdFlags) < 0) + goto abort; + + /* If we have -device, then addresses are assigned explicitly. + * If not, then we have to detect dynamic ones here */ + if (!(qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE)) { ++ DEBUG0("Determining domain device PCI addresses"); + if (qemuInitPCIAddresses(driver, vm) < 0) + goto abort; + } + ++ DEBUG0("Setting initial memory amount"); + qemuDomainObjEnterMonitorWithDriver(driver, vm); + if (qemuMonitorSetBalloon(priv->mon, vm->def->memory) < 0) { + qemuDomainObjExitMonitorWithDriver(driver, vm); +@@ -2925,6 +2945,7 @@ static int qemudStartVMDaemon(virConnectPtr conn, + } + + if (migrateFrom == NULL) { ++ DEBUG0("Starting domain CPUs"); + /* Allow the CPUS to start executing */ + if (qemuMonitorStartCPUs(priv->mon, conn) < 0) { + if (virGetLastError() == NULL) +@@ -2937,6 +2958,7 @@ static int qemudStartVMDaemon(virConnectPtr conn, + qemuDomainObjExitMonitorWithDriver(driver, vm); + + ++ DEBUG0("Writing domain status to disk"); + if (virDomainSaveStatus(driver->caps, driver->stateDir, vm) < 0) + goto abort; + +-- +1.6.6.1 + +From 6d5c8a8f51db8ce97ab35ab6022dd5c94ab016b4 Mon Sep 17 00:00:00 2001 +From: Cole Robinson +Date: Fri, 12 Mar 2010 12:37:52 -0500 +Subject: [PATCH] qemu: Fix USB by product with security enabled + +We need to call PrepareHostdevs to determine the USB device path before +any security calls. PrepareHostUSBDevices was also incorrectly skipping +all USB devices. +--- + src/qemu/qemu_driver.c | 11 ++++++----- + 1 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index 040d645..b17d26d 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -2360,7 +2360,7 @@ qemuPrepareHostUSBDevices(struct qemud_driver *driver ATTRIBUTE_UNUSED, + + if (hostdev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) + continue; +- if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI) ++ if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB) + continue; + + /* Resolve a vendor/product to bus/device */ +@@ -2703,6 +2703,11 @@ static int qemudStartVMDaemon(virConnectPtr conn, + return -1; + } + ++ /* Must be run before security labelling */ ++ DEBUG0("Preparing host devices"); ++ if (qemuPrepareHostDevices(driver, vm->def) < 0) ++ goto cleanup; ++ + /* If you are using a SecurityDriver with dynamic labelling, + then generate a security label for isolation */ + DEBUG0("Generating domain security label (if required)"); +@@ -2769,10 +2774,6 @@ static int qemudStartVMDaemon(virConnectPtr conn, + if (qemuSetupCgroup(driver, vm) < 0) + goto cleanup; + +- DEBUG0("Preparing host devices"); +- if (qemuPrepareHostDevices(driver, vm->def) < 0) +- goto cleanup; +- + if (VIR_ALLOC(priv->monConfig) < 0) { + virReportOOMError(); + goto cleanup; +-- +1.6.6.1 + +From 65e97240e6e4606820dd1c42ac172319e0af4d8d Mon Sep 17 00:00:00 2001 +From: Cole Robinson +Date: Mon, 22 Mar 2010 10:45:36 -0400 +Subject: [PATCH] security: selinux: Fix crash when releasing non-existent label + +This can be triggered by the qemuStartVMDaemon cleanup path if a +VM references a non-existent USB device (by product) in the XML. + +Signed-off-by: Cole Robinson +--- + src/security/security_selinux.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c +index 975b315..6680e2d 100644 +--- a/src/security/security_selinux.c ++++ b/src/security/security_selinux.c +@@ -632,7 +632,8 @@ SELinuxReleaseSecurityLabel(virDomainObjPtr vm) + { + const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + +- if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC) ++ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC || ++ secdef->label == NULL) + return 0; + + context_t con = context_new(secdef->label); +-- +1.6.6.1 + diff --git a/libvirt-0.7.7-set-kernel-perms.patch b/libvirt-0.7.7-set-kernel-perms.patch new file mode 100644 index 0000000..aa623ff --- /dev/null +++ b/libvirt-0.7.7-set-kernel-perms.patch @@ -0,0 +1,87 @@ +From 3f1aa08af6580c215d973bc6bf57f505dbf8b926 Mon Sep 17 00:00:00 2001 +From: Cole Robinson +Date: Fri, 12 Mar 2010 13:38:39 -0500 +Subject: [PATCH] security: Set permissions for kernel/initrd + +Fixes URL installs when running virt-install as root on Fedora. +--- + src/qemu/qemu_security_dac.c | 21 +++++++++++++++++++++ + src/security/security_selinux.c | 16 ++++++++++++++++ + 2 files changed, 37 insertions(+), 0 deletions(-) + +diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c +index 6911f48..1883fbe 100644 +--- a/src/qemu/qemu_security_dac.c ++++ b/src/qemu/qemu_security_dac.c +@@ -332,6 +332,15 @@ qemuSecurityDACRestoreSecurityAllLabel(virDomainObjPtr vm) + vm->def->disks[i]) < 0) + rc = -1; + } ++ ++ if (vm->def->os.kernel && ++ qemuSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0) ++ rc = -1; ++ ++ if (vm->def->os.initrd && ++ qemuSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0) ++ rc = -1; ++ + return rc; + } + +@@ -356,6 +365,18 @@ qemuSecurityDACSetSecurityAllLabel(virDomainObjPtr vm) + return -1; + } + ++ if (vm->def->os.kernel && ++ qemuSecurityDACSetOwnership(vm->def->os.kernel, ++ driver->user, ++ driver->group) < 0) ++ return -1; ++ ++ if (vm->def->os.initrd && ++ qemuSecurityDACSetOwnership(vm->def->os.initrd, ++ driver->user, ++ driver->group) < 0) ++ return -1; ++ + return 0; + } + +diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c +index b2c8581..975b315 100644 +--- a/src/security/security_selinux.c ++++ b/src/security/security_selinux.c +@@ -616,6 +616,14 @@ SELinuxRestoreSecurityAllLabel(virDomainObjPtr vm) + rc = -1; + } + ++ if (vm->def->os.kernel && ++ SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0) ++ rc = -1; ++ ++ if (vm->def->os.initrd && ++ SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0) ++ rc = -1; ++ + return rc; + } + +@@ -736,6 +744,14 @@ SELinuxSetSecurityAllLabel(virDomainObjPtr vm) + return -1; + } + ++ if (vm->def->os.kernel && ++ SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0) ++ return -1; ++ ++ if (vm->def->os.initrd && ++ SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0) ++ return -1; ++ + return 0; + } + +-- +1.6.6.1 + diff --git a/libvirt.spec b/libvirt.spec index e2dea73..1273be3 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -169,10 +169,14 @@ Summary: Library providing a simple API virtualization Name: libvirt Version: 0.7.7 -Release: 1%{?dist}%{?extra_release} +Release: 2%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries Source: http://libvirt.org/sources/libvirt-%{version}.tar.gz +# Fix USB devices by product with security enabled (bz 574136) +Patch1: %{name}-%{version}-fix-usb-product.patch +# Set kernel/initrd in security driver, fixes some URL installs (bz 566425) +Patch2: %{name}-%{version}-set-kernel-perms.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root URL: http://libvirt.org/ BuildRequires: python-devel @@ -394,6 +398,8 @@ of recent versions of Linux (and other OSes). %prep %setup -q +%patch1 -p1 +%patch2 -p1 %build %if ! %{with_xen} @@ -815,6 +821,10 @@ fi %endif %changelog +* Mon Mar 22 2010 Cole Robinson - 0.7.7-2.fc14 +- Fix USB devices by product with security enabled (bz 574136) +- Set kernel/initrd in security driver, fixes some URL installs (bz 566425) + * Fri Mar 5 2010 Daniel Veillard - 0.7.7-1 - macvtap support - async job handling