rpms/libvirt
7
0
Fork 1
Code Issues Pull Requests Releases Activity

Fix USB devices by product with security enabled (bz 574136)

Browse Source 
Set kernel/initrd in security driver, fixes some URL installs (bz 566425)
This commit is contained in:
Cole Robinson 2010-03-22 15:19:02 +00:00
parent 0e9d242f05
commit f4bfe638b6
3 changed files with 331 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

233
libvirt-0.7.7-fix-usb-product.patch Normal file
View File

@ -0,0 +1,233 @@
From 3a441522017aa9c1b8b54d2ce4569d0f0d96fa72 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 12 Mar 2010 12:36:56 -0500
Subject: [PATCH] qemu: Add some debugging at domain startup
---
src/qemu/qemu_driver.c | 24 +++++++++++++++++++++++-
1 files changed, 23 insertions(+), 1 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index f8ab545..040d645 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -2695,6 +2695,8 @@ static int qemudStartVMDaemon(virConnectPtr conn,
FD_ZERO(&keepfd);
+ DEBUG0("Beginning VM startup process");
+
if (virDomainObjIsActive(vm)) {
qemuReportError(VIR_ERR_OPERATION_INVALID,
"%s", _("VM is already active"));
@@ -2703,22 +2705,27 @@ static int qemudStartVMDaemon(virConnectPtr conn,
/* If you are using a SecurityDriver with dynamic labelling,
then generate a security label for isolation */
+ DEBUG0("Generating domain security label (if required)");
if (driver->securityDriver &&
driver->securityDriver->domainGenSecurityLabel &&
driver->securityDriver->domainGenSecurityLabel(vm) < 0)
return -1;
+ DEBUG0("Generating setting domain security labels (if required)");
if (driver->securityDriver &&
driver->securityDriver->domainSetSecurityAllLabel &&
driver->securityDriver->domainSetSecurityAllLabel(vm) < 0)
goto cleanup;
- /* Ensure no historical cgroup for this VM is lieing around bogus settings */
+ /* Ensure no historical cgroup for this VM is lying around bogus
+ * settings */
+ DEBUG0("Ensuring no historical cgroup is lying around");
qemuRemoveCgroup(driver, vm, 1);
if ((vm->def->ngraphics == 1) &&
vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
vm->def->graphics[0]->data.vnc.autoport) {
+ DEBUG0("Determining VNC port");
int port = qemudNextFreeVNCPort(driver);
if (port < 0) {
qemuReportError(VIR_ERR_INTERNAL_ERROR,
@@ -2735,6 +2742,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
goto cleanup;
}
+ DEBUG0("Creating domain log file");
if ((logfile = qemudLogFD(driver, vm->def->name)) < 0)
goto cleanup;
@@ -2751,14 +2759,17 @@ static int qemudStartVMDaemon(virConnectPtr conn,
goto cleanup;
}
+ DEBUG0("Determing emulator version");
if (qemudExtractVersionInfo(emulator,
NULL,
&qemuCmdFlags) < 0)
goto cleanup;
+ DEBUG0("Setting up domain cgroup (if required)");
if (qemuSetupCgroup(driver, vm) < 0)
goto cleanup;
+ DEBUG0("Preparing host devices");
if (qemuPrepareHostDevices(driver, vm->def) < 0)
goto cleanup;
@@ -2767,6 +2778,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
goto cleanup;
}
+ DEBUG0("Preparing monitor state");
if (qemuPrepareMonitorChr(driver, priv->monConfig, vm->def->name) < 0)
goto cleanup;
@@ -2798,6 +2810,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
* use in hotplug
*/
if (qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE) {
+ DEBUG0("Assigning domain PCI addresses");
/* Populate cache with current addresses */
if (priv->pciaddrs) {
qemuDomainPCIAddressSetFree(priv->pciaddrs);
@@ -2816,6 +2829,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
priv->persistentAddrs = 0;
}
+ DEBUG0("Building emulator command line");
vm->def->id = driver->nextvmid++;
if (qemudBuildCommandLine(conn, driver, vm->def, priv->monConfig,
priv->monJSON, qemuCmdFlags, &argv, &progenv,
@@ -2899,25 +2913,31 @@ static int qemudStartVMDaemon(virConnectPtr conn,
if (ret == -1) /* The VM failed to start */
goto cleanup;
+ DEBUG0("Waiting for monitor to show up");
if (qemudWaitForMonitor(driver, vm, pos) < 0)
goto abort;
+ DEBUG0("Detecting VCPU PIDs");
if (qemuDetectVcpuPIDs(driver, vm) < 0)
goto abort;
+ DEBUG0("Setting CPU affinity");
if (qemudInitCpuAffinity(vm) < 0)
goto abort;
+ DEBUG0("Setting any required VM passwords");
if (qemuInitPasswords(conn, driver, vm, qemuCmdFlags) < 0)
goto abort;
/* If we have -device, then addresses are assigned explicitly.
* If not, then we have to detect dynamic ones here */
if (!(qemuCmdFlags & QEMUD_CMD_FLAG_DEVICE)) {
+ DEBUG0("Determining domain device PCI addresses");
if (qemuInitPCIAddresses(driver, vm) < 0)
goto abort;
}
+ DEBUG0("Setting initial memory amount");
qemuDomainObjEnterMonitorWithDriver(driver, vm);
if (qemuMonitorSetBalloon(priv->mon, vm->def->memory) < 0) {
qemuDomainObjExitMonitorWithDriver(driver, vm);
@@ -2925,6 +2945,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
}
if (migrateFrom == NULL) {
+ DEBUG0("Starting domain CPUs");
/* Allow the CPUS to start executing */
if (qemuMonitorStartCPUs(priv->mon, conn) < 0) {
if (virGetLastError() == NULL)
@@ -2937,6 +2958,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
qemuDomainObjExitMonitorWithDriver(driver, vm);
+ DEBUG0("Writing domain status to disk");
if (virDomainSaveStatus(driver->caps, driver->stateDir, vm) < 0)
goto abort;
--
1.6.6.1
From 6d5c8a8f51db8ce97ab35ab6022dd5c94ab016b4 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 12 Mar 2010 12:37:52 -0500
Subject: [PATCH] qemu: Fix USB by product with security enabled
We need to call PrepareHostdevs to determine the USB device path before
any security calls. PrepareHostUSBDevices was also incorrectly skipping
all USB devices.
---
src/qemu/qemu_driver.c | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 040d645..b17d26d 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -2360,7 +2360,7 @@ qemuPrepareHostUSBDevices(struct qemud_driver *driver ATTRIBUTE_UNUSED,
if (hostdev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
continue;
- if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI)
+ if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB)
continue;
/* Resolve a vendor/product to bus/device */
@@ -2703,6 +2703,11 @@ static int qemudStartVMDaemon(virConnectPtr conn,
return -1;
}
+ /* Must be run before security labelling */
+ DEBUG0("Preparing host devices");
+ if (qemuPrepareHostDevices(driver, vm->def) < 0)
+ goto cleanup;
+
/* If you are using a SecurityDriver with dynamic labelling,
then generate a security label for isolation */
DEBUG0("Generating domain security label (if required)");
@@ -2769,10 +2774,6 @@ static int qemudStartVMDaemon(virConnectPtr conn,
if (qemuSetupCgroup(driver, vm) < 0)
goto cleanup;
- DEBUG0("Preparing host devices");
- if (qemuPrepareHostDevices(driver, vm->def) < 0)
- goto cleanup;
-
if (VIR_ALLOC(priv->monConfig) < 0) {
virReportOOMError();
goto cleanup;
--
1.6.6.1
From 65e97240e6e4606820dd1c42ac172319e0af4d8d Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Mon, 22 Mar 2010 10:45:36 -0400
Subject: [PATCH] security: selinux: Fix crash when releasing non-existent label
This can be triggered by the qemuStartVMDaemon cleanup path if a
VM references a non-existent USB device (by product) in the XML.
Signed-off-by: Cole Robinson <crobinso@redhat.com>
---
src/security/security_selinux.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 975b315..6680e2d 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -632,7 +632,8 @@ SELinuxReleaseSecurityLabel(virDomainObjPtr vm)
{
const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
- if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC)
+ if (secdef->type == VIR_DOMAIN_SECLABEL_STATIC ||
+ secdef->label == NULL)
return 0;
context_t con = context_new(secdef->label);
--
1.6.6.1

87
libvirt-0.7.7-set-kernel-perms.patch Normal file
View File

@ -0,0 +1,87 @@
From 3f1aa08af6580c215d973bc6bf57f505dbf8b926 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 12 Mar 2010 13:38:39 -0500
Subject: [PATCH] security: Set permissions for kernel/initrd
Fixes URL installs when running virt-install as root on Fedora.
---
src/qemu/qemu_security_dac.c | 21 +++++++++++++++++++++
src/security/security_selinux.c | 16 ++++++++++++++++
2 files changed, 37 insertions(+), 0 deletions(-)
diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
index 6911f48..1883fbe 100644
--- a/src/qemu/qemu_security_dac.c
+++ b/src/qemu/qemu_security_dac.c
@@ -332,6 +332,15 @@ qemuSecurityDACRestoreSecurityAllLabel(virDomainObjPtr vm)
vm->def->disks[i]) < 0)
rc = -1;
}
+
+ if (vm->def->os.kernel &&
+ qemuSecurityDACRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
+ rc = -1;
+
+ if (vm->def->os.initrd &&
+ qemuSecurityDACRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
+ rc = -1;
+
return rc;
}
@@ -356,6 +365,18 @@ qemuSecurityDACSetSecurityAllLabel(virDomainObjPtr vm)
return -1;
}
+ if (vm->def->os.kernel &&
+ qemuSecurityDACSetOwnership(vm->def->os.kernel,
+ driver->user,
+ driver->group) < 0)
+ return -1;
+
+ if (vm->def->os.initrd &&
+ qemuSecurityDACSetOwnership(vm->def->os.initrd,
+ driver->user,
+ driver->group) < 0)
+ return -1;
+
return 0;
}
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index b2c8581..975b315 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -616,6 +616,14 @@ SELinuxRestoreSecurityAllLabel(virDomainObjPtr vm)
rc = -1;
}
+ if (vm->def->os.kernel &&
+ SELinuxRestoreSecurityFileLabel(vm->def->os.kernel) < 0)
+ rc = -1;
+
+ if (vm->def->os.initrd &&
+ SELinuxRestoreSecurityFileLabel(vm->def->os.initrd) < 0)
+ rc = -1;
+
return rc;
}
@@ -736,6 +744,14 @@ SELinuxSetSecurityAllLabel(virDomainObjPtr vm)
return -1;
}
+ if (vm->def->os.kernel &&
+ SELinuxSetFilecon(vm->def->os.kernel, default_content_context) < 0)
+ return -1;
+
+ if (vm->def->os.initrd &&
+ SELinuxSetFilecon(vm->def->os.initrd, default_content_context) < 0)
+ return -1;
+
return 0;
}
--
1.6.6.1

12
libvirt.spec
View File

@ -169,10 +169,14 @@
Summary: Library providing a simple API virtualization Summary: Library providing a simple API virtualization
Name: libvirt Name: libvirt
Version: 0.7.7 Version: 0.7.7
Release: 1%{?dist}%{?extra_release} Release: 2%{?dist}%{?extra_release}
License: LGPLv2+ License: LGPLv2+
Group: Development/Libraries Group: Development/Libraries
Source: http://libvirt.org/sources/libvirt-%{version}.tar.gz Source: http://libvirt.org/sources/libvirt-%{version}.tar.gz
# Fix USB devices by product with security enabled (bz 574136)
Patch1: %{name}-%{version}-fix-usb-product.patch
# Set kernel/initrd in security driver, fixes some URL installs (bz 566425)
Patch2: %{name}-%{version}-set-kernel-perms.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
URL: http://libvirt.org/ URL: http://libvirt.org/
BuildRequires: python-devel BuildRequires: python-devel
@ -394,6 +398,8 @@ of recent versions of Linux (and other OSes).
%prep %prep
%setup -q %setup -q
%patch1 -p1
%patch2 -p1
%build %build
%if ! %{with_xen} %if ! %{with_xen}
@ -815,6 +821,10 @@ fi
%endif %endif
%changelog %changelog
* Mon Mar 22 2010 Cole Robinson <crobinso@redhat.com> - 0.7.7-2.fc14
- Fix USB devices by product with security enabled (bz 574136)
- Set kernel/initrd in security driver, fixes some URL installs (bz 566425)
* Fri Mar 5 2010 Daniel Veillard <veillard@redhat.com> - 0.7.7-1 * Fri Mar 5 2010 Daniel Veillard <veillard@redhat.com> - 0.7.7-1
- macvtap support - macvtap support
- async job handling - async job handling