[libvirt] [PATCH 6/7] Use cgroups for block device whitelisting in QEMU guests

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



* src/qemu_driver.c: Set a restrictive block device whitelist for
  all QEMU guests. Update whitelist when hotplugging disks.
* src/cgroup.h, src/cgroup.c: Add some more convenience methods
  for dealing with block device whitelists.
---
 src/cgroup.c      |   98 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/cgroup.h      |   12 ++++++
 src/qemu_driver.c |   87 ++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 195 insertions(+), 2 deletions(-)

diff --git a/src/cgroup.c b/src/cgroup.c
index d9c3141..21e0dd4 100644
--- a/src/cgroup.c
+++ b/src/cgroup.c
@@ -782,6 +782,104 @@ int virCgroupAllowDeviceMajor(virCgroupPtr group,
     return rc;
 }
 
+int virCgroupAllowDevicePath(virCgroupPtr group,
+                             const char *path)
+{
+    struct stat sb;
+
+    if (stat(path, &sb) < 0)
+        return -errno;
+
+    if (!S_ISCHR(sb.st_mode) && !S_ISBLK(sb.st_mode))
+        return -EINVAL;
+
+    return virCgroupAllowDevice(group,
+                                S_ISCHR(sb.st_mode) ? 'c' : 'b',
+                                major(sb.st_rdev),
+                                minor(sb.st_rdev));
+}
+
+/**
+ * virCgroupDenyDevice:
+ *
+ * @group: The cgroup to deny a device for
+ * @type: The device type (i.e., 'c' or 'b')
+ * @major: The major number of the device
+ * @minor: The minor number of the device
+ *
+ * Returns: 0 on success
+ */
+int virCgroupDenyDevice(virCgroupPtr group,
+                         char type,
+                         int major,
+                         int minor)
+{
+    int rc;
+    char *devstr = NULL;
+
+    if (virAsprintf(&devstr, "%c %i:%i rwm", type, major, minor) == -1) {
+        rc = -ENOMEM;
+        goto out;
+    }
+
+    rc = virCgroupSetValueStr(group,
+                              VIR_CGROUP_CONTROLLER_DEVICES,
+                              "devices.deny",
+                              devstr);
+out:
+    VIR_FREE(devstr);
+
+    return rc;
+}
+
+/**
+ * virCgroupDenyDeviceMajor:
+ *
+ * @group: The cgroup to deny an entire device major type for
+ * @type: The device type (i.e., 'c' or 'b')
+ * @major: The major number of the device type
+ *
+ * Returns: 0 on success
+ */
+int virCgroupDenyDeviceMajor(virCgroupPtr group,
+                              char type,
+                              int major)
+{
+    int rc;
+    char *devstr = NULL;
+
+    if (virAsprintf(&devstr, "%c %i:* rwm", type, major) == -1) {
+        rc = -ENOMEM;
+        goto out;
+    }
+
+    rc = virCgroupSetValueStr(group,
+                              VIR_CGROUP_CONTROLLER_DEVICES,
+                              "devices.deny",
+                              devstr);
+ out:
+    VIR_FREE(devstr);
+
+    return rc;
+}
+
+int virCgroupDenyDevicePath(virCgroupPtr group,
+                             const char *path)
+{
+    struct stat sb;
+
+    if (stat(path, &sb) < 0)
+        return -errno;
+
+    if (!S_ISCHR(sb.st_mode) && !S_ISBLK(sb.st_mode))
+        return -EINVAL;
+
+    return virCgroupDenyDevice(group,
+                               S_ISCHR(sb.st_mode) ? 'c' : 'b',
+                               major(sb.st_rdev),
+                               minor(sb.st_rdev));
+}
+
 int virCgroupSetCpuShares(virCgroupPtr group, unsigned long shares)
 {
     return virCgroupSetValueU64(group,
diff --git a/src/cgroup.h b/src/cgroup.h
index 11c44f9..89bd4a1 100644
--- a/src/cgroup.h
+++ b/src/cgroup.h
@@ -38,6 +38,18 @@ int virCgroupAllowDevice(virCgroupPtr group,
 int virCgroupAllowDeviceMajor(virCgroupPtr group,
                               char type,
                               int major);
+int virCgroupAllowDevicePath(virCgroupPtr group,
+                             const char *path);
+
+int virCgroupDenyDevice(virCgroupPtr group,
+                        char type,
+                        int major,
+                        int minor);
+int virCgroupDenyDeviceMajor(virCgroupPtr group,
+                             char type,
+                             int major);
+int virCgroupDenyDevicePath(virCgroupPtr group,
+                            const char *path);
 
 int virCgroupSetCpuShares(virCgroupPtr group, unsigned long shares);
 int virCgroupGetCpuShares(virCgroupPtr group, unsigned long *shares);
diff --git a/src/qemu_driver.c b/src/qemu_driver.c
index f6d3f52..33e9cfa 100644
--- a/src/qemu_driver.c
+++ b/src/qemu_driver.c
@@ -1378,12 +1378,19 @@ error:
     return -1;
 }
 
+static const char *const devs[] = {
+    "/dev/null", "/dev/full", "/dev/zero",
+    "/dev/random", "/dev/urandom",
+    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
+};
+
 static int qemuSetupCgroup(virConnectPtr conn,
                            struct qemud_driver *driver ATTRIBUTE_UNUSED,
                            virDomainObjPtr vm)
 {
     virCgroupPtr cgroup = NULL;
     int rc;
+    unsigned int i;
 
     if (virCgroupHaveSupport() != 0)
         return 0; /* Not supported, so claim success */
@@ -1395,6 +1402,54 @@ static int qemuSetupCgroup(virConnectPtr conn,
         goto cleanup;
     }
 
+    rc = virCgroupDenyAllDevices(cgroup);
+    if (rc != 0) {
+        if (rc == -EPERM) {
+            VIR_WARN0("Group devices ACL is not accessible, disabling whitelisting");
+            goto done;
+        }
+
+        virReportSystemError(conn, -rc,
+                             _("Unable to deny all devices for %s"), vm->def->name);
+        goto cleanup;
+    }
+
+    for (i = 0; i < vm->def->ndisks ; i++) {
+        if (vm->def->disks[i]->type != VIR_DOMAIN_DISK_TYPE_BLOCK ||
+            vm->def->disks[i]->src == NULL)
+            continue;
+
+        rc = virCgroupAllowDevicePath(cgroup,
+                                      vm->def->disks[i]->src);
+        if (rc != 0) {
+            virReportSystemError(conn, -rc,
+                                 _("Unable to allow device %s for %s"),
+                                 vm->def->disks[i]->src, vm->def->name);
+            goto cleanup;
+        }
+    }
+
+    rc = virCgroupAllowDeviceMajor(cgroup, 'c', 136);
+    if (rc != 0) {
+        virReportSystemError(conn, -rc,
+                             _("unable to allow device %s"),
+                             devs[i]);
+        goto cleanup;
+    }
+
+    for (i = 0; i < ARRAY_CARDINALITY(devs) ; i++) {
+        rc = virCgroupAllowDevicePath(cgroup,
+                                      devs[i]);
+        if (rc < 0 &&
+            rc != -ENOENT) {
+            virReportSystemError(conn, -rc,
+                                 _("unable to allow device %s"),
+                                 devs[i]);
+            goto cleanup;
+        }
+    }
+
+done:
     virCgroupFree(&cgroup);
     return 0;
 
@@ -4637,6 +4692,7 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
     struct qemud_driver *driver = dom->conn->privateData;
     virDomainObjPtr vm;
     virDomainDeviceDefPtr dev = NULL;
+    virCgroupPtr cgroup = NULL;
     int ret = -1;
 
     qemuDriverLock(driver);
@@ -4662,6 +4718,26 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
 
 
     if (dev->type == VIR_DOMAIN_DEVICE_DISK) {
+        if (virCgroupHaveSupport() == 0) {
+            if (virCgroupForDomain(vm->def, "qemu", &cgroup) !=0 ) {
+                qemudReportError(dom->conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+                                 _("Unable to create cgroup for %s\n"),
+                                 vm->def->name);
+                goto cleanup;
+            }
+            if (dev->data.disk->src != NULL &&
+                virCgroupAllowDevicePath(cgroup,
+                                         dev->data.disk->src) < 0) {
+                qemudReportError(dom->conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+                                 _("unable to allow device %s"),
+                                 dev->data.disk->src);
+                goto cleanup;
+            }
+        }
+
+        if (driver->securityDriver)
+            driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev->data.disk);
+
         switch (dev->data.disk->device) {
         case VIR_DOMAIN_DISK_DEVICE_CDROM:
         case VIR_DOMAIN_DISK_DEVICE_FLOPPY:
@@ -4690,7 +4766,7 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
                 qemudReportError(dom->conn, dom, NULL, VIR_ERR_NO_SUPPORT,
                                  _("disk bus '%s' cannot be hotplugged."),
                                  virDomainDiskBusTypeToString(dev->data.disk->bus));
-                goto cleanup;
+                /* fallthrough */
             }
             break;
 
@@ -4698,7 +4774,11 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
             qemudReportError(dom->conn, dom, NULL, VIR_ERR_NO_SUPPORT,
                              _("disk device type '%s' cannot be hotplugged"),
                              virDomainDiskDeviceTypeToString(dev->data.disk->device));
-            goto cleanup;
+            /* Fallthrough */
+        }
+        if (ret != 0) {
+            virCgroupDenyDevicePath(cgroup,
+                                    dev->data.disk->src);
         }
     } else if (dev->type == VIR_DOMAIN_DEVICE_HOSTDEV &&
                dev->data.hostdev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS &&
@@ -4718,6 +4798,9 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
         ret = -1;
 
 cleanup:
+    if (cgroup)
+        virCgroupFree(&cgroup);
+
     if (ret < 0) {
         if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 1) < 0)
             VIR_WARN0("Fail to restore disk device ownership");
-- 
1.6.2.5

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]