On Tue, Nov 03, 2020 at 02:13:28PM +0100, Michal Privoznik wrote:
> For seclabel remembering we need to have XATTRs and a special
> namespace that is accessibly to CAP_SYS_ADMIN only (we don't want
> regular users to trick us into restoring to a different label).
> And what qemusecuritytest does is it checks whether we have not
> left any path behind with XATTRs or not restored to original
> seclabel after setAll + restoreAll round trip. But it can hardly
> do so if ran on a platform where there's no XATTR namespace we
> can use.
>
> Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
> ---
> src/libvirt_private.syms | 4 ++++
> src/security/security_util.c | 11 +++++++++++
> src/security/security_util.h | 3 +++
> tests/qemusecuritytest.c | 6 ++++++
> 4 files changed, 24 insertions(+)
>
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index 95e50835ad..eb588a9357 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -1609,6 +1609,10 @@ virSecurityManagerTransactionStart;
> virSecurityManagerVerify;
>
>
> +# security/security_util.h
> +virSecurityXATTRNamespaceDefined;
> +
> +
> # util/glibcompat.h
> vir_g_canonicalize_filename;
> vir_g_fsync;
> diff --git a/src/security/security_util.c b/src/security/security_util.c
> index 622bd901ee..26a7861e29 100644
> --- a/src/security/security_util.c
> +++ b/src/security/security_util.c
> @@ -107,6 +107,17 @@ virSecurityGetTimestampAttrName(const char *name G_GNUC_UNUSED)
> #endif /* !XATTR_NAMESPACE */
>
>
> +bool
> +virSecurityXATTRNamespaceDefined(void)
> +{
> +#ifdef XATTR_NAMESPACE
> + return true;
> +#else
> + return false;
> +#endif
> +}
> +
> +
> static char *
> virSecurityGetTimestamp(void)
> {
> diff --git a/src/security/security_util.h b/src/security/security_util.h
> index 91de704e62..7af6f009e2 100644
> --- a/src/security/security_util.h
> +++ b/src/security/security_util.h
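Review bot: virSecurityXATTRNamespaceDefined() in src/security/security_util.c has no doc comment, and its name does not say that the answer is fixed at build time. It returns true whenever XATTR_NAMESPACE was defined at compile time; nothing in it probes whether the filesystem or the caller's privileges allow that namespace to be used at run time. A short comment above the definition would keep later callers from treating it as a runtime capability check, for example `/* Returns true if this build has an XATTR namespace for seclabel remembering (compile-time only, no runtime probing). */`.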
> @@ -32,3 +32,6 @@ int
> virSecurityMoveRememberedLabel(const char *name,
> const char *src,
> const char *dst);
> +
> +bool
> +virSecurityXATTRNamespaceDefined(void);
> diff --git a/tests/qemusecuritytest.c b/tests/qemusecuritytest.c
> index 7ee1ccd1b6..dc3deb37d2 100644
> --- a/tests/qemusecuritytest.c
> +++ b/tests/qemusecuritytest.c
> @@ -22,6 +22,7 @@
> #include "testutils.h"
> #include "testutilsqemu.h"
> #include "security/security_manager.h"
> +#include "security/security_util.h"
> #include "conf/domain_conf.h"
> #include "qemu/qemu_domain.h"
> #include "qemu/qemu_security.h"
> @@ -148,6 +149,11 @@ mymain(void)
> qemuTestDriverInit(&driver) < 0)
> return -1;
>
> + if (!virSecurityXATTRNamespaceDefined()) {
> + ret = EXIT_AM_SKIP;
> + goto cleanup;
> + }
> +
> /* Now fix the secdriver */
> virObjectUnref(driver.securityManager);
>
> --
> 2.26.2
>
Reviewed-by: Roman Bolshakov <r.bolshakov@xxxxxxxxx>
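Review bot: The new skip in mymain() in tests/qemusecuritytest.c gives no reason. When virSecurityXATTRNamespaceDefined() is false the test sets EXIT_AM_SKIP and leaves silently, so a log from such a platform does not show that the setAll + restoreAll label round trip went unchecked. I would add a comment above the check, for example `/* No XATTR namespace in this build: the remember/restore round trip cannot be verified. */`, and consider printing the same reason to stderr. The check also sits after qemuTestDriverInit(), so it relies on the cleanup label to release the driver. That label and the rest of mymain() are outside the hunk, so I cannot confirm the path from here.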