Patch set to add virt-sandbox -s inherit and fixes for man pages.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For some reason my git-sendmail keeps failing.

[sandbox PATCH 1/3] Add virt-sandbox -s inherit, to execute the
[sandbox PATCH 2/3] Add comment about LIBVIRT_DEFAULT_URI to
[sandbox PATCH 3/3] virt-sandbox-service.pod did not mention upgrade
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlH7zjAACgkQrlYvE4MpobPBIQCgvOYtY0ccFTUNBNA4tWWQs02t
tYwAn15nXX9WhTyG0Piw4QVYwide9/RZ
=g+dS
-----END PGP SIGNATURE-----
From fcf2e72b78b66075ca5f061423a259e058f4f39d Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Wed, 31 Jul 2013 17:04:58 -0400
Subject: [sandbox PATCH 1/3] Add virt-sandbox -s inherit, to execute the
 sandbox from the parent.

This will allow us to run the sandbox as the calling process. If I am
running a shell as staff_u:unconfined_r:unconfined_t:s0, and I
execute virt-sandbox -c lxc/// -- /bin/sh

/bin/sh will run as staff_u:unconfined_r:unconfined_t:s0
---
 bin/virt-sandbox.c                       |  4 ++++
 libvirt-sandbox/libvirt-sandbox-config.c | 14 ++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c
index b51465d..9a75f3c 100644
--- a/bin/virt-sandbox.c
+++ b/bin/virt-sandbox.c
@@ -403,6 +403,10 @@ USER:ROLE:TYPE:LEVEL, instead of the default base context.
 To set a completely static label. For example,
 static,label=system_u:system_r:svirt_t:s0:c412,c355
 
+=item inherit
+
+Inherit the context from the process that is executing virt-sandbox.
+
 =back
 
 =item B<-p>, B<--privileged>
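Review bot: the new `inherit` entry should state what the caller gives up. Unlike `dynamic`, the sandbox receives exactly the invoking process's label (the config code takes it from getcon() and turns dynamic labelling off), so it shares the caller's SELinux domain and gets no per-sandbox MCS categories; as the commit message itself shows, a shell in unconfined_t produces an unconfined sandbox. Suggest adding a sentence along the lines of "The sandbox is not separated from the invoking process by SELinux; only useful when the caller already runs in a confined domain."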
diff --git a/libvirt-sandbox/libvirt-sandbox-config.c b/libvirt-sandbox/libvirt-sandbox-config.c
index ccdb3bc..8e8ac65 100644
--- a/libvirt-sandbox/libvirt-sandbox-config.c
+++ b/libvirt-sandbox/libvirt-sandbox-config.c
@@ -27,6 +27,8 @@
 #include <glib/gi18n.h>
 
 #include "libvirt-sandbox/libvirt-sandbox.h"
+#include <errno.h>
+#include <selinux/selinux.h>
 
 /**
  * SECTION: libvirt-sandbox-config
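Review bot: this file now depends unconditionally on libselinux (`<selinux/selinux.h>`, getcon/freecon), but nothing in the series touches configure.ac or Makefile.am to detect the library and add it to the link line; unless libvirt-sandbox already links libselinux elsewhere, the build breaks where the headers are absent. Also put the two new system includes with the other `<...>` includes above `"libvirt-sandbox/libvirt-sandbox.h"` rather than after the project header.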
@@ -1521,6 +1523,18 @@ gboolean gvir_sandbox_config_set_security_opts(GVirSandboxConfig *config,
         gvir_sandbox_config_set_security_dynamic(config, TRUE);
     } else if (g_str_equal(tmp, "static")) {
         gvir_sandbox_config_set_security_dynamic(config, FALSE);
+    } else if (g_str_equal(tmp, "inherit")) {
+        gvir_sandbox_config_set_security_dynamic(config, FALSE);
+        security_context_t scon;
+        if (getcon(&scon) < 0) {
+                g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0,
+                            _("Unable to get SELinux context of user: %s"),
+                            strerror(errno));
+                return FALSE;
+        }
+        gvir_sandbox_config_set_security_label(config, scon);
+        freecon(scon);
+
     } else {
         g_set_error(error, GVIR_SANDBOX_CONFIG_ERROR, 0,
                     _("Unknown security option '%s'"), tmp);
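Review bot: in the `inherit` branch `gvir_sandbox_config_set_security_dynamic(config, FALSE)` runs before the getcon() check, so when getcon() fails the function returns FALSE with the config already switched to static labelling and no label set; move that call after the check (or leave the config untouched on error). Smaller points in the same branch: `security_context_t scon;` is a declaration after a statement, which this code base otherwise avoids; the error block is indented eight spaces where the surrounding code uses four; use `g_strerror(errno)` rather than `strerror(errno)` as elsewhere in a GLib project; and since `freecon(scon)` follows immediately, `gvir_sandbox_config_set_security_label` must copy the string, which is worth confirming. Consider an `is_selinux_enabled()` check first so that a box with SELinux disabled gets a clearer message than "Unable to get SELinux context of user".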
-- 
1.8.3.1
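The security option grammar the patch above extends (`dynamic`, `static,label=USER:ROLE:TYPE:LEVEL`, and now `inherit`) is worth seeing end to end together with the check the patch does not make. The following is an added example, not code from libvirt-sandbox: it models the three modes in plain C, parses the resulting label into its four fields (the MCS level may itself contain a colon, which a naive split on `:` gets wrong), and flags an inherited label whose type is unconfined_t. Because getcon() needs libselinux and a live SELinux kernel, the caller's context is passed in as a string; every function name and the `static`-requires-a-label rule are this example's own assumptions.

```c
/* Added example, not libvirt-sandbox code.  Models the dynamic / static /
 * inherit security modes and validates the resulting label.  getcon() needs
 * libselinux and a live SELinux kernel, so the caller's context is passed in
 * as a string instead; all function names here are hypothetical. */
#include <stdio.h>
#include <string.h>

enum sec_mode { SEC_DYNAMIC, SEC_STATIC, SEC_INHERIT };

struct sec_opts {
    enum sec_mode mode;
    char label[256];            /* "" = let the driver choose the label */
};

/* Split "user:role:type:level" into fields.  The MLS/MCS level
 * (s0:c412,c355) may itself contain ':', so only the first three colons
 * are separators and the level is optional.  Returns 0 or -1. */
static int split_context(const char *ctx, char fld[4][64])
{
    const char *p = ctx;
    for (int i = 0; i < 4; i++) {
        const char *end = (i < 3) ? strchr(p, ':') : NULL;
        if (!end)
            end = p + strlen(p);
        size_t len = (size_t)(end - p);
        if ((i < 3 && len == 0) || len >= 64)
            return -1;                  /* user, role, type are required */
        memcpy(fld[i], p, len);
        fld[i][len] = '\0';
        if (*end == '\0') {             /* input exhausted */
            if (i < 2)
                return -1;              /* fewer than user:role:type */
            for (int j = i + 1; j < 4; j++)
                fld[j][0] = '\0';
            return 0;
        }
        p = end + 1;
    }
    return 0;
}

/* 1 if the label's type is unconfined_t, 0 if confined, -1 if malformed.
 * This is the check the patch omits: an inherited label only separates the
 * sandbox from the host if the caller was confined to begin with. */
static int label_is_unconfined(const char *label)
{
    char fld[4][64];
    if (split_context(label, fld) < 0)
        return -1;
    return strcmp(fld[2], "unconfined_t") == 0;
}

/* Parse the -s argument: "dynamic", "dynamic,label=CTX", "static,label=CTX"
 * or "inherit".  caller_ctx stands in for getcon().  Returns 0 or -1. */
static int parse_security_opts(const char *opt, const char *caller_ctx,
                               struct sec_opts *out)
{
    char fld[4][64];
    const char *lbl = strstr(opt, ",label=");
    size_t modelen = lbl ? (size_t)(lbl - opt) : strlen(opt);

    memset(out, 0, sizeof *out);
    if (modelen == 7 && strncmp(opt, "dynamic", 7) == 0)
        out->mode = SEC_DYNAMIC;
    else if (modelen == 6 && strncmp(opt, "static", 6) == 0)
        out->mode = SEC_STATIC;
    else if (modelen == 7 && strncmp(opt, "inherit", 7) == 0)
        out->mode = SEC_INHERIT;
    else
        return -1;                      /* unknown security option */

    if (out->mode == SEC_INHERIT) {
        if (lbl || !caller_ctx)         /* inherit takes no label; getcon failed */
            return -1;
        snprintf(out->label, sizeof out->label, "%s", caller_ctx);
    } else if (lbl) {
        snprintf(out->label, sizeof out->label, "%s", lbl + 7);
    } else if (out->mode == SEC_STATIC) {
        return -1;                      /* this example insists static has a label */
    }
    /* Whatever its source, a non-empty label must be a well-formed context. */
    if (out->label[0] && split_context(out->label, fld) < 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: the commit message's unconfined shell and the
     * man page's static label. */
    const char *shell_ctx = "staff_u:unconfined_r:unconfined_t:s0";
    const char *args[] = { "dynamic",
                           "static,label=system_u:system_r:svirt_t:s0:c412,c355",
                           "inherit" };
    for (size_t i = 0; i < 3; i++) {
        struct sec_opts o;
        if (parse_security_opts(args[i], shell_ctx, &o) < 0) {
            printf("%-55s -> rejected\n", args[i]);
            continue;
        }
        printf("%-55s -> label '%s'%s\n", args[i],
               o.label[0] ? o.label : "(driver-assigned)",
               label_is_unconfined(o.label) == 1
                   ? "  WARNING: sandbox runs unconfined" : "");
    }
    return 0;
}
```

Run as is, the `inherit` line is the one that gets the warning: the label is well formed, so a syntax check alone passes it, and only the type comparison reveals that the sandbox would run in the caller's unconfined domain.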

From f94804786ca1b41d2bb8c58ba04d6412ec49f3ae Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Wed, 31 Jul 2013 17:36:21 -0400
Subject: [sandbox PATCH 2/3] Add comment about LIBVIRT_DEFAULT_URI to
 virt-sandbox man page

---
 bin/virt-sandbox.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bin/virt-sandbox.c b/bin/virt-sandbox.c
index 9a75f3c..26eefcf 100644
--- a/bin/virt-sandbox.c
+++ b/bin/virt-sandbox.c
@@ -280,6 +280,7 @@ not allowed to open any other files.
 
 Set the libvirt connection URI, defaults to qemu:///session if
 omitted. Currently only the QEMU and LXC drivers are supported.
+Alternatively the C<LIBVIRT_DEFAULT_URI> environment variable can be set, or the config file C</etc/libvirt/libvirt.conf> can have a default URI set.
 
 =item B<-n NAME>, B<--name=NAME>
 
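Review bot: the added sentence is a single line of roughly 150 characters in a POD block that is otherwise wrapped at about 70 columns; wrap it to match. It would also help to name the setting: the key in C</etc/libvirt/libvirt.conf> is C<uri_default>, and libvirt also reads a per-user C<~/.config/libvirt/libvirt.conf>, with C<LIBVIRT_DEFAULT_URI> taking precedence over both.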
-- 
1.8.3.1

From af40cc741f69b335975f36801efe91f822a2b8cc Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Thu, 1 Aug 2013 11:09:51 -0400
Subject: [sandbox PATCH 3/3] virt-sandbox-service.pod did not mention upgrade

Also still had references to start, stop and list
---
 bin/virt-sandbox-service.pod | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/bin/virt-sandbox-service.pod b/bin/virt-sandbox-service.pod
index 32caad9..b317ad4 100644
--- a/bin/virt-sandbox-service.pod
+++ b/bin/virt-sandbox-service.pod
@@ -4,7 +4,7 @@ virt-sandbox-service - Secure container tool
 
 =head1 SYNOPSIS
 
-  {create,clone,connect,delete,execute,list,reload,start,stop}
+  {create,clone,connect,delete,execute,reload,upgrade}
 
   commands:
 
@@ -20,6 +20,8 @@ virt-sandbox-service - Secure container tool
 
     reload              Reload a running sandbox container
 
+    upgrade             Upgrade the sandbox container
+
 =head1 DESCRIPTION
 
 virt-sandbox-service is used to provision secure sandboxed system services.
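Review bot: "Upgrade the sandbox container" does not say what is upgraded; the neighbouring entry ("Reload a running sandbox container") names both the action and its effect. Say what the command brings up to date, matching the wording of virt-sandbox-service-upgrade(1).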
@@ -52,7 +54,7 @@ supported currently).
 
 =head1 SEE ALSO
 
-C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>, C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>, C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>, C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>
+C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>, C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>, C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>, C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>,  C<virt-sandbox-service-upgrade(1)>
 
 =head1 FILES
 
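Review bot: there is a double space before C<virt-sandbox-service-upgrade(1)>; the rest of the SEE ALSO list is separated by a single comma and space.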
-- 
1.8.3.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
