On Wed, Sep 25, 2013 at 04:50:23PM -0400, Dan Walsh wrote:
> virt-sandbox should be launching containers based off the lxc_context
> file from selinux-policy. I changed the hard coded paths to match the
> latest fedora assigned labels.
>
> Fedora 20 SELinux Policy and beyond will have proper SELinux labels in its
> lxc_contexts file.
> ---
> bin/virt-sandbox-service | 2 +-
> bin/virt-sandbox-service-clone.pod | 5 ++-
> bin/virt-sandbox-service-create.pod | 7 ++--
> bin/virt-sandbox.c | 5 ++-
> libvirt-sandbox/libvirt-sandbox-builder.c | 58 +++++++++++++++++++++++++------
> 5 files changed, 55 insertions(+), 22 deletions(-)
>
> diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
> index c4c4f54..b42fe08 100755
> --- a/bin/virt-sandbox-service
> +++ b/bin/virt-sandbox-service
> @@ -101,7 +101,7 @@ def copydirtree(src, dst):
> class Container:
> DEFAULT_PATH = "/var/lib/libvirt/filesystems"
> DEFAULT_IMAGE = "/var/lib/libvirt/images/%s.raw"
> - SELINUX_FILE_TYPE = "svirt_lxc_file_t"
> + SELINUX_FILE_TYPE = "svirt_sandbox_file_t"
This change will make it impossible to use the new release on existing
distros since they won't have this new policy type. We need this to be
conditionally changed.
> diff --git a/libvirt-sandbox/libvirt-sandbox-builder.c b/libvirt-sandbox/libvirt-sandbox-builder.c
> index 1335042..613161a 100644
> --- a/libvirt-sandbox/libvirt-sandbox-builder.c
> +++ b/libvirt-sandbox/libvirt-sandbox-builder.c
> @@ -67,6 +67,48 @@ gvir_sandbox_builder_error_quark(void)
> {
> return g_quark_from_static_string("gvir-sandbox-builder");
> }
> +#include <selinux/selinux.h>
> +#include <errno.h>
> +static char line[1024];
> +
> +static const char *get_label(int type) {
> + const char *path = selinux_lxc_contexts_path();
> +
> + FILE *fp = fopen(path, "r");
> + if (fp) {
> + GType gt = gvir_config_domain_virt_type_get_type ();
> + GEnumClass *cls = g_type_class_ref (gt);
> + GEnumValue *val = g_enum_get_value (cls, type);
> +
> + while (val && fgets(line, sizeof line, fp)) {
> + int len = strlen(line);
> + if (len > 2)
> + continue;
> + if (line[len-1] == '\n')
> + line[len-1] = '\0';
> + char *name = line;
> + char *value = strchr(name, '=');
> + if (!value)
> + continue;
> + *value = '\0';
> + value++;
> + if (strcmp(name,val->value_nick))
> + continue;
> + return value;
> + }
> + fclose(fp);
I'm not sure I really understand what this code is doing. You seem to
be opening /etc/selinux/targetted/context/lxc_contexts and then searching
for the type for LXC, QEMU or KVM. This doesn't really make sense to me.
I wonder what the point of any of this code us, when the switch statement
below looks to be sufficient.
> + }
> +
> + switch (type) {
> + case GVIR_CONFIG_DOMAIN_VIRT_KVM:
> + return "system_u:system_r:svirt_qemu_net_t:s0";
This should be 'svirt_kvm_net_t' otherwise you are granting the
KVM process permission to use execmem & execstack, which is
bad from a security POV.
> + case GVIR_CONFIG_DOMAIN_VIRT_QEMU:
> + return "system_u:system_r:svirt_qemu_net_t:s0";
This again looks like it might have back compat problems, if we
try to use this on old policy based systems. Though those hosts
were already broken due to svirt_t type not allowing sufficient
privileges, so perhaps its ok.
> + case GVIR_CONFIG_DOMAIN_VIRT_LXC:
> + default:
> + return "system_u:system_r:svirt_lxc_net_t:s0";
The default case should report an error - we shouldn't assume that
if we add usermode linux or vmware support, that it'll want this
lxc type.
> + }
> +}
>
> static gboolean gvir_sandbox_builder_construct_domain(GVirSandboxBuilder *builder,
> GVirSandboxConfig *config,
> @@ -335,17 +377,11 @@ static gboolean gvir_sandbox_builder_construct_security(GVirSandboxBuilder *buil
> if (gvir_sandbox_config_get_security_dynamic(config)) {
> gvir_config_domain_seclabel_set_type(sec,
> GVIR_CONFIG_DOMAIN_SECLABEL_DYNAMIC);
> - if (label)
> - gvir_config_domain_seclabel_set_baselabel(sec, label);
> - else if (gvir_config_domain_get_virt_type(domain) ==
> - GVIR_CONFIG_DOMAIN_VIRT_LXC)
> - gvir_config_domain_seclabel_set_baselabel(sec, "system_u:system_r:svirt_lxc_net_t:s0");
> - else if (gvir_config_domain_get_virt_type(domain) ==
> - GVIR_CONFIG_DOMAIN_VIRT_QEMU)
> - gvir_config_domain_seclabel_set_baselabel(sec, "system_u:system_r:svirt_tcg_t:s0");
> - else if (gvir_config_domain_get_virt_type(domain) ==
> - GVIR_CONFIG_DOMAIN_VIRT_KVM)
> - gvir_config_domain_seclabel_set_baselabel(sec, "system_u:system_r:svirt_t:s0");
> + if (!label)
> + label = get_label(gvir_config_domain_get_virt_type(domain));
> +
> + gvir_config_domain_seclabel_set_baselabel(sec, label);
> +
> } else {
> gvir_config_domain_seclabel_set_type(sec,
> GVIR_CONFIG_DOMAIN_SECLABEL_STATIC);
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list