From 0b3a0a1f9333d989fd09b7567ebd06247eec6eee0aa864845c1d5f69e70c1753 Mon Sep 17 00:00:00 2001 From: James Fehlig Date: Mon, 7 Dec 2020 23:13:45 +0000 Subject: [PATCH] - apparmor: Allow lxc processes to receive signals from libvirt lxc: Set default security model in XML parser config 0d05d51b-apparmor-lxc-fix.patch, cf4e7e62-lxc-def-secmodel.patch bsc#1179735 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=863 --- ...c-implement-connectGetAllDomainStats.patch | 4 +- 0d05d51b-apparmor-lxc-fix.patch | 40 +++++++ cf4e7e62-lxc-def-secmodel.patch | 108 ++++++++++++++++++ libvirt.changes | 8 ++ libvirt.spec | 2 + lxc-wait-after-eth-del.patch | 4 +- 6 files changed, 162 insertions(+), 4 deletions(-) create mode 100644 0d05d51b-apparmor-lxc-fix.patch create mode 100644 cf4e7e62-lxc-def-secmodel.patch diff --git a/0002-lxc-implement-connectGetAllDomainStats.patch b/0002-lxc-implement-connectGetAllDomainStats.patch index 76aca1c..0986cab 100644 --- a/0002-lxc-implement-connectGetAllDomainStats.patch +++ b/0002-lxc-implement-connectGetAllDomainStats.patch @@ -22,7 +22,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c #define VIR_FROM_THIS VIR_FROM_LXC -@@ -5068,6 +5070,128 @@ lxcDomainHasManagedSaveImage(virDomainPt +@@ -5071,6 +5073,128 @@ lxcDomainHasManagedSaveImage(virDomainPt return ret; } @@ -151,7 +151,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c /* Function Tables */ static virHypervisorDriver lxcHypervisorDriver = { -@@ -5165,6 +5289,7 @@ static virHypervisorDriver lxcHypervisor +@@ -5168,6 +5292,7 @@ static virHypervisorDriver lxcHypervisor .nodeGetFreePages = lxcNodeGetFreePages, /* 1.2.6 */ .nodeAllocPages = lxcNodeAllocPages, /* 1.2.9 */ .domainHasManagedSaveImage = lxcDomainHasManagedSaveImage, /* 1.2.13 */ diff --git a/0d05d51b-apparmor-lxc-fix.patch b/0d05d51b-apparmor-lxc-fix.patch new file mode 100644 index 0000000..66d1df6 --- /dev/null +++ b/0d05d51b-apparmor-lxc-fix.patch @@ -0,0 +1,40 @@ +commit 0d05d51b715390e08cd112f83e03b6776412aaeb +Author: Jim Fehlig +Date: Wed Dec 2 16:24:21 2020 -0700 + + apparmor: Allow lxc processes to receive signals from libvirt + + LXC processes confined by apparmor are not permitted to receive signals + from libvirtd. Attempting to destroy such a process fails + + virsh --connect lxc:/// destroy distro_apparmor + error: Failed to destroy domain distro_apparmor + error: Failed to kill process 29491: Permission denied + + And from /var/log/audit/audit.log + + type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED" + operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1" + pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive" + signal=term peer="libvirtd" + + Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc + abstraction allowing reception of signals from libvirtd. + + Signed-off-by: Jim Fehlig + Reviewed-by: Christian Ehrhardt + +Index: libvirt-6.10.0/src/security/apparmor/libvirt-lxc +=================================================================== +--- libvirt-6.10.0.orig/src/security/apparmor/libvirt-lxc ++++ libvirt-6.10.0/src/security/apparmor/libvirt-lxc +@@ -1,5 +1,9 @@ + #include + ++ # Allow receiving signals from libvirtd ++ signal (receive) peer=libvirtd, ++ signal (receive) peer=/usr/sbin/libvirtd, ++ + umount, + + # ignore DENIED message on / remount diff --git a/cf4e7e62-lxc-def-secmodel.patch b/cf4e7e62-lxc-def-secmodel.patch new file mode 100644 index 0000000..721060d --- /dev/null +++ b/cf4e7e62-lxc-def-secmodel.patch @@ -0,0 +1,108 @@ +commit cf4e7e620a3ecd109f23c8cdb577893d0e088201 +Author: Jim Fehlig +Date: Thu Dec 3 11:55:24 2020 -0700 + + lxc: Set default security model in XML parser config + + Attempting to create a lxc domain with fails + + virsh --connect lxc:/// create distro_nosec.xml + error: Failed to create domain from distro_nosec.xml + error: unsupported configuration: Security driver model '(null)' is not available + + Commit 638ffa2228 adjusted the logic for setting a driver's default + security model. + + The lxc driver does not set a default security driver model in the XML + parser config, causing seclabels of type='none' to have a null model. + The lxc driver's security manager is initialized in lxcStateInitialize() + by calling lxcSecurityInit(). Use the model of this manager as the + default in the XML parser config. + + For the record, this is a regression caused by commit 638ffa2228, which + changed the logic for setting a driver's default security model. The + qemu driver was adjusted accordingly, but a similar change was missed + in the lxc driver. + + Signed-off-by: Jim Fehlig + Reviewed-by: Michal Privoznik + +Index: libvirt-6.10.0/src/lxc/lxc_conf.c +=================================================================== +--- libvirt-6.10.0.orig/src/lxc/lxc_conf.c ++++ libvirt-6.10.0/src/lxc/lxc_conf.c +@@ -209,9 +209,10 @@ virCapsPtr virLXCDriverGetCapabilities(v + + + virDomainXMLOptionPtr +-lxcDomainXMLConfInit(virLXCDriverPtr driver) ++lxcDomainXMLConfInit(virLXCDriverPtr driver, const char *defsecmodel) + { + virLXCDriverDomainDefParserConfig.priv = driver; ++ virLXCDriverDomainDefParserConfig.defSecModel = defsecmodel; + return virDomainXMLOptionNew(&virLXCDriverDomainDefParserConfig, + &virLXCDriverPrivateDataCallbacks, + &virLXCDriverDomainXMLNamespace, +Index: libvirt-6.10.0/src/lxc/lxc_conf.h +=================================================================== +--- libvirt-6.10.0.orig/src/lxc/lxc_conf.h ++++ libvirt-6.10.0/src/lxc/lxc_conf.h +@@ -112,7 +112,8 @@ int virLXCLoadDriverConfig(virLXCDriverC + virCapsPtr virLXCDriverCapsInit(virLXCDriverPtr driver); + virCapsPtr virLXCDriverGetCapabilities(virLXCDriverPtr driver, + bool refresh); +-virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver); ++virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver, ++ const char *defsecmodel); + + static inline void lxcDriverLock(virLXCDriverPtr driver) + { +Index: libvirt-6.10.0/src/lxc/lxc_controller.c +=================================================================== +--- libvirt-6.10.0.orig/src/lxc/lxc_controller.c ++++ libvirt-6.10.0/src/lxc/lxc_controller.c +@@ -169,7 +169,7 @@ virLXCControllerDriverNew(void) + } + + driver->caps = virLXCDriverCapsInit(NULL); +- driver->xmlopt = lxcDomainXMLConfInit(driver); ++ driver->xmlopt = lxcDomainXMLConfInit(driver, NULL); + + return driver; + } +Index: libvirt-6.10.0/src/lxc/lxc_driver.c +=================================================================== +--- libvirt-6.10.0.orig/src/lxc/lxc_driver.c ++++ libvirt-6.10.0/src/lxc/lxc_driver.c +@@ -1470,6 +1470,7 @@ static int lxcStateInitialize(bool privi + { + virLXCDriverConfigPtr cfg = NULL; + bool autostart = true; ++ const char *defsecmodel; + + if (root != NULL) { + virReportError(VIR_ERR_INVALID_ARG, "%s", +@@ -1525,7 +1526,9 @@ static int lxcStateInitialize(bool privi + if (!(lxc_driver->hostdevMgr = virHostdevManagerGetDefault())) + goto cleanup; + +- if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver))) ++ defsecmodel = virSecurityManagerGetModel(lxc_driver->securityManager); ++ ++ if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver, defsecmodel))) + goto cleanup; + + if (!(lxc_driver->closeCallbacks = virCloseCallbacksNew())) +Index: libvirt-6.10.0/tests/testutilslxc.c +=================================================================== +--- libvirt-6.10.0.orig/tests/testutilslxc.c ++++ libvirt-6.10.0/tests/testutilslxc.c +@@ -71,7 +71,7 @@ testLXCDriverInit(void) + } + + driver->caps = testLXCCapsInit(); +- driver->xmlopt = lxcDomainXMLConfInit(driver); ++ driver->xmlopt = lxcDomainXMLConfInit(driver, NULL); + + return driver; + } diff --git a/libvirt.changes b/libvirt.changes index 503f87a..16f2e7b 100644 --- a/libvirt.changes +++ b/libvirt.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Dec 7 23:11:45 UTC 2020 - James Fehlig + +- apparmor: Allow lxc processes to receive signals from libvirt + lxc: Set default security model in XML parser config + 0d05d51b-apparmor-lxc-fix.patch, cf4e7e62-lxc-def-secmodel.patch + bsc#1179735 + ------------------------------------------------------------------- Tue Dec 1 23:55:16 UTC 2020 - James Fehlig diff --git a/libvirt.spec b/libvirt.spec index 17b0268..3576244 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -291,6 +291,8 @@ Source6: libvirtd-relocation-server.xml Source99: baselibs.conf Source100: %{name}-rpmlintrc # Upstream patches +Patch0: 0d05d51b-apparmor-lxc-fix.patch +Patch1: cf4e7e62-lxc-def-secmodel.patch # Patches pending upstream review Patch100: libxl-dom-reset.patch Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch diff --git a/lxc-wait-after-eth-del.patch b/lxc-wait-after-eth-del.patch index 3d64942..9e3dcbc 100644 --- a/lxc-wait-after-eth-del.patch +++ b/lxc-wait-after-eth-del.patch @@ -37,7 +37,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c #include "virstring.h" #include "viraccessapicheck.h" #include "viraccessapichecklxc.h" -@@ -3546,6 +3547,7 @@ lxcDomainAttachDeviceNetLive(virLXCDrive +@@ -3549,6 +3550,7 @@ lxcDomainAttachDeviceNetLive(virLXCDrive case VIR_DOMAIN_NET_TYPE_NETWORK: case VIR_DOMAIN_NET_TYPE_ETHERNET: ignore_value(virNetDevVethDelete(veth)); @@ -45,7 +45,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c break; case VIR_DOMAIN_NET_TYPE_DIRECT: -@@ -3985,6 +3987,7 @@ lxcDomainDetachDeviceNetLive(virDomainOb +@@ -3988,6 +3990,7 @@ lxcDomainDetachDeviceNetLive(virDomainOb virDomainAuditNet(vm, detach, NULL, "detach", false); goto cleanup; }