pool/libvirt
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- apparmor: Allow lxc processes to receive signals from libvirt

Browse Source 
lxc: Set default security model in XML parser config
  0d05d51b-apparmor-lxc-fix.patch, cf4e7e62-lxc-def-secmodel.patch
  bsc#1179735

OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=863
This commit is contained in:
James Fehlig 2020-12-07 23:13:45 +00:00 committed by Git OBS Bridge
parent b2cb9c7395
commit 0b3a0a1f93
6 changed files with 162 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
0002-lxc-implement-connectGetAllDomainStats.patch
View File

@ -22,7 +22,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c
#define VIR_FROM_THIS VIR_FROM_LXC #define VIR_FROM_THIS VIR_FROM_LXC
@@ -5068,6 +5070,128 @@ lxcDomainHasManagedSaveImage(virDomainPt @@ -5071,6 +5073,128 @@ lxcDomainHasManagedSaveImage(virDomainPt
return ret; return ret;
} }
@ -151,7 +151,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c
/* Function Tables */ /* Function Tables */
static virHypervisorDriver lxcHypervisorDriver = { static virHypervisorDriver lxcHypervisorDriver = {
@@ -5165,6 +5289,7 @@ static virHypervisorDriver lxcHypervisor @@ -5168,6 +5292,7 @@ static virHypervisorDriver lxcHypervisor
.nodeGetFreePages = lxcNodeGetFreePages, /* 1.2.6 */ .nodeGetFreePages = lxcNodeGetFreePages, /* 1.2.6 */
.nodeAllocPages = lxcNodeAllocPages, /* 1.2.9 */ .nodeAllocPages = lxcNodeAllocPages, /* 1.2.9 */
.domainHasManagedSaveImage = lxcDomainHasManagedSaveImage, /* 1.2.13 */ .domainHasManagedSaveImage = lxcDomainHasManagedSaveImage, /* 1.2.13 */

40
0d05d51b-apparmor-lxc-fix.patch Normal file
View File

@ -0,0 +1,40 @@
commit 0d05d51b715390e08cd112f83e03b6776412aaeb
Author: Jim Fehlig <jfehlig@suse.com>
Date: Wed Dec 2 16:24:21 2020 -0700
apparmor: Allow lxc processes to receive signals from libvirt
LXC processes confined by apparmor are not permitted to receive signals
from libvirtd. Attempting to destroy such a process fails
virsh --connect lxc:/// destroy distro_apparmor
error: Failed to destroy domain distro_apparmor
error: Failed to kill process 29491: Permission denied
And from /var/log/audit/audit.log
type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED"
operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1"
pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive"
signal=term peer="libvirtd"
Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc
abstraction allowing reception of signals from libvirtd.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Index: libvirt-6.10.0/src/security/apparmor/libvirt-lxc
===================================================================
--- libvirt-6.10.0.orig/src/security/apparmor/libvirt-lxc
+++ libvirt-6.10.0/src/security/apparmor/libvirt-lxc
@@ -1,5 +1,9 @@
#include <abstractions/base>
+ # Allow receiving signals from libvirtd
+ signal (receive) peer=libvirtd,
+ signal (receive) peer=/usr/sbin/libvirtd,
+
umount,
# ignore DENIED message on / remount

108
cf4e7e62-lxc-def-secmodel.patch Normal file
View File

@ -0,0 +1,108 @@
commit cf4e7e620a3ecd109f23c8cdb577893d0e088201
Author: Jim Fehlig <jfehlig@suse.com>
Date: Thu Dec 3 11:55:24 2020 -0700
lxc: Set default security model in XML parser config
Attempting to create a lxc domain with <seclabel type='none'/> fails
virsh --connect lxc:/// create distro_nosec.xml
error: Failed to create domain from distro_nosec.xml
error: unsupported configuration: Security driver model '(null)' is not available
Commit 638ffa2228 adjusted the logic for setting a driver's default
security model.
The lxc driver does not set a default security driver model in the XML
parser config, causing seclabels of type='none' to have a null model.
The lxc driver's security manager is initialized in lxcStateInitialize()
by calling lxcSecurityInit(). Use the model of this manager as the
default in the XML parser config.
For the record, this is a regression caused by commit 638ffa2228, which
changed the logic for setting a driver's default security model. The
qemu driver was adjusted accordingly, but a similar change was missed
in the lxc driver.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Index: libvirt-6.10.0/src/lxc/lxc_conf.c
===================================================================
--- libvirt-6.10.0.orig/src/lxc/lxc_conf.c
+++ libvirt-6.10.0/src/lxc/lxc_conf.c
@@ -209,9 +209,10 @@ virCapsPtr virLXCDriverGetCapabilities(v
virDomainXMLOptionPtr
-lxcDomainXMLConfInit(virLXCDriverPtr driver)
+lxcDomainXMLConfInit(virLXCDriverPtr driver, const char *defsecmodel)
{
virLXCDriverDomainDefParserConfig.priv = driver;
+ virLXCDriverDomainDefParserConfig.defSecModel = defsecmodel;
return virDomainXMLOptionNew(&virLXCDriverDomainDefParserConfig,
&virLXCDriverPrivateDataCallbacks,
&virLXCDriverDomainXMLNamespace,
Index: libvirt-6.10.0/src/lxc/lxc_conf.h
===================================================================
--- libvirt-6.10.0.orig/src/lxc/lxc_conf.h
+++ libvirt-6.10.0/src/lxc/lxc_conf.h
@@ -112,7 +112,8 @@ int virLXCLoadDriverConfig(virLXCDriverC
virCapsPtr virLXCDriverCapsInit(virLXCDriverPtr driver);
virCapsPtr virLXCDriverGetCapabilities(virLXCDriverPtr driver,
bool refresh);
-virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver);
+virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver,
+ const char *defsecmodel);
static inline void lxcDriverLock(virLXCDriverPtr driver)
{
Index: libvirt-6.10.0/src/lxc/lxc_controller.c
===================================================================
--- libvirt-6.10.0.orig/src/lxc/lxc_controller.c
+++ libvirt-6.10.0/src/lxc/lxc_controller.c
@@ -169,7 +169,7 @@ virLXCControllerDriverNew(void)
}
driver->caps = virLXCDriverCapsInit(NULL);
- driver->xmlopt = lxcDomainXMLConfInit(driver);
+ driver->xmlopt = lxcDomainXMLConfInit(driver, NULL);
return driver;
}
Index: libvirt-6.10.0/src/lxc/lxc_driver.c
===================================================================
--- libvirt-6.10.0.orig/src/lxc/lxc_driver.c
+++ libvirt-6.10.0/src/lxc/lxc_driver.c
@@ -1470,6 +1470,7 @@ static int lxcStateInitialize(bool privi
{
virLXCDriverConfigPtr cfg = NULL;
bool autostart = true;
+ const char *defsecmodel;
if (root != NULL) {
virReportError(VIR_ERR_INVALID_ARG, "%s",
@@ -1525,7 +1526,9 @@ static int lxcStateInitialize(bool privi
if (!(lxc_driver->hostdevMgr = virHostdevManagerGetDefault()))
goto cleanup;
- if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver)))
+ defsecmodel = virSecurityManagerGetModel(lxc_driver->securityManager);
+
+ if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver, defsecmodel)))
goto cleanup;
if (!(lxc_driver->closeCallbacks = virCloseCallbacksNew()))
Index: libvirt-6.10.0/tests/testutilslxc.c
===================================================================
--- libvirt-6.10.0.orig/tests/testutilslxc.c
+++ libvirt-6.10.0/tests/testutilslxc.c
@@ -71,7 +71,7 @@ testLXCDriverInit(void)
}
driver->caps = testLXCCapsInit();
- driver->xmlopt = lxcDomainXMLConfInit(driver);
+ driver->xmlopt = lxcDomainXMLConfInit(driver, NULL);
return driver;
}

8
libvirt.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Mon Dec 7 23:11:45 UTC 2020 - James Fehlig <jfehlig@suse.com>
- apparmor: Allow lxc processes to receive signals from libvirt
lxc: Set default security model in XML parser config
0d05d51b-apparmor-lxc-fix.patch, cf4e7e62-lxc-def-secmodel.patch
bsc#1179735
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Dec 1 23:55:16 UTC 2020 - James Fehlig <jfehlig@suse.com> Tue Dec 1 23:55:16 UTC 2020 - James Fehlig <jfehlig@suse.com>

2
libvirt.spec
View File

@ -291,6 +291,8 @@ Source6: libvirtd-relocation-server.xml
Source99: baselibs.conf Source99: baselibs.conf
Source100: %{name}-rpmlintrc Source100: %{name}-rpmlintrc
# Upstream patches # Upstream patches
Patch0: 0d05d51b-apparmor-lxc-fix.patch
Patch1: cf4e7e62-lxc-def-secmodel.patch
# Patches pending upstream review # Patches pending upstream review
Patch100: libxl-dom-reset.patch Patch100: libxl-dom-reset.patch
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch

4
lxc-wait-after-eth-del.patch
View File

@ -37,7 +37,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c
#include "virstring.h" #include "virstring.h"
#include "viraccessapicheck.h" #include "viraccessapicheck.h"
#include "viraccessapichecklxc.h" #include "viraccessapichecklxc.h"
@@ -3546,6 +3547,7 @@ lxcDomainAttachDeviceNetLive(virLXCDrive @@ -3549,6 +3550,7 @@ lxcDomainAttachDeviceNetLive(virLXCDrive
case VIR_DOMAIN_NET_TYPE_NETWORK: case VIR_DOMAIN_NET_TYPE_NETWORK:
case VIR_DOMAIN_NET_TYPE_ETHERNET: case VIR_DOMAIN_NET_TYPE_ETHERNET:
ignore_value(virNetDevVethDelete(veth)); ignore_value(virNetDevVethDelete(veth));
@ -45,7 +45,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c
break; break;
case VIR_DOMAIN_NET_TYPE_DIRECT: case VIR_DOMAIN_NET_TYPE_DIRECT:
@@ -3985,6 +3987,7 @@ lxcDomainDetachDeviceNetLive(virDomainOb @@ -3988,6 +3990,7 @@ lxcDomainDetachDeviceNetLive(virDomainOb
virDomainAuditNet(vm, detach, NULL, "detach", false); virDomainAuditNet(vm, detach, NULL, "detach", false);
goto cleanup; goto cleanup;
} }