Accepting request 262985 from home:cbosdonnat:branches:Virtualization

- Fix potential crasher in virt-aa-helper
  2222123-virt-aa-helper-crash.patch
- ip link add now needs the 'name' parameter.
  433b427-iplink-name.patch
- Fixes for virt-sandbox-service to work:
  - Allow adding virt-sandbox service config to apparmor rules.
    c264eea-virt-aa-helper-sandbox.patch
  - fix symlink resolving for containers to start.
    72fecf1-lxc-resolve-symlinks.patch
- don't unmount a file system if it contains the source to be mounted.
    e50457d-lxc-unmount-check.patch

- Remove security_driver = "none" in qemu config. This completely
  disabled all security drivers instead of probing them.
- Changed default value of QEMU's security_default_confined to 0 to
  keep QEMU domains unconfined by default.

OBS-URL: https://build.opensuse.org/request/show/262985
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=422
Cédric Bosdonnat 2014-11-25 13:41:55 +00:00 committed by Git OBS Bridge
parent dd4dfc896b
commit d6a22feac8
8 changed files with 352 additions and 15 deletions


@ -0,0 +1,27 @@
From 22221233d0c2fd2c2d41b7527fe2bec13295a427 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Thu, 20 Nov 2014 11:31:44 +0100
Subject: [PATCH 1/5] virt-aa-helper wasn't running virErrorInitialize
This turns out to be working by magic but needs to be fixed.
---
src/security/virt-aa-helper.c | 6 ++++++
1 file changed, 6 insertions(+)
Index: libvirt-1.2.10/src/security/virt-aa-helper.c
===================================================================
--- libvirt-1.2.10.orig/src/security/virt-aa-helper.c
+++ libvirt-1.2.10/src/security/virt-aa-helper.c
@@ -1251,6 +1251,12 @@ main(int argc, char **argv)
exit(EXIT_FAILURE);
}
+ if (virThreadInitialize() < 0 ||
+ virErrorInitialize() < 0) {
+ fprintf(stderr, _("%s: initialization failed\n"), argv[0]);
+ exit(EXIT_FAILURE);
+ }
+
/* clear the environment */
environ = NULL;
if (setenv("PATH", "/sbin:/usr/sbin", 1) != 0) {
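Review bot: The new initialization check in main() is a second, self-contained `if`/`exit` placed right after what appears to be the gettext-init failure block closed at the top of the hunk (only its `exit(EXIT_FAILURE); }` tail is visible, so this is inferred); if that block is the `virGettextInitialize() < 0` check, folding `virThreadInitialize() < 0 || virErrorInitialize() < 0` into the same condition avoids a duplicated exit path and keeps the required init order visible in one place. The failure message goes through `_()`, so the check must stay after gettext initialization, which is worth stating with a one-line comment such as `/* thread and error subsystems must be up before any vir* call below can report a failure */`. main() starts outside the hunk.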

433b427-iplink-name.patch Normal file

@ -0,0 +1,40 @@
From 433b427ff853ab72d32573d415e6ec569b77c7cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Thu, 20 Nov 2014 15:26:35 +0100
Subject: [PATCH 3/5] ip link needs 'name' in 3.16 to create the veth pair
Due to a change (or bug?) in ip link implementation, the command
'ip link add vnet0...'
is forced into
'ip link add name vnet0...'
The changed command also works on older versions of iproute2, just the
'name' parameter has been made mandatory.
---
src/util/virnetdevveth.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/util/virnetdevveth.c b/src/util/virnetdevveth.c
index e9d6f9c..ad30e1d 100644
--- a/src/util/virnetdevveth.c
+++ b/src/util/virnetdevveth.c
@@ -89,7 +89,7 @@ static int virNetDevVethGetFreeNum(int startDev)
* @veth2: pointer to return name for container end of veth pair
*
* Creates a veth device pair using the ip command:
- * ip link add veth1 type veth peer name veth2
+ * ip link add name veth1 type veth peer name veth2
* If veth1 points to NULL on entry, it will be a valid interface on
* return. veth2 should point to NULL on entry.
*
@@ -146,7 +146,7 @@ int virNetDevVethCreate(char** veth1, char** veth2)
}
cmd = virCommandNew("ip");
- virCommandAddArgList(cmd, "link", "add",
+ virCommandAddArgList(cmd, "link", "add", "name",
*veth1 ? *veth1 : veth1auto,
"type", "veth", "peer", "name",
*veth2 ? *veth2 : veth2auto,
--
2.1.2


@ -0,0 +1,158 @@
From 72fecf1813b9e77a7f89bc1e708f91bdab7d9ad4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Fri, 21 Nov 2014 17:45:55 +0100
Subject: [PATCH 4/5] lxc: be more patient while resolving symlinks
Resolving symlinks can fail before mounting any file system if one file
system depends on another being mounted. Symlinks are now resolved in
two passes:
* Before any file system is mounted, but then we are more gentle if
the source path can't be accessed
* Right before mounting a file system, so that we are sure that we
have the resolved path... but then if it can't be accessed we raise
an error.
---
src/conf/domain_conf.h | 1 +
src/lxc/lxc_container.c | 77 ++++++++++++++++++++++++++++++++++---------------
2 files changed, 54 insertions(+), 24 deletions(-)
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index d428451..dcb30bc 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -821,6 +821,7 @@ struct _virDomainFSDef {
virDomainDeviceInfo info;
unsigned long long space_hard_limit; /* in bytes */
unsigned long long space_soft_limit; /* in bytes */
+ bool symlinksResolved;
};
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index db823d6..12f3a41 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -608,6 +608,48 @@ static int lxcContainerUnmountSubtree(const char *prefix,
return ret;
}
+static int lxcContainerResolveSymlinks(virDomainFSDefPtr fs, bool gentle)
+{
+ char *newroot;
+
+ if (!fs->src || fs->symlinksResolved)
+ return 0;
+
+ if (access(fs->src, F_OK)) {
+ if (gentle) {
+ /* Just ignore the error for the while, we'll try again later */
+ VIR_DEBUG("Skipped unaccessible '%s'", fs->src);
+ return 0;
+ } else {
+ virReportSystemError(errno,
+ _("Failed to access '%s'"), fs->src);
+ return -1;
+ }
+ }
+
+ VIR_DEBUG("Resolving '%s'", fs->src);
+ if (virFileResolveAllLinks(fs->src, &newroot) < 0) {
+ if (gentle) {
+ VIR_DEBUG("Skipped non-resolvable '%s'", fs->src);
+ return 0;
+ } else {
+ virReportSystemError(errno,
+ _("Failed to resolve symlink at %s"),
+ fs->src);
+ }
+ return -1;
+ }
+
+ /* Mark it resolved to skip it the next time */
+ fs->symlinksResolved = true;
+
+ VIR_DEBUG("Resolved '%s' to %s", fs->src, newroot);
+
+ VIR_FREE(fs->src);
+ fs->src = newroot;
+
+ return 0;
+}
static int lxcContainerPrepareRoot(virDomainDefPtr def,
virDomainFSDefPtr root,
@@ -634,6 +676,9 @@ static int lxcContainerPrepareRoot(virDomainDefPtr def,
return -1;
}
+ if (lxcContainerResolveSymlinks(root, false) < 0)
+ return -1;
+
if (virAsprintf(&dst, "%s/%s.root",
LXC_STATE_DIR, def->name) < 0)
return -1;
@@ -1552,6 +1597,9 @@ static int lxcContainerMountAllFS(virDomainDefPtr vmDef,
if (STREQ(vmDef->fss[i]->dst, "/"))
continue;
+ if (lxcContainerResolveSymlinks(vmDef->fss[i], false) < 0)
+ return -1;
+
if (lxcContainerUnmountSubtree(vmDef->fss[i]->dst,
false) < 0)
return -1;
@@ -1735,37 +1783,18 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
return ret;
}
-
-static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef)
+static int lxcContainerResolveAllSymlinks(virDomainDefPtr vmDef)
{
- char *newroot;
size_t i;
VIR_DEBUG("Resolving symlinks");
for (i = 0; i < vmDef->nfss; i++) {
virDomainFSDefPtr fs = vmDef->fss[i];
- if (!fs->src)
- continue;
-
- if (access(fs->src, F_OK)) {
- virReportSystemError(errno,
- _("Failed to access '%s'"), fs->src);
+ /* In the first pass, be gentle as some files may
+ depend on other filesystems to be mounted */
+ if (lxcContainerResolveSymlinks(fs, true) < 0)
return -1;
- }
-
- VIR_DEBUG("Resolving '%s'", fs->src);
- if (virFileResolveAllLinks(fs->src, &newroot) < 0) {
- virReportSystemError(errno,
- _("Failed to resolve symlink at %s"),
- fs->src);
- return -1;
- }
-
- VIR_DEBUG("Resolved '%s' to %s", fs->src, newroot);
-
- VIR_FREE(fs->src);
- fs->src = newroot;
}
VIR_DEBUG("Resolved all filesystem symlinks");
@@ -2106,7 +2135,7 @@ static int lxcContainerChild(void *data)
goto cleanup;
}
- if (lxcContainerResolveSymlinks(vmDef) < 0)
+ if (lxcContainerResolveAllSymlinks(vmDef) < 0)
goto cleanup;
VIR_DEBUG("Setting up pivot");
--
2.1.2
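Review bot: lxcContainerResolveSymlinks() has no header comment and its `gentle` contract is only implied by the branches; a comment stating that a gentle call silently skips a source that is not yet accessible or resolvable (leaving it for a later strict call), that on success the resolved path replaces `fs->src` in place and the old string is freed, and that `symlinksResolved` turns any later call into a no-op would make the two-pass scheme explicit. The strict call added in lxcContainerMountAllFS performs the deferred resolution at mount time; if that function runs after the pivot root (the `/.oldroot` source prefixing done by the bind-mount helper is not in this hunk, so this is inferred), `access()` and `virFileResolveAllLinks()` there evaluate the host path against the container's root, so a symlink found under an already-mounted tree would be followed in that namespace, which is worth confirming. The unresolvable branch is also shaped differently from the inaccessible branch above it: its `return -1` sits after the `else` block, so moving it inside the `else` (or dropping the `else` after the `return 0`) reads consistently, and `"Skipped unaccessible '%s'"` should read `inaccessible`.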


@ -0,0 +1,29 @@
From c264eeaa381a917f01ba74526bf202073358a9dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Thu, 20 Nov 2014 11:32:38 +0100
Subject: [PATCH 2/5] virt-aa-helper: /etc/libvirt-sandbox/services isn't
restricted
To get virt-sandbox-service working with AppArmor, virt-aa-helper
needs not to choke on path in /etc/libvirt-sandbox/services.
---
src/security/virt-aa-helper.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 81f9f40..f273e09 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -571,7 +571,8 @@ valid_path(const char *path, const bool readonly)
};
/* override the above with these */
const char * const override[] = {
- "/sys/devices/pci" /* for hostdev pci devices */
+ "/sys/devices/pci", /* for hostdev pci devices */
+ "/etc/libvirt-sandbox/services/" /* for virt-sandbox service config */
};
if (path == NULL) {
--
2.1.2
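Review bot: The new `override` entry exempts a whole directory from the restricted-path list in valid_path(), but its comment only says what the entry is for; since override entries appear to be matched as prefixes (the existing `/sys/devices/pci` entry can only work that way, though array_starts_with is outside the hunk), the comment should also record why the trailing slash matters, e.g. `/* for virt-sandbox service config; trailing slash so siblings such as /etc/libvirt-sandbox/services-foo do not match */`. Whether valid_path() canonicalises `path` before this comparison is not visible here; if it does not, a source such as `/etc/libvirt-sandbox/services/../x` (constructed example) would satisfy the prefix test, which is worth confirming given that this list overrides the restricted list above it. valid_path() starts outside the hunk.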


@ -0,0 +1,45 @@
From e50457dd4cc5d4ba1ac7b05734157524620d087f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
Date: Mon, 24 Nov 2014 15:10:19 +0100
Subject: [PATCH 5/5] lxc: don't unmount subtree if it contains the source of
the mount
The typical case where we had a problem is with such a filesystem
definition as created by virt-sandbox-service:
<filesystem type='bind' accessmode='passthrough'>
<source dir='/var/lib/libvirt/filesystems/mysshd/var'/>
<target dir='/var'/>
</filesystem>
In this case, we don't want to unmount the /var subtree or we may
loose the access to the source folder.
---
src/lxc/lxc_container.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 12f3a41..334a1df 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1597,11 +1597,15 @@ static int lxcContainerMountAllFS(virDomainDefPtr vmDef,
if (STREQ(vmDef->fss[i]->dst, "/"))
continue;
+ VIR_DEBUG("Mounting '%s' -> '%s'", vmDef->fss[i]->src, vmDef->fss[i]->dst);
+
if (lxcContainerResolveSymlinks(vmDef->fss[i], false) < 0)
return -1;
- if (lxcContainerUnmountSubtree(vmDef->fss[i]->dst,
- false) < 0)
+
+ if (!(vmDef->fss[i]->src &&
+ STRPREFIX(vmDef->fss[i]->src, vmDef->fss[i]->dst)) &&
+ lxcContainerUnmountSubtree(vmDef->fss[i]->dst, false) < 0)
return -1;
if (lxcContainerMountFS(vmDef->fss[i], sec_mount_options) < 0)
--
2.1.2
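Review bot: The new skip condition in lxcContainerMountAllFS uses `STRPREFIX(src, dst)`, a plain string-prefix test, so a source such as `/varlib/x` (constructed example) is treated as living under a target `/var` and that subtree is left mounted. Requiring a path-component boundary fixes this: keep the STRPREFIX and add `&& (src[strlen(dst)] == '/' || src[strlen(dst)] == '\0')`, with `src`/`dst` standing for `vmDef->fss[i]->src`/`vmDef->fss[i]->dst`. That assumes `dst` carries no trailing slash; the `/` target is already skipped by the `continue` above, but whether other targets are normalised at parse time is not visible here. A short comment above the condition, e.g. `/* Don't unmount dst when the source lives under it, or the source would become unreachable */`, would carry the rationale from the commit message into the code. The loop body continues outside the hunk.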


@ -1,3 +1,26 @@
-------------------------------------------------------------------
Thu Nov 20 11:56:16 UTC 2014 - cbosdonnat@suse.com
- Fix potential crasher in virt-aa-helper
2222123-virt-aa-helper-crash.patch
- ip link add now needs the 'name' parameter.
433b427-iplink-name.patch
- Fixes for virt-sandbox-service to work:
- Allow adding virt-sandbox service config to apparmor rules.
c264eea-virt-aa-helper-sandbox.patch
- fix symlink resolving for containers to start.
72fecf1-lxc-resolve-symlinks.patch
- fix unmounting file system if it contains the source to mount.
e50457d-lxc-unmount-check.patch
-------------------------------------------------------------------
Tue Nov 18 17:21:55 UTC 2014 - cbosdonnat@suse.com
- Remove security_driver = "none" in qemu config. This completely
disabled all security drivers instead of probing them.
- Changed default value of QEMU's security_default_confined to 0 to
keep QEMU domains unconfined by default.
-------------------------------------------------------------------
Mon Nov 10 22:01:31 MST 2014 - jfehlig@suse.com


@ -435,6 +435,11 @@ Source4: libvirtd-relocation-server.fw
Source99: baselibs.conf
# Upstream patches
Patch0: b1674ad5-CVE-2014-7823.patch
Patch1: 2222123-virt-aa-helper-crash.patch
Patch2: c264eea-virt-aa-helper-sandbox.patch
Patch3: 433b427-iplink-name.patch
Patch4: 72fecf1-lxc-resolve-symlinks.patch
Patch5: e50457d-lxc-unmount-check.patch
# Patches pending upstream review
# Need to go upstream
Patch150: xen-name-for-devid.patch
@ -968,6 +973,11 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch150 -p1
%patch151 -p1
%patch152 -p1


@ -2,24 +2,16 @@ Index: libvirt-1.2.10/src/qemu/qemu.conf
===================================================================
--- libvirt-1.2.10.orig/src/qemu/qemu.conf
+++ libvirt-1.2.10/src/qemu/qemu.conf
@@ -200,7 +200,16 @@
# a special value; security_driver can be set to that value in
# isolation, but it cannot appear in a list of drivers.
#
+# SUSE Note:
+# Currently, Apparmor is the default security framework in SUSE
+# distros. If Apparmor is enabled on the host, libvirtd is
+# generously confined but users must opt-in to confine qemu
+# instances. Change this to 'apparmor' to enable Apparmor
+# confinement of qemu instances.
+#
#security_driver = "selinux"
+# security_driver = "apparmor"
+security_driver = "none"
@@ -204,7 +204,7 @@
# If set to non-zero, then the default security labeling
# will make guests confined. If set to zero, then guests
@@ -417,11 +426,22 @@
-# will be unconfined by default. Defaults to 1.
+# will be unconfined by default. Defaults to 0.
#security_default_confined = 1
# If set to non-zero, then attempts to create unconfined
@@ -417,11 +417,22 @@
#allow_disk_format_probing = 1
@ -47,3 +39,16 @@ Index: libvirt-1.2.10/src/qemu/qemu.conf
#
#lock_manager = "lockd"
Index: libvirt-1.2.10/src/qemu/qemu_conf.c
===================================================================
--- libvirt-1.2.10.orig/src/qemu/qemu_conf.c
+++ libvirt-1.2.10/src/qemu/qemu_conf.c
@@ -249,7 +249,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
cfg->clearEmulatorCapabilities = true;
- cfg->securityDefaultConfined = true;
+ cfg->securityDefaultConfined = false;
cfg->securityRequireConfined = false;
cfg->keepAliveInterval = 5;