forked from pool/libvirt
- apparmor: Allow lxc processes to receive signals from libvirt
lxc: Set default security model in XML parser config 0d05d51b-apparmor-lxc-fix.patch, cf4e7e62-lxc-def-secmodel.patch bsc#1179735 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=863
This commit is contained in:
parent
b2cb9c7395
commit
0b3a0a1f93
@ -22,7 +22,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c
|
||||
|
||||
#define VIR_FROM_THIS VIR_FROM_LXC
|
||||
|
||||
@@ -5068,6 +5070,128 @@ lxcDomainHasManagedSaveImage(virDomainPt
|
||||
@@ -5071,6 +5073,128 @@ lxcDomainHasManagedSaveImage(virDomainPt
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -151,7 +151,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c
|
||||
|
||||
/* Function Tables */
|
||||
static virHypervisorDriver lxcHypervisorDriver = {
|
||||
@@ -5165,6 +5289,7 @@ static virHypervisorDriver lxcHypervisor
|
||||
@@ -5168,6 +5292,7 @@ static virHypervisorDriver lxcHypervisor
|
||||
.nodeGetFreePages = lxcNodeGetFreePages, /* 1.2.6 */
|
||||
.nodeAllocPages = lxcNodeAllocPages, /* 1.2.9 */
|
||||
.domainHasManagedSaveImage = lxcDomainHasManagedSaveImage, /* 1.2.13 */
|
||||
|
40
0d05d51b-apparmor-lxc-fix.patch
Normal file
40
0d05d51b-apparmor-lxc-fix.patch
Normal file
@ -0,0 +1,40 @@
|
||||
commit 0d05d51b715390e08cd112f83e03b6776412aaeb
|
||||
Author: Jim Fehlig <jfehlig@suse.com>
|
||||
Date: Wed Dec 2 16:24:21 2020 -0700
|
||||
|
||||
apparmor: Allow lxc processes to receive signals from libvirt
|
||||
|
||||
LXC processes confined by apparmor are not permitted to receive signals
|
||||
from libvirtd. Attempting to destroy such a process fails
|
||||
|
||||
virsh --connect lxc:/// destroy distro_apparmor
|
||||
error: Failed to destroy domain distro_apparmor
|
||||
error: Failed to kill process 29491: Permission denied
|
||||
|
||||
And from /var/log/audit/audit.log
|
||||
|
||||
type=AVC msg=audit(1606949706.142:6345): apparmor="DENIED"
|
||||
operation="signal" profile="libvirt-314b7109-fdce-48dc-ad28-7c47958a27c1"
|
||||
pid=29390 comm="libvirtd" requested_mask="receive" denied_mask="receive"
|
||||
signal=term peer="libvirtd"
|
||||
|
||||
Similar to the libvirt-qemu abstraction, add a rule to the libvirt-lxc
|
||||
abstraction allowing reception of signals from libvirtd.
|
||||
|
||||
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
|
||||
Reviewed-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
|
||||
|
||||
Index: libvirt-6.10.0/src/security/apparmor/libvirt-lxc
|
||||
===================================================================
|
||||
--- libvirt-6.10.0.orig/src/security/apparmor/libvirt-lxc
|
||||
+++ libvirt-6.10.0/src/security/apparmor/libvirt-lxc
|
||||
@@ -1,5 +1,9 @@
|
||||
#include <abstractions/base>
|
||||
|
||||
+ # Allow receiving signals from libvirtd
|
||||
+ signal (receive) peer=libvirtd,
|
||||
+ signal (receive) peer=/usr/sbin/libvirtd,
|
||||
+
|
||||
umount,
|
||||
|
||||
# ignore DENIED message on / remount
|
108
cf4e7e62-lxc-def-secmodel.patch
Normal file
108
cf4e7e62-lxc-def-secmodel.patch
Normal file
@ -0,0 +1,108 @@
|
||||
commit cf4e7e620a3ecd109f23c8cdb577893d0e088201
|
||||
Author: Jim Fehlig <jfehlig@suse.com>
|
||||
Date: Thu Dec 3 11:55:24 2020 -0700
|
||||
|
||||
lxc: Set default security model in XML parser config
|
||||
|
||||
Attempting to create a lxc domain with <seclabel type='none'/> fails
|
||||
|
||||
virsh --connect lxc:/// create distro_nosec.xml
|
||||
error: Failed to create domain from distro_nosec.xml
|
||||
error: unsupported configuration: Security driver model '(null)' is not available
|
||||
|
||||
Commit 638ffa2228 adjusted the logic for setting a driver's default
|
||||
security model.
|
||||
|
||||
The lxc driver does not set a default security driver model in the XML
|
||||
parser config, causing seclabels of type='none' to have a null model.
|
||||
The lxc driver's security manager is initialized in lxcStateInitialize()
|
||||
by calling lxcSecurityInit(). Use the model of this manager as the
|
||||
default in the XML parser config.
|
||||
|
||||
For the record, this is a regression caused by commit 638ffa2228, which
|
||||
changed the logic for setting a driver's default security model. The
|
||||
qemu driver was adjusted accordingly, but a similar change was missed
|
||||
in the lxc driver.
|
||||
|
||||
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
|
||||
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
|
||||
|
||||
Index: libvirt-6.10.0/src/lxc/lxc_conf.c
|
||||
===================================================================
|
||||
--- libvirt-6.10.0.orig/src/lxc/lxc_conf.c
|
||||
+++ libvirt-6.10.0/src/lxc/lxc_conf.c
|
||||
@@ -209,9 +209,10 @@ virCapsPtr virLXCDriverGetCapabilities(v
|
||||
|
||||
|
||||
virDomainXMLOptionPtr
|
||||
-lxcDomainXMLConfInit(virLXCDriverPtr driver)
|
||||
+lxcDomainXMLConfInit(virLXCDriverPtr driver, const char *defsecmodel)
|
||||
{
|
||||
virLXCDriverDomainDefParserConfig.priv = driver;
|
||||
+ virLXCDriverDomainDefParserConfig.defSecModel = defsecmodel;
|
||||
return virDomainXMLOptionNew(&virLXCDriverDomainDefParserConfig,
|
||||
&virLXCDriverPrivateDataCallbacks,
|
||||
&virLXCDriverDomainXMLNamespace,
|
||||
Index: libvirt-6.10.0/src/lxc/lxc_conf.h
|
||||
===================================================================
|
||||
--- libvirt-6.10.0.orig/src/lxc/lxc_conf.h
|
||||
+++ libvirt-6.10.0/src/lxc/lxc_conf.h
|
||||
@@ -112,7 +112,8 @@ int virLXCLoadDriverConfig(virLXCDriverC
|
||||
virCapsPtr virLXCDriverCapsInit(virLXCDriverPtr driver);
|
||||
virCapsPtr virLXCDriverGetCapabilities(virLXCDriverPtr driver,
|
||||
bool refresh);
|
||||
-virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver);
|
||||
+virDomainXMLOptionPtr lxcDomainXMLConfInit(virLXCDriverPtr driver,
|
||||
+ const char *defsecmodel);
|
||||
|
||||
static inline void lxcDriverLock(virLXCDriverPtr driver)
|
||||
{
|
||||
Index: libvirt-6.10.0/src/lxc/lxc_controller.c
|
||||
===================================================================
|
||||
--- libvirt-6.10.0.orig/src/lxc/lxc_controller.c
|
||||
+++ libvirt-6.10.0/src/lxc/lxc_controller.c
|
||||
@@ -169,7 +169,7 @@ virLXCControllerDriverNew(void)
|
||||
}
|
||||
|
||||
driver->caps = virLXCDriverCapsInit(NULL);
|
||||
- driver->xmlopt = lxcDomainXMLConfInit(driver);
|
||||
+ driver->xmlopt = lxcDomainXMLConfInit(driver, NULL);
|
||||
|
||||
return driver;
|
||||
}
|
||||
Index: libvirt-6.10.0/src/lxc/lxc_driver.c
|
||||
===================================================================
|
||||
--- libvirt-6.10.0.orig/src/lxc/lxc_driver.c
|
||||
+++ libvirt-6.10.0/src/lxc/lxc_driver.c
|
||||
@@ -1470,6 +1470,7 @@ static int lxcStateInitialize(bool privi
|
||||
{
|
||||
virLXCDriverConfigPtr cfg = NULL;
|
||||
bool autostart = true;
|
||||
+ const char *defsecmodel;
|
||||
|
||||
if (root != NULL) {
|
||||
virReportError(VIR_ERR_INVALID_ARG, "%s",
|
||||
@@ -1525,7 +1526,9 @@ static int lxcStateInitialize(bool privi
|
||||
if (!(lxc_driver->hostdevMgr = virHostdevManagerGetDefault()))
|
||||
goto cleanup;
|
||||
|
||||
- if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver)))
|
||||
+ defsecmodel = virSecurityManagerGetModel(lxc_driver->securityManager);
|
||||
+
|
||||
+ if (!(lxc_driver->xmlopt = lxcDomainXMLConfInit(lxc_driver, defsecmodel)))
|
||||
goto cleanup;
|
||||
|
||||
if (!(lxc_driver->closeCallbacks = virCloseCallbacksNew()))
|
||||
Index: libvirt-6.10.0/tests/testutilslxc.c
|
||||
===================================================================
|
||||
--- libvirt-6.10.0.orig/tests/testutilslxc.c
|
||||
+++ libvirt-6.10.0/tests/testutilslxc.c
|
||||
@@ -71,7 +71,7 @@ testLXCDriverInit(void)
|
||||
}
|
||||
|
||||
driver->caps = testLXCCapsInit();
|
||||
- driver->xmlopt = lxcDomainXMLConfInit(driver);
|
||||
+ driver->xmlopt = lxcDomainXMLConfInit(driver, NULL);
|
||||
|
||||
return driver;
|
||||
}
|
@ -1,3 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Dec 7 23:11:45 UTC 2020 - James Fehlig <jfehlig@suse.com>
|
||||
|
||||
- apparmor: Allow lxc processes to receive signals from libvirt
|
||||
lxc: Set default security model in XML parser config
|
||||
0d05d51b-apparmor-lxc-fix.patch, cf4e7e62-lxc-def-secmodel.patch
|
||||
bsc#1179735
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 1 23:55:16 UTC 2020 - James Fehlig <jfehlig@suse.com>
|
||||
|
||||
|
@ -291,6 +291,8 @@ Source6: libvirtd-relocation-server.xml
|
||||
Source99: baselibs.conf
|
||||
Source100: %{name}-rpmlintrc
|
||||
# Upstream patches
|
||||
Patch0: 0d05d51b-apparmor-lxc-fix.patch
|
||||
Patch1: cf4e7e62-lxc-def-secmodel.patch
|
||||
# Patches pending upstream review
|
||||
Patch100: libxl-dom-reset.patch
|
||||
Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
|
||||
|
@ -37,7 +37,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c
|
||||
#include "virstring.h"
|
||||
#include "viraccessapicheck.h"
|
||||
#include "viraccessapichecklxc.h"
|
||||
@@ -3546,6 +3547,7 @@ lxcDomainAttachDeviceNetLive(virLXCDrive
|
||||
@@ -3549,6 +3550,7 @@ lxcDomainAttachDeviceNetLive(virLXCDrive
|
||||
case VIR_DOMAIN_NET_TYPE_NETWORK:
|
||||
case VIR_DOMAIN_NET_TYPE_ETHERNET:
|
||||
ignore_value(virNetDevVethDelete(veth));
|
||||
@ -45,7 +45,7 @@ Index: libvirt-6.10.0/src/lxc/lxc_driver.c
|
||||
break;
|
||||
|
||||
case VIR_DOMAIN_NET_TYPE_DIRECT:
|
||||
@@ -3985,6 +3987,7 @@ lxcDomainDetachDeviceNetLive(virDomainOb
|
||||
@@ -3988,6 +3990,7 @@ lxcDomainDetachDeviceNetLive(virDomainOb
|
||||
virDomainAuditNet(vm, detach, NULL, "detach", false);
|
||||
goto cleanup;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user