forked from pool/libvirt
Accepting request 262985 from home:cbosdonnat:branches:Virtualization
- Fix potential crasher in virt-aa-helper 2222123-virt-aa-helper-crash.patch - ip link add now needs the 'name' parameter. 433b427-iplink-name.patch - Fixes for virt-sandbox-service to work: - Allow adding virt-sandbox service config to apparmor rules. c264eea-virt-aa-helper-sandbox.patch - fix symlink resolving for containers to start. 72fecf1-lxc-resolve-symlinks.patch - fix unmounting file system if it contains the source to mount. e50457d-lxc-unmount-check.patch - Remove security_driver = "none" in qemu config. This completely disabled all security drivers instead of probing them. - Changed default value of QEMU's security_default_confined to 0 to keep QEMU domains unconfined by default. OBS-URL: https://build.opensuse.org/request/show/262985 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=422
This commit is contained in:
parent
dd4dfc896b
commit
d6a22feac8
27
2222123-virt-aa-helper-crash.patch
Normal file
27
2222123-virt-aa-helper-crash.patch
Normal file
@ -0,0 +1,27 @@
|
||||
From 22221233d0c2fd2c2d41b7527fe2bec13295a427 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
|
||||
Date: Thu, 20 Nov 2014 11:31:44 +0100
|
||||
Subject: [PATCH 1/5] virt-aa-helper wasn't running virErrorInitialize
|
||||
|
||||
This turns out to be working by magic but needs to be fixed.
|
||||
---
|
||||
src/security/virt-aa-helper.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
Index: libvirt-1.2.10/src/security/virt-aa-helper.c
|
||||
===================================================================
|
||||
--- libvirt-1.2.10.orig/src/security/virt-aa-helper.c
|
||||
+++ libvirt-1.2.10/src/security/virt-aa-helper.c
|
||||
@@ -1251,6 +1251,12 @@ main(int argc, char **argv)
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
+ if (virThreadInitialize() < 0 ||
|
||||
+ virErrorInitialize() < 0) {
|
||||
+ fprintf(stderr, _("%s: initialization failed\n"), argv[0]);
|
||||
+ exit(EXIT_FAILURE);
|
||||
+ }
|
||||
+
|
||||
/* clear the environment */
|
||||
environ = NULL;
|
||||
if (setenv("PATH", "/sbin:/usr/sbin", 1) != 0) {
|
40
433b427-iplink-name.patch
Normal file
40
433b427-iplink-name.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From 433b427ff853ab72d32573d415e6ec569b77c7cb Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
|
||||
Date: Thu, 20 Nov 2014 15:26:35 +0100
|
||||
Subject: [PATCH 3/5] ip link needs 'name' in 3.16 to create the veth pair
|
||||
|
||||
Due to a change (or bug?) in ip link implementation, the command
|
||||
'ip link add vnet0...'
|
||||
is forced into
|
||||
'ip link add name vnet0...'
|
||||
The changed command also works on older versions of iproute2, just the
|
||||
'name' parameter has been made mandatory.
|
||||
---
|
||||
src/util/virnetdevveth.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/util/virnetdevveth.c b/src/util/virnetdevveth.c
|
||||
index e9d6f9c..ad30e1d 100644
|
||||
--- a/src/util/virnetdevveth.c
|
||||
+++ b/src/util/virnetdevveth.c
|
||||
@@ -89,7 +89,7 @@ static int virNetDevVethGetFreeNum(int startDev)
|
||||
* @veth2: pointer to return name for container end of veth pair
|
||||
*
|
||||
* Creates a veth device pair using the ip command:
|
||||
- * ip link add veth1 type veth peer name veth2
|
||||
+ * ip link add name veth1 type veth peer name veth2
|
||||
* If veth1 points to NULL on entry, it will be a valid interface on
|
||||
* return. veth2 should point to NULL on entry.
|
||||
*
|
||||
@@ -146,7 +146,7 @@ int virNetDevVethCreate(char** veth1, char** veth2)
|
||||
}
|
||||
|
||||
cmd = virCommandNew("ip");
|
||||
- virCommandAddArgList(cmd, "link", "add",
|
||||
+ virCommandAddArgList(cmd, "link", "add", "name",
|
||||
*veth1 ? *veth1 : veth1auto,
|
||||
"type", "veth", "peer", "name",
|
||||
*veth2 ? *veth2 : veth2auto,
|
||||
--
|
||||
2.1.2
|
||||
|
158
72fecf1-lxc-resolve-symlinks.patch
Normal file
158
72fecf1-lxc-resolve-symlinks.patch
Normal file
@ -0,0 +1,158 @@
|
||||
From 72fecf1813b9e77a7f89bc1e708f91bdab7d9ad4 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
|
||||
Date: Fri, 21 Nov 2014 17:45:55 +0100
|
||||
Subject: [PATCH 4/5] lxc: be more patient while resolving symlinks
|
||||
|
||||
Resolving symlinks can fail before mounting any file system if one file
|
||||
system depends on another being mounted. Symlinks are now resolved in
|
||||
two passes:
|
||||
|
||||
* Before any file system is mounted, but then we are more gentle if
|
||||
the source path can't be accessed
|
||||
* Right before mounting a file system, so that we are sure that we
|
||||
have the resolved path... but then if it can't be accessed we raise
|
||||
an error.
|
||||
---
|
||||
src/conf/domain_conf.h | 1 +
|
||||
src/lxc/lxc_container.c | 77 ++++++++++++++++++++++++++++++++++---------------
|
||||
2 files changed, 54 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
|
||||
index d428451..dcb30bc 100644
|
||||
--- a/src/conf/domain_conf.h
|
||||
+++ b/src/conf/domain_conf.h
|
||||
@@ -821,6 +821,7 @@ struct _virDomainFSDef {
|
||||
virDomainDeviceInfo info;
|
||||
unsigned long long space_hard_limit; /* in bytes */
|
||||
unsigned long long space_soft_limit; /* in bytes */
|
||||
+ bool symlinksResolved;
|
||||
};
|
||||
|
||||
|
||||
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
|
||||
index db823d6..12f3a41 100644
|
||||
--- a/src/lxc/lxc_container.c
|
||||
+++ b/src/lxc/lxc_container.c
|
||||
@@ -608,6 +608,48 @@ static int lxcContainerUnmountSubtree(const char *prefix,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static int lxcContainerResolveSymlinks(virDomainFSDefPtr fs, bool gentle)
|
||||
+{
|
||||
+ char *newroot;
|
||||
+
|
||||
+ if (!fs->src || fs->symlinksResolved)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (access(fs->src, F_OK)) {
|
||||
+ if (gentle) {
|
||||
+ /* Just ignore the error for the while, we'll try again later */
|
||||
+ VIR_DEBUG("Skipped unaccessible '%s'", fs->src);
|
||||
+ return 0;
|
||||
+ } else {
|
||||
+ virReportSystemError(errno,
|
||||
+ _("Failed to access '%s'"), fs->src);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ VIR_DEBUG("Resolving '%s'", fs->src);
|
||||
+ if (virFileResolveAllLinks(fs->src, &newroot) < 0) {
|
||||
+ if (gentle) {
|
||||
+ VIR_DEBUG("Skipped non-resolvable '%s'", fs->src);
|
||||
+ return 0;
|
||||
+ } else {
|
||||
+ virReportSystemError(errno,
|
||||
+ _("Failed to resolve symlink at %s"),
|
||||
+ fs->src);
|
||||
+ }
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ /* Mark it resolved to skip it the next time */
|
||||
+ fs->symlinksResolved = true;
|
||||
+
|
||||
+ VIR_DEBUG("Resolved '%s' to %s", fs->src, newroot);
|
||||
+
|
||||
+ VIR_FREE(fs->src);
|
||||
+ fs->src = newroot;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
|
||||
static int lxcContainerPrepareRoot(virDomainDefPtr def,
|
||||
virDomainFSDefPtr root,
|
||||
@@ -634,6 +676,9 @@ static int lxcContainerPrepareRoot(virDomainDefPtr def,
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if (lxcContainerResolveSymlinks(root, false) < 0)
|
||||
+ return -1;
|
||||
+
|
||||
if (virAsprintf(&dst, "%s/%s.root",
|
||||
LXC_STATE_DIR, def->name) < 0)
|
||||
return -1;
|
||||
@@ -1552,6 +1597,9 @@ static int lxcContainerMountAllFS(virDomainDefPtr vmDef,
|
||||
if (STREQ(vmDef->fss[i]->dst, "/"))
|
||||
continue;
|
||||
|
||||
+ if (lxcContainerResolveSymlinks(vmDef->fss[i], false) < 0)
|
||||
+ return -1;
|
||||
+
|
||||
if (lxcContainerUnmountSubtree(vmDef->fss[i]->dst,
|
||||
false) < 0)
|
||||
return -1;
|
||||
@@ -1735,37 +1783,18 @@ static int lxcContainerSetupPivotRoot(virDomainDefPtr vmDef,
|
||||
return ret;
|
||||
}
|
||||
|
||||
-
|
||||
-static int lxcContainerResolveSymlinks(virDomainDefPtr vmDef)
|
||||
+static int lxcContainerResolveAllSymlinks(virDomainDefPtr vmDef)
|
||||
{
|
||||
- char *newroot;
|
||||
size_t i;
|
||||
|
||||
VIR_DEBUG("Resolving symlinks");
|
||||
|
||||
for (i = 0; i < vmDef->nfss; i++) {
|
||||
virDomainFSDefPtr fs = vmDef->fss[i];
|
||||
- if (!fs->src)
|
||||
- continue;
|
||||
-
|
||||
- if (access(fs->src, F_OK)) {
|
||||
- virReportSystemError(errno,
|
||||
- _("Failed to access '%s'"), fs->src);
|
||||
+ /* In the first pass, be gentle as some files may
|
||||
+ depend on other filesystems to be mounted */
|
||||
+ if (lxcContainerResolveSymlinks(fs, true) < 0)
|
||||
return -1;
|
||||
- }
|
||||
-
|
||||
- VIR_DEBUG("Resolving '%s'", fs->src);
|
||||
- if (virFileResolveAllLinks(fs->src, &newroot) < 0) {
|
||||
- virReportSystemError(errno,
|
||||
- _("Failed to resolve symlink at %s"),
|
||||
- fs->src);
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
- VIR_DEBUG("Resolved '%s' to %s", fs->src, newroot);
|
||||
-
|
||||
- VIR_FREE(fs->src);
|
||||
- fs->src = newroot;
|
||||
}
|
||||
VIR_DEBUG("Resolved all filesystem symlinks");
|
||||
|
||||
@@ -2106,7 +2135,7 @@ static int lxcContainerChild(void *data)
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
- if (lxcContainerResolveSymlinks(vmDef) < 0)
|
||||
+ if (lxcContainerResolveAllSymlinks(vmDef) < 0)
|
||||
goto cleanup;
|
||||
|
||||
VIR_DEBUG("Setting up pivot");
|
||||
--
|
||||
2.1.2
|
||||
|
29
c264eea-virt-aa-helper-sandbox.patch
Normal file
29
c264eea-virt-aa-helper-sandbox.patch
Normal file
@ -0,0 +1,29 @@
|
||||
From c264eeaa381a917f01ba74526bf202073358a9dc Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
|
||||
Date: Thu, 20 Nov 2014 11:32:38 +0100
|
||||
Subject: [PATCH 2/5] virt-aa-helper: /etc/libvirt-sandbox/services isn't
|
||||
restricted
|
||||
|
||||
To get virt-sandbox-service working with AppArmor, virt-aa-helper
|
||||
needs not to choke on path in /etc/libvirt-sandbox/services.
|
||||
---
|
||||
src/security/virt-aa-helper.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
|
||||
index 81f9f40..f273e09 100644
|
||||
--- a/src/security/virt-aa-helper.c
|
||||
+++ b/src/security/virt-aa-helper.c
|
||||
@@ -571,7 +571,8 @@ valid_path(const char *path, const bool readonly)
|
||||
};
|
||||
/* override the above with these */
|
||||
const char * const override[] = {
|
||||
- "/sys/devices/pci" /* for hostdev pci devices */
|
||||
+ "/sys/devices/pci", /* for hostdev pci devices */
|
||||
+ "/etc/libvirt-sandbox/services/" /* for virt-sandbox service config */
|
||||
};
|
||||
|
||||
if (path == NULL) {
|
||||
--
|
||||
2.1.2
|
||||
|
45
e50457d-lxc-unmount-check.patch
Normal file
45
e50457d-lxc-unmount-check.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From e50457dd4cc5d4ba1ac7b05734157524620d087f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <cbosdonnat@suse.com>
|
||||
Date: Mon, 24 Nov 2014 15:10:19 +0100
|
||||
Subject: [PATCH 5/5] lxc: don't unmount subtree if it contains the source of
|
||||
the mount
|
||||
|
||||
The typical case where we had a problem is with such a filesystem
|
||||
definition as created by virt-sandbox-service:
|
||||
|
||||
<filesystem type='bind' accessmode='passthrough'>
|
||||
<source dir='/var/lib/libvirt/filesystems/mysshd/var'/>
|
||||
<target dir='/var'/>
|
||||
</filesystem>
|
||||
|
||||
In this case, we don't want to unmount the /var subtree or we may
|
||||
loose the access to the source folder.
|
||||
---
|
||||
src/lxc/lxc_container.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
|
||||
index 12f3a41..334a1df 100644
|
||||
--- a/src/lxc/lxc_container.c
|
||||
+++ b/src/lxc/lxc_container.c
|
||||
@@ -1597,11 +1597,15 @@ static int lxcContainerMountAllFS(virDomainDefPtr vmDef,
|
||||
if (STREQ(vmDef->fss[i]->dst, "/"))
|
||||
continue;
|
||||
|
||||
+ VIR_DEBUG("Mounting '%s' -> '%s'", vmDef->fss[i]->src, vmDef->fss[i]->dst);
|
||||
+
|
||||
if (lxcContainerResolveSymlinks(vmDef->fss[i], false) < 0)
|
||||
return -1;
|
||||
|
||||
- if (lxcContainerUnmountSubtree(vmDef->fss[i]->dst,
|
||||
- false) < 0)
|
||||
+
|
||||
+ if (!(vmDef->fss[i]->src &&
|
||||
+ STRPREFIX(vmDef->fss[i]->src, vmDef->fss[i]->dst)) &&
|
||||
+ lxcContainerUnmountSubtree(vmDef->fss[i]->dst, false) < 0)
|
||||
return -1;
|
||||
|
||||
if (lxcContainerMountFS(vmDef->fss[i], sec_mount_options) < 0)
|
||||
--
|
||||
2.1.2
|
||||
|
@ -1,3 +1,26 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 20 11:56:16 UTC 2014 - cbosdonnat@suse.com
|
||||
|
||||
- Fix potential crasher in virt-aa-helper
|
||||
2222123-virt-aa-helper-crash.patch
|
||||
- ip link add now needs the 'name' parameter.
|
||||
433b427-iplink-name.patch
|
||||
- Fixes for virt-sandbox-service to work:
|
||||
- Allow adding virt-sandbox service config to apparmor rules.
|
||||
c264eea-virt-aa-helper-sandbox.patch
|
||||
- fix symlink resolving for containers to start.
|
||||
72fecf1-lxc-resolve-symlinks.patch
|
||||
- fix unmounting file system if it contains the source to mount.
|
||||
e50457d-lxc-unmount-check.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 18 17:21:55 UTC 2014 - cbosdonnat@suse.com
|
||||
|
||||
- Remove security_driver = "none" in qemu config. This completely
|
||||
disabled all security drivers instead of probing them.
|
||||
- Changed default value of QEMU's security_default_confined to 0 to
|
||||
keep QEMU domains unconfined by default.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 10 22:01:31 MST 2014 - jfehlig@suse.com
|
||||
|
||||
|
10
libvirt.spec
10
libvirt.spec
@ -435,6 +435,11 @@ Source4: libvirtd-relocation-server.fw
|
||||
Source99: baselibs.conf
|
||||
# Upstream patches
|
||||
Patch0: b1674ad5-CVE-2014-7823.patch
|
||||
Patch1: 2222123-virt-aa-helper-crash.patch
|
||||
Patch2: c264eea-virt-aa-helper-sandbox.patch
|
||||
Patch3: 433b427-iplink-name.patch
|
||||
Patch4: 72fecf1-lxc-resolve-symlinks.patch
|
||||
Patch5: e50457d-lxc-unmount-check.patch
|
||||
# Patches pending upstream review
|
||||
# Need to go upstream
|
||||
Patch150: xen-name-for-devid.patch
|
||||
@ -968,6 +973,11 @@ Provides a dissector for the libvirt RPC protocol to help debugging it.
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch150 -p1
|
||||
%patch151 -p1
|
||||
%patch152 -p1
|
||||
|
@ -2,24 +2,16 @@ Index: libvirt-1.2.10/src/qemu/qemu.conf
|
||||
===================================================================
|
||||
--- libvirt-1.2.10.orig/src/qemu/qemu.conf
|
||||
+++ libvirt-1.2.10/src/qemu/qemu.conf
|
||||
@@ -200,7 +200,16 @@
|
||||
# a special value; security_driver can be set to that value in
|
||||
# isolation, but it cannot appear in a list of drivers.
|
||||
#
|
||||
+# SUSE Note:
|
||||
+# Currently, Apparmor is the default security framework in SUSE
|
||||
+# distros. If Apparmor is enabled on the host, libvirtd is
|
||||
+# generously confined but users must opt-in to confine qemu
|
||||
+# instances. Change this to 'apparmor' to enable Apparmor
|
||||
+# confinement of qemu instances.
|
||||
+#
|
||||
#security_driver = "selinux"
|
||||
+# security_driver = "apparmor"
|
||||
+security_driver = "none"
|
||||
@@ -204,7 +204,7 @@
|
||||
|
||||
# If set to non-zero, then the default security labeling
|
||||
# will make guests confined. If set to zero, then guests
|
||||
@@ -417,11 +426,22 @@
|
||||
-# will be unconfined by default. Defaults to 1.
|
||||
+# will be unconfined by default. Defaults to 0.
|
||||
#security_default_confined = 1
|
||||
|
||||
# If set to non-zero, then attempts to create unconfined
|
||||
@@ -417,11 +417,22 @@
|
||||
#allow_disk_format_probing = 1
|
||||
|
||||
|
||||
@ -47,3 +39,16 @@ Index: libvirt-1.2.10/src/qemu/qemu.conf
|
||||
#
|
||||
#lock_manager = "lockd"
|
||||
|
||||
Index: libvirt-1.2.10/src/qemu/qemu_conf.c
|
||||
===================================================================
|
||||
--- libvirt-1.2.10.orig/src/qemu/qemu_conf.c
|
||||
+++ libvirt-1.2.10/src/qemu/qemu_conf.c
|
||||
@@ -249,7 +249,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
|
||||
|
||||
cfg->clearEmulatorCapabilities = true;
|
||||
|
||||
- cfg->securityDefaultConfined = true;
|
||||
+ cfg->securityDefaultConfined = false;
|
||||
cfg->securityRequireConfined = false;
|
||||
|
||||
cfg->keepAliveInterval = 5;
|
||||
|
Loading…
Reference in New Issue
Block a user