File CVE-2010-223x-0007.patch of Package libvirt
>From 38d7c5a26e4c12a784619f1ed4fc993d9af82032 Mon Sep 17 00:00:00 2001
From: Daniel P. Berrange <berrange@redhat.com>
Date: Tue, 15 Jun 2010 17:44:19 +0100
Subject: [PATCH 07/10] Security driver params
---
 src/qemu/qemu_driver.c | 85 +++++++++++++++++++-----------
 src/qemu/qemu_security_dac.c | 44 +++++++++++-----
 src/qemu/qemu_security_stacked.c | 107 +++++++++++++++++++++++++-------------
 src/security/security_apparmor.c | 57 +++++++++++++-------
 src/security/security_driver.h | 40 ++++++++++----
 src/security/security_selinux.c | 56 +++++++++++++------
 6 files changed, 258 insertions(+), 131 deletions(-)
Index: libvirt-0.7.2/src/qemu/qemu_driver.c
===================================================================
--- libvirt-0.7.2.orig/src/qemu/qemu_driver.c
+++ libvirt-0.7.2/src/qemu/qemu_driver.c
@@ -312,7 +312,9 @@ qemuReconnectDomain(struct qemud_driver
 if (obj->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
 driver->securityDriver &&
 driver->securityDriver->domainReserveSecurityLabel &&
- driver->securityDriver->domainReserveSecurityLabel(NULL, obj) < 0)
+ driver->securityDriver->domainReserveSecurityLabel(NULL,
+ driver->securityDriver,
+ obj) < 0)
 return -1;
 if (obj->def->id >= driver->nextvmid)
@@ -1662,7 +1664,8 @@ static int qemudDomainSetSecurityLabel(v
 {
 if (vm->def->seclabel.label != NULL)
 if (driver->securityDriver && driver->securityDriver->domainSetSecurityLabel)
- return driver->securityDriver->domainSetSecurityLabel(conn, driver->securityDriver,
+ return driver->securityDriver->domainSetSecurityLabel(conn,
+ driver->securityDriver,
 vm);
 return 0;
 }
@@ -1975,7 +1978,9 @@ static int qemudStartVMDaemon(virConnect
 if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC &&
 driver->securityDriver &&
 driver->securityDriver->domainGenSecurityLabel &&
- driver->securityDriver->domainGenSecurityLabel(conn, vm) < 0)
+ driver->securityDriver->domainGenSecurityLabel(conn,
+ driver->securityDriver,
+ vm) < 0)
 return -1;
 /* Ensure no historical cgroup for this VM is lieing around bogus settings */
@@ -2203,7 +2208,9 @@ static void qemudShutdownVMDaemon(virCon
 /* Reset Security Labels */
 if (driver->securityDriver)
- driver->securityDriver->domainRestoreSecurityLabel(conn, vm);
+ driver->securityDriver->domainRestoreSecurityLabel(conn,
+ driver->securityDriver,
+ vm);
 /* Clear out dynamically assigned labels */
 if (vm->def->seclabel.type == VIR_DOMAIN_SECLABEL_DYNAMIC) {
@@ -4756,7 +4763,10 @@ static int qemudDomainAttachHostDevice(v
 if (qemuDomainSetDeviceOwnership(conn, driver, dev, 0) < 0)
 return -1;
 if (driver->securityDriver &&
- driver->securityDriver->domainSetSecurityHostdevLabel(conn, vm, dev->data.hostdev) < 0)
+ driver->securityDriver->domainSetSecurityHostdevLabel(conn,
+ driver->securityDriver,
+ vm,
+ dev->data.hostdev) < 0)
 return -1;
 switch (hostdev->source.subsys.type) {
@@ -4830,7 +4840,10 @@ static int qemudDomainAttachDevice(virDo
 case VIR_DOMAIN_DISK_DEVICE_CDROM:
 case VIR_DOMAIN_DISK_DEVICE_FLOPPY:
 if (driver->securityDriver)
- driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev->data.disk);
+ driver->securityDriver->domainSetSecurityImageLabel(dom->conn,
+ driver->securityDriver,
+ vm,
+ dev->data.disk);
 if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 0) < 0)
 goto cleanup;
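Review bot: In qemudShutdownVMDaemon the call to `driver->securityDriver->domainRestoreSecurityLabel(...)` is guarded only by `if (driver->securityDriver)`, so a driver that leaves that callback NULL would be called through a null function pointer, and the return value is dropped. The qemudStartVMDaemon hunk tests `driver->securityDriver->domainGenSecurityLabel &&` before calling it; the same test is missing for `domainSetSecurityHostdevLabel` in qemudDomainAttachHostDevice and qemudDomainDetachHostDevice and for the image-label callbacks in qemudDomainAttachDevice and qemudDomainDetachDevice. I would guard each call the same way, here `if (driver->securityDriver && driver->securityDriver->domainRestoreSecurityLabel)`, and emit a warning when the restore returns a negative value. The function body continues outside the hunk.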
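Review bot: The result of `domainSetSecurityImageLabel` is discarded in qemudDomainAttachDevice, in the CDROM/FLOPPY case here and again in the `VIR_DOMAIN_DISK_DEVICE_DISK` case of the following hunk, so a relabelling failure goes unreported and the hotplug carries on. The ownership call directly below already bails out on error, and the label call could do the same: `if (driver->securityDriver && driver->securityDriver->domainSetSecurityImageLabel(dom->conn, driver->securityDriver, vm, dev->data.disk) < 0) goto cleanup;`. Whether `cleanup` undoes everything needed at that point is outside the hunk and should be checked.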
@@ -4840,7 +4853,10 @@ static int qemudDomainAttachDevice(virDo
 case VIR_DOMAIN_DISK_DEVICE_DISK:
 if (driver->securityDriver)
- driver->securityDriver->domainSetSecurityImageLabel(dom->conn, vm, dev->data.disk);
+ driver->securityDriver->domainSetSecurityImageLabel(dom->conn,
+ driver->securityDriver,
+ vm,
+ dev->data.disk);
 if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 0) < 0)
 goto cleanup;
@@ -5121,7 +5137,10 @@ static int qemudDomainDetachHostDevice(v
 }
 if (driver->securityDriver &&
- driver->securityDriver->domainSetSecurityHostdevLabel(conn, vm, dev->data.hostdev) < 0)
+ driver->securityDriver->domainSetSecurityHostdevLabel(conn,
+ driver->securityDriver,
+ vm,
+ dev->data.hostdev) < 0)
 VIR_WARN0("Failed to restore device labelling");
 if (qemuDomainSetDeviceOwnership(conn, driver, dev, 1) < 0)
@@ -5165,7 +5184,10 @@ static int qemudDomainDetachDevice(virDo
 dev->data.disk->bus == VIR_DOMAIN_DISK_BUS_VIRTIO)) {
 ret = qemudDomainDetachPciDiskDevice(dom->conn, vm, dev);
 if (driver->securityDriver)
- driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn, vm, dev->data.disk);
+ driver->securityDriver->domainRestoreSecurityImageLabel(dom->conn,
+ driver->securityDriver,
+ vm,
+ dev->data.disk);
 if (qemuDomainSetDeviceOwnership(dom->conn, driver, dev, 1) < 0)
 VIR_WARN0("Fail to restore disk device ownership");
 } else if (dev->type == VIR_DOMAIN_DEVICE_NET) {
Index: libvirt-0.7.2/src/security/security_apparmor.c
===================================================================
--- libvirt-0.7.2.orig/src/security/security_apparmor.c
+++ libvirt-0.7.2/src/security/security_apparmor.c
@@ -148,7 +148,10 @@ profile_status_file(const char *str)
 * load (add) a profile. Will create one if necessary
 */
 static int
-load_profile(virConnectPtr conn, const char *profile, virDomainObjPtr vm,
+load_profile(virConnectPtr conn,
+ virSecurityDriverPtr drv,
+ const char *profile,
+ virDomainObjPtr vm,
 virDomainDiskDefPtr disk)
 {
 int rc = -1, status, ret;
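Review bot: qemudDomainDetachHostDevice calls `domainSetSecurityHostdevLabel` on the detach path, although the warning directly below reads "Failed to restore device labelling"; as written it appears the device is labelled for the guest again instead of being returned to its previous label. The restore callback is what the message implies: `driver->securityDriver->domainRestoreSecurityHostdevLabel(conn, driver->securityDriver, dev->data.hostdev) < 0`, which per the typedef in security_driver.h takes no `vm` argument. The commit only threads `drv` through and keeps the existing call, so this may deserve a fix of its own. The function starts and ends outside the hunk.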
@@ -319,7 +322,9 @@ AppArmorSecurityDriverOpen(virConnectPtr
 * called on shutdown.
 */
 static int
-AppArmorGenSecurityLabel(virConnectPtr conn, virDomainObjPtr vm)
+AppArmorGenSecurityLabel(virConnectPtr conn,
+ virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm)
 {
 int rc = -1;
 char *profile_name = NULL;
@@ -337,7 +342,7 @@ AppArmorGenSecurityLabel(virConnectPtr c
 /* if the profile is not already loaded, then load one */
 if (profile_loaded(profile_name) < 0) {
- if (load_profile(conn, profile_name, vm, NULL) < 0) {
+ if (load_profile(conn, drv, profile_name, vm, NULL) < 0) {
 virSecurityReportError(conn, VIR_ERR_ERROR,
 _("cannot generate AppArmor profile "
 "\'%s\'"), profile_name);
@@ -476,6 +481,7 @@ AppArmorSetSecurityLabel(virConnectPtr c
 /* Called when hotplugging */
 static int
 AppArmorRestoreSecurityImageLabel(virConnectPtr conn,
+ virSecurityDriverPtr drv,
 virDomainObjPtr vm,
 virDomainDiskDefPtr disk ATTRIBUTE_UNUSED)
 {
@@ -489,7 +495,7 @@ AppArmorRestoreSecurityImageLabel(virCon
 /* Update the profile only if it is loaded */
 if (profile_loaded(secdef->imagelabel) >= 0) {
- if (load_profile(conn, secdef->imagelabel, vm, NULL) < 0) {
+ if (load_profile(conn, drv, secdef->imagelabel, vm, NULL) < 0) {
 virSecurityReportError(conn, VIR_ERR_ERROR,
 _("cannot update AppArmor profile "
 "\'%s\'"),
@@ -508,7 +514,9 @@ AppArmorRestoreSecurityImageLabel(virCon
 /* Called when hotplugging */
 static int
 AppArmorSetSecurityImageLabel(virConnectPtr conn,
- virDomainObjPtr vm, virDomainDiskDefPtr disk)
+ virSecurityDriverPtr drv,
+ virDomainObjPtr vm,
+ virDomainDiskDefPtr disk)
 {
 const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
 int rc = -1;
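Review bot: `drv` is declared `ATTRIBUTE_UNUSED` in the new AppArmorGenSecurityLabel signature, but the next hunk in the same function passes it on in `load_profile(conn, drv, profile_name, vm, NULL)`. The annotation does not break the build, yet it tells the reader the wrong thing; AppArmorRestoreSecurityImageLabel and AppArmorSetSecurityImageLabel, which also forward `drv` to load_profile, declare it plainly. I would write `virSecurityDriverPtr drv,` here as well.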
@@ -530,7 +538,7 @@ AppArmorSetSecurityImageLabel(virConnect
 /* update the profile only if it is loaded */
 if (profile_loaded(secdef->imagelabel) >= 0) {
- if (load_profile(conn, secdef->imagelabel, vm, disk) < 0) {
+ if (load_profile(conn, drv, secdef->imagelabel, vm, disk) < 0) {
 virSecurityReportError(conn, VIR_ERR_ERROR,
 _("cannot update AppArmor profile "
 "\'%s\'"),
@@ -565,7 +573,8 @@ AppArmorSecurityVerify(virConnectPtr con
 static int
 AppArmorReserveSecurityLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
- virDomainObjPtr vm ATTRIBUTE_UNUSED)
+ virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm ATTRIBUTE_UNUSED)
 {
 /* NOOP. Nothing to reserve with AppArmor */
 return 0;
@@ -573,6 +582,7 @@ AppArmorReserveSecurityLabel(virConnectP
 static int
 AppArmorSetSecurityHostdevLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
+ virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
 virDomainObjPtr vm ATTRIBUTE_UNUSED,
 virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
@@ -583,6 +593,7 @@ AppArmorSetSecurityHostdevLabel(virConne
 static int
 AppArmorRestoreSecurityHostdevLabel(virConnectPtr conn ATTRIBUTE_UNUSED,
+ virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
 virDomainHostdevDefPtr dev ATTRIBUTE_UNUSED)
 {
Index: libvirt-0.7.2/src/security/security_driver.h
===================================================================
--- libvirt-0.7.2.orig/src/security/security_driver.h
+++ libvirt-0.7.2/src/security/security_driver.h
@@ -32,24 +32,31 @@ typedef virSecurityDriverStatus (*virSec
 typedef int (*virSecurityDriverOpen) (virConnectPtr conn,
 virSecurityDriverPtr drv);
 typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn,
+ virSecurityDriverPtr drv,
 virDomainObjPtr vm,
 virDomainDiskDefPtr disk);
 typedef int (*virSecurityDomainSetImageLabel) (virConnectPtr conn,
+ virSecurityDriverPtr drv,
 virDomainObjPtr vm,
 virDomainDiskDefPtr disk);
 typedef int (*virSecurityDomainRestoreHostdevLabel) (virConnectPtr conn,
+ virSecurityDriverPtr drv,
 virDomainHostdevDefPtr dev);
 typedef int (*virSecurityDomainSetHostdevLabel) (virConnectPtr conn,
+ virSecurityDriverPtr drv,
 virDomainObjPtr vm,
 virDomainHostdevDefPtr dev);
 typedef int (*virSecurityDomainGenLabel) (virConnectPtr conn,
+ virSecurityDriverPtr drv,
 virDomainObjPtr sec);
 typedef int (*virSecurityDomainReserveLabel) (virConnectPtr conn,
+ virSecurityDriverPtr drv,
 virDomainObjPtr sec);
 typedef int (*virSecurityDomainGetLabel) (virConnectPtr conn,
 virDomainObjPtr vm,
 virSecurityLabelPtr sec);
 typedef int (*virSecurityDomainRestoreLabel) (virConnectPtr conn,
+ virSecurityDriverPtr drv,
 virDomainObjPtr vm);
 typedef int (*virSecurityDomainSetLabel) (virConnectPtr conn,
 virSecurityDriverPtr drv,
Index: libvirt-0.7.2/src/security/security_selinux.c
===================================================================
--- libvirt-0.7.2.orig/src/security/security_selinux.c
+++ libvirt-0.7.2/src/security/security_selinux.c
@@ -159,6 +159,7 @@ SELinuxInitialize(virConnectPtr conn)
 static int
 SELinuxGenSecurityLabel(virConnectPtr conn,
+ virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
 virDomainObjPtr vm)
 {
 int rc = -1;
@@ -221,6 +222,7 @@ done:
 static int
 SELinuxReserveSecurityLabel(virConnectPtr conn,
+ virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
 virDomainObjPtr vm)
 {
 security_context_t pctx;
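Review bot: The callback typedefs in security_driver.h gain a `drv` argument with no comment saying what it refers to or whether it may be NULL, and `virSecurityDomainGetLabel` remains the one label callback in this hunk without it. A short comment above the block would help driver authors, for example `/* drv is the driver instance whose callback is being invoked; callers pass the same pointer they used to reach the callback */`, which matches the call sites in qemu_driver.c that pass `driver->securityDriver`. If GetLabel is meant to stay without `drv`, the same comment is the place to say so. The typedef list continues past the end of the hunk.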
@@ -378,6 +380,7 @@ err:
 static int
 SELinuxRestoreSecurityImageLabel(virConnectPtr conn,
+ virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
 virDomainObjPtr vm ATTRIBUTE_UNUSED,
 virDomainDiskDefPtr disk)
 {
@@ -423,6 +426,7 @@ SELinuxSetSecurityFileLabel(virDomainDis
 static int
 SELinuxSetSecurityImageLabel(virConnectPtr conn,
+ virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
 virDomainObjPtr vm,
 virDomainDiskDefPtr disk)
@@ -462,6 +466,7 @@ SELinuxSetSecurityUSBLabel(virConnectPtr
 static int
 SELinuxSetSecurityHostdevLabel(virConnectPtr conn,
+ virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
 virDomainObjPtr vm,
 virDomainHostdevDefPtr dev)
@@ -535,6 +540,7 @@ SELinuxRestoreSecurityUSBLabel(virConnec
 static int
 SELinuxRestoreSecurityHostdevLabel(virConnectPtr conn,
+ virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
 virDomainHostdevDefPtr dev)
 {
@@ -585,6 +591,7 @@ done:
 static int
 SELinuxRestoreSecurityLabel(virConnectPtr conn,
+ virSecurityDriverPtr drv,
 virDomainObjPtr vm)
 {
 const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
@@ -595,11 +602,11 @@ SELinuxRestoreSecurityLabel(virConnectPt
 if (secdef->imagelabel) {
 for (i = 0 ; i < vm->def->nhostdevs ; i++) {
- if (SELinuxRestoreSecurityHostdevLabel(conn, vm->def->hostdevs[i]) < 0)
+ if (SELinuxRestoreSecurityHostdevLabel(conn, drv, vm->def->hostdevs[i]) < 0)
 rc = -1;
 }
 for (i = 0 ; i < vm->def->ndisks ; i++) {
- if (SELinuxRestoreSecurityImageLabel(conn, vm,
+ if (SELinuxRestoreSecurityImageLabel(conn, drv, vm,
 vm->def->disks[i]) < 0)
 rc = -1;
 }
@@ -658,11 +665,11 @@ SELinuxSetSecurityLabel(virConnectPtr co
 if (secdef->imagelabel) {
 for (i = 0 ; i < vm->def->ndisks ; i++) {
- if (SELinuxSetSecurityImageLabel(conn, vm, vm->def->disks[i]) < 0)
+ if (SELinuxSetSecurityImageLabel(conn, drv, vm, vm->def->disks[i]) < 0)
 return -1;
 }
 for (i = 0 ; i < vm->def->nhostdevs ; i++) {
- if (SELinuxSetSecurityHostdevLabel(conn, vm, vm->def->hostdevs[i]) < 0)
+ if (SELinuxSetSecurityHostdevLabel(conn, drv, vm, vm->def->hostdevs[i]) < 0)
 return -1;
 }
 }