From: Eric Blake <eblake@redhat.com>
To: "Richard W.M. Jones" <rjones@redhat.com>
Cc: vsementsov@virtuozzo.com, berrange@redhat.com,
qemu-devel@nongnu.org, qemu-block@nongnu.org
Subject: Re: [PATCH v2] nbd/server: Add --selinux-label option
Date: Mon, 27 Sep 2021 16:18:34 -0500 [thread overview]
Message-ID: <20210927211834.tzqpx4egzwbvjmrs@redhat.com> (raw)
In-Reply-To: <20210723103303.1731437-2-rjones@redhat.com>
On Fri, Jul 23, 2021 at 11:33:03AM +0100, Richard W.M. Jones wrote:
> Under SELinux, Unix domain sockets have two labels. One is on the
> disk and can be set with commands such as chcon(1). There is a
> different label stored in memory (called the process label). This can
> only be set by the process creating the socket. When using SELinux +
> SVirt and wanting qemu to be able to connect to a qemu-nbd instance,
> you must set both labels correctly first.
>
> For qemu-nbd the options to set the second label are awkward. You can
> create the socket in a wrapper program and then exec into qemu-nbd.
> Or you could try something with LD_PRELOAD.
>
> This commit adds the ability to set the label straightforwardly on the
> command line, via the new --selinux-label flag. (The name of the flag
> is the same as the equivalent nbdkit option.)
>
> A worked example showing how to use the new option can be found in
> this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1984938
>
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1984938
> Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
> ---
I'm making one tweak to your patch before sending the pull request:
> +++ b/qemu-nbd.c
> @@ -64,6 +68,7 @@
> #define QEMU_NBD_OPT_FORK 263
> #define QEMU_NBD_OPT_TLSAUTHZ 264
> #define QEMU_NBD_OPT_PID_FILE 265
> +#define QEMU_NBD_OPT_SELINUX_LABEL 266
>
> #define MBR_SIZE 512
>
> @@ -116,6 +121,9 @@ static void usage(const char *name)
> " --fork fork off the server process and exit the parent\n"
> " once the server is running\n"
> " --pid-file=PATH store the server's process ID in the given file\n"
> +#ifdef CONFIG_SELINUX
> +" --selinux-label=LABEL set SELinux process label on listening socket\n"
> +#endif
The new option is only conditionally advertised under --help (qemu-nbd
lacks a stable machine-parseable output, so scraping --help output
will have to do for now)...
> #if HAVE_NBD_DEVICE
> "\n"
> "Kernel NBD client support:\n"
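Review bot: the usage text says the label is set "on listening socket", but the later hunk only applies it under `if (sockpath && selinux_label)`, so with a TCP listener the option is accepted and silently ignored. Either word the help line as "on listening Unix socket", or reject --selinux-label when no Unix socket path was given, so the user is not left believing the TCP listener is labelled.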
> @@ -532,6 +540,8 @@ int main(int argc, char **argv)
> { "trace", required_argument, NULL, 'T' },
> { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK },
> { "pid-file", required_argument, NULL, QEMU_NBD_OPT_PID_FILE },
> + { "selinux-label", required_argument, NULL,
> + QEMU_NBD_OPT_SELINUX_LABEL },
...but is unconditionally supported as a long option even when support
was not compiled in...
> { NULL, 0, NULL, 0 }
> };
> int ch;
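Review bot: the long-option entry is added without an #ifdef CONFIG_SELINUX guard while the --help line in the previous hunk is guarded, so a binary built without SELinux support parses --selinux-label instead of reporting an unrecognised option. Either guard the table entry the same way, or diagnose the option in the parsing switch, so the mismatch between what --help advertises and what getopt accepts cannot go unnoticed.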
> @@ -558,6 +568,7 @@ int main(int argc, char **argv)
> int old_stderr = -1;
> unsigned socket_activation;
> const char *pid_file_name = NULL;
> + const char *selinux_label = NULL;
> BlockExportOptions *export_opts;
>
> #ifdef CONFIG_POSIX
> @@ -747,6 +758,9 @@ int main(int argc, char **argv)
> case QEMU_NBD_OPT_PID_FILE:
> pid_file_name = optarg;
> break;
> + case QEMU_NBD_OPT_SELINUX_LABEL:
> + selinux_label = optarg;
> + break;
> }
> }
>
> @@ -938,6 +952,16 @@ int main(int argc, char **argv)
> } else {
> backlog = MIN(shared, SOMAXCONN);
> }
> + if (sockpath && selinux_label) {
> +#ifdef CONFIG_SELINUX
> + if (setsockcreatecon_raw(selinux_label) == -1) {
> + error_report("Cannot set SELinux socket create context "
> + "to %s: %s",
> + selinux_label, strerror(errno));
> + exit(EXIT_FAILURE);
> + }
> +#endif
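Review bot: setsockcreatecon_raw() changes the socket-creation context for every socket the calling thread creates afterwards, not only the listening socket, and this hunk does not show the context being cleared again. Make sure setsockcreatecon_raw(NULL) is called once the listening socket has been created, so that any socket qemu-nbd opens later does not silently inherit the label meant for the listener; the error path (error_report with strerror(errno) followed by exit) looks right as written.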
...but here we silently ignore it if support is not compiled in.
Better is to issue an error message about using an unsupported option,
so I'll squash this in:
diff --git i/qemu-nbd.c w/qemu-nbd.c
index 5dc82c419255..94f8ec07c064 100644
--- i/qemu-nbd.c
+++ w/qemu-nbd.c
@@ -962,6 +962,9 @@ int main(int argc, char **argv)
selinux_label, strerror(errno));
exit(EXIT_FAILURE);
}
+#else
+ error_report("SELinux support not enabled in this binary");
+ exit(EXIT_FAILURE);
#endif
}
saddr = nbd_build_socket_address(sockpath, bindto, port);
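Review bot: the new #else branch sits inside `if (sockpath && selinux_label)` (closed by the `}` at the end of this hunk), so a non-SELinux binary still silently accepts --selinux-label when it is combined with a TCP listener. Rejecting a non-NULL selinux_label directly in the `case QEMU_NBD_OPT_SELINUX_LABEL:` handler when CONFIG_SELINUX is not defined would fail consistently for every socket type and would avoid repeating the same error_report in two places.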
@@ -978,6 +981,9 @@ int main(int argc, char **argv)
strerror(errno));
exit(EXIT_FAILURE);
}
+#else
+ error_report("SELinux support not enabled in this binary");
+ exit(EXIT_FAILURE);
#endif
}
} else {
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org