* [PULL 0/2] NBD patches for 6.2-rc1, 2021-11-16
@ 2021-11-16 16:54 Eric Blake
2021-11-16 16:54 ` [PULL 1/2] nbd/server: Silence clang sanitizer warning Eric Blake
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Eric Blake @ 2021-11-16 16:54 UTC (permalink / raw)
To: qemu-devel
The following changes since commit 9f0f846465d4c52ce9857787e947dffb64367fae:
Merge tag 'machine-core-20211115' of https://github.com/philmd/qemu into staging (2021-11-16 12:50:27 +0100)
are available in the Git repository at:
https://repo.or.cz/qemu/ericb.git tags/pull-nbd-2021-11-16
for you to fetch changes up to 3d212b41e9ccb3f37d04f22c59a960bac099c1d4:
nbd/server: Add --selinux-label option (2021-11-16 10:16:38 -0600)
----------------------------------------------------------------
nbd patches for 2021-11-16
- Rich Jones: Add 'qemu-nbd --selinux-label' option for running Unix
socket with appropriate SELinux labeling
- Eric Blake: Address clang sanitizer warning
----------------------------------------------------------------
Eric Blake (1):
nbd/server: Silence clang sanitizer warning
Richard W.M. Jones (1):
nbd/server: Add --selinux-label option
meson.build | 10 ++++-
nbd/server.c | 13 +++++--
qemu-nbd.c | 46 +++++++++++++++++++++++
meson_options.txt | 3 ++
scripts/meson-buildoptions.sh | 3 ++
tests/docker/dockerfiles/centos8.docker | 1 +
tests/docker/dockerfiles/fedora-i386-cross.docker | 1 +
tests/docker/dockerfiles/fedora.docker | 1 +
tests/docker/dockerfiles/opensuse-leap.docker | 1 +
tests/docker/dockerfiles/ubuntu1804.docker | 1 +
tests/docker/dockerfiles/ubuntu2004.docker | 1 +
11 files changed, 76 insertions(+), 5 deletions(-)
--
2.33.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PULL 1/2] nbd/server: Silence clang sanitizer warning
2021-11-16 16:54 [PULL 0/2] NBD patches for 6.2-rc1, 2021-11-16 Eric Blake
@ 2021-11-16 16:54 ` Eric Blake
2021-11-16 16:54 ` [PULL 2/2] nbd/server: Add --selinux-label option Eric Blake
2021-11-16 20:04 ` [PULL 0/2] NBD patches for 6.2-rc1, 2021-11-16 Richard Henderson
2 siblings, 0 replies; 4+ messages in thread
From: Eric Blake @ 2021-11-16 16:54 UTC (permalink / raw)
To: qemu-devel
Cc: Peter Maydell, Vladimir Sementsov-Ogievskiy,
Philippe Mathieu-Daudé, open list:Network Block Dev...
clang's sanitizer is picky: memset(NULL, x, 0) is technically
undefined behavior, even though no sane implementation of memset()
deferences the NULL. Caught by the nbd-qemu-allocation iotest.
The alternative to checking before each memset is to instead force an
allocation of 1 element instead of g_new0(type, 0)'s behavior of
returning NULL for a 0-length array.
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: 3b1f244c59 (nbd: Allow export of multiple bitmaps for one device)
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20211115223943.626416-1-eblake@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
nbd/server.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/nbd/server.c b/nbd/server.c
index 6d03e8a4b436..d9164ee6d0da 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016-2020 Red Hat, Inc.
+ * Copyright (C) 2016-2021 Red Hat, Inc.
* Copyright (C) 2005 Anthony Liguori <anthony@codemonkey.ws>
*
* Network Block Device Server Side
@@ -879,7 +879,9 @@ static bool nbd_meta_qemu_query(NBDClient *client, NBDExportMetaContexts *meta,
if (!*query) {
if (client->opt == NBD_OPT_LIST_META_CONTEXT) {
meta->allocation_depth = meta->exp->allocation_depth;
- memset(meta->bitmaps, 1, meta->exp->nr_export_bitmaps);
+ if (meta->exp->nr_export_bitmaps) {
+ memset(meta->bitmaps, 1, meta->exp->nr_export_bitmaps);
+ }
}
trace_nbd_negotiate_meta_query_parse("empty");
return true;
@@ -894,7 +896,8 @@ static bool nbd_meta_qemu_query(NBDClient *client, NBDExportMetaContexts *meta,
if (nbd_strshift(&query, "dirty-bitmap:")) {
trace_nbd_negotiate_meta_query_parse("dirty-bitmap:");
if (!*query) {
- if (client->opt == NBD_OPT_LIST_META_CONTEXT) {
+ if (client->opt == NBD_OPT_LIST_META_CONTEXT &&
+ meta->exp->nr_export_bitmaps) {
memset(meta->bitmaps, 1, meta->exp->nr_export_bitmaps);
}
trace_nbd_negotiate_meta_query_parse("empty");
@@ -1024,7 +1027,9 @@ static int nbd_negotiate_meta_queries(NBDClient *client,
/* enable all known contexts */
meta->base_allocation = true;
meta->allocation_depth = meta->exp->allocation_depth;
- memset(meta->bitmaps, 1, meta->exp->nr_export_bitmaps);
+ if (meta->exp->nr_export_bitmaps) {
+ memset(meta->bitmaps, 1, meta->exp->nr_export_bitmaps);
+ }
} else {
for (i = 0; i < nb_queries; ++i) {
ret = nbd_negotiate_meta_query(client, meta, errp);
--
2.33.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PULL 2/2] nbd/server: Add --selinux-label option
2021-11-16 16:54 [PULL 0/2] NBD patches for 6.2-rc1, 2021-11-16 Eric Blake
2021-11-16 16:54 ` [PULL 1/2] nbd/server: Silence clang sanitizer warning Eric Blake
@ 2021-11-16 16:54 ` Eric Blake
2021-11-16 20:04 ` [PULL 0/2] NBD patches for 6.2-rc1, 2021-11-16 Richard Henderson
2 siblings, 0 replies; 4+ messages in thread
From: Eric Blake @ 2021-11-16 16:54 UTC (permalink / raw)
To: qemu-devel
Cc: Thomas Huth, Vladimir Sementsov-Ogievskiy,
Daniel P . Berrangé, open list:Network Block Dev...,
Richard W.M. Jones, Wainer dos Santos Moschetta,
Philippe Mathieu-Daudé,
Willian Rampazzo, Alex Bennée
From: "Richard W.M. Jones" <rjones@redhat.com>
Under SELinux, Unix domain sockets have two labels. One is on the
disk and can be set with commands such as chcon(1). There is a
different label stored in memory (called the process label). This can
only be set by the process creating the socket. When using SELinux +
SVirt and wanting qemu to be able to connect to a qemu-nbd instance,
you must set both labels correctly first.
For qemu-nbd the options to set the second label are awkward. You can
create the socket in a wrapper program and then exec into qemu-nbd.
Or you could try something with LD_PRELOAD.
This commit adds the ability to set the label straightforwardly on the
command line, via the new --selinux-label flag. (The name of the flag
is the same as the equivalent nbdkit option.)
A worked example showing how to use the new option can be found in
this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1984938
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1984938
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
[eblake: rebase to configure changes, reject --selinux-label if it is
not compiled in or not used on a Unix socket]
Note that we may relax some of these restrictions at a later date,
such as making it possible to label a TCP socket, although it may be
smarter to do so as a generic QMP action rather than more one-off
command lines in qemu-nbd.
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20211115202944.615966-1-eblake@redhat.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
[eblake: adjust meson output as suggested by thuth]
Signed-off-by: Eric Blake <eblake@redhat.com>
---
meson.build | 10 +++-
qemu-nbd.c | 46 +++++++++++++++++++
meson_options.txt | 3 ++
scripts/meson-buildoptions.sh | 3 ++
tests/docker/dockerfiles/centos8.docker | 1 +
.../dockerfiles/fedora-i386-cross.docker | 1 +
tests/docker/dockerfiles/fedora.docker | 1 +
tests/docker/dockerfiles/opensuse-leap.docker | 1 +
tests/docker/dockerfiles/ubuntu1804.docker | 1 +
tests/docker/dockerfiles/ubuntu2004.docker | 1 +
10 files changed, 67 insertions(+), 1 deletion(-)
diff --git a/meson.build b/meson.build
index 2ece4fe0889a..084806a9415c 100644
--- a/meson.build
+++ b/meson.build
@@ -1201,6 +1201,11 @@ keyutils = dependency('libkeyutils', required: false,
has_gettid = cc.has_function('gettid')
+# libselinux
+selinux = dependency('libselinux',
+ required: get_option('selinux'),
+ method: 'pkg-config', kwargs: static_kwargs)
+
# Malloc tests
malloc = []
@@ -1479,6 +1484,7 @@ config_host_data.set('CONFIG_SPICE_PROTOCOL', spice_protocol.found())
config_host_data.set('CONFIG_SPICE', spice.found())
config_host_data.set('CONFIG_X11', x11.found())
config_host_data.set('CONFIG_CFI', get_option('cfi'))
+config_host_data.set('CONFIG_SELINUX', selinux.found())
config_host_data.set('QEMU_VERSION', '"@0@"'.format(meson.project_version()))
config_host_data.set('QEMU_VERSION_MAJOR', meson.project_version().split('.')[0])
config_host_data.set('QEMU_VERSION_MINOR', meson.project_version().split('.')[1])
@@ -3054,7 +3060,8 @@ if have_tools
qemu_io = executable('qemu-io', files('qemu-io.c'),
dependencies: [block, qemuutil], install: true)
qemu_nbd = executable('qemu-nbd', files('qemu-nbd.c'),
- dependencies: [blockdev, qemuutil, gnutls], install: true)
+ dependencies: [blockdev, qemuutil, gnutls, selinux],
+ install: true)
subdir('storage-daemon')
subdir('contrib/rdmacm-mux')
@@ -3430,6 +3437,7 @@ summary_info += {'libdaxctl support': libdaxctl}
summary_info += {'libudev': libudev}
# Dummy dependency, keep .found()
summary_info += {'FUSE lseek': fuse_lseek.found()}
+summary_info += {'selinux': selinux}
summary(summary_info, bool_yn: true, section: 'Dependencies')
if not supported_cpus.contains(cpu)
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 9d895ba24b1e..c6c20df68a4d 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -47,6 +47,10 @@
#include "trace/control.h"
#include "qemu-version.h"
+#ifdef CONFIG_SELINUX
+#include <selinux/selinux.h>
+#endif
+
#ifdef __linux__
#define HAVE_NBD_DEVICE 1
#else
@@ -64,6 +68,7 @@
#define QEMU_NBD_OPT_FORK 263
#define QEMU_NBD_OPT_TLSAUTHZ 264
#define QEMU_NBD_OPT_PID_FILE 265
+#define QEMU_NBD_OPT_SELINUX_LABEL 266
#define MBR_SIZE 512
@@ -116,6 +121,9 @@ static void usage(const char *name)
" --fork fork off the server process and exit the parent\n"
" once the server is running\n"
" --pid-file=PATH store the server's process ID in the given file\n"
+#ifdef CONFIG_SELINUX
+" --selinux-label=LABEL set SELinux process label on listening socket\n"
+#endif
#if HAVE_NBD_DEVICE
"\n"
"Kernel NBD client support:\n"
@@ -454,6 +462,7 @@ static const char *socket_activation_validate_opts(const char *device,
const char *sockpath,
const char *address,
const char *port,
+ const char *selinux,
bool list)
{
if (device != NULL) {
@@ -472,6 +481,10 @@ static const char *socket_activation_validate_opts(const char *device,
return "TCP port number can't be set when using socket activation";
}
+ if (selinux != NULL) {
+ return "SELinux label can't be set when using socket activation";
+ }
+
if (list) {
return "List mode is incompatible with socket activation";
}
@@ -534,6 +547,8 @@ int main(int argc, char **argv)
{ "trace", required_argument, NULL, 'T' },
{ "fork", no_argument, NULL, QEMU_NBD_OPT_FORK },
{ "pid-file", required_argument, NULL, QEMU_NBD_OPT_PID_FILE },
+ { "selinux-label", required_argument, NULL,
+ QEMU_NBD_OPT_SELINUX_LABEL },
{ NULL, 0, NULL, 0 }
};
int ch;
@@ -560,6 +575,7 @@ int main(int argc, char **argv)
int old_stderr = -1;
unsigned socket_activation;
const char *pid_file_name = NULL;
+ const char *selinux_label = NULL;
BlockExportOptions *export_opts;
#ifdef CONFIG_POSIX
@@ -749,6 +765,9 @@ int main(int argc, char **argv)
case QEMU_NBD_OPT_PID_FILE:
pid_file_name = optarg;
break;
+ case QEMU_NBD_OPT_SELINUX_LABEL:
+ selinux_label = optarg;
+ break;
}
}
@@ -788,6 +807,7 @@ int main(int argc, char **argv)
/* Using socket activation - check user didn't use -p etc. */
const char *err_msg = socket_activation_validate_opts(device, sockpath,
bindto, port,
+ selinux_label,
list);
if (err_msg != NULL) {
error_report("%s", err_msg);
@@ -827,6 +847,18 @@ int main(int argc, char **argv)
}
}
+ if (selinux_label) {
+#ifdef CONFIG_SELINUX
+ if (sockpath == NULL && device == NULL) {
+ error_report("--selinux-label is not permitted without --socket");
+ exit(EXIT_FAILURE);
+ }
+#else
+ error_report("SELinux support not enabled in this binary");
+ exit(EXIT_FAILURE);
+#endif
+ }
+
if (list) {
saddr = nbd_build_socket_address(sockpath, bindto, port);
return qemu_nbd_client_list(saddr, tlscreds, bindto);
@@ -940,6 +972,13 @@ int main(int argc, char **argv)
} else {
backlog = MIN(shared, SOMAXCONN);
}
+#ifdef CONFIG_SELINUX
+ if (selinux_label && setsockcreatecon_raw(selinux_label) == -1) {
+ error_report("Cannot set SELinux socket create context to %s: %s",
+ selinux_label, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+#endif
saddr = nbd_build_socket_address(sockpath, bindto, port);
if (qio_net_listener_open_sync(server, saddr, backlog,
&local_err) < 0) {
@@ -947,6 +986,13 @@ int main(int argc, char **argv)
error_report_err(local_err);
exit(EXIT_FAILURE);
}
+#ifdef CONFIG_SELINUX
+ if (selinux_label && setsockcreatecon_raw(NULL) == -1) {
+ error_report("Cannot clear SELinux socket create context: %s",
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+#endif
} else {
size_t i;
/* See comment in check_socket_activation above. */
diff --git a/meson_options.txt b/meson_options.txt
index 411952bc91af..e3923237322a 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -201,3 +201,6 @@ option('slirp', type: 'combo', value: 'auto',
option('fdt', type: 'combo', value: 'auto',
choices: ['disabled', 'enabled', 'auto', 'system', 'internal'],
description: 'Whether and how to find the libfdt library')
+
+option('selinux', type: 'feature', value: 'auto',
+ description: 'SELinux support in qemu-nbd')
diff --git a/scripts/meson-buildoptions.sh b/scripts/meson-buildoptions.sh
index 45e1f2e20daa..7a17ff42182f 100644
--- a/scripts/meson-buildoptions.sh
+++ b/scripts/meson-buildoptions.sh
@@ -72,6 +72,7 @@ meson_options_help() {
printf "%s\n" ' sdl SDL user interface'
printf "%s\n" ' sdl-image SDL Image support for icons'
printf "%s\n" ' seccomp seccomp support'
+ printf "%s\n" ' selinux SELinux support in qemu-nbd'
printf "%s\n" ' smartcard CA smartcard emulation support'
printf "%s\n" ' snappy snappy compression support'
printf "%s\n" ' sparse sparse checker'
@@ -215,6 +216,8 @@ _meson_option_parse() {
--disable-sdl-image) printf "%s" -Dsdl_image=disabled ;;
--enable-seccomp) printf "%s" -Dseccomp=enabled ;;
--disable-seccomp) printf "%s" -Dseccomp=disabled ;;
+ --enable-selinux) printf "%s" -Dselinux=enabled ;;
+ --disable-selinux) printf "%s" -Dselinux=disabled ;;
--enable-slirp) printf "%s" -Dslirp=enabled ;;
--disable-slirp) printf "%s" -Dslirp=disabled ;;
--enable-slirp=*) quote_sh "-Dslirp=$2" ;;
diff --git a/tests/docker/dockerfiles/centos8.docker b/tests/docker/dockerfiles/centos8.docker
index 46398c61eea9..7f135f8e8c00 100644
--- a/tests/docker/dockerfiles/centos8.docker
+++ b/tests/docker/dockerfiles/centos8.docker
@@ -51,6 +51,7 @@ ENV PACKAGES \
libpng-devel \
librbd-devel \
libseccomp-devel \
+ libselinux-devel \
libslirp-devel \
libssh-devel \
libtasn1-devel \
diff --git a/tests/docker/dockerfiles/fedora-i386-cross.docker b/tests/docker/dockerfiles/fedora-i386-cross.docker
index f62a71ce2296..13328e6081f9 100644
--- a/tests/docker/dockerfiles/fedora-i386-cross.docker
+++ b/tests/docker/dockerfiles/fedora-i386-cross.docker
@@ -8,6 +8,7 @@ ENV PACKAGES \
gcc \
git \
libffi-devel.i686 \
+ libselinux-devel.i686 \
libtasn1-devel.i686 \
libzstd-devel.i686 \
make \
diff --git a/tests/docker/dockerfiles/fedora.docker b/tests/docker/dockerfiles/fedora.docker
index eec1add7f620..c6fd7e1113d4 100644
--- a/tests/docker/dockerfiles/fedora.docker
+++ b/tests/docker/dockerfiles/fedora.docker
@@ -53,6 +53,7 @@ ENV PACKAGES \
libpng-devel \
librbd-devel \
libseccomp-devel \
+ libselinux-devel \
libslirp-devel \
libssh-devel \
libtasn1-devel \
diff --git a/tests/docker/dockerfiles/opensuse-leap.docker b/tests/docker/dockerfiles/opensuse-leap.docker
index 5a8bee028951..3bbdb67f4fad 100644
--- a/tests/docker/dockerfiles/opensuse-leap.docker
+++ b/tests/docker/dockerfiles/opensuse-leap.docker
@@ -55,6 +55,7 @@ ENV PACKAGES \
libpulse-devel \
librbd-devel \
libseccomp-devel \
+ libselinux-devel \
libspice-server-devel \
libssh-devel \
libtasn1-devel \
diff --git a/tests/docker/dockerfiles/ubuntu1804.docker b/tests/docker/dockerfiles/ubuntu1804.docker
index 0880bf3e2928..450fd06d0d57 100644
--- a/tests/docker/dockerfiles/ubuntu1804.docker
+++ b/tests/docker/dockerfiles/ubuntu1804.docker
@@ -60,6 +60,7 @@ ENV PACKAGES \
libsdl2-dev \
libsdl2-image-dev \
libseccomp-dev \
+ libselinux-dev \
libsnappy-dev \
libspice-protocol-dev \
libspice-server-dev \
diff --git a/tests/docker/dockerfiles/ubuntu2004.docker b/tests/docker/dockerfiles/ubuntu2004.docker
index 39de63d0129f..15a026be0913 100644
--- a/tests/docker/dockerfiles/ubuntu2004.docker
+++ b/tests/docker/dockerfiles/ubuntu2004.docker
@@ -60,6 +60,7 @@ ENV PACKAGES \
libsdl2-dev \
libsdl2-image-dev \
libseccomp-dev \
+ libselinux-dev \
libslirp-dev \
libsnappy-dev \
libspice-protocol-dev \
--
2.33.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PULL 0/2] NBD patches for 6.2-rc1, 2021-11-16
2021-11-16 16:54 [PULL 0/2] NBD patches for 6.2-rc1, 2021-11-16 Eric Blake
2021-11-16 16:54 ` [PULL 1/2] nbd/server: Silence clang sanitizer warning Eric Blake
2021-11-16 16:54 ` [PULL 2/2] nbd/server: Add --selinux-label option Eric Blake
@ 2021-11-16 20:04 ` Richard Henderson
2 siblings, 0 replies; 4+ messages in thread
From: Richard Henderson @ 2021-11-16 20:04 UTC (permalink / raw)
To: Eric Blake, qemu-devel
On 11/16/21 5:54 PM, Eric Blake wrote:
> The following changes since commit 9f0f846465d4c52ce9857787e947dffb64367fae:
>
> Merge tag 'machine-core-20211115' of https://github.com/philmd/qemu into staging (2021-11-16 12:50:27 +0100)
>
> are available in the Git repository at:
>
> https://repo.or.cz/qemu/ericb.git tags/pull-nbd-2021-11-16
>
> for you to fetch changes up to 3d212b41e9ccb3f37d04f22c59a960bac099c1d4:
>
> nbd/server: Add --selinux-label option (2021-11-16 10:16:38 -0600)
>
> ----------------------------------------------------------------
> nbd patches for 2021-11-16
>
> - Rich Jones: Add 'qemu-nbd --selinux-label' option for running Unix
> socket with appropriate SELinux labeling
> - Eric Blake: Address clang sanitizer warning
>
> ----------------------------------------------------------------
> Eric Blake (1):
> nbd/server: Silence clang sanitizer warning
>
> Richard W.M. Jones (1):
> nbd/server: Add --selinux-label option
>
> meson.build | 10 ++++-
> nbd/server.c | 13 +++++--
> qemu-nbd.c | 46 +++++++++++++++++++++++
> meson_options.txt | 3 ++
> scripts/meson-buildoptions.sh | 3 ++
> tests/docker/dockerfiles/centos8.docker | 1 +
> tests/docker/dockerfiles/fedora-i386-cross.docker | 1 +
> tests/docker/dockerfiles/fedora.docker | 1 +
> tests/docker/dockerfiles/opensuse-leap.docker | 1 +
> tests/docker/dockerfiles/ubuntu1804.docker | 1 +
> tests/docker/dockerfiles/ubuntu2004.docker | 1 +
> 11 files changed, 76 insertions(+), 5 deletions(-)
Applied, thanks.
r~
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-11-16 20:06 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-16 16:54 [PULL 0/2] NBD patches for 6.2-rc1, 2021-11-16 Eric Blake
2021-11-16 16:54 ` [PULL 1/2] nbd/server: Silence clang sanitizer warning Eric Blake
2021-11-16 16:54 ` [PULL 2/2] nbd/server: Add --selinux-label option Eric Blake
2021-11-16 20:04 ` [PULL 0/2] NBD patches for 6.2-rc1, 2021-11-16 Richard Henderson
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.