From: "Richard W.M. Jones" <rjones@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: vsementsov@virtuozzo.com, berrange@redhat.com,
	qemu-devel@nongnu.org, qemu-block@nongnu.org
Subject: Re: [PATCH v2] nbd/server: Add --selinux-label option
Date: Mon, 27 Sep 2021 22:39:06 +0100
Message-ID: <20210927213906.GW3361@redhat.com>
In-Reply-To: <20210927211834.tzqpx4egzwbvjmrs@redhat.com>

On Mon, Sep 27, 2021 at 04:18:34PM -0500, Eric Blake wrote:
> On Fri, Jul 23, 2021 at 11:33:03AM +0100, Richard W.M. Jones wrote:
> > Under SELinux, Unix domain sockets have two labels.  One is on the
> > disk and can be set with commands such as chcon(1).  There is a
> > different label stored in memory (called the process label).  This can
> > only be set by the process creating the socket.  When using SELinux +
> > SVirt and wanting qemu to be able to connect to a qemu-nbd instance,
> > you must set both labels correctly first.
> > 
> > For qemu-nbd the options to set the second label are awkward.  You can
> > create the socket in a wrapper program and then exec into qemu-nbd.
> > Or you could try something with LD_PRELOAD.
> > 
> > This commit adds the ability to set the label straightforwardly on the
> > command line, via the new --selinux-label flag.  (The name of the flag
> > is the same as the equivalent nbdkit option.)
> > 
> > A worked example showing how to use the new option can be found in
> > this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1984938
> > 
> > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1984938
> > Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
> > ---
> 
> I'm making one tweak to your patch before sending the pull request:
> 
> > +++ b/qemu-nbd.c
> > @@ -64,6 +68,7 @@
> >  #define QEMU_NBD_OPT_FORK          263
> >  #define QEMU_NBD_OPT_TLSAUTHZ      264
> >  #define QEMU_NBD_OPT_PID_FILE      265
> > +#define QEMU_NBD_OPT_SELINUX_LABEL 266
> >  
> >  #define MBR_SIZE 512
> >  
> > @@ -116,6 +121,9 @@ static void usage(const char *name)
> >  "  --fork                    fork off the server process and exit the parent\n"
> >  "                            once the server is running\n"
> >  "  --pid-file=PATH           store the server's process ID in the given file\n"
> > +#ifdef CONFIG_SELINUX
> > +"  --selinux-label=LABEL     set SELinux process label on listening socket\n"
> > +#endif
> 
> The new option is only conditionally advertised under --help (qemu-nbd
> lacks a stable machine-parseable output, so scraping --help output
> will have to do for now)...
> 
> >  #if HAVE_NBD_DEVICE
> >  "\n"
> >  "Kernel NBD client support:\n"
> > @@ -532,6 +540,8 @@ int main(int argc, char **argv)
> >          { "trace", required_argument, NULL, 'T' },
> >          { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK },
> >          { "pid-file", required_argument, NULL, QEMU_NBD_OPT_PID_FILE },
> > +        { "selinux-label", required_argument, NULL,
> > +          QEMU_NBD_OPT_SELINUX_LABEL },
> 
> ...but is unconditionally supported as a long option even when support
> was not compiled in...
> 
> >          { NULL, 0, NULL, 0 }
> >      };
> >      int ch;
> > @@ -558,6 +568,7 @@ int main(int argc, char **argv)
> >      int old_stderr = -1;
> >      unsigned socket_activation;
> >      const char *pid_file_name = NULL;
> > +    const char *selinux_label = NULL;
> >      BlockExportOptions *export_opts;
> >  
> >  #ifdef CONFIG_POSIX
> > @@ -747,6 +758,9 @@ int main(int argc, char **argv)
> >          case QEMU_NBD_OPT_PID_FILE:
> >              pid_file_name = optarg;
> >              break;
> > +        case QEMU_NBD_OPT_SELINUX_LABEL:
> > +            selinux_label = optarg;
> > +            break;
> >          }
> >      }
> >  
> > @@ -938,6 +952,16 @@ int main(int argc, char **argv)
> >          } else {
> >              backlog = MIN(shared, SOMAXCONN);
> >          }
> > +        if (sockpath && selinux_label) {
> > +#ifdef CONFIG_SELINUX
> > +            if (setsockcreatecon_raw(selinux_label) == -1) {
> > +                error_report("Cannot set SELinux socket create context "
> > +                             "to %s: %s",
> > +                             selinux_label, strerror(errno));
> > +                exit(EXIT_FAILURE);
> > +            }
> > +#endif
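Review bot: the guard `if (sockpath && selinux_label)` drops a supplied label silently when qemu-nbd listens on TCP (no -k): a user who combines --selinux-label with -p gets an unlabelled listening socket and no diagnostic. Either reject the combination before this point (`if (selinux_label && !sockpath) { error_report("--selinux-label requires a Unix socket (-k)"); exit(EXIT_FAILURE); }`) or at least say in the --help line that the option only applies to a Unix socket.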
> 
> ...but here we silently ignore it if support is not compiled in.
> Better is to issue an error message about using an unsupported option,
> so I'll squash this in:
> 
> diff --git i/qemu-nbd.c w/qemu-nbd.c
> index 5dc82c419255..94f8ec07c064 100644
> --- i/qemu-nbd.c
> +++ w/qemu-nbd.c
> @@ -962,6 +962,9 @@ int main(int argc, char **argv)
>                               selinux_label, strerror(errno));
>                  exit(EXIT_FAILURE);
>              }
> +#else
> +            error_report("SELinux support not enabled in this binary");
> +            exit(EXIT_FAILURE);
>  #endif
>          }
>          saddr = nbd_build_socket_address(sockpath, bindto, port);
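Review bot: this #else sits inside the same `if (sockpath && selinux_label)` block, so a build without CONFIG_SELINUX still accepts --selinux-label without complaint whenever sockpath is NULL (a TCP listen, or socket activation unless the `} else {` branch below rejects it separately). Failing in the QEMU_NBD_OPT_SELINUX_LABEL case of the getopt switch under `#ifndef CONFIG_SELINUX` would reject the option once, however the socket is set up, and would make this block unnecessary.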
> @@ -978,6 +981,9 @@ int main(int argc, char **argv)
>                               strerror(errno));
>                  exit(EXIT_FAILURE);
>              }
> +#else
> +            error_report("SELinux support not enabled in this binary");
> +            exit(EXIT_FAILURE);
>  #endif
>          }
>      } else {
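Review bot: if this block is under the same `sockpath && selinux_label` condition as the first one, this second "SELinux support not enabled in this binary" branch can never run, because the first #else already calls exit(EXIT_FAILURE) before nbd_build_socket_address(); one check in one place avoids the duplicated message and the dead branch.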
> 

Good idea, thanks.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
