Fix TPM2 passthrough (bz #1486240)
Fix spice GL qemu:///system rendernode permissions (bz #1460804)
parent
2a9c282548
commit
7042f56045
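--- /dev/null
+++ b/0001-tpm-Use-dev-null-for-cancel-path-if-none-was-found.patch
@@ -0,0 +1,34 @@
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Thu, 29 Jun 2017 14:01:11 -0400
+Subject: [PATCH] tpm: Use /dev/null for cancel path if none was found
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+TPM 2 does not implement sysfs files for cancellation of commands.
+We therefore use /dev/null for the cancel path passed to QEMU.
+
+Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Tested-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit dfbb15b75433e520fb1b905c1c3e28753e53e4a5)
+---
+src/util/virtpm.c | 4 +---
+1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/util/virtpm.c b/src/util/virtpm.c
+index 6d9b0657a..d5c10da38 100644
+--- a/src/util/virtpm.c
++++ b/src/util/virtpm.c
+@@ -61,9 +61,7 @@ virTPMCreateCancelPath(const char *devpath)
+VIR_FREE(path);
+}
+if (!path)
+-virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+-_("No usable sysfs TPM cancel file could be "
+-"found"));
++ignore_value(VIR_STRDUP(path, "/dev/null"));
+} else {
+virReportError(VIR_ERR_INTERNAL_ERROR,
+_("TPM device path %s is invalid"), devpath);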
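Review bot: `ignore_value(VIR_STRDUP(path, "/dev/null"));` swallows the one failure this branch can still hit: the removed virReportError was the only error reported when no cancel file exists, and if the strdup fails `path` stays NULL and the function presumably returns NULL to its caller with no error set. The fallback is also silent, so an operator of a TPM 1.2 device whose sysfs cancel entry is merely missing or unreadable will not learn that command cancellation has become a no-op; the commit message only mentions TPM 2. I would check the return, `if (VIR_STRDUP(path, "/dev/null") < 0)` followed by the function's existing failure path, and log the substitution with a VIR_DEBUG such as `"No sysfs TPM cancel file for %s, using /dev/null: cancellation unavailable"` before returning. virTPMCreateCancelPath starts and ends outside this hunk, so the exact cleanup label is not visible here.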
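--- /dev/null
+++ b/0002-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch
@@ -0,0 +1,108 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Sun, 27 Aug 2017 11:23:47 -0400
+Subject: [PATCH] security: add MANAGER_MOUNT_NAMESPACE flag
+
+The VIR_SECURITY_MANAGER_MOUNT_NAMESPACE flag informs the DAC driver
+if mount namespaces are in use for the VM. Will be used for future
+changes.
+
+Wire it up in the qemu driver
+
+(cherry picked from commit 321031e482425dfeae0f125cdac6df870f079efd)
+---
+src/qemu/qemu_driver.c | 2 ++
+src/security/security_dac.c | 10 ++++++++++
+src/security/security_dac.h | 3 +++
+src/security/security_manager.c | 4 +++-
+src/security/security_manager.h | 1 +
+5 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index b7824512c..1f9264639 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -419,6 +419,8 @@ qemuSecurityInit(virQEMUDriverPtr driver)
+if (virQEMUDriverIsPrivileged(driver)) {
+if (cfg->dynamicOwnership)
+flags |= VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP;
++ if (virBitmapIsBitSet(cfg->namespaces, QEMU_DOMAIN_NS_MOUNT))
++ flags |= VIR_SECURITY_MANAGER_MOUNT_NAMESPACE;
+if (!(mgr = qemuSecurityNewDAC(QEMU_DRIVER_NAME,
+cfg->user,
+cfg->group,
+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
+index ca7a6af6d..507be44a2 100644
+--- a/src/security/security_dac.c
++++ b/src/security/security_dac.c
+@@ -57,6 +57,7 @@ struct _virSecurityDACData {
+gid_t *groups;
+int ngroups;
+bool dynamicOwnership;
++ bool mountNamespace;
+char *baselabel;
+virSecurityManagerDACChownCallback chownCallback;
+};
+@@ -238,6 +239,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
+}
+
+void
++virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
++ bool mountNamespace)
++{
++ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
++ priv->mountNamespace = mountNamespace;
++}
++
++
++void
+virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
+virSecurityManagerDACChownCallback chownCallback)
+{
+diff --git a/src/security/security_dac.h b/src/security/security_dac.h
+index 846cefbb5..97681c961 100644
+--- a/src/security/security_dac.h
++++ b/src/security/security_dac.h
+@@ -32,6 +32,9 @@ int virSecurityDACSetUserAndGroup(virSecurityManagerPtr mgr,
+void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
+bool dynamic);
+
++void virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
++ bool mountNamespace);
++
+void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
+virSecurityManagerDACChownCallback chownCallback);
+
+diff --git a/src/security/security_manager.c b/src/security/security_manager.c
+index 95b995230..e43c99d4f 100644
+--- a/src/security/security_manager.c
++++ b/src/security/security_manager.c
+@@ -146,7 +146,8 @@ virSecurityManagerNewDAC(const char *virtDriver,
+virSecurityManagerPtr mgr;
+
+virCheckFlags(VIR_SECURITY_MANAGER_NEW_MASK |
+- VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP, NULL);
++ VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP |
++ VIR_SECURITY_MANAGER_MOUNT_NAMESPACE, NULL);
+
+mgr = virSecurityManagerNewDriver(&virSecurityDriverDAC,
+virtDriver,
+@@ -161,6 +162,7 @@ virSecurityManagerNewDAC(const char *virtDriver,
+}
+
+virSecurityDACSetDynamicOwnership(mgr, flags & VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP);
++ virSecurityDACSetMountNamespace(mgr, flags & VIR_SECURITY_MANAGER_MOUNT_NAMESPACE);
+virSecurityDACSetChownCallback(mgr, chownCallback);
+
+return mgr;
+diff --git a/src/security/security_manager.h b/src/security/security_manager.h
+index 01296d339..08fb89203 100644
+--- a/src/security/security_manager.h
++++ b/src/security/security_manager.h
+@@ -36,6 +36,7 @@ typedef enum {
+VIR_SECURITY_MANAGER_REQUIRE_CONFINED = 1 << 2,
+VIR_SECURITY_MANAGER_PRIVILEGED = 1 << 3,
+VIR_SECURITY_MANAGER_DYNAMIC_OWNERSHIP = 1 << 4,
++ VIR_SECURITY_MANAGER_MOUNT_NAMESPACE = 1 << 5,
+} virSecurityManagerNewFlags;
+
+# define VIR_SECURITY_MANAGER_NEW_MASK \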
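Review bot: The new enumerator `VIR_SECURITY_MANAGER_MOUNT_NAMESPACE = 1 << 5,` and the setter virSecurityDACSetMountNamespace carry no comment, yet the flag changes what the DAC driver is allowed to chown, so a maintainer needs to know it is a security-relevant promise rather than a hint. The qemu hunk sets it only inside the `virQEMUDriverIsPrivileged(driver)` branch when QEMU_DOMAIN_NS_MOUNT is configured, which is worth stating at the definition. I would add above the enumerator `/* Domain devices are relabelled inside a private mount namespace, so host-wide nodes can be chown'd without affecting other users; only set by privileged drivers */` (hedged, since the consumer of the flag is not in this patch), and a one-line comment on the setter saying it must be called before any label is applied.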
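--- /dev/null
+++ b/0003-security-dac-relabel-spice-rendernode.patch
@@ -0,0 +1,101 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Mon, 17 Jul 2017 08:57:57 -0400
+Subject: [PATCH] security: dac: relabel spice rendernode
+
+For a logged in user this a path like /dev/dri/renderD128 will have
+default ownership root:video which won't work for the qemu:qemu user,
+so we need to chown it.
+
+We only do this when mount namespaces are enabled in the qemu driver,
+so the chown'ing doesn't interfere with other users of the shared
+render node path
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1460804
+(cherry picked from commit 98931187eefdec6f2dea5cb82ab6d23a3ffa6634)
+---
+src/security/security_dac.c | 58 +++++++++++++++++++++++++++++++++++++++++++++
+1 file changed, 58 insertions(+)
+
+diff --git a/src/security/security_dac.c b/src/security/security_dac.c
+index 507be44a2..349dbe81d 100644
+--- a/src/security/security_dac.c
++++ b/src/security/security_dac.c
+@@ -1381,6 +1381,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
+
+
+static int
++virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
++ virDomainDefPtr def,
++ virDomainGraphicsDefPtr gfx)
++
++{
++ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
++ virSecurityLabelDefPtr seclabel;
++ uid_t user;
++ gid_t group;
++
++ /* Skip chowning the shared render file if namespaces are disabled */
++ if (!priv->mountNamespace)
++ return 0;
++
++ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
++ if (seclabel && !seclabel->relabel)
++ return 0;
++
++ if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
++ return -1;
++
++ if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE &&
++ gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES &&
++ gfx->data.spice.rendernode) {
++ if (virSecurityDACSetOwnership(priv, NULL,
++ gfx->data.spice.rendernode,
++ user, group) < 0)
++ return -1;
++ }
++
++ return 0;
++}
++
++
++static int
++virSecurityDACRestoreGraphicsLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
++ virDomainDefPtr def ATTRIBUTE_UNUSED,
++ virDomainGraphicsDefPtr gfx ATTRIBUTE_UNUSED)
++
++{
++ /* The only graphics labelling we do is dependent on mountNamespaces,
++ in which case 'restoring' the label doesn't actually accomplish
++ anything, so there's nothing to do here */
++ return 0;
++}
++
++
++static int
+virSecurityDACSetInputLabel(virSecurityManagerPtr mgr,
+virDomainDefPtr def,
+virDomainInputDefPtr input)
+@@ -1491,6 +1539,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
+rc = -1;
+}
+
++ for (i = 0; i < def->ngraphics; i++) {
++ if (virSecurityDACRestoreGraphicsLabel(mgr, def, def->graphics[i]) < 0)
++ return -1;
++ }
++
+for (i = 0; i < def->ninputs; i++) {
+if (virSecurityDACRestoreInputLabel(mgr, def, def->inputs[i]) < 0)
+rc = -1;
+@@ -1611,6 +1664,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
+return -1;
+}
+
++ for (i = 0; i < def->ngraphics; i++) {
++ if (virSecurityDACSetGraphicsLabel(mgr, def, def->graphics[i]) < 0)
++ return -1;
++ }
++
+for (i = 0; i < def->ninputs; i++) {
+if (virSecurityDACSetInputLabel(mgr, def, def->inputs[i]) < 0)
+return -1;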
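Review bot: The new loop in virSecurityDACRestoreAllLabel does `return -1;` on a failed virSecurityDACRestoreGraphicsLabel, whereas the surrounding restore loops visible in the same hunk (`rc = -1;` before it and in the inputs loop after it) record the failure and keep restoring the remaining devices; an early return here would leave every later device's ownership unrestored the moment the graphics restore gains real work. It is harmless today only because virSecurityDACRestoreGraphicsLabel unconditionally returns 0, so the line should read `rc = -1;` to match its siblings. Related, the comment in virSecurityDACRestoreGraphicsLabel is the only place recording why the render node chown is never reverted; since the chown is guarded solely by priv->mountNamespace, the comment in virSecurityDACSetGraphicsLabel should state the assumption it depends on, e.g. `/* Only chown when the node lives in the domain's private mount namespace; the host's shared /dev/dri/renderD* must never be touched */`. Both virSecurityDACRestoreAllLabel and virSecurityDACSetAllLabel start and end outside these hunks.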
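--- a/libvirt.spec
+++ b/libvirt.spec
@@ -240,7 +240,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 3.7.0
-Release: 1%{?dist}%{?extra_release}
+Release: 2%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -251,6 +251,12 @@ URL: https://libvirt.org/
 %endif
 Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz
+
+# Fix TPM2 passthrough (bz #1486240)
+Patch0001: 0001-tpm-Use-dev-null-for-cancel-path-if-none-was-found.patch
+# Fix spice GL qemu:///system rendernode permissions (bz #1460804)
+Patch0002: 0002-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch
+Patch0003: 0003-security-dac-relabel-spice-rendernode.patch
 
 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
 Requires: libvirt-daemon-config-nwfilter = %{version}-%{release}
@@ -2121,6 +2127,10 @@ exit 0
 
 
 %changelog
+* Fri Sep 15 2017 Cole Robinson <crobinso@redhat.com> - 3.7.0-2
+- Fix TPM2 passthrough (bz #1486240)
+- Fix spice GL qemu:///system rendernode permissions (bz #1460804)
+
 * Mon Sep 4 2017 Daniel P. Berrange <berrange@redhat.com> - 3.7.0-1
 - Rebase to version 3.7.0
 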