packages/libvirt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!16 Substitute security_context_t with char

Browse Source 
Merge pull request !16 from XuYandong/master
This commit is contained in:
openeuler-ci-bot 2020-08-05 10:44:01 +08:00 committed by Gitee
commit 883534c2f4
4 changed files with 419 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

320
libvirt-Substitute-security_context_t-with-char.patch Normal file
View File

@ -0,0 +1,320 @@
From 0ca4dd0cd279448ff28beb4c88e52107531783a3 Mon Sep 17 00:00:00 2001
From: Xu Yandong <xuyandong2@huawei.com>
Date: Tue, 4 Aug 2020 01:44:48 +0000
Subject: [PATCH] Substitute security_context_t with char *
Historically, we've used security_context_t for variables passed
to libselinux APIs. But almost 7 years ago, libselinux developers
admitted in their API that in fact, it's just a 'char *' type
[1]. Ever since then the APIs accept 'char *' instead, but they
kept the old alias just for API stability. Well, not anymore [2].
1: https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9
2: https://github.com/SELinuxProject/selinux/commit/7a124ca2758136f49cc38efc26fb1a2d385ecfd9
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
(cherry-picked from commit e71e13488dc1aa65456e54a4b41bc925821b4263)
Signed-off-by: Xu Yandong <xuyandong2@huawei.com>
---
src/libvirt-lxc.c | 2 +-
src/rpc/virnetsocket.c | 2 +-
src/security/security_selinux.c | 26 +++++++++++++-------------
src/storage/storage_util.c | 2 +-
src/util/viridentity.c | 2 +-
tests/securityselinuxhelper.c | 16 ++++++++--------
tests/securityselinuxlabeltest.c | 4 ++--
tests/securityselinuxtest.c | 2 +-
tests/viridentitytest.c | 2 +-
9 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/src/libvirt-lxc.c b/src/libvirt-lxc.c
index 47a06a3..25f1cfc 100644
--- a/src/libvirt-lxc.c
+++ b/src/libvirt-lxc.c
@@ -204,7 +204,7 @@ virDomainLxcEnterSecurityLabel(virSecurityModelPtr model,
if (STREQ(model->model, "selinux")) {
#ifdef WITH_SELINUX
if (oldlabel) {
- security_context_t ctx;
+ char *ctx;
if (getcon(&ctx) < 0) {
virReportSystemError(errno,
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 6c790cb..5537289 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -1595,7 +1595,7 @@ int virNetSocketGetUNIXIdentity(virNetSocketPtr sock G_GNUC_UNUSED,
int virNetSocketGetSELinuxContext(virNetSocketPtr sock,
char **context)
{
- security_context_t seccon = NULL;
+ char *seccon = NULL;
int ret = -1;
*context = NULL;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 8aeb6e4..72d1658 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -198,7 +198,7 @@ virSecuritySELinuxTransactionAppend(const char *path,
static int
virSecuritySELinuxRememberLabel(const char *path,
- const security_context_t con)
+ const char *con)
{
return virSecuritySetRememberedLabel(SECURITY_SELINUX_NAME,
path, con);
@@ -207,7 +207,7 @@ virSecuritySELinuxRememberLabel(const char *path,
static int
virSecuritySELinuxRecallLabel(const char *path,
- security_context_t *con)
+ char **con)
{
int rv;
@@ -431,7 +431,7 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
int *catMin,
int *catMax)
{
- security_context_t ourSecContext = NULL;
+ char *ourSecContext = NULL;
context_t ourContext = NULL;
char *cat = NULL;
char *tmp;
@@ -530,8 +530,8 @@ virSecuritySELinuxMCSGetProcessRange(char **sens,
}
static char *
-virSecuritySELinuxContextAddRange(security_context_t src,
- security_context_t dst)
+virSecuritySELinuxContextAddRange(char *src,
+ char *dst)
{
char *str = NULL;
char *ret = NULL;
@@ -575,7 +575,7 @@ virSecuritySELinuxGenNewContext(const char *basecontext,
context_t context = NULL;
char *ret = NULL;
char *str;
- security_context_t ourSecContext = NULL;
+ char *ourSecContext = NULL;
context_t ourContext = NULL;
VIR_DEBUG("basecontext=%s mcs=%s isObjectContext=%d",
@@ -967,7 +967,7 @@ virSecuritySELinuxReserveLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
pid_t pid)
{
- security_context_t pctx;
+ char *pctx;
context_t ctx = NULL;
const char *mcs;
int rv;
@@ -1217,7 +1217,7 @@ virSecuritySELinuxGetProcessLabel(virSecurityManagerPtr mgr G_GNUC_UNUSED,
pid_t pid,
virSecurityLabelPtr sec)
{
- security_context_t ctx;
+ char *ctx;
if (getpidcon_raw(pid, &ctx) == -1) {
virReportSystemError(errno,
@@ -1330,7 +1330,7 @@ virSecuritySELinuxSetFilecon(virSecurityManagerPtr mgr,
bool remember)
{
bool privileged = virSecurityManagerGetPrivileged(mgr);
- security_context_t econ = NULL;
+ char *econ = NULL;
int refcount;
int rc;
bool rollback = false;
@@ -1440,7 +1440,7 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
/* Set fcon to the appropriate label for path and mode, or return -1. */
static int
getContext(virSecurityManagerPtr mgr G_GNUC_UNUSED,
- const char *newpath, mode_t mode, security_context_t *fcon)
+ const char *newpath, mode_t mode, char **fcon)
{
virSecuritySELinuxDataPtr data = virSecurityManagerGetPrivateData(mgr);
@@ -1457,7 +1457,7 @@ virSecuritySELinuxRestoreFileLabel(virSecurityManagerPtr mgr,
{
bool privileged = virSecurityManagerGetPrivileged(mgr);
struct stat buf;
- security_context_t fcon = NULL;
+ char *fcon = NULL;
char *newpath = NULL;
int rc;
int ret = -1;
@@ -2972,7 +2972,7 @@ virSecuritySELinuxSetDaemonSocketLabel(virSecurityManagerPtr mgr G_GNUC_UNUSED,
{
/* TODO: verify DOI */
virSecurityLabelDefPtr secdef;
- security_context_t scon = NULL;
+ char *scon = NULL;
char *str = NULL;
int rc = -1;
@@ -3259,7 +3259,7 @@ virSecuritySELinuxSetTapFDLabel(virSecurityManagerPtr mgr,
int fd)
{
struct stat buf;
- security_context_t fcon = NULL;
+ char *fcon = NULL;
virSecurityLabelDefPtr secdef;
char *str = NULL, *proc = NULL, *fd_path = NULL;
int rc = -1;
diff --git a/src/storage/storage_util.c b/src/storage/storage_util.c
index 1ec1d13..4c67d3a 100644
--- a/src/storage/storage_util.c
+++ b/src/storage/storage_util.c
@@ -1818,7 +1818,7 @@ virStorageBackendUpdateVolTargetInfoFD(virStorageSourcePtr target,
struct stat *sb)
{
#if WITH_SELINUX
- security_context_t filecon = NULL;
+ char *filecon = NULL;
#endif
if (virStorageSourceUpdateBackingSizes(target, fd, sb) < 0)
diff --git a/src/util/viridentity.c b/src/util/viridentity.c
index 8cc2db2..2cb9042 100644
--- a/src/util/viridentity.c
+++ b/src/util/viridentity.c
@@ -157,7 +157,7 @@ virIdentityPtr virIdentityGetSystem(void)
unsigned long long startTime;
g_autoptr(virIdentity) ret = NULL;
#if WITH_SELINUX
- security_context_t con;
+ char *con;
#endif
if (!(ret = virIdentityNew()))
diff --git a/tests/securityselinuxhelper.c b/tests/securityselinuxhelper.c
index f89224c..63b5726 100644
--- a/tests/securityselinuxhelper.c
+++ b/tests/securityselinuxhelper.c
@@ -58,7 +58,7 @@ static struct selabel_handle *(*real_selabel_open)(unsigned int backend,
unsigned nopts);
static void (*real_selabel_close)(struct selabel_handle *handle);
static int (*real_selabel_lookup_raw)(struct selabel_handle *handle,
- security_context_t *con,
+ char **con,
const char *key,
int type);
@@ -94,7 +94,7 @@ static void init_syms(void)
* the virt_use_nfs bool is set.
*/
-int getcon_raw(security_context_t *context)
+int getcon_raw(char **context)
{
if (!is_selinux_enabled()) {
errno = EINVAL;
@@ -109,12 +109,12 @@ int getcon_raw(security_context_t *context)
return 0;
}
-int getcon(security_context_t *context)
+int getcon(char **context)
{
return getcon_raw(context);
}
-int getpidcon_raw(pid_t pid, security_context_t *context)
+int getpidcon_raw(pid_t pid, char **context)
{
if (!is_selinux_enabled()) {
errno = EINVAL;
@@ -134,7 +134,7 @@ int getpidcon_raw(pid_t pid, security_context_t *context)
return 0;
}
-int getpidcon(pid_t pid, security_context_t *context)
+int getpidcon(pid_t pid, char **context)
{
return getpidcon_raw(pid, context);
}
@@ -170,7 +170,7 @@ int setfilecon(const char *path, const char *con)
return setfilecon_raw(path, con);
}
-int getfilecon_raw(const char *path, security_context_t *con)
+int getfilecon_raw(const char *path, char **con)
{
char *constr = NULL;
ssize_t len = getxattr(path, "user.libvirt.selinux",
@@ -194,7 +194,7 @@ int getfilecon_raw(const char *path, security_context_t *con)
}
-int getfilecon(const char *path, security_context_t *con)
+int getfilecon(const char *path, char **con)
{
return getfilecon_raw(path, con);
}
@@ -315,7 +315,7 @@ void selabel_close(struct selabel_handle *handle)
}
int selabel_lookup_raw(struct selabel_handle *handle,
- security_context_t *con,
+ char **con,
const char *key,
int type)
{
diff --git a/tests/securityselinuxlabeltest.c b/tests/securityselinuxlabeltest.c
index 3040a36..50b447c 100644
--- a/tests/securityselinuxlabeltest.c
+++ b/tests/securityselinuxlabeltest.c
@@ -252,7 +252,7 @@ static int
testSELinuxCheckLabels(testSELinuxFile *files, size_t nfiles)
{
size_t i;
- security_context_t ctx;
+ char *ctx;
for (i = 0; i < nfiles; i++) {
ctx = NULL;
@@ -360,7 +360,7 @@ mymain(void)
if (virTestRun("Labelling " # name, testSELinuxLabeling, name) < 0) \
ret = -1;
- setcon((security_context_t)"system_r:system_u:libvirtd_t:s0:c0.c1023");
+ setcon("system_r:system_u:libvirtd_t:s0:c0.c1023");
DO_TEST_LABELING("disks");
DO_TEST_LABELING("kernel");
diff --git a/tests/securityselinuxtest.c b/tests/securityselinuxtest.c
index 6c8314d..3f069c2 100644
--- a/tests/securityselinuxtest.c
+++ b/tests/securityselinuxtest.c
@@ -217,7 +217,7 @@ testSELinuxGenLabel(const void *opaque)
context_t con = NULL;
context_t imgcon = NULL;
- if (setcon_raw((security_context_t)data->pidcon) < 0) {
+ if (setcon_raw(data->pidcon) < 0) {
perror("Cannot set process security context");
return -1;
}
diff --git a/tests/viridentitytest.c b/tests/viridentitytest.c
index 3f87af1..9a8c891 100644
--- a/tests/viridentitytest.c
+++ b/tests/viridentitytest.c
@@ -120,7 +120,7 @@ static int testIdentityGetSystem(const void *data)
static int testSetFakeSELinuxContext(const void *data G_GNUC_UNUSED)
{
#if WITH_SELINUX
- return setcon_raw((security_context_t)data);
+ return setcon_raw(data);
#else
VIR_DEBUG("libvirt not compiled with SELinux, skipping this test");
return EXIT_AM_SKIP;
--
2.25.4

53
libvirt-conf-Don-t-format-http-cookies-unless-VIR_DOMAIN_DEF.patch Normal file
View File

@ -0,0 +1,53 @@
From cec735e6f4001caa0395eddc9d8a0fe18e97f9eb Mon Sep 17 00:00:00 2001
From: Xu Yandong <xuyandong2@huawei.com>
Date: Tue, 4 Aug 2020 08:40:36 +0000
Subject: [PATCH] conf: Don't format http cookies unless
VIR_DOMAIN_DEF_FORMAT_SECURE is used
Starting with 3b076391befc3fe72deb0c244ac6c2b4c100b410
(v6.1.0-122-g3b076391be) we support http cookies. Since they may contain
somewhat sensitive information we should not format them into the XML
unless VIR_DOMAIN_DEF_FORMAT_SECURE is asserted.
Reported-by: Han Han <hhan@redhat.com>
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
(cherry-picked from commit a5b064bf4b17a9884d7d361733737fb614ad8979)
Signed-off-by: Xu Yandong <xuyandong2@huawei.com>
---
src/conf/domain_conf.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 914e03c..cf93a59 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -24565,11 +24565,15 @@ virDomainSourceDefFormatSeclabel(virBufferPtr buf,
static void
virDomainDiskSourceFormatNetworkCookies(virBufferPtr buf,
- virStorageSourcePtr src)
+ virStorageSourcePtr src,
+ unsigned int flags)
{
g_auto(virBuffer) childBuf = VIR_BUFFER_INIT_CHILD(buf);
size_t i;
+ if (!(flags & VIR_DOMAIN_DEF_FORMAT_SECURE))
+ return;
+
for (i = 0; i < src->ncookies; i++) {
virBufferEscapeString(&childBuf, "<cookie name='%s'>", src->cookies[i]->name);
virBufferEscapeString(&childBuf, "%s</cookie>\n", src->cookies[i]->value);
@@ -24630,7 +24634,7 @@ virDomainDiskSourceFormatNetwork(virBufferPtr attrBuf,
virTristateBoolTypeToString(src->sslverify));
}
- virDomainDiskSourceFormatNetworkCookies(childBuf, src);
+ virDomainDiskSourceFormatNetworkCookies(childBuf, src, flags);
if (src->readahead)
virBufferAsprintf(childBuf, "<readahead size='%llu'/>\n", src->readahead);
--
2.25.4

40
libvirt-virstoragetest-testBackingParse-Use-VIR_DOMAIN_DEF_F.patch Normal file
View File

@ -0,0 +1,40 @@
From 18c86b74537561ab926f1b5b71a1eea7ae5d0bcb Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 4 Aug 2020 09:09:04 +0000
Subject: [PATCH] virstoragetest: testBackingParse: Use
VIR_DOMAIN_DEF_FORMAT_SECURE when formatting xml
We want to format even the secure information in tests.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
(cherry-picked from commit 524de6cc35d3b222f0e940bb0fd027f5482572c5)
Signed-off-by: Xu Yandong <xuyandong2@huawei.com>
---
tests/virstoragetest.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/virstoragetest.c b/tests/virstoragetest.c
index 6e8ebeb..6d2b21c 100644
--- a/tests/virstoragetest.c
+++ b/tests/virstoragetest.c
@@ -594,6 +594,7 @@ testBackingParse(const void *args)
g_autoptr(virStorageSource) src = NULL;
int rc;
int erc = data->rv;
+ unsigned int xmlformatflags = VIR_DOMAIN_DEF_FORMAT_SECURE;
/* expect failure return code with NULL expected data */
if (!data->expect)
@@ -613,7 +614,7 @@ testBackingParse(const void *args)
return -1;
}
- if (virDomainDiskSourceFormat(&buf, src, "source", 0, false, 0, true, NULL) < 0 ||
+ if (virDomainDiskSourceFormat(&buf, src, "source", 0, false, xmlformatflags, true, NULL) < 0 ||
!(xml = virBufferContentAndReset(&buf))) {
fprintf(stderr, "failed to format disk source xml\n");
return -1;
--
2.25.4

7
libvirt.spec
View File

@ -99,7 +99,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 6.2.0
Release: 6
Release: 7
License: LGPLv2+
URL: https://libvirt.org/
@ -128,6 +128,9 @@ Patch0017: libvirt-virsh-Fix-return-code-for-dump-and-migrate.patch
Patch0018: libvirt-virsh-Fix-return-code-for-dump.patch
Patch0019: libvirt-cpu-aarch64-enable-host-model-cpu-for-AArch64-archit.patch
Patch0020: libvirt-cpu_map-add-kunpeng-920-features-as-known-features.patch
Patch0021: libvirt-Substitute-security_context_t-with-char.patch
Patch0022: libvirt-conf-Don-t-format-http-cookies-unless-VIR_DOMAIN_DEF.patch
Patch0023: libvirt-virstoragetest-testBackingParse-Use-VIR_DOMAIN_DEF_F.patch
Requires: libvirt-daemon = %{version}-%{release}
Requires: libvirt-daemon-config-network = %{version}-%{release}
@ -1860,6 +1863,8 @@ exit 0
%changelog
* Tue Aug 4 2020 Xu Yandong <xuyandong2@huawei.com> - 6.2.0-7
- Substitute security_context_t with char pointer.
* Tue May 26 2020 Xu Yandong <xuyandong2@huawei.com> - 6.2.0-6
- Introduce Kunpeng-920 cpu features.
* Wed May 20 2020 Xu Yandong <xuyandong2@huawei.com> - 6.2.0-5