Laine Stump [Wed, 1 Mar 2023 20:34:32 +0000 (15:34 -0500)]
security: make it possible to set SELinux label of child process from its binary
Normally when a child process is started by libvirt, the SELinux label
of that process is set to virtd_t (plus an MCS range). In at least one
case (passt) we need for the SELinux label of a child process label to
match the label that the binary would have transitioned to
automatically if it had been run standalone (in the case of passt,
that label is passt_t).
This patch modifies virSecuritySELinuxSetChildProcessLabel() (and all
the functions above it in the call chain) so that the toplevel
function can set a new argument "useBinarySpecificLabel" to true. If
it is true, then virSecuritySELinuxSetChildProcessLabel() will call
the new function virSecuritySELinuxContextSetFromFile(), which uses
the selinux library function security_compute_create() to determine
what would be the label of the new process if it had been run
standalone (rather than being run by libvirt) - the MCS range from the
normally-used label is added to this newly derived label, and that is
what is used for the new process rather than whatever is in the
domain's security label (which will usually be virtd_t).
In order to easily verify that nothing was broken by these changes to
the call chain, all callers currently set useBinarySpecificPath =
false, so all behavior should be completely unchanged. (The next
patch will set it to true only for the case of running passt.)
https://bugzilla.redhat.com/2172267 Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Laine Stump [Wed, 1 Mar 2023 16:34:24 +0000 (11:34 -0500)]
util: add an API to retrieve the resolved path to a virCommand's binary
The binary to be exec'ed by virExec() is stored in
virCommand::args[0], and is resolved to a full absolute path (stored
in a local of virExec() just prior to execve().
Since we will have another use for the full absolute path, lets make
an API to resolve/retrieve the absolute path, and cache it in
virCommand::binaryPath so we only have to do the resolution once.
Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Jim Fehlig [Fri, 10 Feb 2023 21:22:19 +0000 (14:22 -0700)]
libxl: Support specifying a custom firmware path
libxl added support for specifying custom firmware paths long ago. The
functionality exists in all Xen version supported by libvirt. This patch
adds support for user-specified efi firmware paths in the libxl driver.
Signed-off-by: Jim Fehlig <jfehlig@suse.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
passt provides an AppArmor abstraction that covers all the
inner details of its operation, so we can simply import that
and add the libvirt-specific parts on top: namely, passt
needs to be able to create a socket and pid file, while
the libvirt daemon needs to be able to kill passt.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Currently it's only possible to set this parameter during domain
creation via QEMU commandline passthrough feature.
With the new delay attribute it's also possible to set this
parameter if you want to attach a new NBD disk
using "virsh attach-device domain device.xml" e.g.:
Eric Farman [Fri, 10 Mar 2023 02:38:09 +0000 (03:38 +0100)]
qemuAppendLoadparmMachineParm: add loadparm from hostdev
Commit 54fa1b44afc ("conf: Add loadparm boot option for a boot device")
added the ability to specify a loadparm parameter on a <boot/> tag, while
commit 29ba41c2d40 ("qemu: Add loadparm to qemu command line string")
added that value to the QEMU "-machine" command line parameters.
Unfortunately, the latter commit only looked at disks and network
devices for boot information, even though anything with
VIR_DOMAIN_DEF_FORMAT_ALLOW_BOOT could potentially have this tag.
In practice, a <hostdev> tag pointing to a passthrough (SCSI or DASD)
disk device can be used in this way, which means the loadparm is
accepted, but not given to QEMU.
Correct this, and add some XML/argv tests.
Signed-off-by: Eric Farman <farman@linux.ibm.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Pavel Hrdina [Thu, 2 Mar 2023 22:48:08 +0000 (23:48 +0100)]
qemu_snapshot: fix external snapshot deletion for non-active snapshots
For shutoff VMs we don't have the storage source backing chain
populated so it will fail this check and error out. Move it to
part that is done only when VM is running.
Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
conf: add support for 'blob' in virtio video device
Add the ability to enable blob resources for the virtio video device.
This will accelerate the display path due to less or no copying of pixel
data.
Blob resource support can be enabled with e.g.:
<video>
<model type='virtio' blob='on'/>
</video>
Some additional background information about blob resources:
https://lists.freedesktop.org/archives/dri-devel/2020-August/275972.html
https://www.kraxel.org/blog/2021/05/virtio-gpu-qemu-graphics-update/
conf: explicitly set VIR_DOMAIN_VIDEO_TYPE_DEFAULT to 0
Ensure that new virDomainVideoDef objects have their 'type' set to
VIR_DOMAIN_VIDEO_TYPE_DEFAULT and remove places that this value is set
after construction. Since virDomainVideoDefNew() uses g_new0() allocate
the instance, all fields are initialized to 0.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Inside of virSCSIHostFindByPCI() there's a loop which iterates of
entries of "/sys/class/scsi_host" directory trying to identify
all symlinks (which then point to a SCSI device, but that's not
important right now). But the way virFileIsLink() is called can
never return a truthful reply - because it's called over
dent->d_name instead of full path. Fix this by moving the
virFileIsLink() call and passing constructed path into it.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Remove some obvious uses of VIR_FREE() in favor of automatic
cleanup. This also means, that some variables affected are
brought into the inner most block, so that automatic cleanup is
effective.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 6 Mar 2023 19:55:25 +0000 (20:55 +0100)]
qemuAppendKeyWrapMachineParms: Format "keywrap" arguments based on architecture
Use the guest architecture to decide whether to format
'aes-key-wrap'/'dea-key-wrap' rather than
QEMU_CAPS_AES_KEY_WRAP/QEMU_CAPS_DEA_KEY_WRAP which were set based on
architecture.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
QEMU_CAPS_AES_KEY_WRAP, QEMU_CAPS_DEA_KEY_WRAP and QEMU_CAPS_LOADPARM
are always asserted via virQEMUCapsInitQMPBasicArch thus don't need to
be explicitly enabled by tests.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 6 Mar 2023 15:11:38 +0000 (16:11 +0100)]
qemu: command: Replace caps check for QEMU_CAPS_MACH_VIRT_GIC_VERSION by arch check
QEMU_CAPS_MACH_VIRT_GIC_VERSION is always asserted for VIR_ARCH_AARCH64.
Note that this patch is a direct conversion of the logic originally
residing in the capabilities code. A better coversion would be (based on
whether it is available for just AARCH64 or also ARM) to base it on the
guest architecture.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 6 Mar 2023 14:57:54 +0000 (15:57 +0100)]
qemu: command: Format '-no-hpet' based on architecture check
Rather than asserting a capability based on architecture, format the
fallback parameter based on the presence of the newer capability and an
explicit architecture check.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Mon, 6 Mar 2023 14:38:15 +0000 (15:38 +0100)]
qemu: validate: Fix logic for validating presence of the HPET timer
Commit 24cc9cda826 switched over to use -machine hpet, but one of the
steps it did was to clear the QEMU_CAPS_NO_HPET capability.
The validation check still uses the old capability though which means
that for configs which would explicitly enable HPET we'd report an error.
Since HPET is an x86(_64) platform specific device, convert the
validation check to an architecture check as all supported qemu versions
actually support it.
Modify a test case to request HPET to catch posible future problems.
Fixes: 24cc9cda826 Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Fri, 3 Mar 2023 13:38:25 +0000 (14:38 +0100)]
tests: qemuxml2argvdata: Port 'qemu-system-arm' cases with fake tests to 'qemu-system-aarch64'
'qemu-system-aarch64' is superset of the soon to be deprecated
'qemu-system-arm' binary. We can move over all of our fake-caps tests to
real caps on aarch64.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Fri, 3 Mar 2023 13:17:06 +0000 (14:17 +0100)]
qemuxml2argvdata: Convert test cases for 'ppc' architecture to latest caps
Convert the 'ppc-dtb' and 'ppce500-serial' to use real capabilities
albeit captured from a non-native machine. Thus the XML needs to be
converted to use virt type 'qemu'.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Fri, 3 Mar 2023 12:11:51 +0000 (13:11 +0100)]
testutilsqemu: Introduce ARG_QEMU_CAPS_DEL, to mask out flags from real caps
In certain cases we want to use as-real capabilities as possible but
that doesn't allow testing certain fallback scenarios of features that
can be complied out of QEMU.
ARG_QEMU_CAPS_DEL can be used similarly to ARG_QEMU_CAPS but the flag
arguments are actually masked out of the resulting caps.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Fri, 3 Mar 2023 11:42:05 +0000 (12:42 +0100)]
qemuTestCapsCacheInsertImpl: Require that callers always pass capabilities
There's just one case when we're populating the cache with empty caps so
that can allocate a dummy virQEMUCaps object rather than having the
logic inside qemuTestCapsCacheInsertImpl.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Fri, 3 Mar 2023 08:27:45 +0000 (09:27 +0100)]
qemu: capabilities: Don't make callers check return of virQEMUCapsNew(Binary)
The allocation of the object itself can't fail. What can fail is the
creation of the class on a programming error. Rather than punting the
error up the stack abort() directly on the first occurence as the error
can't be fixed during runtime.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Peter Krempa [Thu, 2 Mar 2023 16:32:28 +0000 (17:32 +0100)]
util: virfilecache: Introduce virFileCacheClear for usage in tests
In tests we need to be able to populate the cache with a deterministic
set of entries. This means we need to drop the contents of the cache
between runs to prevent spillage between test cases.
virFileCacheClear drops all entries from the hash table used for the
cache.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
Turns out that those overrides I recently removed where actually
there for a reason, and there was a motivation behind creating
the driver config as unprivileged too O:-)
Until a solution that can both ensure predictable output and
avoid code duplication is developed, go back to the previous
approach.
Fixes: 2f56f69f7f7e ("tests: Create privileged config for QEMU driver") Fixes: 0f49b6cc6b81 ("tests: Drop no longer necessary overrides") Fixes: 0b464cd84ff3 ("tests: Drop more QEMU driver config overrides") Signed-off-by: Andrea Bolognani <abologna@redhat.com>
These are allegedly necessary to keep the output consistent,
but now that we're using a privileged config for the driver we
get the desired behavior out of the box, and as a bonus the
paths match what you would actually see on a regular host.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
For almost all directories, the value we set matches the one
a standard deployment would use, but in a couple of cases they
deviate from that. Keep things consistent.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
tests: Move more QEMU driver settings to common code
None of these settings is specific to the xml2argv test. Moving
them to the common code ensures the behavior of the QEMU driver
is consistent across all QEMU tests.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Our QEMU test suite effectively covers the qemu:///system
scenario, and we have to partially replace the unprivileged
config with its privileged equivalent after the fact to keep up
the illusion.
Instead of jumping through these extra hoops, we can simply
start with a privileged configuration matching the privileged
driver we're creating for test programs.
This change highlights that we were missing a couple of
overrides, specifically in the tests for passt and dbus. Now
that we're creating a privileged config, this kind of issue
shouldn't be able to slip into the test suite.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
These are intended to be used for just a few specific tests,
but since we don't always free them up afterwards they could
end up accidentally affecting subsequent tests as well.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Follow the example of other similar settings and only enable it
for the few test cases that are actually about the specific
functionality, disabling it immediately afterwards.
A few test cases that were completely unrelated to SPICE TLS no
longer see the effects of having the feature enabled.
Signed-off-by: Andrea Bolognani <abologna@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
projects / thirdparty / libvirt.git / log
