From: "Richard W.M. Jones" <rjones@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: vsementsov@virtuozzo.com, berrange@redhat.com,
	qemu-devel@nongnu.org, qemu-block@nongnu.org
Subject: Re: [PATCH v2] nbd/server: Add --selinux-label option
Date: Mon, 27 Sep 2021 22:39:06 +0100
Message-ID: <20210927213906.GW3361@redhat.com>
In-Reply-To: <20210927211834.tzqpx4egzwbvjmrs@redhat.com>

On Mon, Sep 27, 2021 at 04:18:34PM -0500, Eric Blake wrote:
> On Fri, Jul 23, 2021 at 11:33:03AM +0100, Richard W.M. Jones wrote:
> > Under SELinux, Unix domain sockets have two labels.  One is on the
> > disk and can be set with commands such as chcon(1).  There is a
> > different label stored in memory (called the process label).  This can
> > only be set by the process creating the socket.  When using SELinux +
> > SVirt and wanting qemu to be able to connect to a qemu-nbd instance,
> > you must set both labels correctly first.
> > 
> > For qemu-nbd the options to set the second label are awkward.  You can
> > create the socket in a wrapper program and then exec into qemu-nbd.
> > Or you could try something with LD_PRELOAD.
> > 
> > This commit adds the ability to set the label straightforwardly on the
> > command line, via the new --selinux-label flag.  (The name of the flag
> > is the same as the equivalent nbdkit option.)
> > 
> > A worked example showing how to use the new option can be found in
> > this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1984938
> > 
> > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1984938
> > Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
> > ---
> 
> I'm making one tweak to your patch before sending the pull request:
> 
> > +++ b/qemu-nbd.c
> > @@ -64,6 +68,7 @@
> >  #define QEMU_NBD_OPT_FORK          263
> >  #define QEMU_NBD_OPT_TLSAUTHZ      264
> >  #define QEMU_NBD_OPT_PID_FILE      265
> > +#define QEMU_NBD_OPT_SELINUX_LABEL 266
> >  
> >  #define MBR_SIZE 512
> >  
> > @@ -116,6 +121,9 @@ static void usage(const char *name)
> >  "  --fork                    fork off the server process and exit the parent\n"
> >  "                            once the server is running\n"
> >  "  --pid-file=PATH           store the server's process ID in the given file\n"
> > +#ifdef CONFIG_SELINUX
> > +"  --selinux-label=LABEL     set SELinux process label on listening socket\n"
> > +#endif
> 
> The new option is only conditionally advertised under --help (qemu-nbd
> lacks a stable machine-parseable output, so scraping --help output
> will have to do for now)...
> 
> >  #if HAVE_NBD_DEVICE
> >  "\n"
> >  "Kernel NBD client support:\n"
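Review bot: the help text "set SELinux process label on listening socket" overstates the scope: the later hunk only applies the label when sockpath is set, so it should read "on listening Unix socket" (or similar) to make clear that TCP listeners are unaffected.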
> > @@ -532,6 +540,8 @@ int main(int argc, char **argv)
> >          { "trace", required_argument, NULL, 'T' },
> >          { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK },
> >          { "pid-file", required_argument, NULL, QEMU_NBD_OPT_PID_FILE },
> > +        { "selinux-label", required_argument, NULL,
> > +          QEMU_NBD_OPT_SELINUX_LABEL },
> 
> ...but is unconditionally supported as a long option even when support
> was not compiled in...
> 
> >          { NULL, 0, NULL, 0 }
> >      };
> >      int ch;
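Review bot: the "selinux-label" entry in the long-option table is unconditional while the --help line above is under #ifdef CONFIG_SELINUX. Wrapping this entry in the same #ifdef would make getopt_long reject the option with its standard unrecognized-option diagnostic on builds without SELinux; if it is deliberately kept unconditional, the QEMU_NBD_OPT_SELINUX_LABEL case handler is the natural place to report that support is not compiled in, independent of whether a Unix socket path was given.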
> > @@ -558,6 +568,7 @@ int main(int argc, char **argv)
> >      int old_stderr = -1;
> >      unsigned socket_activation;
> >      const char *pid_file_name = NULL;
> > +    const char *selinux_label = NULL;
> >      BlockExportOptions *export_opts;
> >  
> >  #ifdef CONFIG_POSIX
> > @@ -747,6 +758,9 @@ int main(int argc, char **argv)
> >          case QEMU_NBD_OPT_PID_FILE:
> >              pid_file_name = optarg;
> >              break;
> > +        case QEMU_NBD_OPT_SELINUX_LABEL:
> > +            selinux_label = optarg;
> > +            break;
> >          }
> >      }
> >  
> > @@ -938,6 +952,16 @@ int main(int argc, char **argv)
> >          } else {
> >              backlog = MIN(shared, SOMAXCONN);
> >          }
> > +        if (sockpath && selinux_label) {
> > +#ifdef CONFIG_SELINUX
> > +            if (setsockcreatecon_raw(selinux_label) == -1) {
> > +                error_report("Cannot set SELinux socket create context "
> > +                             "to %s: %s",
> > +                             selinux_label, strerror(errno));
> > +                exit(EXIT_FAILURE);
> > +            }
> > +#endif
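Review bot: two gaps in the `if (sockpath && selinux_label)` block. First, when CONFIG_SELINUX is undefined the body is empty, so the option is accepted and silently ignored; an #else branch reporting the missing support is needed. Second, the guard also silently drops --selinux-label when only a TCP address is configured (no sockpath); reporting an error in that case (`selinux_label && !sockpath`) avoids a user believing a label was applied. The hunk also sets the socket-create context but does not show it being reset with setsockcreatecon_raw(NULL) once the listening socket exists; if that is not done elsewhere in the patch, every socket this process creates afterwards will carry the label.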
> 
> ...but here we silently ignore it if support is not compiled in.
> Better is to issue an error message about using an unsupported option,
> so I'll squash this in:
> 
> diff --git i/qemu-nbd.c w/qemu-nbd.c
> index 5dc82c419255..94f8ec07c064 100644
> --- i/qemu-nbd.c
> +++ w/qemu-nbd.c
> @@ -962,6 +962,9 @@ int main(int argc, char **argv)
>                               selinux_label, strerror(errno));
>                  exit(EXIT_FAILURE);
>              }
> +#else
> +            error_report("SELinux support not enabled in this binary");
> +            exit(EXIT_FAILURE);
>  #endif
>          }
>          saddr = nbd_build_socket_address(sockpath, bindto, port);
> @@ -978,6 +981,9 @@ int main(int argc, char **argv)
>                               strerror(errno));
>                  exit(EXIT_FAILURE);
>              }
> +#else
> +            error_report("SELinux support not enabled in this binary");
> +            exit(EXIT_FAILURE);
>  #endif
>          }
>      } else {
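Review bot: this second #else block repeats the exact message and exit of the first; if both blocks sit under the same selinux_label guard, the first already exits on a non-SELinux build and this one is unreachable. A single check right after option parsing (in the QEMU_NBD_OPT_SELINUX_LABEL case) would diagnose the unsupported option once and also cover the case where no Unix socket path is given.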
> 

Good idea, thanks.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
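The commit message quoted above explains the in-memory (process) label on a Unix domain socket and why it can only be set by the creating process. As an added example, not code from the patch or from qemu-nbd, the C below shows the sequence the patch implements: set the socket-create context, create and bind the listening socket, reset the context, and fail loudly rather than silently ignore the label when SELinux support is not compiled in. HAVE_SELINUX, the function names and the messages are this example's own choices; build with -DHAVE_SELINUX -lselinux on a system with libselinux, otherwise every label is reported as unsupported.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>    /* setsockcreatecon_raw(3) */
#endif

/* Set the in-memory label given to sockets this process creates from now on.
 * Returns 0, or -1 with err filled in; without SELinux it is an error, not a no-op. */
static int set_socket_create_label(const char *label, char *err, size_t len)
{
#ifdef HAVE_SELINUX
    if (setsockcreatecon_raw(label) == -1) {
        snprintf(err, len, "Cannot set SELinux socket create context to %s: %s",
                 label, strerror(errno));
        return -1;
    }
    return 0;
#else
    snprintf(err, len, "SELinux support not enabled in this binary "
             "(cannot apply label %s)", label);
    return -1;
#endif
}
/* Create, bind and listen on a Unix domain socket at path, carrying label when
 * non-NULL.  The on-disk label of path is separate (chcon(1) / setfilecon(3)). */
int create_labelled_unix_socket(const char *path, const char *label,
                                char *err, size_t len)
{
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    if (label && set_socket_create_label(label, err, len) == -1) {
        return -1;              /* refuse to listen with the wrong label */
    }
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
#ifdef HAVE_SELINUX
    setsockcreatecon_raw(NULL); /* back to the default for any later sockets */
#endif
    snprintf(addr.sun_path, sizeof(addr.sun_path), "%s", path);
    unlink(path);               /* clear a stale socket file from a prior run */
    if (fd == -1 || bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == -1 ||
        listen(fd, 1) == -1) {
        snprintf(err, len, "listen on %s: %s", path, strerror(errno));
        close(fd);              /* harmless EBADF when fd is -1 */
        return -1;
    }
    return fd;
}
```

On a labelled system, `ls -Z` on the path shows the on-disk label and `ss -xlz` shows the in-memory socket context, which is the pair the commit message says must both be right before qemu can connect.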


