#!/bin/bash
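# Print an error message on stderr and terminate the script.
# Arguments: $@ - words of the message
# Outputs:   the message, on stderr
# Exits:     always, with status 1
function die {
    # The arguments are quoted and passed as printf data, so the message is
    # printed verbatim. An unquoted $@ handed to echo is word-split and
    # glob-expanded, which garbles any message built from a path or a URI
    # and lets a leading "-n"/"-e" be taken as an echo option.
    printf '%s\n' "$*" >&2
    exit 1
}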
# Print the usage text on stdout. The option parser redirects it to stderr
# when the invocation was wrong.
# Outputs: usage summary, option list and the meaning of PATH
show_help() {
    # Name the script by its basename so the synopsis matches however it
    # was invoked.
    local prog="${0##*/}"

    cat <<EOF
Usage: ${prog} -[hqnu] [PATH ...]

Clear out any XATTRs set by libvirt on all files that have them.
The idea is to reset refcounting, should it break.

-h display this help and exit
-q quiet (don't print which files are being fixed)
-n dry run; don't remove any XATTR just report the file name
-u unsafe; don't check whether there are running VMs; PATH must be specified

PATH can be specified to refine search to only to given path
instead of whole root ('/'), which is the default.
EOF
}
# Behaviour switches, all off by default; the option parser turns them on:
#   QUIET   (-q)  do not print which files are being fixed
#   DRY_RUN (-n)  report only, remove nothing
#   UNSAFE  (-u)  skip the running-domain check
QUIET=0 DRY_RUN=0 UNSAFE=0

# So far only qemu and lxc drivers use security driver.
URI=("qemu:///system" "lxc:///system")
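# Refuse to run without root privileges.
#
# The effective UID is compared instead of the account name, so any UID 0
# account is accepted whatever it is called. The substitution is quoted so
# the check fails closed: with an unquoted, empty result the test becomes
# `[ != root ]`, which is a syntax error, and a failing `if` condition lets
# the script carry on as though the check had passed.
if [ "$(id -u)" != "0" ]; then
    die "Must be run as root"
fi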
# Parse the command-line switches. -h prints the help and exits 0. Anything
# getopts does not recognise prints the help on stderr and exits 1.
while getopts hqnu opt; do
    case "$opt" in
        h) show_help; exit 0 ;;
        q) QUIET=1 ;;
        n) DRY_RUN=1 ;;
        u) UNSAFE=1 ;;
        *) show_help >&2; exit 1 ;;
    esac
done
# Select the extended-attribute namespace used on this platform. Both are
# privileged namespaces (on Linux, trusted.* is only accessible with
# CAP_SYS_ADMIN), which is presumably why the script insists on root.
# Any other kernel is rejected outright.
case "$(uname -s)" in
    Linux)   XATTR_PREFIX="trusted.libvirt.security" ;;
    FreeBSD) XATTR_PREFIX="system.libvirt.security" ;;
    *)       die "$0 is not supported on this platform" ;;
esac
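# Safety gate: unless this is a dry run (-n) or the check was waived (-u),
# refuse to touch anything while a domain is still running under any of the
# drivers in URI.
if [ "${DRY_RUN}" -eq 0 ] && [ "${UNSAFE}" -eq 0 ]; then
    # Quoted array expansion: each URI is passed to virsh as exactly one
    # word, with no word splitting or globbing (a URI may contain '?').
    for u in "${URI[@]}"; do
        # NOTE(review): virsh's stderr is discarded and its exit status is
        # not checked, so a driver that cannot be reached yields empty
        # output and is treated the same as "no domains running". That is
        # presumably deliberate (a host need not have both drivers), but it
        # means this gate fails open - confirm.
        if [ -n "$(virsh -q -c "$u" list 2>/dev/null)" ]; then
            die "There are still some domains running for $u"
        fi
    done
fi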
# Build the full list of attribute names to remove: for each security
# model, the attribute itself, its reference counter and its timestamp.
declare -a XATTRS
for i in dac selinux; do
    XATTRS+=(
        "${XATTR_PREFIX}.${i}"
        "${XATTR_PREFIX}.ref_${i}"
        "${XATTR_PREFIX}.timestamp_${i}"
    )
done
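#######################################
# Remove (or, in dry-run mode, only list) libvirt's XATTRs below a path.
# Globals:   XATTR_PREFIX, XATTRS, DRY_RUN, QUIET (all read)
# Arguments: $1 - file or directory to search recursively
# Outputs:   dry run: the getfattr dump of every matching file;
#            otherwise "Fixing <file>" per file unless QUIET is set
#######################################
fix_xattrs() {
    local DIR="$1"
    local -r header='# file: '
    local line path x

    # getfattr introduces every file that carries a matching attribute with
    # a "# file: <name>" line. Each line is read whole and only the fixed
    # header is stripped, so a name containing spaces, glob characters or
    # ':' reaches setfattr as one unmodified argument. This runs as root:
    # iterating over an unquoted $(...) instead would word-split and
    # glob-expand file names, so a crafted name could redirect the removal
    # to a different file.
    # NOTE(review): names that getfattr escapes in its header line (for
    # example an embedded newline) are presumably still not handled - confirm.
    while IFS= read -r line; do
        case "$line" in
            "$header"*) path=${line#"$header"} ;;
            *) continue ;;
        esac

        if [ "${DRY_RUN}" -ne 0 ]; then
            # Report only: show what is set on the file and move on.
            getfattr -d -m "${XATTR_PREFIX}" --absolute-names -- "$path"
            continue
        fi

        if [ "${QUIET}" -eq 0 ]; then
            printf 'Fixing %s\n' "$path"
        fi

        # "--" ends option parsing, so a name starting with '-' is never
        # taken as a setfattr option.
        for x in "${XATTRS[@]}"; do
            setfattr -x "$x" -- "$path"
        done
    done < <(getfattr -R -d -m "${XATTR_PREFIX}" --absolute-names -- "${DIR}" 2>/dev/null)
}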
# Drop the parsed options; what remains are the PATH arguments.
shift "$((OPTIND - 1))"

if [ "$#" -eq 0 ]; then
    # No PATH given: the default is the whole root. With -u the
    # running-domain check was skipped, so a sweep of '/' is refused and an
    # explicit PATH is demanded instead.
    if [ "${UNSAFE}" -eq 1 ]; then
        die "Unsafe mode (-u) requires explicit 'PATH' argument"
    fi
    fix_xattrs "/"
else
    # Process every PATH argument in the order given.
    for arg; do
        fix_xattrs "$arg"
    done
fi