-rw-r--r--Makefile1
-rw-r--r--build-data/platforms.mk4
-rw-r--r--build-root/deb/debian/.gitignore1
-rw-r--r--doxygen/siphon_templates/markdown/syscfg/index_header.md2
-rw-r--r--doxygen/user_doc.md1
-rw-r--r--extras/rpm/vpp.spec77
-rw-r--r--extras/selinux/selinux_doc.md294
-rw-r--r--extras/selinux/vpp-custom.fc22
-rw-r--r--extras/selinux/vpp-custom.if2
-rw-r--r--extras/selinux/vpp-custom.te139
-rw-r--r--extras/vpp_config/data/startup.conf.template2
-rw-r--r--extras/vpp_config/vpplib/AutoConfig.py4
-rw-r--r--src/vlib/unix/cli.c24
-rw-r--r--src/vnet/devices/virtio/vhost-user.c30
-rw-r--r--src/vpp/conf/startup.conf2
15 files changed, 582 insertions, 23 deletions
diff --git a/Makefile b/Makefile
index 1a8ef6e4bca..7c584f67660 100644
--- a/Makefile
+++ b/Makefile
@@ -85,6 +85,7 @@ RPM_DEPENDS += numactl-devel
RPM_DEPENDS += check check-devel
RPM_DEPENDS += boost boost-devel
RPM_DEPENDS += subunit subunit-devel
+RPM_DEPENDS += selinux-policy selinux-policy-devel
ifeq ($(OS_ID)-$(OS_VERSION_ID),fedora-25)
RPM_DEPENDS += openssl-devel
diff --git a/build-data/platforms.mk b/build-data/platforms.mk
index 45bd3a1b8a1..d555f2ab3eb 100644
--- a/build-data/platforms.mk
+++ b/build-data/platforms.mk
@@ -75,6 +75,10 @@ install-deb: $(patsubst %,%-find-source,$(ROOT_PACKAGES))
echo ../../src/scripts/vppctl-cmd-list /usr/share/vpp \
>> deb/debian/vpp.install ; \
\
+ : add log directory ; \
+ echo /var/log/vpp/ \
+ >> deb/debian/vpp.dirs ; \
+ \
: dev package needs a couple of additions ; \
echo ../$(INSTALL_PREFIX)$(ARCH)/vpp/bin/vppapigen /usr/bin \
>> deb/debian/vpp-dev.install ; \
diff --git a/build-root/deb/debian/.gitignore b/build-root/deb/debian/.gitignore
index 7b1028d6ad4..489f8eb2c33 100644
--- a/build-root/deb/debian/.gitignore
+++ b/build-root/deb/debian/.gitignore
@@ -3,6 +3,7 @@ files
*debhelper*
*.substvars
*.install
+*.dirs
vpp/
vpp-dev/
vpp-lib/
diff --git a/doxygen/siphon_templates/markdown/syscfg/index_header.md b/doxygen/siphon_templates/markdown/syscfg/index_header.md
index 5d338a0472b..f5a9816b99c 100644
--- a/doxygen/siphon_templates/markdown/syscfg/index_header.md
+++ b/doxygen/siphon_templates/markdown/syscfg/index_header.md
@@ -87,7 +87,7 @@ to make the content easier to read. For example:
```
unix {
nodaemon
- log /tmp/vpp.log
+ log /var/log/vpp/vpp.log
full-coredump
cli-listen localhost:5002
}
diff --git a/doxygen/user_doc.md b/doxygen/user_doc.md
index 7ac81e109ce..4d6b22f6bff 100644
--- a/doxygen/user_doc.md
+++ b/doxygen/user_doc.md
@@ -13,6 +13,7 @@ Several modules provide operational, dataplane-user focused documentation.
- @subpage dpdk_crypto_ipsec_doc
- @subpage flowprobe_plugin_doc
- @subpage qos_doc
+- @subpage selinux_doc
- @subpage span_doc
- @subpage srv6_doc
- @subpage srmpls_doc
diff --git a/extras/rpm/vpp.spec b/extras/rpm/vpp.spec
index 532b9a219d4..d3bc517c5b4 100644
--- a/extras/rpm/vpp.spec
+++ b/extras/rpm/vpp.spec
@@ -24,12 +24,30 @@
%{?systemd_requires}
+
+# SELinux Related definitions
+%global selinuxtype targeted
+%global moduletype services
+%global modulenames vpp-custom
+
+# Usage: _format var format
+# Expand 'modulenames' into various formats as needed
+# Format must contain '$x' somewhere to do anything useful
+%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %1+=" "; done;
+
+# Relabel files
+%global relabel_files() \ # ADD files in *.fc file
+
+# Version of distribution SELinux policy package
+%global selinux_policyver 3.13.1-128.6.fc22
+
+
Name: vpp
Summary: Vector Packet Processing
License: ASL 2.0
Version: %{_version}
Release: %{_release}
-Requires: vpp-lib = %{_version}-%{_release}, net-tools, pciutils, python
+Requires: vpp-lib = %{_version}-%{_release}, vpp-selinux-policy = %{_version}-%{_release}, net-tools, pciutils, python
BuildRequires: systemd, chrpath
BuildRequires: check, check-devel
BuildRequires: subunit, subunit-devel
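Review bot: `%global relabel_files() \ # ADD files in *.fc file` on L103 is the unfilled placeholder from the Fedora SELinux packaging template — nothing but a shell comment follows the backslash — so the `%relabel_files` calls in `%post selinux-policy` (L190) and `%postun selinux-policy` (L205) relabel nothing, and anything that existed before the module was loaded keeps its old context. That is exactly the gap the new selinux_doc.md asks users to close by hand with restorecon; the scriptlet can do it itself if the macro carries the paths declared in vpp-custom.fc. Paths that are not installed make restorecon exit non-zero, hence the `|| :`; the same macro body then covers the %postun side as well, so it need only be fixed here.
```spec
# Relabel files (paths mirror extras/selinux/vpp-custom.fc)
%global relabel_files() \
restorecon -R /etc/vpp /usr/lib/vpp_plugins /usr/lib/vpp_api_test_plugins /var/log/vpp /var/run/vpp || : ; \
restorecon /usr/bin/vpp* /usr/bin/svm* /usr/bin/elftool /usr/bin/jvpp_gen.py /usr/lib/systemd/system/vpp.* || : ; \
```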
@@ -51,6 +69,7 @@ BuildRequires: apr-devel
BuildRequires: numactl-devel
BuildRequires: autoconf automake libtool byacc bison flex
BuildRequires: boost boost-devel
+BuildRequires: selinux-policy selinux-policy-devel
Source: %{name}-%{_version}-%{_release}.tar.xz
# Source: vpp-latest.tar.xz
@@ -64,6 +83,7 @@ vpp_json_test - vector packet engine JSON test tool
%package lib
Summary: VPP libraries
Group: System Environment/Libraries
+Requires: vpp-selinux-policy = %{_version}-%{_release}
%description lib
This package contains the VPP shared libraries, including:
@@ -119,6 +139,14 @@ Requires: vpp = %{_version}-%{_release}, vpp-lib = %{_version}-%{_release}, pyth
%description api-python
This package contains the python bindings for the vpp api
+%package selinux-policy
+Summary: VPP Security-Enhanced Linux (SELinux) policy
+Group: System Environment/Base
+Requires(post): selinux-policy-base >= %{selinux_policyver}, selinux-policy-targeted >= %{selinux_policyver}, policycoreutils, policycoreutils-python libselinux-utils
+
+%description selinux-policy
+This package contains a tailored VPP SELinux policy
+
%prep
# Unpack into dir with longer name as work around of debugedit bug in in rpm-build 4.13
rm -rf %{name}-%{_version}
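Review bot: `Requires(post):` on L139 makes policycoreutils and libselinux-utils available for %post only, yet `%postun selinux-policy` (L202-L205) also runs semodule, selinuxenabled and load_policy; when the package is erased in a transaction that removes those tools too, rpm is free to order their removal first and the scriptlet fails. Adding `Requires(postun): policycoreutils, libselinux-utils` closes that. On the same line, `policycoreutils-python libselinux-utils` is whitespace-separated while the rest of the list uses commas — rpm accepts both, but one style is easier to audit.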
@@ -142,6 +170,7 @@ cd '%{_tmp_build_dir}'
make -C build-root PLATFORM=vpp AESNI=n TAG=%{_vpp_tag} install-packages
%endif
cd %{_mu_build_dir}/../src/vpp-api/python && %py2_build
+cd %{_mu_build_dir}/../extras/selinux && make -f %{_datadir}/selinux/devel/Makefile
%install
#
@@ -207,6 +236,19 @@ done
# Python bindings
cd %{_mu_build_dir}/../src/vpp-api/python && %py2_install
+# SELinux Policy
+# Install SELinux interfaces
+%_format INTERFACES %{_mu_build_dir}/../extras/selinux/$x.if
+install -d %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 $INTERFACES \
+ %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+
+# Install policy modules
+%_format MODULES %{_mu_build_dir}/../extras/selinux/$x.pp
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 0644 $MODULES \
+ %{buildroot}%{_datadir}/selinux/packages
+
#
# devel
#
@@ -237,6 +279,10 @@ do
%{buildroot}/usr/share/doc/vpp/examples/sample-plugin/$file )
done
+# vppctl sockfile directory
+mkdir -p -m755 %{buildroot}%{_localstatedir}/run/vpp
+# vpp.log directory
+mkdir -p -m755 %{buildroot}%{_localstatedir}/log/vpp
#
# vpp-plugins
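Review bot: `mkdir -p -m755 %{buildroot}%{_localstatedir}/run/vpp` on L177, together with the `%{_localstatedir}/run/vpp*` entry added to %files on L216, packages a directory under /run, which on systemd hosts is a tmpfs emptied at boot; the root:vpp directory therefore exists only until the first reboot unless vpp.service or a tmpfiles.d snippet recreates it, and neither is visible in this diff. The conventional fix is a `/usr/lib/tmpfiles.d/vpp.conf` containing `d /run/vpp 0755 root vpp -`, which also receives the vpp_var_run_t context from the new file-context entry when systemd-tmpfiles creates it. Independently, the `vpp*` glob claims any sibling entry whose name starts with vpp; `%dir %{_localstatedir}/run/vpp` is the precise form.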
@@ -274,6 +320,15 @@ fi
%preun
%systemd_preun vpp.service
+%post selinux-policy
+%_format MODULES %{_datadir}/selinux/packages/$x.pp
+%{_sbindir}/semodule -n -X 400 -s %{selinuxtype} -i $MODULES
+if %{_sbindir}/selinuxenabled ; then
+ %{_sbindir}/load_policy
+ %relabel_files
+fi
+
+
%postun
%systemd_postun
if [ $1 -eq 0 ] ; then
@@ -299,6 +354,15 @@ else
echo "Upgrading package, dont' unbind interfaces"
fi
+%postun selinux-policy
+if [ $1 -eq 0 ]; then
+ %{_sbindir}/semodule -n -r %{modulenames}
+ if %{_sbindir}/selinuxenabled ; then
+ %{_sbindir}/load_policy
+ %relabel_files
+ fi
+fi
+
%files
%defattr(-,bin,bin)
%{_unitdir}/vpp.service
@@ -309,6 +373,12 @@ fi
%config(noreplace) /etc/vpp/startup.conf
/usr/share/vpp/api/*
+%defattr(-,root,vpp)
+%{_localstatedir}/run/vpp*
+
+%defattr(-,root,root)
+%{_localstatedir}/log/vpp*
+
%files lib
%defattr(-,bin,bin)
%exclude %{_libdir}/vpp_plugins
@@ -330,6 +400,11 @@ fi
%defattr(644,root,root)
%{python2_sitelib}/vpp_papi*
+%files selinux-policy
+%defattr(-,root,root,0755)
+%attr(0644,root,root) %{_datadir}/selinux/packages/*.pp
+%attr(0644,root,root) %{_datadir}/selinux/devel/include/%{moduletype}/*.if
+
%files devel
%defattr(-,bin,bin)
/usr/bin/vppapigen
diff --git a/extras/selinux/selinux_doc.md b/extras/selinux/selinux_doc.md
new file mode 100644
index 00000000000..e71bd658286
--- /dev/null
+++ b/extras/selinux/selinux_doc.md
@@ -0,0 +1,294 @@
+# SELinux - VPP Custom SELinux Policy {#selinux_doc}
+
+## Overview
+
+Security-enhanced Linux (SELinux) is a security feature in the Linux kernel. At
+a very high level, SELinux implements mandatory access controls (MAC), as
+opposed to discretionary access control (DAC) implemented in standard Linux. MAC
+defines how processes can interact with other system components (Files,
+Directories, Other Processes, Pipes, Sockets, Network Ports). Each system
+component is assigned a label, and then the SELinux Policy defines which labels
+and which actions on each label a process is able to perform. The VPP Custom
+SELinux Policy defines the actions VPP is allowed to perform on which labels.
+
+The VPP Custom SELinux Policy is intended to be installed on RPM based platforms
+(tested on CentOS 7 and RHEL 7). Though SELinux can run on Debian platforms, it
+typically is not and therefore is not currently being built for Debian.
+
+The VPP Custom SELinux Policy does not enable or disable SELinux, only allows
+VPP to run when SELinux is enabled. A fresh install of either Fedora, CentOS or
+RHEL will have SELinux enabled by default. To determine if SELinux is enabled on
+a given system and enable it if needed, run:
+
+```
+ $ getenforce
+ Permissive
+
+ $ sudo setenforce 1
+
+ $ getenforce
+ Enforcing
+```
+
+To make the change persistent, modify the following file to set
+`SELINUX=enforcing`:
+
+```
+ $ sudo vi /etc/selinux/config
+ :
+ # This file controls the state of SELinux on the system.
+ # SELINUX= can take one of these three values:
+ # enforcing - SELinux security policy is enforced.
+ # permissive - SELinux prints warnings instead of enforcing.
+ # disabled - No SELinux policy is loaded.
+ SELINUX=enforcing
+ :
+```
+
+## Installation
+
+To install VPP, see the installation instructions on the VPP Wiki
+(https://wiki.fd.io/view/VPP/Installing_VPP_binaries_from_packages). The VPP
+Custom SELinux Policy is packaged in its own RPM starting in 18.04,
+`vpp-selinux-policy-<VERSION>-<RELEASE>.rpm`. It is packaged and installed along
+with the other VPP RPMs.
+
+### Fresh Install of VPP
+
+If VPP has never been installed on a system, then starting in 18.04, the VPP
+Custom SELinux Policy will be installed with the other RPMs and all the system
+components managed by VPP will be labeled properly.
+
+### Fix SELinux Labels for VPP
+In the case where the VPP Custom Policy is being installed for the first time,
+either because VPP has been upgraded or packages were removed and then
+reinstalled, several directories and files will not not be properly labeled. The
+labels on these files will need to be fixed for VPP to run properly with SELinux
+enabled. After the VPP Custom SELinux Policy is installed, run the following
+commands to fix the labels. If VPP is already running, make sure to restart
+VPP after the labels are fixed. This change is persistent for the life of the
+file. Once the VPP Custom Policy is installed on the system, subsequent files
+created by VPP will be labeled properly. This is only to fix files created by
+VPP prior to the VPP Custom Policy being installed.
+
+```
+ $ sudo restorecon -Rv /etc/vpp/
+ $ sudo restorecon -Rv /usr/lib/vpp_api_test_plugins/
+ $ sudo restorecon -Rv /usr/lib/vpp_plugins/
+ $ sudo restorecon -Rv /usr/share/vpp/
+ $ sudo restorecon -Rv /var/run/vpp/
+
+ $ sudo chcon -t vpp_tmp_t /tmp/vpp_*
+ $ sudo chcon -t vpp_var_run_t /var/run/.vpp_*
+```
+
+**NOTE:** Because the VPP APIs allow custom filenames in certain scenarios, the
+above commands may not handle all files. Inspect your system and correct any
+files that are mislabeled. For example, to verify all VPP files in `/tmp/` are
+labeled properly, run:
+
+```
+ $ sudo ls -alZ /tmp/
+```
+
+Any files not properly labeled with `vpp_tmp_t`, run:
+
+```
+ $ sudo chcon -t vpp_tmp_t /tmp/<filename>
+```
+
+## VPP Files
+
+### Recommended Default File Directories
+
+Documentation in the VPP Wiki (https://wiki.fd.io/view/VPP/) and doxygen
+generated documentation have examples with files located in certain directories.
+Some of the recommend file locations have been moved to satisfy SELinux. Most of
+the documentation has been updated, but links to older documentation still exist
+and there may have been instances that were missed. Use the file locations
+described below to allow SELinux to properly label the given files.
+
+File locations that have changed:
+* VPP Debug CLI Script Files
+* vHost Sockets
+* VPP Log Files
+
+#### VPP Debug CLI Script Files
+
+The VPP Debug CLI, `vppctl`, allows a sequence of CLI commands to be read from a
+file and executed. To avoid from having to grant VPP access to all of `/tmp/` and
+possibly `/home/` sub-directories, it is recommended that any VPP Debug CLI script
+files be placed in a common directory such as `/usr/share/vpp/`.
+
+For example:
+```
+$ cat /usr/share/vpp/scripts/gigup.txt
+set interface state GigabitEthernet0/8/0 up
+set interface state GigabitEthernet0/9/0 up
+```
+
+To execute:
+```
+$ vppctl exec /usr/share/vpp/scripts/gigup.txt
+```
+Or
+```
+$ vppctl
+ _______ _ _ _____ ___
+ __/ __/ _ \ (_)__ | | / / _ \/ _ \
+ _/ _// // / / / _ \ | |/ / ___/ ___/
+ /_/ /____(_)_/\___/ |___/_/ /_/
+
+vpp# exec /usr/share/vpp/scripts/gigup.txt
+vpp# quit
+
+```
+
+If the file is not labeled properly, you will see something similar to:
+```
+$ vppctl exec /home/<user>/dev/vpp/scripts/vppctl/gigup.txt
+exec: failed to open `/home/<user>/dev/vpp/scripts/vppctl/gigup.txt': Permission denied
+
+$ ls -alZ
+drwxrwxr-x. <user> <user> unconfined_u:object_r:user_home_t:s0 .
+drwxrwxr-x. <user> <user> unconfined_u:object_r:user_home_t:s0 ..
+-rw-r--r--. <user> <user> unconfined_u:object_r:user_home_t:s0 gigup.txt
+```
+
+##### Original Documentation
+
+Some of the original documentation showed script files being executed out of
+`/tmp/`. Convenience also may lead to script files being placed in
+`/home/<user>/` subdirectories. If a file is generated by the VPP process in
+`/tmp/`, for example a trace file or pcap file, it will get properly labeled
+with the SELinux label `vpp_tmp_t`. When a file is created, unless a rule is in
+place for the process that created it, the file will inherit the SELinux label
+of the parent directory. So if a user creates a file themselves in `/tmp/`, it
+will get the SELinux label `tmp_t`, which VPP does not have permission to
+access. Therefore it is recommended that script files are located as described
+above.
+
+#### vHost Sockets
+
+vHost sockets are created from VPP perspective in either Server or Client mode.
+In Server mode, the socket name is provided to VPP and VPP creates the socket.
+In Client mode, the socket name is provided to VPP and the hypervisor creates
+the socket. In order for VPP and hypervisor to share the socket resource with
+SELinux enabled, a rule in the VPP Custom SELinux Policy has been added. This
+rules allows processes with the `svirt_t` label (the hypervisor) to access
+sockets with the `vpp_var_run_t` label. As such, when SELinux is enabled,
+vHost sockets should be created in the directory `/var/run/vpp/`.
+
+##### Original Documentation
+
+Some of the original documentation showed vHost sockets being created in the
+directory `/tmp/`. To work properly with SELinux enabled, vHost sockets should be
+created as described above.
+
+#### VPP Log Files
+
+The VPP log file location is set by updating the `/etc/vpp/startup.conf` file:
+
+```
+vi /etc/vpp/startup.conf
+unix {
+:
+ log /var/log/vpp/vpp.log
+:
+}
+
+```
+
+By moving the log file to `/var/log/vpp/`, it will get the label `vpp_log_t`,
+which indicates that the files are log files so they benefit from the
+associated rules (for example granting rights to logrotate so that it can
+manipulate them).
+
+##### Original Documentation
+
+The default `startup.conf` file creates the VPP log file in `/tmp/vpp.log`. By
+leaving the log file in `/tmp/`, it will get the label `vpp_tmp_t`. Moving it
+to `/var/log/vpp/`, it will get the label `vpp_log_t`.
+
+### Use of Non-default File Directories
+
+VPP installs multiple files on the system.
+Some files have fixed directory and file names:
+- /etc/bash_completion.d/vppctl_completion
+- /etc/sysctl.d/80-vpp.conf
+- /usr/lib/systemd/system/vpp.service
+
+Others files have default directory and file names but the default can be
+overwritten:
+- /etc/vpp/startup.conf
+ - Can be changed via the `/usr/lib/systemd/system/vpp.service` file by
+ changing the -c option on the VPP command line:
+
+```
+ExecStart=/usr/bin/vpp -c /etc/vpp/startup.conf
+```
+
+- /run/vpp/cli.sock
+ - Can be changed via the `/etc/vpp/startup.conf` file by changing the
+ cli-listen setting:
+
+```
+unix {
+:
+ cli-listen /run/vpp/cli.sock
+:
+}
+```
+
+
+- /var/log/vpp/vpp.log
+ - Can be changed via the `/etc/vpp/startup.conf` file by changing the log
+ setting:
+
+```
+unix {
+ :
+ log /var/log/vpp/vpp.log
+ :
+}
+
+```
+
+If the directory of any VPP installed files is changed from the default, ensure
+that the proper SELiunx label is applied. The SELinux label can be determined by
+passing the -Z option to many common Linux commands:
+
+```
+ls -alZ /run/vpp/
+drwxr-xr-x. root vpp system_u:object_r:vpp_var_run_t:s0 .
+drwxr-xr-x. root root system_u:object_r:var_run_t:s0 ..
+srwxrwxr-x. root vpp system_u:object_r:vpp_var_run_t:s0 cli.sock
+```
+
+### VPP SELinux Types ###
+
+The following SELinux types are created by the VPP Custom SELinux Policy:
+- `vpp_t` - Applied to:
+ - VPP process and spawned threads.
+
+- `vpp_config_rw_t` - Applied to:
+ - `/etc/vpp/*`
+
+- `vpp_tmp_t` - Applied to:
+ - `/tmp/*`
+
+- `vpp_exec_t` - Applied to:
+ - `/usr/bin/*`
+
+- `vpp_lib_t` - Applied to:
+ - `/usr/lib/vpp_api_test_plugins/*`
+ - `/usr/lib/vpp_plugins/*`
+
+- `vpp_unit_file_t` - Applied to:
+ - `/usr/lib/systemd/system/vpp.*`
+
+- `vpp_log_t` - Applied to:
+ - `/var/log/vpp/*`
+
+- `vpp_var_run_t` - Applied to:
+ - `/var/run/vpp/*`
diff --git a/extras/selinux/vpp-custom.fc b/extras/selinux/vpp-custom.fc
new file mode 100644
index 00000000000..5b9d277ebea
--- /dev/null
+++ b/extras/selinux/vpp-custom.fc
@@ -0,0 +1,22 @@
+/etc/vpp(/.*)? gen_context(system_u:object_r:vpp_config_rw_t,s0)
+
+/usr/bin/elftool -- gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/jvpp_gen.py -- gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/svmdbtool -- gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/svmtool -- gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vpp -- gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vppapigen -- gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vpp_api_test -- gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vppctl -- gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vpp_get_metrics -- gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vpp_json_test -- gen_context(system_u:object_r:vpp_exec_t,s0)
+/usr/bin/vpp_restart -- gen_context(system_u:object_r:vpp_exec_t,s0)
+
+/usr/lib/systemd/system/vpp.* -- gen_context(system_u:object_r:vpp_unit_file_t,s0)
+
+/usr/lib/vpp_plugins(/.*)? gen_context(system_u:object_r:vpp_lib_t,s0)
+/usr/lib/vpp_api_test_plugins(/.*)? gen_context(system_u:object_r:vpp_lib_t,s0)
+
+/var/log/vpp(/.*)? gen_context(system_u:object_r:vpp_log_t,s0)
+
+/var/run/vpp(/.*)? gen_context(system_u:object_r:vpp_var_run_t,s0)
diff --git a/extras/selinux/vpp-custom.if b/extras/selinux/vpp-custom.if
new file mode 100644
index 00000000000..573da143cbb
--- /dev/null
+++ b/extras/selinux/vpp-custom.if
@@ -0,0 +1,2 @@
+##
+ VPP service. \ No newline at end of file
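Review bot: vpp-custom.if is a `##` line followed by the bare text ` VPP service.` with no trailing newline, which is not the refpolicy interface-file format; module descriptions are XML doc comments, i.e. `## <summary>VPP service.</summary>`. As far as I can tell the devel Makefile passes the non-comment line through m4 where it is discarded, so the build happens to succeed, but policy documentation tooling that parses `##` headers gets nothing, and any future text line here would leak into the generated policy.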
diff --git a/extras/selinux/vpp-custom.te b/extras/selinux/vpp-custom.te
new file mode 100644
index 00000000000..e0a1f64d018
--- /dev/null
+++ b/extras/selinux/vpp-custom.te
@@ -0,0 +1,139 @@
+policy_module(vpp-custom,1.0)
+
+########################################
+#
+# Declarations
+#
+
+gen_require(`
+ type hugetlbfs_t;
+ type svirt_t;
+ type svirt_image_t;
+ type systemd_sysctl_t;
+ class capability sys_admin;
+')
+
+type vpp_t;
+type vpp_exec_t;
+init_daemon_domain(vpp_t, vpp_exec_t)
+
+type vpp_config_rw_t;
+files_config_file(vpp_config_rw_t)
+
+type vpp_lib_t; # if there is vpp_var_lib_t, we don't need vpp_lib_t
+files_type(vpp_lib_t)
+
+type vpp_log_t;
+logging_log_file(vpp_log_t)
+
+type vpp_var_run_t;
+files_type(vpp_var_run_t)
+
+type vpp_unit_file_t;
+systemd_unit_file(vpp_unit_file_t)
+
+type vpp_tmpfs_t;
+files_tmpfs_file(vpp_tmpfs_t)
+
+type vpp_tmp_t;
+files_tmp_file(vpp_tmp_t)
+
+########################################
+#
+# vpp local policy
+#
+
+allow vpp_t self:capability { dac_override ipc_lock setgid sys_rawio net_raw sys_admin }; # too benefolent
+dontaudit vpp_t self:capability2 block_suspend;
+allow vpp_t self:process { execmem execstack setsched signal }; # too benefolent
+allow vpp_t self:packet_socket { bind create setopt ioctl };
+allow vpp_t self:tun_socket { create relabelto relabelfrom };
+allow vpp_t self:udp_socket { create ioctl };
+allow vpp_t self:unix_dgram_socket { connect create ioctl };
+allow vpp_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_dirs_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
+manage_files_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
+allow vpp_t vpp_lib_t:file execute;
+files_var_lib_filetrans(vpp_t, vpp_lib_t, {file dir})
+
+manage_dirs_pattern(vpp_t, vpp_log_t, vpp_log_t)
+manage_files_pattern(vpp_t, vpp_log_t, vpp_log_t)
+logging_log_filetrans(vpp_t, vpp_log_t, {file dir})
+
+manage_dirs_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
+manage_files_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
+manage_sock_files_pattern(vpp_t, vpp_var_run_t, vpp_var_run_t)
+allow vpp_t vpp_var_run_t:dir mounton;
+files_pid_filetrans(vpp_t, vpp_var_run_t, { dir sock_file file })
+
+manage_dirs_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
+manage_files_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
+manage_sock_files_pattern(vpp_t, vpp_tmp_t, vpp_tmp_t)
+allow vpp_t vpp_tmp_t:dir mounton;
+files_tmp_filetrans(vpp_t, vpp_tmp_t, { dir sock_file file })
+
+manage_dirs_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
+manage_files_pattern(vpp_t, vpp_tmpfs_t, vpp_tmpfs_t)
+fs_tmpfs_filetrans(vpp_t, vpp_tmpfs_t, { dir file })
+
+read_files_pattern(vpp_t, vpp_config_rw_t, vpp_config_rw_t)
+
+kernel_read_system_state(vpp_t)
+kernel_read_network_state(vpp_t)
+kernel_dgram_send(vpp_t)
+kernel_request_load_module(vpp_t)
+
+auth_read_passwd(vpp_t)
+
+corenet_rw_tun_tap_dev(vpp_t)
+
+dev_rw_userio_dev(vpp_t)
+dev_rw_sysfs(vpp_t)
+dev_read_cpuid(vpp_t)
+dev_rw_vfio_dev(vpp_t)
+
+domain_obj_id_change_exemption(vpp_t)
+
+fs_manage_hugetlbfs_dirs(vpp_t)
+fs_manage_hugetlbfs_files(vpp_t)
+allow vpp_t hugetlbfs_t:filesystem { getattr mount unmount };
+fs_getattr_tmpfs(vpp_t)
+
+logging_send_syslog_msg(vpp_t)
+
+miscfiles_read_generic_certs(vpp_t)
+
+userdom_list_user_home_content(vpp_t)
+
+optional_policy(`
+ virt_stream_connect_svirt(vpp_t)
+')
+
+optional_policy(`
+ unconfined_attach_tun_iface(vpp_t)
+')
+
+
+########################################
+#
+# svirt local policy for vpp
+#
+
+allow svirt_t vpp_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
+manage_files_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
+manage_sock_files_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
+
+allow vpp_t svirt_image_t:file { read write };
+
+
+########################################
+#
+# systemd_sysctl_t local policy for vpp
+#
+
+read_files_pattern(systemd_sysctl_t, vpp_config_rw_t, vpp_config_rw_t)
+
+
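Review bot: L631-L634 give vpp_t `manage_dirs_pattern`/`manage_files_pattern` on vpp_lib_t while L633 also allows `execute` on the same type, so the domain may both write and execute /usr/lib/vpp_plugins and /usr/lib/vpp_api_test_plugins; a compromised VPP process could drop a plugin there and load it, which is what a dedicated label is supposed to prevent. Unless VPP really writes into those directories (the comment on L599 reads as if this was never settled), the grant should be list/read plus execute, and the `files_var_lib_filetrans` on L634 goes with it; on kernels that enforce the `map` permission, `execute` alone may not suffice for dlopen, so confirm against the target refpolicy. Likewise L701-L703 let svirt_t create, delete and rename any file or directory under /var/run/vpp, including cli.sock (the doc's `ls -alZ /run/vpp/` listing shows it living there), whereas client-mode vhost-user only needs the hypervisor to create and use the sock_file — `manage_sock_files_pattern` on its own already carries the directory permissions that requires. The `# too benefolent` remarks on L622/L624 (sic, benevolent) flag the capability and execmem/execstack grants as known-broad; a one-line reason per capability would let a later reviewer prune them safely.
```selinux
# … unchanged: declarations and vpp_t self:* rules …
# Plugins are shipped by the package and never written by vpp: list/read + execute only.
list_dirs_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
read_files_pattern(vpp_t, vpp_lib_t, vpp_lib_t)
allow vpp_t vpp_lib_t:file execute;
# … unchanged: log, var_run, tmp, tmpfs, config and interface calls …
allow svirt_t vpp_t:unix_stream_socket connectto;
# The hypervisor needs the vhost sock_file only; this pattern includes rw_dir_perms on the directory.
manage_sock_files_pattern(svirt_t, vpp_var_run_t, vpp_var_run_t)
# … unchanged: svirt_image_t and systemd_sysctl_t rules …
```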
diff --git a/extras/vpp_config/data/startup.conf.template b/extras/vpp_config/data/startup.conf.template
index 91b92c62aea..912bbc4b085 100644
--- a/extras/vpp_config/data/startup.conf.template
+++ b/extras/vpp_config/data/startup.conf.template
@@ -1,7 +1,7 @@
unix {{
{unix}
- log /tmp/vpp.log
+ log /var/log/vpp/vpp.log
full-coredump
cli-listen /run/vpp/cli.sock
}}
diff --git a/extras/vpp_config/vpplib/AutoConfig.py b/extras/vpp_config/vpplib/AutoConfig.py
index 36b6833e7a9..26603e8e380 100644
--- a/extras/vpp_config/vpplib/AutoConfig.py
+++ b/extras/vpp_config/vpplib/AutoConfig.py
@@ -1637,7 +1637,7 @@ class AutoConfig(object):
question = "Would you like connect this interface {} to the VM [Y/n]? ".format(name)
answer = self._ask_user_yn(question, 'y')
if answer == 'y':
- sockfilename = '/tmp/sock{}.sock'.format(inum)
+ sockfilename = '/var/run/vpp/sock{}.sock'.format(inum)
if os.path.exists(sockfilename):
os.remove(sockfilename)
cmd = 'vppctl create vhost-user socket {} server'.format(sockfilename)
@@ -1679,7 +1679,7 @@ class AutoConfig(object):
for intf in ints_with_vints:
vhoststr = 'comment { The following command creates the socket }\n'
vhoststr += 'comment { and returns a virtual interface }\n'
- vhoststr += 'comment {{ create vhost-user socket /tmp/sock{}.sock server }}\n'. \
+ vhoststr += 'comment {{ create vhost-user socket /var/run/vpp/sock{}.sock server }}\n'. \
format(intf['bridge'])
setintdnstr = 'set interface state {} down\n'.format(intf['name'])
diff --git a/src/vlib/unix/cli.c b/src/vlib/unix/cli.c
index 9f5862a036f..0cf4ed38fe3 100644
--- a/src/vlib/unix/cli.c
+++ b/src/vlib/unix/cli.c
@@ -3011,16 +3011,32 @@ done:
}
/*?
- * Executes a sequence of CLI commands which are read from a file.
- *
- * If a command is unrecognised or otherwise invalid then the usual CLI
+ * Executes a sequence of CLI commands which are read from a file. If
+ * a command is unrecognised or otherwise invalid then the usual CLI
* feedback will be generated, however execution of subsequent commands
* from the file will continue.
+ *
+ * The VPP code is indifferent to the file location. However, if SELinux
+ * is enabled, then the file needs to have an SELinux label the VPP
+ * process is allowed to access. For example, if a file is created in
+ * '<em>/usr/share/vpp/</em>', it will be allowed. However, files manually
+ * created in '/tmp/' or '/home/<user>/' will not be accessible by the VPP
+ * process when SELinux is enabled.
+ *
+ * @cliexpar
+ * Sample file:
+ * @clistart
+ * <b><em>$ cat /usr/share/vpp/scripts/gigup.txt</em></b>
+ * set interface state GigabitEthernet0/8/0 up
+ * set interface state GigabitEthernet0/9/0 up
+ * @cliend
+ * Example of how to execute a set of CLI commands from a file:
+ * @cliexcmd{exec /usr/share/vpp/scripts/gigup.txt}
?*/
/* *INDENT-OFF* */
VLIB_CLI_COMMAND (cli_exec, static) = {
.path = "exec",
- .short_help = "Execute commands from file",
+ .short_help = "exec <filename>",
.function = unix_cli_exec,
.is_mp_safe = 1,
};
diff --git a/src/vnet/devices/virtio/vhost-user.c b/src/vnet/devices/virtio/vhost-user.c
index c7820406538..874a97dbd77 100644
--- a/src/vnet/devices/virtio/vhost-user.c
+++ b/src/vnet/devices/virtio/vhost-user.c
@@ -3355,16 +3355,23 @@ done:
*
* There are several parameters associated with a vHost interface:
*
- * - <b>socket <socket-filename></b> - Name of the linux socket used by QEMU/VM and
- * VPP to manage the vHost interface. If socket does not already exist, VPP will
- * create the socket.
+ * - <b>socket <socket-filename></b> - Name of the linux socket used by hypervisor
+ * and VPP to manage the vHost interface. If in '<em>server</em>' mode, VPP will
+ * create the socket if it does not already exist. If in '<em>client</em>' mode,
+ * hypervisor will create the socket if it does not already exist. The VPP code
+ * is indifferent to the file location. However, if SELinux is enabled, then the
+ * socket needs to be created in '<em>/var/run/vpp/</em>'.
*
- * - <b>server</b> - Optional flag to indicate that VPP should be the server for the
- * linux socket. If not provided, VPP will be the client.
+ * - <b>server</b> - Optional flag to indicate that VPP should be the server for
+ * the linux socket. If not provided, VPP will be the client. In '<em>server</em>'
+ * mode, the VM can be reset without tearing down the vHost Interface. In
+ * '<em>client</em>' mode, VPP can be reset without bringing down the VM and
+ * tearing down the vHost Interface.
*
* - <b>feature-mask <hex></b> - Optional virtio/vhost feature set negotiated at
- * startup. By default, all supported features will be advertised. Otherwise,
- * provide the set of features desired.
+ * startup. <b>This is intended for degugging only.</b> It is recommended that this
+ * parameter not be used except by experienced users. By default, all supported
+ * features will be advertised. Otherwise, provide the set of features desired.
* - 0x000008000 (15) - VIRTIO_NET_F_MRG_RXBUF
* - 0x000020000 (17) - VIRTIO_NET_F_CTRL_VQ
* - 0x000200000 (21) - VIRTIO_NET_F_GUEST_ANNOUNCE
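Review bot: L818 reads `<b>This is intended for degugging only.</b>`; the word should be `debugging`, and since this block is the source of the generated CLI documentation the typo ends up user-visible. The enclosing doc comment continues past the end of this hunk.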
@@ -3382,17 +3389,14 @@ done:
* in the name to be specified. If instance already exists, name will be used
* anyway and multiple instances will have the same name. Use with caution.
*
- * - <b>mode [interrupt | polling]</b> - Optional parameter specifying
- * the input thread polling policy.
- *
* @cliexpar
* Example of how to create a vhost interface with VPP as the client and all features enabled:
- * @cliexstart{create vhost-user socket /tmp/vhost1.sock}
+ * @cliexstart{create vhost-user socket /var/run/vpp/vhost1.sock}
* VirtualEthernet0/0/0
* @cliexend
* Example of how to create a vhost interface with VPP as the server and with just
* multiple queues enabled:
- * @cliexstart{create vhost-user socket /tmp/vhost2.sock server feature-mask 0x40400000}
+ * @cliexstart{create vhost-user socket /var/run/vpp/vhost2.sock server feature-mask 0x40400000}
* VirtualEthernet0/0/1
* @cliexend
* Once the vHost interface is created, enable the interface using:
@@ -3451,7 +3455,7 @@ VLIB_CLI_COMMAND (vhost_user_delete_command, static) = {
* VHOST_USER_PROTOCOL_F_MQ (0)
* VHOST_USER_PROTOCOL_F_LOG_SHMFD (1)
*
- * socket filename /tmp/vhost1.sock type client errno "Success"
+ * socket filename /var/run/vpp/vhost1.sock type client errno "Success"
*
* rx placement:
* thread 1 on vring 1
diff --git a/src/vpp/conf/startup.conf b/src/vpp/conf/startup.conf
index b18c6743869..2a12ef9ec2a 100644
--- a/src/vpp/conf/startup.conf
+++ b/src/vpp/conf/startup.conf
@@ -1,7 +1,7 @@
unix {
nodaemon
- log /tmp/vpp.log
+ log /var/log/vpp/vpp.log
full-coredump
cli-listen /run/vpp/cli.sock
gid vpp