This patch series extends the libvirt security driver API, and sVirt implementation to cover management of host device labelling. Previously users would have to set a global boolean tunable virt_use_pci/usb to allow all domains access to all host devices. With this series applied libvirt will automatically relabel only the individual PCI/USB devices which are assigned to a guest. ie it should make host device assignment 'just work' when sVirt is enforcing, and improve security.

It also attempts to address a problem with restoration of disk labels. The current code uses matchpathcon() to find the default label for a path. This works fine for locations which have a defined label in the policy (eg like /var/lib/libvirt/images), but if storing disk images in non-default locations, eg an external USB drive mounted under a place like /media/myusbdisk/virtual-images/, matchpathcon() returns NULL. In this scenario the disk would remain labelled with the MCS level specific to the just stopped VM. Since MCS labels are allocated on demand on each boot, this could allow a future VM to access disks that it ought not to be able to.

Dan Walsh suggested that we default to using the label defined for matchpathcon("/var/libvirt/images/00-DEFAULT") in this case, but this doesn't work for restoring USB/PCI device labels[1]. In all the cases I've had this problem so far, the files' original label matched that of the directory it was contained in, so this patch just uses the containing directory's label when restoring labels. Dan didn't like this idea when I first mentioned it in IRC though, so perhaps I need to implement different logic still... ?

Regards,
Daniel

[1] PCI device access from VMs requires labelling /sys/bus/pci/devices/$DOMAIN:$BUS:$SLOT:FUNCTION/{config, resource*, rom} while USB device access requires labelling /dev/bus/usb/$BUS/$DEVICE