Re: [PATCH v4 09/11] security: Label the external swtpm with SELinux labels

On 05/15/2018 06:30 AM, Boris Fiuczynski wrote:
On 05/10/2018 11:57 PM, Stefan Berger wrote:
In this patch we label the swtpm process with SELinux labels. We give it the same label as the QEMU process has. We label its state directory and files as well. We restore the old security labels once the swtpm has terminated.

The file and process labels now look as follows:

Directory: /var/lib/libvirt/swtpm

[root@localhost swtpm]# ls -lZ
total 4
drwx------. 2 tss  tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm

[root@localhost testvm]# ls -lZ
total 8
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall

The log in /var/log/swtpm/libvirt/qemu is labeled as follows:

-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log

[root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0  0.0 28172 3892 ?        Ss   16:57   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log

[root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0  0.0 3096704 48500 ?    Sl   16:57   3:28 /bin/qemu-system-x86_64 [..]

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
---
  src/libvirt_private.syms        |   2 +
  src/qemu/qemu_tpm.c             |  24 +++++-
  src/security/security_driver.h  |   7 ++
  src/security/security_manager.c |  36 +++++++++
  src/security/security_manager.h |   6 ++
  src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++
  src/security/security_stack.c   |  40 ++++++++++
  7 files changed, 278 insertions(+), 1 deletion(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 75b8932..2ce67e7 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1319,6 +1319,7 @@ virSecurityManagerRestoreImageLabel;
  virSecurityManagerRestoreInputLabel;
  virSecurityManagerRestoreMemoryLabel;
  virSecurityManagerRestoreSavedStateLabel;
+virSecurityManagerRestoreTPMLabels;
  virSecurityManagerSetAllLabel;
  virSecurityManagerSetChardevLabel;
  virSecurityManagerSetChildProcessLabel;
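Review bot: exporting virSecurityManagerRestoreTPMLabels here without a matching wrapper in src/qemu/qemu_security.h forces qemu_tpm.c to call the virSecurityManager* API directly, which the sc_prohibit_virSecurity syntax-check rule rejects ("maint.mk: prefer qemuSecurity wrappers"). The build output later in this thread shows two such call sites, qemu_tpm.c:860 and qemu_tpm.c:911, so both the start and the cleanup path depend on this symbol; add a qemuSecurity wrapper in src/qemu/qemu_security.c that performs the restore and route both callers through it, so the pre-fork/post-fork and restore sequence lives in one place.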
@@ -1333,6 +1334,7 @@ virSecurityManagerSetProcessLabel;
  virSecurityManagerSetSavedStateLabel;
  virSecurityManagerSetSocketLabel;
  virSecurityManagerSetTapFDLabel;
+virSecurityManagerSetTPMLabels;

Shouldn't there be wrappers for
virSecurityManagerRestoreTPMLabels
virSecurityManagerSetTPMLabels
in src/qemu/qemu_security.h and possibly src/qemu/qemu_security.c?


  virSecurityManagerStackAddNested;
  virSecurityManagerTransactionAbort;
  virSecurityManagerTransactionCommit;
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 024d24d..62f0146 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
make syntax-check error

0.03 prohibit_virConnectOpen_in_virsh
prohibit_virSecurity
../src/qemu/qemu_tpm.c:812:    if (virSecurityManagerSetTPMLabels(driver->securityManager,
../src/qemu/qemu_tpm.c:816:    if (virSecurityManagerSetChildProcessLabel(driver->securityManager,
../src/qemu/qemu_tpm.c:820:    if (virSecurityManagerPreFork(driver->securityManager) < 0)
../src/qemu/qemu_tpm.c:829:    virSecurityManagerPostFork(driver->securityManager);
../src/qemu/qemu_tpm.c:860:    virSecurityManagerRestoreTPMLabels(driver->securityManager, def);
../src/qemu/qemu_tpm.c:911:    virSecurityManagerRestoreTPMLabels(driver->securityManager, def);
maint.mk: prefer qemuSecurity wrappers
../cfg.mk:998: recipe for target 'sc_prohibit_virSecurity' failed
make: *** [sc_prohibit_virSecurity] Error 1

I wrapped this now in two functions:

int qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver,
                                 virDomainDefPtr def,
                                 virCommandPtr cmd,
                                 uid_t uid,
                                 gid_t gid,
                                 int *exitstatus,
                                 int *cmdret);

void qemuSecurityCleanupTPMEmulator(virQEMUDriverPtr driver,
                                    virDomainDefPtr def);

I will repost a v5 later today.

   Stefan

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
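The commit message above states the labelling rule this patch implements: the swtpm process runs as svirt_t with the same MCS categories as the QEMU process it serves, and its state directory, state files and log are svirt_image_t with those same categories. The following shell check is an added example, not code from the libvirt patch or from anyone in this thread. It parses `ps auxZ` and `ls -lZ` lines of the shape quoted in the commit message and reports any process or file whose type or category pair does not match QEMU's. The passing inputs are taken from the labels shown in the commit message; the two failure inputs (a state file still carrying a generic virt_var_lib_t label, and one carrying another VM's categories) are constructed for the example.

```shell
#!/bin/sh
# Added example; not part of the libvirt patch or the thread. Encodes the rule
# the commit message states: the swtpm process is svirt_t with the same MCS
# categories as the QEMU process, and its state and log files are
# svirt_image_t with those same categories. Sample lines are constructed from
# the `ps auxZ` / `ls -lZ` output quoted in the commit message.

# The context is the first field of a `ps auxZ` line and the fifth of `ls -lZ`.
ps_ctx() { printf '%s\n' "$1" | awk '{ print $1 }'; }
ls_ctx() { printf '%s\n' "$1" | awk '{ print $5 }'; }

# user:role:type:range -> type is field 3, the MLS/MCS range is field 4 onward.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }
ctx_mcs()  { printf '%s\n' "$1" | cut -d: -f4-; }

# svirt_check REF_PROC_CTX PROC_CTX [FILE_CTX...]
# Returns 0 when PROC_CTX is svirt_t with REF's categories and every FILE_CTX
# is svirt_image_t with the same categories; prints the first mismatch otherwise.
svirt_check() {
    ref_mcs=$(ctx_mcs "$1"); proc_ctx=$2; shift 2
    if [ "$(ctx_type "$proc_ctx")" != svirt_t ]; then
        echo "process type $(ctx_type "$proc_ctx"), expected svirt_t"; return 1
    fi
    if [ "$(ctx_mcs "$proc_ctx")" != "$ref_mcs" ]; then
        echo "process MCS $(ctx_mcs "$proc_ctx") differs from QEMU MCS $ref_mcs"; return 1
    fi
    for fctx in "$@"; do
        if [ "$(ctx_type "$fctx")" != svirt_image_t ]; then
            echo "file type $(ctx_type "$fctx"), expected svirt_image_t"; return 1
        fi
        if [ "$(ctx_mcs "$fctx")" != "$ref_mcs" ]; then
            echo "file MCS $(ctx_mcs "$fctx") differs from QEMU MCS $ref_mcs"; return 1
        fi
    done
    return 0
}

# Passing samples, built from the labels shown in the commit message.
QEMU_PS='system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64'
SWTPM_PS='system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon'
STATE_LS='-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall'
LOG_LS='-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log'
# Constructed failure cases: a state file never relabelled for this VM (generic
# type, no categories) and a state file carrying another VM's categories.
UNLABELLED_LS='-rw-r--r--. 1 tss tss system_u:object_r:virt_var_lib_t:s0 3648 Apr 5 16:46 tpm-00.permall'
OTHER_VM_LS='-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c10,c20 3648 Apr 5 16:46 tpm-00.permall'

check_ok()         { svirt_check "$(ps_ctx "$QEMU_PS")" "$(ps_ctx "$SWTPM_PS")" "$(ls_ctx "$STATE_LS")" "$(ls_ctx "$LOG_LS")"; }
check_unlabelled() { svirt_check "$(ps_ctx "$QEMU_PS")" "$(ps_ctx "$SWTPM_PS")" "$(ls_ctx "$UNLABELLED_LS")"; }
check_other_vm()   { svirt_check "$(ps_ctx "$QEMU_PS")" "$(ps_ctx "$SWTPM_PS")" "$(ls_ctx "$OTHER_VM_LS")"; }

check_ok && echo "swtpm labels consistent with QEMU"
check_unlabelled || echo "(mismatch above is the expected unlabelled-file case)"
check_other_vm || echo "(mismatch above is the expected other-VM case)"
```

On a live host the same functions take their input from `ps auxZ` and `ls -lZ` exactly as in the commit message; the contexts can also be read directly with `ps -o label= -C swtpm` and `stat -c %C` on the files under /var/lib/libvirt/swtpm and /var/log/swtpm/libvirt/qemu. The category comparison is the part worth automating: a file whose type is right but whose categories belong to a different VM is exactly the case the per-domain MCS pair is meant to prevent, and it is invisible to a plain type check.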