On 05/21/2018 06:33 PM, John Ferlan wrote:
On 05/15/2018 08:26 PM, Stefan Berger wrote:
In this patch we label the swtpm process with SELinux labels. We give it the
same label as the QEMU process has. We label its state directory and files
as well. We restore the old security labels once the swtpm has terminated.
The file and process labels now look as follows:
Directory: /var/lib/libvirt/swtpm
[root@localhost swtpm]# ls -lZ
total 4
rwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm
[root@localhost testvm]# ls -lZ
total 8
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall
The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log
[root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
[root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 [..]
Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
---
src/libvirt_private.syms | 2 +
src/qemu/qemu_security.c | 69 +++++++++++++++++
src/qemu/qemu_security.h | 11 +++
src/qemu/qemu_tpm.c | 12 ++-
src/security/security_driver.h | 7 ++
src/security/security_manager.c | 36 +++++++++
src/security/security_manager.h | 6 ++
src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++
src/security/security_stack.c | 40 ++++++++++
9 files changed, 345 insertions(+), 2 deletions(-)
Reviewed-by: John Ferlan <jferlan@xxxxxxxxxx>
Thanks.
This patch here obviously solves the issue for SELinux. I have in the
meantime worked on a Ubuntu system with AppArmor and would follow up
with AppArmor related patches. The issue is, if AppArmor is active, the
swtpm will not start at this point. This additional patch set will fix
this then. The problem is primarily related to the call to
virSecurityManagerSetChildProcessLabel(), which does what we/I want for
the swtpm process under SELinux but is not suitable for the swtpm
process under AppArmor. There it would apply an AppArmor profile for
QEMU to the swtpm process, which is probably not what we want. With the
paths to log file, PID file etc. accepted, we can extend the libvirtd
AppArmor profile with a swtpm subprofile to switch to from the libvirt
profile during the execve().
Stefan
John
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list