Re: [PATCH v5 09/11] security: Label the external swtpm with SELinux labels

On 05/21/2018 06:33 PM, John Ferlan wrote:

On 05/15/2018 08:26 PM, Stefan Berger wrote:
In this patch we label the swtpm process with SELinux labels. We give it the
same label as the QEMU process has. We label its state directory and files
as well. We restore the old security labels once the swtpm has terminated.

The file and process labels now look as follows:

Directory: /var/lib/libvirt/swtpm

[root@localhost swtpm]# ls -lZ
total 4
drwx------. 2 tss  tss  system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm

[root@localhost testvm]# ls -lZ
total 8
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall

The log in /var/log/swtpm/libvirt/qemu is labeled as follows:

-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log

[root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0  0.0 28172  3892 ?        Ss   16:57   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log

[root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0  0.0 3096704 48500 ?    Sl   16:57   3:28 /bin/qemu-system-x86_64 [..]

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
---
  src/libvirt_private.syms        |   2 +
  src/qemu/qemu_security.c        |  69 +++++++++++++++++
  src/qemu/qemu_security.h        |  11 +++
  src/qemu/qemu_tpm.c             |  12 ++-
  src/security/security_driver.h  |   7 ++
  src/security/security_manager.c |  36 +++++++++
  src/security/security_manager.h |   6 ++
  src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++
  src/security/security_stack.c   |  40 ++++++++++
  9 files changed, 345 insertions(+), 2 deletions(-)

Reviewed-by: John Ferlan <jferlan@xxxxxxxxxx>

Thanks.

This patch here obviously solves the issue for SELinux. I have in the meantime worked on an Ubuntu system with AppArmor and will follow up with AppArmor-related patches. The issue is, if AppArmor is active, the swtpm will not start at this point. This additional patch set will fix this then. The problem is primarily related to the call to virSecurityManagerSetChildProcessLabel(), which does what we/I want for the swtpm process under SELinux but is not suitable for the swtpm process under AppArmor. There it would apply an AppArmor profile for QEMU to the swtpm process, which is probably not what we want. With the paths to the log file, PID file etc. accepted, we can extend the libvirtd AppArmor profile with a swtpm subprofile to switch to from the libvirt profile during the execve().

   Stefan


John


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
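The listings in the commit message show what a consistent sVirt setup looks like: the swtpm helper and the QEMU process share one svirt_t context with the same MCS category pair, and the TPM state files and the log are svirt_image_t with those same categories. As an added example (not libvirt code and not part of this thread), here is a small check that parses `ps auxZ` and `ls -lZ` output and reports any process or file whose SELinux type or categories disagree with the VM's QEMU process. The input lines are constructed from the listings on the page; the extra `tpm-00.permall.bak` entry with categories c111,c222 is an assumption added to show what a stale or foreign-labelled state file looks like to the check, and the QEMU command line is shortened to `-name testvm` since the page elides it.

```python
"""Consistency check for sVirt labels on a VM's swtpm helper, its TPM state
files and its QEMU process.

Added example for this page, not libvirt code.  The sample lines below are
constructed from the `ps auxZ` / `ls -lZ` output in the commit message; the
`.bak` file with categories c111,c222 is an assumption, added to exercise
the failure path.
"""
import re
from dataclasses import dataclass

# Constructed `ps auxZ` lines (QEMU command line shortened; the page elides it).
PS_LINES = [
    "system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 "
    "/usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 "
    "--tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log",
    "system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 "
    "/bin/qemu-system-x86_64 -name testvm",
]
# Constructed `ls -lZ` lines; the last one is the assumed stale file.
LS_LINES = [
    "-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall",
    "-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log",
    "-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c111,c222 3648 Apr  1 09:00 tpm-00.permall.bak",
]

CONTEXT_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):(?P<sens>s\d+)(?::(?P<cats>c[\d,.c]+))?$"
)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    sensitivity: str
    categories: frozenset

    @property
    def level(self) -> str:
        """MLS/MCS level rendered back as 's0:c254,c932' (categories sorted)."""
        cats = ",".join(f"c{c}" for c in sorted(self.categories))
        return f"{self.sensitivity}:{cats}" if cats else self.sensitivity


def parse_categories(spec):
    """'c254,c932' -> {254, 932}; a dotted range 'c0.c3' -> {0, 1, 2, 3}."""
    cats = set()
    for part in (spec or "").split(","):
        if not part:
            continue
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_context(text):
    m = CONTEXT_RE.match(text)
    if not m:
        raise ValueError(f"not an SELinux context: {text!r}")
    return Context(m["user"], m["role"], m["type"], m["sens"], parse_categories(m["cats"]))


@dataclass(frozen=True)
class Proc:
    ctx: Context
    user: str
    pid: int
    cmd: str


@dataclass(frozen=True)
class File:
    ctx: Context
    name: str


def parse_ps_line(line):
    # ps auxZ columns: LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    f = line.split(None, 11)
    return Proc(parse_context(f[0]), f[1], int(f[2]), f[11])


def parse_ls_line(line):
    # ls -lZ columns: perms links owner group context size month day time name
    f = line.split(None, 9)
    return File(parse_context(f[4]), f[9])


def check_vm_labels(ps_lines, ls_lines):
    """Return a list of findings; an empty list means labels are consistent.

    The QEMU process is the reference: swtpm must share its type and MCS level,
    and every state/log file must be svirt_image_t with the same categories.
    """
    procs = [parse_ps_line(l) for l in ps_lines]
    qemu = [p for p in procs if "qemu-system" in p.cmd]
    swtpm = [p for p in procs if p.cmd.startswith("/usr/bin/swtpm")]
    if len(qemu) != 1 or len(swtpm) != 1:
        return [f"expected one qemu and one swtpm process, found {len(qemu)} and {len(swtpm)}"]
    ref, helper = qemu[0].ctx, swtpm[0].ctx
    findings = []
    if ref.type_ != "svirt_t":
        findings.append(f"qemu pid {qemu[0].pid} is not confined as svirt_t but {ref.type_}")
    if helper.type_ != ref.type_ or helper.level != ref.level:
        findings.append(f"swtpm pid {swtpm[0].pid} runs as {helper.type_}:{helper.level}, "
                        f"qemu runs as {ref.type_}:{ref.level}")
    for fl in (parse_ls_line(l) for l in ls_lines):
        if fl.ctx.type_ != "svirt_image_t":
            findings.append(f"{fl.name}: type {fl.ctx.type_}, expected svirt_image_t")
        elif fl.ctx.categories != ref.categories:
            findings.append(f"{fl.name}: categories {fl.ctx.level} do not match the VM's {ref.level}")
    return findings


if __name__ == "__main__":
    for finding in check_vm_labels(PS_LINES, LS_LINES) or ["labels consistent"]:
        print(finding)
```

On a live host the two lists would come from `ps auxZ` and `ls -lZ` of the VM's state directory and log directory; a category mismatch on a state file means that file is unreachable to this VM's swtpm under MCS, or is labelled for another guest, which is exactly the condition the per-VM labelling in this patch is meant to prevent.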
