On Thu, May 24, 2018 at 04:26:05PM -0400, Stefan Berger wrote:
In this patch we label the swtpm process with SELinux labels. We give it the same label as the QEMU process has. We label its state directory and files as well. We restore the old security labels once the swtpm has terminated. The file and process labels now look as follows: Directory: /var/lib/libvirt/swtpm [root@localhost swtpm]# ls -lZ total 4 rwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm [root@localhost testvm]# ls -lZ total 8 -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall The log in /var/log/swtpm/libvirt/qemu is labeled as follows: -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 [..] Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> Reviewed-by: John Ferlan <jferlan@xxxxxxxxxx> --- src/libvirt_private.syms | 2 + src/qemu/qemu_security.c | 69 +++++++++++++++++ src/qemu/qemu_security.h | 11 +++ src/qemu/qemu_tpm.c | 12 ++- src/security/security_driver.h | 7 ++ src/security/security_manager.c | 36 +++++++++ src/security/security_manager.h | 6 ++ src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++ src/security/security_stack.c | 40 ++++++++++ 9 files changed, 345 insertions(+), 2 deletions(-) diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 92e84155d1..6377fb7947 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -3048,6 +3048,167 @@ virSecuritySELinuxDomainSetPathLabel(virSecurityManagerPtr mgr, return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel); } + +/* + * _virSecuritySELinuxSetFileLabels: + * + * @mgr: the virSecurityManager + * @path: path to a directory or a file + * @seclabel: the security label + * + * Set the file labels on the given path; if the path is a directory + * we label all files found there, including the directory itself, + * otherwise we just label the file. + */ +static int +_virSecuritySELinuxSetFileLabels(virSecurityManagerPtr mgr,
Please drop the leading _. We do not have a separate namespace for static functions.
+ const char *path, + virSecurityLabelDefPtr seclabel) +{ + int ret = 0; + struct dirent *ent; + char *filename = NULL; + DIR *dir; + + if ((ret = virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel))) + return ret; + + if (!virFileIsDir(path)) + return 0; + + if (virDirOpen(&dir, path) < 0) + return -1; + + while ((ret = virDirRead(dir, &ent, path)) > 0) { + if (ent->d_type != DT_REG) + continue; + + if (virAsprintf(&filename, "%s/%s", path, ent->d_name) < 0) { + ret = -1; + break; + } + ret = virSecuritySELinuxSetFilecon(mgr, filename, + seclabel->imagelabel); + VIR_FREE(filename); + if (ret < 0) + break; + } + if (ret < 0) + virReportSystemError(errno, _("Unable to label files under %s"), + path); + + virDirClose(&dir); + + return ret; +} + + +/* + * _virSecuritySELinuxRestoreFileLabels: + * + * @mgr: the virSecurityManager + * @path: path to a directory or a file + * + * Restore the file labels on the given path; if the path is a directory + * we restore all file labels found there, including the label of the + * directory itself, otherwise we just restore the label on the file. + */ +static int +_virSecuritySELinuxRestoreFileLabels(virSecurityManagerPtr mgr,
here too
+ const char *path)
Reviewed-by: Ján Tomko <jtomko@xxxxxxxxxx> Jano
Attachment:
signature.asc
Description: Digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list