The default permissions (0600 root:root) are of no use to the qemu process so we need to change the owner to qemu iff running with namespaces. Signed-off-by: Erik Skultety <eskultet@xxxxxxxxxx> --- src/security/security_dac.c | 51 +++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 9f73114631..6f8ca8cd54 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -48,6 +48,7 @@ VIR_LOG_INIT("security.security_dac"); #define SECURITY_DAC_NAME "dac" +#define DEV_SEV "/dev/sev" typedef struct _virSecurityDACData virSecurityDACData; typedef virSecurityDACData *virSecurityDACDataPtr; @@ -1676,6 +1677,16 @@ virSecurityDACRestoreMemoryLabel(virSecurityManagerPtr mgr, } +static int +virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED) +{ + /* we only label /dev/sev when running with namespaces, so we don't need to + * restore anything */ + return 0; +} + + static int virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, @@ -1746,6 +1757,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, rc = -1; } + if (def->sev) { + if (virSecurityDACRestoreSEVLabel(mgr, def) < 0) + rc = -1; + } + if (def->os.loader && def->os.loader->nvram && virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0) rc = -1; @@ -1819,6 +1835,36 @@ virSecurityDACSetMemoryLabel(virSecurityManagerPtr mgr, } +static int +virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def) +{ + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); + virSecurityLabelDefPtr seclabel; + uid_t user; + gid_t group; + + /* Skip chowning /dev/sev if namespaces are disabled as we'd significantly + * increase the chance of a DOS attack on SEV + */ + if (!priv->mountNamespace) + return 0; + + seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); + if (seclabel && !seclabel->relabel) + return 0; + + if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0) + return -1; + + if (virSecurityDACSetOwnership(mgr, NULL, DEV_SEV, + user, group, false) < 0) + return -1; + + return 0; +} + + static int virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, @@ -1888,6 +1934,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, return -1; } + if (def->sev) { + if (virSecurityDACSetSEVLabel(mgr, def) < 0) + return -1; + } + if (virSecurityDACGetImageIds(secdef, priv, &user, &group)) return -1; -- 2.20.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list