[PATCH 0/3] security: Don't remember labels for TPM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



As it turns out, /dev/tpm0 can't be opened more than once. This doesn't
fit into our seclabel remembering approach and thus disable it for TPM
devices.

There's also another type of files which can't be opened more than once
- /dev/vfio/N. Usually, this won't be a problem unless users try to
attach/detach some devices from the same IOMMU group. This will require
more treatment though because it's broken on more levels. 

  1) we remove /dev/vfio/N in private devtmpfs on device detach, even
     though there is another device still attached to domain from the
     same IOMMU group,

  2) we remove the IOMMU group from CGroups, i.e. we effectively deny
     access to qemu

  3) we restore seclabels (regardless of seclabel remembering)

Therefore, I'm only addressing TPM issue here and will continue work on
hostdevs.

Michal Prívozník (3):
  security: Try to lock only paths with remember == true
  security_dac: Allow selective remember/recall for chardevs
  security: Don't remember labels for TPM

 src/security/security_dac.c     | 91 ++++++++++++++++++++++-----------
 src/security/security_selinux.c | 16 +++---
 2 files changed, 71 insertions(+), 36 deletions(-)

-- 
2.21.0

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux