As it turns out, /dev/tpm0 can't be opened more than once. This doesn't fit into our seclabel remembering approach and thus we disable it for TPM devices.

There's also another type of file which can't be opened more than once: /dev/vfio/N. Usually, this won't be a problem unless users try to attach/detach some devices from the same IOMMU group. This will require more treatment though, because it's broken on more levels:

1) we remove /dev/vfio/N in the private devtmpfs on device detach, even though there is another device from the same IOMMU group still attached to the domain,
2) we remove the IOMMU group from CGroups, i.e. we effectively deny access to qemu,
3) we restore seclabels (regardless of seclabel remembering).

Therefore, I'm only addressing the TPM issue here and will continue work on hostdevs.

Michal Prívozník (3):
  security: Try to lock only paths with remember == true
  security_dac: Allow selective remember/recall for chardevs
  security: Don't remember labels for TPM

 src/security/security_dac.c     | 91 ++++++++++++++++++++++-----------
 src/security/security_selinux.c | 16 +++---
 2 files changed, 71 insertions(+), 36 deletions(-)

-- 
2.21.0

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
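The single-opener behaviour described above is the property that decides whether a device node can safely be held open while its security label is recorded. The following stand-alone C probe is an added example written for this note; it is not libvirt code and not part of the series. It opens a path twice and classifies the second open: success, EBUSY (the single-opener case, which /dev/tpm0 exhibits), or some other failure. The default path /dev/tpm0 and the constructed temporary file used by the self-check are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Outcome of probing whether a path tolerates two simultaneous opens. */
enum open_twice {
    OPEN_TWICE_OK    = 1,   /* second open succeeded: safe to hold open for label bookkeeping */
    OPEN_TWICE_BUSY  = 0,   /* second open failed with EBUSY: single-opener device, e.g. /dev/tpm0 */
    OPEN_TWICE_ERROR = -1,  /* first open failed, or second open failed with another errno */
};

/* Open PATH twice (read/write, no symlink following) and report how the
   second open fares. The errno of the failing open, if any, is stored in
   *err_out when err_out is non-NULL; it is 0 when both opens succeed. */
int probe_open_twice(const char *path, int *err_out)
{
    int first, second, rc;
    int saved = 0;

    first = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (first < 0) {
        if (err_out)
            *err_out = errno;
        return OPEN_TWICE_ERROR;
    }

    second = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (second >= 0) {
        close(second);
        rc = OPEN_TWICE_OK;
    } else {
        saved = errno;
        rc = (saved == EBUSY) ? OPEN_TWICE_BUSY : OPEN_TWICE_ERROR;
    }

    close(first);
    if (err_out)
        *err_out = saved;
    return rc;
}

/* Self-check helper: create a constructed temporary regular file (which any
   number of openers may share) and write its path into BUF. Returns 0 on
   success, -1 on failure. Hypothetical helper, only for the demonstration. */
int make_scratch_file(char *buf, size_t len)
{
    const char tmpl[] = "/tmp/open-twice-XXXXXX";
    int fd;

    if (len < sizeof(tmpl))
        return -1;
    memcpy(buf, tmpl, sizeof(tmpl));
    fd = mkstemp(buf);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/tpm0";  /* assumed default */
    int err = 0;

    switch (probe_open_twice(path, &err)) {
    case OPEN_TWICE_OK:
        printf("%s: can be opened more than once\n", path);
        break;
    case OPEN_TWICE_BUSY:
        printf("%s: single-opener device (second open -> EBUSY)\n", path);
        break;
    default:
        printf("%s: cannot probe: %s\n", path, strerror(err));
        break;
    }
    return 0;
}
```

Run it as `./probe /dev/tpm0` (as a user with access to the node) to see the EBUSY case; run it on a regular file or an ordinary chardev such as /dev/null to see the shared-open case. The probe keeps the first descriptor open only for the duration of the second open, so it does not itself leave the device busy for a subsequent user.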