For SGX type of memory, QEMU needs to open and talk to /dev/sgx_vepc and /dev/sgx_provision files. But we do not set nor restore SELinux labels on these files when starting a guest.
Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
 src/security/security_dac.c | 3 ---
 src/security/security_manager.h | 4 ++++
 src/security/security_selinux.c | 24 ++++++++++++++++++++++--
 3 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 917fcf76a3..abfc07218e 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -47,9 +47,6 @@ VIR_LOG_INIT("security.security_dac");
 #define SECURITY_DAC_NAME "dac"
-#define DEV_SEV "/dev/sev"
-#define DEV_SGX_VEPC "/dev/sgx_vepc"
-#define DEV_SGX_PROVISION "/dev/sgx_provision"
 typedef struct _virSecurityDACData virSecurityDACData;
 struct _virSecurityDACData {
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 60597ffc0a..4afdcc167b 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -23,6 +23,10 @@
 #include "domain_conf.h"
 #include "vircommand.h"
+#define DEV_SEV "/dev/sev"
+#define DEV_SGX_VEPC "/dev/sgx_vepc"
+#define DEV_SGX_PROVISION "/dev/sgx_provision"
+
 typedef struct _virSecurityManager virSecurityManager;
 typedef enum {
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 93cc12407a..c4832e1bfc 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1577,10 +1577,21 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManager *mgr,
 return -1;
 break;
+ case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (!seclabel || !seclabel->relabel)
+ return 0;
+
+ if (virSecuritySELinuxSetFilecon(mgr, DEV_SGX_VEPC,
+ seclabel->imagelabel, true) < 0 ||
+ virSecuritySELinuxSetFilecon(mgr, DEV_SGX_PROVISION,
+ seclabel->imagelabel, true) < 0)
+ return -1;
+ break;
+
 case VIR_DOMAIN_MEMORY_MODEL_NONE:
 case VIR_DOMAIN_MEMORY_MODEL_DIMM:
 case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
- case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
 case VIR_DOMAIN_MEMORY_MODEL_LAST:
 break;
 }
@@ -1607,9 +1618,18 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManager *mgr,
 ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, true);
 break;
+ case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (!seclabel || !seclabel->relabel)
+ return 0;
+
+ ret = virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_VEPC, true);
+ if (virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_PROVISION, true) < 0)
+ ret = -1;
+ break;
+
 case VIR_DOMAIN_MEMORY_MODEL_DIMM:
 case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
- case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
 case VIR_DOMAIN_MEMORY_MODEL_NONE:
 case VIR_DOMAIN_MEMORY_MODEL_LAST:
 ret = 0;
-- 
2.38.2
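Review bot: The new SGX_EPC case in virSecuritySELinuxSetMemoryLabel labels two host-wide device nodes, `DEV_SGX_VEPC` and `DEV_SGX_PROVISION`, with a single domain's `seclabel->imagelabel`, which under dynamic labeling carries that domain's MCS categories, so two SGX guests running at the same time contend for the same label on the same node; whether the remembered-label path selected by the trailing `true` rejects the second relabel or overwrites the first guest's access is not visible here and should be confirmed, with the outcome stated in a comment such as `/* Host-wide nodes shared by every SGX EPC guest; see remembered-label handling */`. The same concern applies to the SGX_EPC case in virSecuritySELinuxRestoreMemoryLabel in the second hunk, where restoring a node still used by another running guest likewise depends on the refcount behind the `true` argument. Relabeling `/dev/sgx_provision` for every SGX EPC guest also grants each such guest's label access to the provisioning device, which is broader than EPC access alone; if QEMU indeed needs it unconditionally, as the description says, a one-line comment to that effect would keep a later reader from narrowing it by mistake. Both functions' bodies, including the `seclabel` and `ret` declarations, start outside the hunks.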