The acpi-erst backend for pstore device exposes a path in the host accessible to the guest and as such we must set seclabels on it to grant QEMU RW access.

Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
 src/security/security_dac.c | 10 ++++++++++
 src/security/security_selinux.c | 9 +++++++++
 src/security/virt-aa-helper.c | 4 ++++
 3 files changed, 23 insertions(+)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 669b90125c..0e1bb3ffa8 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1985,6 +1985,10 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr,
 virSecurityDACRestoreFileLabel(mgr, def->os.slic_table) < 0)
 rc = -1;
+ if (def->pstore &&
+ virSecurityDACRestoreFileLabel(mgr, def->pstore->path) < 0)
+ rc = -1;
+
 return rc;
 }
@@ -2220,6 +2224,12 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr,
 user, group, true) < 0)
 return -1;
+ if (def->pstore &&
+ virSecurityDACSetOwnership(mgr, NULL,
+ def->pstore->path,
+ user, group, true) < 0)
+ return -1;
+
 return 0;
 }
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index e29f627bc2..ba0ce8fb9d 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2911,6 +2911,10 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr,
 virSecuritySELinuxRestoreFileLabel(mgr, def->os.slic_table, true) < 0)
 rc = -1;
+ if (def->pstore &&
+ virSecuritySELinuxRestoreFileLabel(mgr, def->pstore->path, true) < 0)
+ rc = -1;
+
 return rc;
 }
@@ -3335,6 +3339,11 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr,
 data->content_context, true) < 0)
 return -1;
+ if (def->pstore &&
+ virSecuritySELinuxSetFilecon(mgr, def->pstore->path,
+ data->content_context, true) < 0)
+ return -1;
+
 return 0;
 }
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 0374581f07..2ab0b0b80c 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
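Review bot: The new `virSecurityDACSetOwnership` call on `def->pstore->path` in virSecurityDACSetAllLabel presumes the acpi-erst backing file already exists when labels are applied; if QEMU rather than libvirt creates that file at startup, this call would fail on a first boot with a fresh path and block the domain from starting, so it is worth confirming where the file gets created. The same question applies to the `virSecuritySELinuxSetFilecon` call added in virSecuritySELinuxSetAllLabel. Both guards, like the two restore hunks, test only `def->pstore` before dereferencing `def->pstore->path`; if a pstore backend without a host path can ever exist, `if (def->pstore && def->pstore->path &&` is the safer form. The enclosing functions start outside these hunks.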
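Review bot: The `virSecuritySELinuxSetFilecon` call added to virSecuritySELinuxSetAllLabel labels the pstore backing file with `data->content_context`, the same context the surrounding code uses for read-only inputs such as `def->os.slic_table`, yet the commit message states QEMU needs RW access to this path. If the distribution policy grants the QEMU domain only read access to that context (as is usual for the read-only content type), writes to the file will be denied at runtime and the failure will surface only as an AVC denial. The writable per-domain image label that disk images receive looks like the better fit here; please confirm against the policy before merging. The enclosing function starts outside the hunk.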
@@ -1001,6 +1001,10 @@ get_files(vahControl * ctl)
 if (vah_add_file(&buf, ctl->def->os.slic_table, "r") != 0)
 goto cleanup;
+ if (ctl->def->pstore)
+ if (vah_add_file(&buf, ctl->def->pstore->path, "rw") != 0)
+ goto cleanup;
+
 if (ctl->def->os.loader && ctl->def->os.loader->path)
 if (vah_add_file(&buf, ctl->def->os.loader->path, "rk") != 0)
 goto cleanup;
-- 
2.44.2
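Review bot: The new check in get_files tests only `ctl->def->pstore` before dereferencing `ctl->def->pstore->path`, whereas the loader check two lines below also guards the inner pointer (`ctl->def->os.loader && ctl->def->os.loader->path`). For consistency with that pattern, and to stay safe should a pstore backend without a host path be added later, write `if (ctl->def->pstore && ctl->def->pstore->path)`. The enclosing function get_files starts and ends outside the hunk.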