Again, trivial. Just copy what is done for kernel and initrd.

Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
 src/security/security_dac.c | 10 ++++++++++
 src/security/security_selinux.c | 9 +++++++++
 src/security/virt-aa-helper.c | 4 ++++
 3 files changed, 23 insertions(+)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 0505f4e4a3..c3f747a14a 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -2046,6 +2046,10 @@ virSecurityDACRestoreAllLabel(virSecurityManager *mgr,
 virSecurityDACRestoreFileLabel(mgr, def->os.initrd) < 0)
 rc = -1;
 
+ if (def->os.shim &&
+ virSecurityDACRestoreFileLabel(mgr, def->os.shim) < 0)
+ rc = -1;
+
 if (def->os.dtb &&
 virSecurityDACRestoreFileLabel(mgr, def->os.dtb) < 0)
 rc = -1;
@@ -2294,6 +2298,12 @@ virSecurityDACSetAllLabel(virSecurityManager *mgr,
 user, group, true) < 0)
 return -1;
 
+ if (def->os.shim &&
+ virSecurityDACSetOwnership(mgr, NULL,
+ def->os.shim,
+ user, group, true) < 0)
+ return -1;
+
 if (def->os.dtb &&
 virSecurityDACSetOwnership(mgr, NULL,
 def->os.dtb,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index cdc32d9b34..cf4283217d 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3009,6 +3009,10 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManager *mgr,
 virSecuritySELinuxRestoreFileLabel(mgr, def->os.initrd, true) < 0)
 rc = -1;
 
+ if (def->os.shim &&
+ virSecuritySELinuxRestoreFileLabel(mgr, def->os.shim, true) < 0)
+ rc = -1;
+
 if (def->os.dtb &&
 virSecuritySELinuxRestoreFileLabel(mgr, def->os.dtb, true) < 0)
 rc = -1;
@@ -3438,6 +3442,11 @@ virSecuritySELinuxSetAllLabel(virSecurityManager *mgr,
 data->content_context, true) < 0)
 return -1;
 
+ if (def->os.shim &&
+ virSecuritySELinuxSetFilecon(mgr, def->os.shim,
+ data->content_context, true) < 0)
+ return -1;
+
 if (def->os.dtb &&
 virSecuritySELinuxSetFilecon(mgr, def->os.dtb,
 data->content_context, true) < 0)
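Review bot: In virSecurityDACSetAllLabel (second hunk of security_dac.c) the shim is chowned to the domain's `user`/`group` through `virSecurityDACSetOwnership`, although the AppArmor hunk of this same patch grants only `"r"` on it, so read access appears to be all QEMU needs. Once the guest's account owns the file, whether it can also modify it depends only on the mode bits, which nothing in this hunk constrains; that matters if the shim is a distro-shipped binary shared by several domains, which seems likely but is not visible here. The hunk is consistent with the neighbouring kernel/initrd/dtb handling, so I would only record the decision in a comment, e.g. `/* shim is only read by QEMU; chown mirrors kernel/initrd, the file mode must keep it read-only */`. The paired restore in the first hunk (virSecurityDACRestoreAllLabel) looks symmetric; both function bodies start and end outside their hunks.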
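Review bot: The block added to virSecuritySELinuxSetAllLabel (second hunk of security_selinux.c) labels the shim with `data->content_context` without a comment saying why that context is used rather than a per-domain label. Presumably it is because the shim is read-only boot content that may be shared between domains, as the context lines around it do for the neighbouring files. A one-line comment would make that explicit: `/* shim is read-only, possibly shared boot content: label it like kernel/initrd */`. The function body starts and ends outside the hunk.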
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index c255b64f35..5b27bbd663 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -970,6 +970,10 @@ get_files(vahControl * ctl)
 if (vah_add_file(&buf, ctl->def->os.initrd, "r") != 0)
 goto cleanup;
 
+ if (ctl->def->os.shim)
+ if (vah_add_file(&buf, ctl->def->os.shim, "r") != 0)
+ goto cleanup;
+
 if (ctl->def->os.dtb)
 if (vah_add_file(&buf, ctl->def->os.dtb, "r") != 0)
 goto cleanup;
--
2.45.3
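Review bot: The added check in get_files nests one unbraced `if` inside another, which is easy to break when a second statement or an `else` is added later. The same test can be written as a single condition, as the DAC and SELinux hunks of this patch do: `if (ctl->def->os.shim && vah_add_file(&buf, ctl->def->os.shim, "r") != 0)` followed by `goto cleanup;`. The `"r"` permission is the right scope for a file that is only read at boot. get_files starts and ends outside the hunk, and the neighbouring initrd/dtb lines use the same nested form, so this may be better changed for all of them together.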