This API labels all sockets created until ClearSocketLabel is called in a way that a vm can access them (i.e., they are labeled with svirt_t based label in SELinux).
---
Notes:
    Version 3:
    - new patch

 src/libvirt_private.syms        |    1 +
 src/security/security_dac.c     |    9 +++++++++
 src/security/security_driver.h  |    3 +++
 src/security/security_manager.c |   10 ++++++++++
 src/security/security_manager.h |    2 ++
 src/security/security_nop.c     |    7 +++++++
 src/security/security_selinux.c |   38 ++++++++++++++++++++++++++++++++++++++
 src/security/security_stack.c   |   17 +++++++++++++++++
 8 files changed, 87 insertions(+), 0 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index c3e33b4..2a453bc 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -911,6 +911,7 @@ virSecurityManagerSetHostdevLabel;
 virSecurityManagerSetProcessFDLabel;
 virSecurityManagerSetProcessLabel;
 virSecurityManagerSetSavedStateLabel;
+virSecurityManagerSetSocketLabel;
 virSecurityManagerVerify;
 
 # sexpr.h
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 6df4087..e5465fc 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -675,6 +675,14 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 
 
 static int
+virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                             virDomainObjPtr vm ATTRIBUTE_UNUSED)
+{
+    return 0;
+}
+
+
+static int
 virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                virDomainObjPtr vm ATTRIBUTE_UNUSED)
 {
@@ -715,6 +723,7 @@ virSecurityDriver virSecurityDriverDAC = {
     virSecurityDACRestoreSecurityImageLabel,
 
     virSecurityDACSetDaemonSocketLabel,
+    virSecurityDACSetSocketLabel,
     virSecurityDACClearSocketLabel,
 
     virSecurityDACGenLabel,
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 73c8f04..94f27f8 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -43,6 +43,8 @@ typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
                                                     virDomainDiskDefPtr disk);
 typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
                                                      virDomainObjPtr vm);
+typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
+                                                virDomainObjPtr vm);
 typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
                                                  virDomainObjPtr vm);
 typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
@@ -102,6 +104,7 @@ struct _virSecurityDriver {
     virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
 
     virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
+    virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
     virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
 
     virSecurityDomainGenLabel domainGenSecurityLabel;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index d30ebcf..b2fd0d0 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -170,6 +170,16 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
     return -1;
 }
 
+int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
+                                     virDomainObjPtr vm)
+{
+    if (mgr->drv->domainSetSecuritySocketLabel)
+        return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
+
+    virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+    return -1;
+}
+
 int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
                                        virDomainObjPtr vm)
 {
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 8d614a7..38342c2 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
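Review bot: virSecurityManagerSetSocketLabel is added without a comment stating its contract, and the patch description is the only place that says the label applies to every socket created until ClearSocketLabel is called. I would put that above the definition: `/* Label every socket created from now on so the domain can access it; must be undone with virSecurityManagerClearSocketLabel() on every path, including after an error. */` — whether "from now on" is process-wide or per-thread follows from how the SELinux driver implements it (setsockcreatecon), so please confirm before committing to a wording. It is also worth saying that a driver without the callback yields VIR_ERR_NO_SUPPORT and -1 while a driver that has nothing to do returns 0, so callers should not read a 0 return as "a label was applied".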
@@ -55,6 +55,8 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
                                         virDomainDiskDefPtr disk);
 int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
                                            virDomainObjPtr vm);
+int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
+                                     virDomainObjPtr vm);
 int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
                                        virDomainObjPtr vm);
 int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 67d3ff6..a68a6c0 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -59,6 +59,12 @@ static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr AT
     return 0;
 }
 
+static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                                              virDomainObjPtr vm ATTRIBUTE_UNUSED)
+{
+    return 0;
+}
+
 static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                                 virDomainObjPtr vm ATTRIBUTE_UNUSED)
 {
@@ -172,6 +178,7 @@ virSecurityDriver virSecurityDriverNop = {
     virSecurityDomainRestoreImageLabelNop,
 
     virSecurityDomainSetDaemonSocketLabelNop,
+    virSecurityDomainSetSocketLabelNop,
     virSecurityDomainClearSocketLabelNop,
 
     virSecurityDomainGenLabelNop,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index f87c9a5..cddbed5 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1137,6 +1137,43 @@ done:
 }
 
 static int
+SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
+                              virDomainObjPtr vm)
+{
+    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    int rc = -1;
+
+    if (secdef->label == NULL)
+        return 0;
+
+    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
+        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("security label driver mismatch: "
+                                 "'%s' model configured for domain, but "
+                                 "hypervisor driver is '%s'."),
+                               secdef->model, virSecurityManagerGetModel(mgr));
+        goto done;
+    }
+
+    VIR_DEBUG("Setting VM %s socket context %s",
+              vm->def->name, secdef->label);
+    if (setsockcreatecon(secdef->label) == -1) {
+        virReportSystemError(errno,
+                             _("unable to set socket security context '%s'"),
+                             secdef->label);
+        goto done;
+    }
+
+    rc = 0;
+
+done:
+    if (security_getenforce() != 1)
+        rc = 0;
+
+    return rc;
+}
+
+static int
 SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
                                 virDomainObjPtr vm)
 {
@@ -1313,6 +1350,7 @@ virSecurityDriver virSecurityDriverSELinux = {
     SELinuxRestoreSecurityImageLabel,
 
     SELinuxSetSecurityDaemonSocketLabel,
+    SELinuxSetSecuritySocketLabel,
     SELinuxClearSecuritySocketLabel,
 
     SELinuxGenSecurityLabel,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 404ff65..f263f5b 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -355,6 +355,22 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
 
 
 static int
+virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
+                               virDomainObjPtr vm)
+{
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    int rc = 0;
+
+    if (virSecurityManagerSetSocketLabel(priv->secondary, vm) < 0)
+        rc = -1;
+    if (virSecurityManagerSetSocketLabel(priv->primary, vm) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
+static int
 virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
                                  virDomainObjPtr vm)
 {
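Review bot: The `done:` epilogue makes SELinuxSetSecuritySocketLabel return 0 whenever security_getenforce() != 1, which also swallows the `security label driver mismatch` branch — a configuration error that has nothing to do with enforcement — after an error has already been reported, so in permissive mode the caller carries on with a mismatched model and a stale last-error. I would fail that branch unconditionally by replacing its `goto done;` with `return -1;` and keep the permissive-mode tolerance for the setsockcreatecon() failure only; the `done:` context line at the top of the hunk suggests the preceding function uses the same pattern, so the same fix may apply there. Separately, the context installed by setsockcreatecon() persists after this function returns (per libselinux it is per-thread state — please confirm), so the function deserves a header comment saying that every socket the calling thread creates until SELinuxClearSecuritySocketLabel runs will carry the domain's label, and that callers must reach the clear call on all paths. SELinuxClearSecuritySocketLabel's body continues outside the hunk.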
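Review bot: virSecurityStackSetSocketLabel keeps going after the secondary driver's SetSocketLabel fails and returns -1 only at the end, so on a partial failure one driver's socket-create context stays installed while the caller is told the operation failed; unless every caller also calls virSecurityManagerClearSocketLabel on the error path (not visible here), that label stays attached to whatever the thread creates next. I would stop at the first failure and undo the secondary when the primary fails, as below. If "try both, report -1" is the deliberate convention of this file (the preceding SetDaemonSocketLabel body is outside the hunk, so I cannot tell), then a comment on the function stating that the caller owns the cleanup would do instead.
```c
virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
                               virDomainObjPtr vm)
{
    /* … unchanged: priv lookup … */

    /* Stop at the first failure so no driver is left half-applied. */
    if (virSecurityManagerSetSocketLabel(priv->secondary, vm) < 0)
        return -1;
    if (virSecurityManagerSetSocketLabel(priv->primary, vm) < 0) {
        /* Undo the secondary's label before reporting the failure. */
        virSecurityManagerClearSocketLabel(priv->secondary, vm);
        return -1;
    }

    return 0;
}
```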
@@ -419,6 +435,7 @@ virSecurityDriver virSecurityDriverStack = {
     virSecurityStackRestoreSecurityImageLabel,
 
     virSecurityStackSetDaemonSocketLabel,
+    virSecurityStackSetSocketLabel,
     virSecurityStackClearSocketLabel,
 
     virSecurityStackGenLabel,
-- 
1.7.6.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list