Re: [PATCH v3 2/3] security: Introduce SetSocketLabel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Aug 26, 2011 at 10:23:47AM +0200, Jiri Denemark wrote:
> This API labels all sockets created until ClearSocketLabel is called in
> a way that a vm can access them (i.e., they are labeled with svirt_t
> based label in SELinux).
> ---
> Notes:
>     Version 3:
>     - new patch
> 
>  src/libvirt_private.syms        |    1 +
>  src/security/security_dac.c     |    9 +++++++++
>  src/security/security_driver.h  |    3 +++
>  src/security/security_manager.c |   10 ++++++++++
>  src/security/security_manager.h |    2 ++
>  src/security/security_nop.c     |    7 +++++++
>  src/security/security_selinux.c |   38 ++++++++++++++++++++++++++++++++++++++
>  src/security/security_stack.c   |   17 +++++++++++++++++
>  8 files changed, 87 insertions(+), 0 deletions(-)
> 
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index c3e33b4..2a453bc 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -911,6 +911,7 @@ virSecurityManagerSetHostdevLabel;
>  virSecurityManagerSetProcessFDLabel;
>  virSecurityManagerSetProcessLabel;
>  virSecurityManagerSetSavedStateLabel;
> +virSecurityManagerSetSocketLabel;
>  virSecurityManagerVerify;
>  
>  # sexpr.h
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 6df4087..e5465fc 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -675,6 +675,14 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
>  
>  
>  static int
> +virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> +                             virDomainObjPtr vm ATTRIBUTE_UNUSED)
> +{
> +    return 0;
> +}
> +
> +
> +static int
>  virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
>                                   virDomainObjPtr vm ATTRIBUTE_UNUSED)
>  {
> @@ -715,6 +723,7 @@ virSecurityDriver virSecurityDriverDAC = {
>      virSecurityDACRestoreSecurityImageLabel,
>  
>      virSecurityDACSetDaemonSocketLabel,
> +    virSecurityDACSetSocketLabel,
>      virSecurityDACClearSocketLabel,
>  
>      virSecurityDACGenLabel,
> diff --git a/src/security/security_driver.h b/src/security/security_driver.h
> index 73c8f04..94f27f8 100644
> --- a/src/security/security_driver.h
> +++ b/src/security/security_driver.h
> @@ -43,6 +43,8 @@ typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
>                                                     virDomainDiskDefPtr disk);
>  typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
>                                                       virDomainObjPtr vm);
> +typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
> +                                                virDomainObjPtr vm);
>  typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
>                                                  virDomainObjPtr vm);
>  typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
> @@ -102,6 +104,7 @@ struct _virSecurityDriver {
>      virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
>  
>      virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
> +    virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
>      virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
>  
>      virSecurityDomainGenLabel domainGenSecurityLabel;
> diff --git a/src/security/security_manager.c b/src/security/security_manager.c
> index d30ebcf..b2fd0d0 100644
> --- a/src/security/security_manager.c
> +++ b/src/security/security_manager.c
> @@ -170,6 +170,16 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
>      return -1;
>  }
>  
> +int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
> +                                     virDomainObjPtr vm)
> +{
> +    if (mgr->drv->domainSetSecuritySocketLabel)
> +        return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
> +
> +    virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
> +    return -1;
> +}
> +
>  int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
>                                         virDomainObjPtr vm)
>  {
> diff --git a/src/security/security_manager.h b/src/security/security_manager.h
> index 8d614a7..38342c2 100644
> --- a/src/security/security_manager.h
> +++ b/src/security/security_manager.h
> @@ -55,6 +55,8 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
>                                          virDomainDiskDefPtr disk);
>  int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
>                                             virDomainObjPtr vm);
> +int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
> +                                     virDomainObjPtr vm);
>  int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
>                                         virDomainObjPtr vm);
>  int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
> diff --git a/src/security/security_nop.c b/src/security/security_nop.c
> index 67d3ff6..a68a6c0 100644
> --- a/src/security/security_nop.c
> +++ b/src/security/security_nop.c
> @@ -59,6 +59,12 @@ static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr AT
>      return 0;
>  }
>  
> +static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> +                                              virDomainObjPtr vm ATTRIBUTE_UNUSED)
> +{
> +    return 0;
> +}
> +
>  static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
>                                                  virDomainObjPtr vm ATTRIBUTE_UNUSED)
>  {
> @@ -172,6 +178,7 @@ virSecurityDriver virSecurityDriverNop = {
>      virSecurityDomainRestoreImageLabelNop,
>  
>      virSecurityDomainSetDaemonSocketLabelNop,
> +    virSecurityDomainSetSocketLabelNop,
>      virSecurityDomainClearSocketLabelNop,
>  
>      virSecurityDomainGenLabelNop,
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index f87c9a5..cddbed5 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -1137,6 +1137,43 @@ done:
>  }
>  
>  static int
> +SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
> +                              virDomainObjPtr vm)
> +{
> +    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
> +    int rc = -1;
> +
> +    if (secdef->label == NULL)
> +        return 0;
> +
> +    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
> +        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
> +                               _("security label driver mismatch: "
> +                                 "'%s' model configured for domain, but "
> +                                 "hypervisor driver is '%s'."),
> +                               secdef->model, virSecurityManagerGetModel(mgr));
> +        goto done;
> +    }
> +
> +    VIR_DEBUG("Setting VM %s socket context %s",
> +              vm->def->name, secdef->label);
> +    if (setsockcreatecon(secdef->label) == -1) {
> +        virReportSystemError(errno,
> +                             _("unable to set socket security context '%s'"),
> +                             secdef->label);
> +        goto done;
> +    }
> +
> +    rc = 0;
> +
> +done:
> +    if (security_getenforce() != 1)
> +        rc = 0;
> +
> +    return rc;
> +}
> +
> +static int
>  SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
>                                  virDomainObjPtr vm)
>  {
> @@ -1313,6 +1350,7 @@ virSecurityDriver virSecurityDriverSELinux = {
>      SELinuxRestoreSecurityImageLabel,
>  
>      SELinuxSetSecurityDaemonSocketLabel,
> +    SELinuxSetSecuritySocketLabel,
>      SELinuxClearSecuritySocketLabel,
>  
>      SELinuxGenSecurityLabel,
> diff --git a/src/security/security_stack.c b/src/security/security_stack.c
> index 404ff65..f263f5b 100644
> --- a/src/security/security_stack.c
> +++ b/src/security/security_stack.c
> @@ -355,6 +355,22 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
>  
>  
>  static int
> +virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
> +                               virDomainObjPtr vm)
> +{
> +    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> +    int rc = 0;
> +
> +    if (virSecurityManagerSetSocketLabel(priv->secondary, vm) < 0)
> +        rc = -1;
> +    if (virSecurityManagerSetSocketLabel(priv->primary, vm) < 0)
> +        rc = -1;
> +
> +    return rc;
> +}
> +
> +
> +static int
>  virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
>                                   virDomainObjPtr vm)
>  {
> @@ -419,6 +435,7 @@ virSecurityDriver virSecurityDriverStack = {
>      virSecurityStackRestoreSecurityImageLabel,
>  
>      virSecurityStackSetDaemonSocketLabel,
> +    virSecurityStackSetSocketLabel,
>      virSecurityStackClearSocketLabel,
>  
>      virSecurityStackGenLabel,

  ACK, looks fine. My only concern would be about availability of
  setsockcreatecon() , hopefully it's supported on all systems where
  SELinux is detected,

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel@xxxxxxxxxxxx  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]