On Fri, Aug 26, 2011 at 10:23:47AM +0200, Jiri Denemark wrote:
> This API labels all sockets created until ClearSocketLabel is called in
> a way that a vm can access them (i.e., they are labeled with svirt_t
> based label in SELinux).
> ---
> Notes:
> Version 3:
> - new patch
>
> src/libvirt_private.syms | 1 +
> src/security/security_dac.c | 9 +++++++++
> src/security/security_driver.h | 3 +++
> src/security/security_manager.c | 10 ++++++++++
> src/security/security_manager.h | 2 ++
> src/security/security_nop.c | 7 +++++++
> src/security/security_selinux.c | 38 ++++++++++++++++++++++++++++++++++++++
> src/security/security_stack.c | 17 +++++++++++++++++
> 8 files changed, 87 insertions(+), 0 deletions(-)
>
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index c3e33b4..2a453bc 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -911,6 +911,7 @@ virSecurityManagerSetHostdevLabel;
> virSecurityManagerSetProcessFDLabel;
> virSecurityManagerSetProcessLabel;
> virSecurityManagerSetSavedStateLabel;
> +virSecurityManagerSetSocketLabel;
> virSecurityManagerVerify;
>
> # sexpr.h
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 6df4087..e5465fc 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -675,6 +675,14 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
>
>
> static int
> +virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> + virDomainObjPtr vm ATTRIBUTE_UNUSED)
> +{
> + return 0;
> +}
> +
> +
> +static int
> virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> virDomainObjPtr vm ATTRIBUTE_UNUSED)
> {
> @@ -715,6 +723,7 @@ virSecurityDriver virSecurityDriverDAC = {
> virSecurityDACRestoreSecurityImageLabel,
>
> virSecurityDACSetDaemonSocketLabel,
> + virSecurityDACSetSocketLabel,
> virSecurityDACClearSocketLabel,
>
> virSecurityDACGenLabel,
> diff --git a/src/security/security_driver.h b/src/security/security_driver.h
> index 73c8f04..94f27f8 100644
> --- a/src/security/security_driver.h
> +++ b/src/security/security_driver.h
> @@ -43,6 +43,8 @@ typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
> virDomainDiskDefPtr disk);
> typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
> virDomainObjPtr vm);
> +typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
> + virDomainObjPtr vm);
> typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
> virDomainObjPtr vm);
> typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
> @@ -102,6 +104,7 @@ struct _virSecurityDriver {
> virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
>
> virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
> + virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
> virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
>
> virSecurityDomainGenLabel domainGenSecurityLabel;
> diff --git a/src/security/security_manager.c b/src/security/security_manager.c
> index d30ebcf..b2fd0d0 100644
> --- a/src/security/security_manager.c
> +++ b/src/security/security_manager.c
> @@ -170,6 +170,16 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
> return -1;
> }
>
> +int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
> + virDomainObjPtr vm)
> +{
> + if (mgr->drv->domainSetSecuritySocketLabel)
> + return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
> +
> + virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
> + return -1;
> +}
> +
> int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
> virDomainObjPtr vm)
> {
> diff --git a/src/security/security_manager.h b/src/security/security_manager.h
> index 8d614a7..38342c2 100644
> --- a/src/security/security_manager.h
> +++ b/src/security/security_manager.h
> @@ -55,6 +55,8 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
> virDomainDiskDefPtr disk);
> int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
> virDomainObjPtr vm);
> +int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
> + virDomainObjPtr vm);
> int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
> virDomainObjPtr vm);
> int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
> diff --git a/src/security/security_nop.c b/src/security/security_nop.c
> index 67d3ff6..a68a6c0 100644
> --- a/src/security/security_nop.c
> +++ b/src/security/security_nop.c
> @@ -59,6 +59,12 @@ static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr AT
> return 0;
> }
>
> +static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> + virDomainObjPtr vm ATTRIBUTE_UNUSED)
> +{
> + return 0;
> +}
> +
> static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
> virDomainObjPtr vm ATTRIBUTE_UNUSED)
> {
> @@ -172,6 +178,7 @@ virSecurityDriver virSecurityDriverNop = {
> virSecurityDomainRestoreImageLabelNop,
>
> virSecurityDomainSetDaemonSocketLabelNop,
> + virSecurityDomainSetSocketLabelNop,
> virSecurityDomainClearSocketLabelNop,
>
> virSecurityDomainGenLabelNop,
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index f87c9a5..cddbed5 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
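Review bot: The new virSecurityManagerSetSocketLabel prototype in security_manager.h has no comment describing its contract, even though the commit description says the label applies to every socket created afterwards until ClearSocketLabel is called, i.e. the effect outlives the call itself. A caller that bails out on an error between the two calls would presumably leave later sockets labelled for the VM, so the pairing deserves to be stated at the declaration rather than only in the commit message. Something like `/* Label every socket the caller creates from now on so the VM can access it; must be paired with virSecurityManagerClearSocketLabel() on every path, including error paths. */` above the prototype would do. Whether the scope is per thread or per process is not visible from the hunk and should be stated once confirmed against the SELinux implementation.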
> @@ -1137,6 +1137,43 @@ done:
> }
>
> static int
> +SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
> + virDomainObjPtr vm)
> +{
> + const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
> + int rc = -1;
> +
> + if (secdef->label == NULL)
> + return 0;
> +
> + if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
> + virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
> + _("security label driver mismatch: "
> + "'%s' model configured for domain, but "
> + "hypervisor driver is '%s'."),
> + secdef->model, virSecurityManagerGetModel(mgr));
> + goto done;
> + }
> +
> + VIR_DEBUG("Setting VM %s socket context %s",
> + vm->def->name, secdef->label);
> + if (setsockcreatecon(secdef->label) == -1) {
> + virReportSystemError(errno,
> + _("unable to set socket security context '%s'"),
> + secdef->label);
> + goto done;
> + }
> +
> + rc = 0;
> +
> +done:
> + if (security_getenforce() != 1)
> + rc = 0;
> +
> + return rc;
> +}
> +
> +static int
> SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
> virDomainObjPtr vm)
> {
> @@ -1313,6 +1350,7 @@ virSecurityDriver virSecurityDriverSELinux = {
> SELinuxRestoreSecurityImageLabel,
>
> SELinuxSetSecurityDaemonSocketLabel,
> + SELinuxSetSecuritySocketLabel,
> SELinuxClearSecuritySocketLabel,
>
> SELinuxGenSecurityLabel,
> diff --git a/src/security/security_stack.c b/src/security/security_stack.c
> index 404ff65..f263f5b 100644
> --- a/src/security/security_stack.c
> +++ b/src/security/security_stack.c
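Review bot: In SELinuxSetSecuritySocketLabel the `done:` block turns every failure into success whenever `security_getenforce() != 1`, and that condition is also true for the -1 that security_getenforce() returns when the enforcing state cannot be read, so a failed setsockcreatecon() is then reported as success although no socket context was set. Testing for permissive mode explicitly, `if (security_getenforce() == 0) rc = 0;`, keeps the permissive-mode leniency while still surfacing the error when libselinux itself fails. The same downgrade also swallows the model-mismatch error, which is a configuration problem rather than an enforcement decision and arguably should stay an error regardless of mode; if this pattern is copied from the existing SetDaemonSocketLabel, as it appears to be, the sibling functions would need the same treatment. The `done:` handling of the surrounding function above this one is outside the hunk.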
> @@ -355,6 +355,22 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
>
>
> static int
> +virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
> + virDomainObjPtr vm)
> +{
> + virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> + int rc = 0;
> +
> + if (virSecurityManagerSetSocketLabel(priv->secondary, vm) < 0)
> + rc = -1;
> + if (virSecurityManagerSetSocketLabel(priv->primary, vm) < 0)
> + rc = -1;
> +
> + return rc;
> +}
> +
> +
> +static int
> virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
> virDomainObjPtr vm)
> {
> @@ -419,6 +435,7 @@ virSecurityDriver virSecurityDriverStack = {
> virSecurityStackRestoreSecurityImageLabel,
>
> virSecurityStackSetDaemonSocketLabel,
> + virSecurityStackSetSocketLabel,
> virSecurityStackClearSocketLabel,
>
> virSecurityStackGenLabel,
ACK, looks fine. My only concern would be about availability of setsockcreatecon() , hopefully it's supported on all systems where SELinux is detected, Daniel
-- Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/ daniel@xxxxxxxxxxxx | Rpmfind RPM search engine http://rpmfind.net/ http://veillard.com/ | virtualization library http://libvirt.org/
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
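Review bot: virSecurityStackSetSocketLabel still calls the primary driver after the secondary one has failed and returns -1 without undoing whatever the secondary already applied, so a failure can leave the socket-creation label half set, and the second driver's virSecurityReportError overwrites the first one's message. Since there is no rollback in the stack driver, the caller must invoke virSecurityManagerClearSocketLabel whatever the return value; a comment above the function, e.g. `/* Both drivers are attempted even if one fails; the caller must still call ClearSocketLabel to undo any label already applied */`, would make that explicit. Whether the secondary-before-primary order is deliberate cannot be judged from the hunk, as the sibling SetDaemonSocketLabel body lies outside it.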