Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>
---
src/security/security_selinux.c | 90 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 90 insertions(+)
Index: libvirt/src/security/security_selinux.c
===================================================================
--- libvirt.orig/src/security/security_selinux.c
+++ libvirt/src/security/security_selinux.c
@@ -76,6 +76,12 @@ struct _virSecuritySELinuxCallbackData {
#define SECURITY_SELINUX_VOID_DOI "0"
#define SECURITY_SELINUX_NAME "selinux"
+static int
+virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainTPMDefPtr tpm);
+
+
/*
* Returns 0 on success, 1 if already reserved, or -1 on fatal error
*/
@@ -1017,6 +1023,80 @@ err:
return rc;
}
+
+static int
+virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainTPMDefPtr tpm)
+{
+ int rc;
+ virSecurityLabelDefPtr seclabel;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (seclabel == NULL)
+ return -1;
+
+ switch (tpm->type) {
+ case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+ rc = virSecuritySELinuxSetFilecon(tpm->data.passthrough.path,
+ seclabel->imagelabel);
+ if (rc < 0)
+ return -1;
+
+ if (tpm->data.passthrough.cancel_path) {
+ rc = virSecuritySELinuxSetFilecon(
+ tpm->data.passthrough.cancel_path,
+ seclabel->imagelabel);
+ if (rc < 0) {
+ virSecuritySELinuxRestoreSecurityTPMFileLabelInt(mgr, def,
+ tpm);
+ return -1;
+ }
+ } else {
+ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("Cannot start guest without TPM "
+ "cancel path"));
+ return -1;
+ }
+ break;
+ case VIR_DOMAIN_TPM_TYPE_LAST:
+ break;
+ }
+
+ return 0;
+}
+
+
+static int
+virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainTPMDefPtr tpm)
+{
+ int rc = 0;
+ virSecurityLabelDefPtr seclabel;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (seclabel == NULL)
+ return -1;
+
+ switch (tpm->type) {
+ case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+ rc = virSecuritySELinuxRestoreSecurityFileLabel(
+ mgr, tpm->data.passthrough.path);
+
+ if (tpm->data.passthrough.cancel_path) {
+ rc = virSecuritySELinuxRestoreSecurityFileLabel(mgr,
+ tpm->data.passthrough.cancel_path);
+ }
+ break;
+ case VIR_DOMAIN_TPM_TYPE_LAST:
+ break;
+ }
+
+ return rc;
+}
+
+
static int
virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
virDomainDefPtr def,
@@ -1685,6 +1765,12 @@ virSecuritySELinuxRestoreSecurityAllLabe
if (secdef->norelabel || data->skipAllLabel)
return 0;
+ if (def->tpm) {
+ if (virSecuritySELinuxRestoreSecurityTPMFileLabelInt(mgr, def,
+ def->tpm) < 0)
+ rc = -1;
+ }
+
for (i = 0 ; i < def->nhostdevs ; i++) {
if (virSecuritySELinuxRestoreSecurityHostdevLabel(mgr,
def,
@@ -2095,6 +2181,11 @@ virSecuritySELinuxSetSecurityAllLabel(vi
NULL) < 0)
return -1;
}
+ if (def->tpm) {
+ if (virSecuritySELinuxSetSecurityTPMFileLabel(mgr, def,
+ def->tpm) < 0)
+ return -1;
+ }
if (virDomainChrDefForeach(def,
true,
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list