[PATCH V1 4/6] Add SELinux labeling support for TPM


 



Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>

---
 src/security/security_selinux.c |   90 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)

Index: libvirt/src/security/security_selinux.c
===================================================================
--- libvirt.orig/src/security/security_selinux.c
+++ libvirt/src/security/security_selinux.c
@@ -76,6 +76,12 @@ struct _virSecuritySELinuxCallbackData {
 #define SECURITY_SELINUX_VOID_DOI       "0"
 #define SECURITY_SELINUX_NAME "selinux"
 
+static int
+virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
+                                                 virDomainDefPtr def,
+                                                 virDomainTPMDefPtr tpm);
+
+
 /*
  * Returns 0 on success, 1 if already reserved, or -1 on fatal error
  */
@@ -1017,6 +1023,80 @@ err:
     return rc;
 }
 
+
+static int
+virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr,
+                                          virDomainDefPtr def,
+                                          virDomainTPMDefPtr tpm)
+{
+    int rc;
+    virSecurityLabelDefPtr seclabel;
+
+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+    if (seclabel == NULL)
+        return -1;
+
+    switch (tpm->type) {
+    case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+        rc = virSecuritySELinuxSetFilecon(tpm->data.passthrough.path,
+                                          seclabel->imagelabel);
+        if (rc < 0)
+            return -1;
+
+        if (tpm->data.passthrough.cancel_path) {
+            rc = virSecuritySELinuxSetFilecon(
+                                 tpm->data.passthrough.cancel_path,
+                                 seclabel->imagelabel);
+            if (rc < 0) {
+                virSecuritySELinuxRestoreSecurityTPMFileLabelInt(mgr, def,
+                                                                 tpm);
+                return -1;
+            }
+        } else {
+            virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                           _("Cannot start guest without TPM "
+                           "cancel path"));
+            return -1;
+        }
+        break;
+    case VIR_DOMAIN_TPM_TYPE_LAST:
+        break;
+    }
+
+    return 0;
+}
+
+
+static int
+virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr,
+                                                 virDomainDefPtr def,
+                                                 virDomainTPMDefPtr tpm)
+{
+    int rc = 0;
+    virSecurityLabelDefPtr seclabel;
+
+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+    if (seclabel == NULL)
+        return -1;
+
+    switch (tpm->type) {
+    case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
+        rc = virSecuritySELinuxRestoreSecurityFileLabel(
+                 mgr, tpm->data.passthrough.path);
+
+        if (tpm->data.passthrough.cancel_path) {
+            rc = virSecuritySELinuxRestoreSecurityFileLabel(mgr,
+                                  tpm->data.passthrough.cancel_path);
+        }
+        break;
+    case VIR_DOMAIN_TPM_TYPE_LAST:
+        break;
+    }
+
+    return rc;
+}
+
+
 static int
 virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr,
                                                virDomainDefPtr def,
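Review bot: In virSecuritySELinuxRestoreSecurityTPMFileLabelInt the result of restoring `tpm->data.passthrough.path` is overwritten by the second call, so a failed restore of the device path is reported as success whenever the cancel path restores cleanly; accumulate instead, `if (virSecuritySELinuxRestoreSecurityFileLabel(mgr, tpm->data.passthrough.path) < 0) rc = -1;` and the same for cancel_path. In virSecuritySELinuxSetSecurityTPMFileLabel the missing-cancel_path branch returns -1 after the device path has already been relabeled, unlike the cancel_path failure branch which calls the restore helper first; checking `tpm->data.passthrough.cancel_path` for NULL before the first virSecuritySELinuxSetFilecon call avoids leaving the device relabeled on that error. Both switches have no `default:`, so a TPM type added to the enum later would fall through and be treated as needing no labeling; a `default:` that reports an error would make that explicit.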
@@ -1685,6 +1765,12 @@ virSecuritySELinuxRestoreSecurityAllLabe
     if (secdef->norelabel || data->skipAllLabel)
         return 0;
 
+    if (def->tpm) {
+        if (virSecuritySELinuxRestoreSecurityTPMFileLabelInt(mgr, def,
+                                                             def->tpm) < 0)
+            rc = -1;
+    }
+
     for (i = 0 ; i < def->nhostdevs ; i++) {
         if (virSecuritySELinuxRestoreSecurityHostdevLabel(mgr,
                                                           def,
@@ -2095,6 +2181,11 @@ virSecuritySELinuxSetSecurityAllLabel(vi
                                                       NULL) < 0)
             return -1;
     }
+    if (def->tpm) {
+        if (virSecuritySELinuxSetSecurityTPMFileLabel(mgr, def,
+                                                      def->tpm) < 0)
+            return -1;
+    }
 
     if (virDomainChrDefForeach(def,
                                true,


