Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx> --- src/security/security_selinux.c | 90 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) Index: libvirt/src/security/security_selinux.c =================================================================== --- libvirt.orig/src/security/security_selinux.c +++ libvirt/src/security/security_selinux.c @@ -76,6 +76,12 @@ struct _virSecuritySELinuxCallbackData { #define SECURITY_SELINUX_VOID_DOI "0" #define SECURITY_SELINUX_NAME "selinux" +static int +virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virDomainTPMDefPtr tpm); + + /* * Returns 0 on success, 1 if already reserved, or -1 on fatal error */ @@ -1017,6 +1023,80 @@ err: return rc; } + +static int +virSecuritySELinuxSetSecurityTPMFileLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virDomainTPMDefPtr tpm) +{ + int rc; + virSecurityLabelDefPtr seclabel; + + seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); + if (seclabel == NULL) + return -1; + + switch (tpm->type) { + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + rc = virSecuritySELinuxSetFilecon(tpm->data.passthrough.path, + seclabel->imagelabel); + if (rc < 0) + return -1; + + if (tpm->data.passthrough.cancel_path) { + rc = virSecuritySELinuxSetFilecon( + tpm->data.passthrough.cancel_path, + seclabel->imagelabel); + if (rc < 0) { + virSecuritySELinuxRestoreSecurityTPMFileLabelInt(mgr, def, + tpm); + return -1; + } + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Cannot start guest without TPM " + "cancel path")); + return -1; + } + break; + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + } + + return 0; +} + + +static int +virSecuritySELinuxRestoreSecurityTPMFileLabelInt(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virDomainTPMDefPtr tpm) +{ + int rc = 0; + virSecurityLabelDefPtr seclabel; + + seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME); + if (seclabel == NULL) + return -1; + + switch (tpm->type) { + case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH: + rc = virSecuritySELinuxRestoreSecurityFileLabel( + mgr, tpm->data.passthrough.path); + + if (tpm->data.passthrough.cancel_path) { + rc = virSecuritySELinuxRestoreSecurityFileLabel(mgr, + tpm->data.passthrough.cancel_path); + } + break; + case VIR_DOMAIN_TPM_TYPE_LAST: + break; + } + + return rc; +} + + static int virSecuritySELinuxRestoreSecurityImageLabelInt(virSecurityManagerPtr mgr, virDomainDefPtr def, @@ -1685,6 +1765,12 @@ virSecuritySELinuxRestoreSecurityAllLabe if (secdef->norelabel || data->skipAllLabel) return 0; + if (def->tpm) { + if (virSecuritySELinuxRestoreSecurityTPMFileLabelInt(mgr, def, + def->tpm) < 0) + rc = -1; + } + for (i = 0 ; i < def->nhostdevs ; i++) { if (virSecuritySELinuxRestoreSecurityHostdevLabel(mgr, def, @@ -2095,6 +2181,11 @@ virSecuritySELinuxSetSecurityAllLabel(vi NULL) < 0) return -1; } + if (def->tpm) { + if (virSecuritySELinuxSetSecurityTPMFileLabel(mgr, def, + def->tpm) < 0) + return -1; + } if (virDomainChrDefForeach(def, true, -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list