The method labels the file descriptor even if dynamic labeling/relabeling
is turned off. This is needed for files created by libvirt and then
passed along to qemu as a FD.
---
src/libvirt_private.syms | 1 +
src/security/security_dac.c | 9 +++++++++
src/security/security_driver.h | 4 ++++
src/security/security_manager.c | 16 ++++++++++++++++
src/security/security_manager.h | 3 +++
src/security/security_nop.c | 1 +
src/security/security_selinux.c | 21 +++++++++++++++++++++
src/security/security_stack.c | 19 +++++++++++++++++++
8 files changed, 74 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 795e011..dd06f11 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1035,6 +1035,7 @@ virSecurityManagerRestoreImageLabel;
virSecurityManagerRestoreSavedStateLabel;
virSecurityManagerSetAllLabel;
virSecurityManagerSetChildProcessLabel;
+virSecurityManagerSetCreatedFDLabel;
virSecurityManagerSetDaemonSocketLabel;
virSecurityManagerSetHostdevLabel;
virSecurityManagerSetHugepages;
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 0d6defc..ef528f6 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1180,6 +1180,14 @@ virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
}
static int
+virSecurityDACSetCreatedFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ int fd ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
+static int
virSecurityDACSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainDefPtr def ATTRIBUTE_UNUSED,
int fd ATTRIBUTE_UNUSED)
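Review bot: virSecurityDACSetCreatedFDLabel returns 0 with no comment explaining why the DAC driver does nothing for a descriptor libvirt created itself, and that is the one driver-specific decision in this hunk. Presumably the reasoning is that DAC permissions are checked at open() time, so an already-open fd handed to qemu works regardless of the file's owner — but that should be stated rather than left as a silent stub, e.g. `/* Nothing to do: DAC checks apply at open(), so an fd libvirt already holds needs no ownership change before being passed on. */`. If the stub is instead a placeholder for a later fchown-style implementation, the comment should say that instead.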
@@ -1231,6 +1239,7 @@ virSecurityDriver virSecurityDriverDAC = {
.domainRestoreSavedStateLabel = virSecurityDACRestoreSavedStateLabel,
.domainSetSecurityImageFDLabel = virSecurityDACSetImageFDLabel,
+ .domainSetSecurityCreatedFDLabel = virSecurityDACSetCreatedFDLabel,
.domainSetSecurityTapFDLabel = virSecurityDACSetTapFDLabel,
.domainGetSecurityMountOptions = virSecurityDACGetMountOptions,
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index cc401e1..0edcc34 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -100,6 +100,9 @@ typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr
mgr,
typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def,
int fd);
+typedef int (*virSecurityDomainSetCreatedFDLabel) (virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ int fd);
typedef int (*virSecurityDomainSetTapFDLabel) (virSecurityManagerPtr mgr,
virDomainDefPtr def,
int fd);
@@ -146,6 +149,7 @@ struct _virSecurityDriver {
virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;
virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
+ virSecurityDomainSetCreatedFDLabel domainSetSecurityCreatedFDLabel;
virSecurityDomainSetTapFDLabel domainSetSecurityTapFDLabel;
virSecurityDomainGetMountOptions domainGetSecurityMountOptions;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index f7c5c2e..2152246 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -663,6 +663,22 @@ int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
return -1;
}
+int virSecurityManagerSetCreatedFDLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ int fd)
+{
+ if (mgr->drv->domainSetSecurityCreatedFDLabel) {
+ int ret;
+ virObjectLock(mgr);
+ ret = mgr->drv->domainSetSecurityCreatedFDLabel(mgr, vm, fd);
+ virObjectUnlock(mgr);
+ return ret;
+ }
+
+ virReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+ return -1;
+}
+
int virSecurityManagerSetTapFDLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
int fd)
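Review bot: The new wrapper carries no comment stating its contract, and the name alone does not say how it differs from virSecurityManagerSetImageFDLabel directly above it. The distinguishing property from the commit message — the fd is labelled even when the domain's dynamic labelling/relabelling is disabled, because libvirt created the file itself — belongs in a short comment above the definition so callers pick the right entry point. The locking and VIR_ERR_NO_SUPPORT fallback mirror the existing wrappers and look fine.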
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 711b354..343dffb 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -112,6 +112,9 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr,
int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
int fd);
+int virSecurityManagerSetCreatedFDLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ int fd);
int virSecurityManagerSetTapFDLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
int fd);
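Review bot: The new prototype names its second parameter `def` while the definition added in security_manager.c names it `vm`, and the adjacent virSecurityManagerSetTapFDLabel prototype below already uses `vm`; header and definition should agree, so change the prototype line to `virDomainDefPtr vm,`. A brief Doxygen-style comment on the prototype noting that the fd is labelled regardless of the domain's relabel setting would also spare readers a trip through the driver implementations.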
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 233404c..ee0e05b 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -223,6 +223,7 @@ virSecurityDriver virSecurityDriverNop = {
.domainRestoreSavedStateLabel = virSecurityDomainRestoreSavedStateLabelNop,
.domainSetSecurityImageFDLabel = virSecurityDomainSetFDLabelNop,
+ .domainSetSecurityCreatedFDLabel = virSecurityDomainSetFDLabelNop,
.domainSetSecurityTapFDLabel = virSecurityDomainSetFDLabelNop,
.domainGetSecurityMountOptions = virSecurityDomainGetMountOptionsNop,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 7802dda..5894259 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2446,6 +2446,26 @@ virSecuritySELinuxGetSecurityMountOptions(virSecurityManagerPtr
mgr,
return opts;
}
+static int
+virSecuritySELinuxSetCreatedFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainDefPtr def,
+ int fd)
+{
+ virSecurityLabelDefPtr secdef;
+
+ if ((secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME))) {
+ if (!secdef->imagelabel)
+ secdef->imagelabel = virSecuritySELinuxGenImageLabel(mgr, def);
+ } else {
+ return -1;
+ }
+
+ if (secdef->imagelabel == NULL)
+ return 0;
+
+ return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
+}
+
virSecurityDriver virSecurityDriverSELinux = {
.privateDataLen = sizeof(virSecuritySELinuxData),
.name = SECURITY_SELINUX_NAME,
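Review bot: virSecuritySELinuxSetCreatedFDLabel treats a NULL `secdef->imagelabel` after virSecuritySELinuxGenImageLabel as "nothing to label" and returns 0, so if that helper (not in the hunk) can return NULL on failure as well as when there is no base label to derive from, a label-generation error is reported yet the fd is still handed on unlabelled with a success return; the two cases should be told apart, or a comment should state that NULL only means there is no label to derive. `mgr` is tagged `ATTRIBUTE_UNUSED` in the signature but is passed to virSecuritySELinuxGenImageLabel, so the attribute should be dropped. The `else { return -1; }` branch fails without calling virReportError, leaving the caller with -1 and no error set; either report it or, if a domain with no SELinux seclabel definition is a legitimate skip, return 0. The lookup reads more simply as a guard, `if (!(secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME))) return -1;`. Storing the generated label into `secdef->imagelabel` is a side effect visible to every later path that checks that field, which is presumably intended but deserves a one-line comment.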
@@ -2483,6 +2503,7 @@ virSecurityDriver virSecurityDriverSELinux = {
.domainRestoreSavedStateLabel = virSecuritySELinuxRestoreSavedStateLabel,
.domainSetSecurityImageFDLabel = virSecuritySELinuxSetImageFDLabel,
+ .domainSetSecurityCreatedFDLabel = virSecuritySELinuxSetCreatedFDLabel,
.domainSetSecurityTapFDLabel = virSecuritySELinuxSetTapFDLabel,
.domainGetSecurityMountOptions = virSecuritySELinuxGetSecurityMountOptions,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 14d757d..926ffbe 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -471,6 +471,24 @@ virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
}
static int
+virSecurityStackSetCreatedFDLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr vm,
+ int fd)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityStackItemPtr item = priv->itemsHead;
+ int rc = 0;
+
+ for (; item; item = item->next) {
+ if (virSecurityManagerSetCreatedFDLabel(item->securityManager, vm, fd) <
0)
+ rc = -1;
+ }
+
+ return rc;
+}
+
+
+static int
virSecurityStackSetTapFDLabel(virSecurityManagerPtr mgr,
virDomainDefPtr vm,
int fd)
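Review bot: The loop in virSecurityStackSetCreatedFDLabel keeps calling the remaining stacked managers after one fails and only remembers that a failure happened, so presumably a later driver's error message replaces the earlier one; this appears to be the pattern the neighbouring stack callbacks follow, but a one-line comment would make the intent explicit, e.g. `/* Give every stacked driver a chance to label the fd; remember a failure but do not stop early. */`. There are also two consecutive blank lines before the following `static int`, where one is enough. virSecurityStackSetTapFDLabel's body continues outside the hunk.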
@@ -569,6 +587,7 @@ virSecurityDriver virSecurityDriverStack = {
.domainRestoreSavedStateLabel = virSecurityStackRestoreSavedStateLabel,
.domainSetSecurityImageFDLabel = virSecurityStackSetImageFDLabel,
+ .domainSetSecurityCreatedFDLabel = virSecurityStackSetCreatedFDLabel,
.domainSetSecurityTapFDLabel = virSecurityStackSetTapFDLabel,
.domainGetSecurityMountOptions = virSecurityStackGetMountOptions,
--
1.8.2.1