On Fri, Aug 26, 2011 at 10:23:47AM +0200, Jiri Denemark wrote:
This API labels all sockets created until ClearSocketLabel is called in
a way that a VM can access them (i.e., under SELinux they are given an
svirt_t-based label).
---
Notes:
Version 3:
- new patch
src/libvirt_private.syms | 1 +
src/security/security_dac.c | 9 +++++++++
src/security/security_driver.h | 3 +++
src/security/security_manager.c | 10 ++++++++++
src/security/security_manager.h | 2 ++
src/security/security_nop.c | 7 +++++++
src/security/security_selinux.c | 38 ++++++++++++++++++++++++++++++++++++++
src/security/security_stack.c | 17 +++++++++++++++++
8 files changed, 87 insertions(+), 0 deletions(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index c3e33b4..2a453bc 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -911,6 +911,7 @@ virSecurityManagerSetHostdevLabel;
virSecurityManagerSetProcessFDLabel;
virSecurityManagerSetProcessLabel;
virSecurityManagerSetSavedStateLabel;
+virSecurityManagerSetSocketLabel;
virSecurityManagerVerify;
# sexpr.h
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 6df4087..e5465fc 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -675,6 +675,14 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
static int
+virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
+
+static int
virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED)
{
@@ -715,6 +723,7 @@ virSecurityDriver virSecurityDriverDAC = {
virSecurityDACRestoreSecurityImageLabel,
virSecurityDACSetDaemonSocketLabel,
+ virSecurityDACSetSocketLabel,
virSecurityDACClearSocketLabel,
virSecurityDACGenLabel,
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 73c8f04..94f27f8 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -43,6 +43,8 @@ typedef int (*virSecurityDomainRestoreImageLabel)
(virSecurityManagerPtr mgr,
virDomainDiskDefPtr disk);
typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
virDomainObjPtr vm);
+typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
+ virDomainObjPtr vm);
typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
virDomainObjPtr vm);
typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
@@ -102,6 +104,7 @@ struct _virSecurityDriver {
virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
+ virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
virSecurityDomainGenLabel domainGenSecurityLabel;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index d30ebcf..b2fd0d0 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -170,6 +170,16 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr
mgr,
return -1;
}
+int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm)
+{
+ if (mgr->drv->domainSetSecuritySocketLabel)
+ return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
+
+ virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+ return -1;
+}
+
int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm)
{
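Review bot: virSecurityManagerSetSocketLabel is added without any comment stating its contract, although it is the public entry point the commit message describes. Because the SELinux backend implements it with setsockcreatecon(), which sets a per-thread creation attribute, the label applies to every socket created by the calling thread from this call until virSecurityManagerClearSocketLabel runs, so the two must be paired on the same thread and Clear must also run when Set returns -1 (the stack driver in security_stack.c still applies the primary driver's label after a secondary failure and then reports -1). A comment above the definition along the lines of `/* Label every socket created by the calling thread until virSecurityManagerClearSocketLabel(); always pair with Clear, even when this returns -1. */` would make that visible to callers, and the same note belongs on the declaration in security_manager.h.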
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 8d614a7..38342c2 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -55,6 +55,8 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
virDomainDiskDefPtr disk);
int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm);
+int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm);
int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm);
int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 67d3ff6..a68a6c0 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -59,6 +59,12 @@ static int
virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr AT
return 0;
}
+static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr
ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED)
{
@@ -172,6 +178,7 @@ virSecurityDriver virSecurityDriverNop = {
virSecurityDomainRestoreImageLabelNop,
virSecurityDomainSetDaemonSocketLabelNop,
+ virSecurityDomainSetSocketLabelNop,
virSecurityDomainClearSocketLabelNop,
virSecurityDomainGenLabelNop,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index f87c9a5..cddbed5 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1137,6 +1137,43 @@ done:
}
static int
+SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm)
+{
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ int rc = -1;
+
+ if (secdef->label == NULL)
+ return 0;
+
+ if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
+ virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+ _("security label driver mismatch: "
+ "'%s' model configured for domain, but
"
+ "hypervisor driver is '%s'."),
+ secdef->model, virSecurityManagerGetModel(mgr));
+ goto done;
+ }
+
+ VIR_DEBUG("Setting VM %s socket context %s",
+ vm->def->name, secdef->label);
+ if (setsockcreatecon(secdef->label) == -1) {
+ virReportSystemError(errno,
+ _("unable to set socket security context
'%s'"),
+ secdef->label);
+ goto done;
+ }
+
+ rc = 0;
+
+done:
+ if (security_getenforce() != 1)
+ rc = 0;
+
+ return rc;
+}
+
+static int
SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm)
{
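Review bot: The `done:` block in SELinuxSetSecuritySocketLabel turns a failed setsockcreatecon() into a success return whenever security_getenforce() reports a non-enforcing system, after the error has already been reported, so the caller proceeds as if the creation context were set while new sockets will in fact keep the thread's default context. This looks like it mirrors the existing daemon-socket path, but the intent is not obvious at the label; a comment such as `/* permissive mode: report the failure but do not fail, sockets keep the default context */` before the `if (security_getenforce() != 1)` test would help. The model-mismatch check and its error text appear to duplicate the daemon-socket variant, so a small static helper could carry both. SELinuxClearSecuritySocketLabel begins at the end of this hunk and continues outside it.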
@@ -1313,6 +1350,7 @@ virSecurityDriver virSecurityDriverSELinux = {
SELinuxRestoreSecurityImageLabel,
SELinuxSetSecurityDaemonSocketLabel,
+ SELinuxSetSecuritySocketLabel,
SELinuxClearSecuritySocketLabel,
SELinuxGenSecurityLabel,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 404ff65..f263f5b 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -355,6 +355,22 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
static int
+virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ int rc = 0;
+
+ if (virSecurityManagerSetSocketLabel(priv->secondary, vm) < 0)
+ rc = -1;
+ if (virSecurityManagerSetSocketLabel(priv->primary, vm) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
+static int
virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
virDomainObjPtr vm)
{
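Review bot: virSecurityStackSetSocketLabel calls the secondary driver before the primary without saying why; with setsockcreatecon() semantics the last successful call determines the context new sockets receive, so should both backends ever set one, the primary's label is the one that takes effect. If that precedence is intended, a one-line comment makes it explicit, e.g. `/* primary last so that its creation context wins */` above the second call. virSecurityStackClearSocketLabel starts at the end of this hunk and continues outside it.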
@@ -419,6 +435,7 @@ virSecurityDriver virSecurityDriverStack = {
virSecurityStackRestoreSecurityImageLabel,
virSecurityStackSetDaemonSocketLabel,
+ virSecurityStackSetSocketLabel,
virSecurityStackClearSocketLabel,
virSecurityStackGenLabel,
ACK, looks fine. My only concern would be about the availability of
setsockcreatecon(); hopefully it's supported on all systems where
SELinux is detected.
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit
http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine
http://rpmfind.net/
http://veillard.com/ | virtualization library
http://libvirt.org/