On 05/04/2018 04:21 PM, Stefan Berger wrote:
Extend the DAC and SELinux modules with support for the
tpm-emulator.
Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
---
src/security/security_dac.c | 4 ++++
src/security/security_selinux.c | 5 +++++
2 files changed, 9 insertions(+)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 5efbc27..351f6f4 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1373,6 +1373,10 @@ virSecurityDACSetTPMFileLabel(virSecurityManagerPtr mgr,
false);
break;
case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+ ret = virSecurityDACSetChardevLabel(mgr, def,
+ &tpm->data.emulator.source,
+ false);
+ break;
case VIR_DOMAIN_TPM_TYPE_LAST:
break;
}
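Review bot: this arm only sets the DAC label on `tpm->data.emulator.source` and the diffstat shows the four insertions in security_dac.c are all here, so virSecurityDACRestoreTPMFileLabel gets no matching arm and the ownership change on the emulator socket is never undone when the domain stops. Add the symmetric call in the restore path, e.g. `ret = virSecurityDACRestoreChardevLabel(mgr, def, &tpm->data.emulator.source, false);`, or say in the commit message why the label has to persist.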
virSecurityDACRestoreTPMFileLabel doesn't need to be changed? e.g.:
ret = virSecurityDACRestoreChardevLabel(mgr, def,
&tpm->data.emulator.source,
false);
diff --git a/src/security/security_selinux.c
b/src/security/security_selinux.c
index f5ba877..17bc07a 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1473,6 +1473,11 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
}
break;
case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+ tpmdev = tpm->data.emulator.source.data.nix.path;
+ rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel);
+ if (rc < 0)
+ return -1;
+ break;
case VIR_DOMAIN_TPM_TYPE_LAST:
break;
}
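Review bot: `tpmdev = tpm->data.emulator.source.data.nix.path;` reaches into the chardev source's union without checking that the source type is a Unix socket, so the hunk silently relies on the emulator type always being parsed that way; either guard on the source type or note in a comment why that invariant holds. As with the DAC hunk, the diffstat puts all five security_selinux.c insertions here, so virSecuritySELinuxRestoreTPMFileLabelInt gets no matching virSecuritySELinuxRestoreFileLabel call and `seclabel->imagelabel` is left on the socket after shutdown. The DAC change goes through the chardev helper while this one labels the path directly with virSecuritySELinuxSetFilecon; that asymmetry deserves a sentence in the commit message.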
Similarly for virSecuritySELinuxRestoreTPMFileLabelInt:
tpmdev = tpm->data.emulator.source.data.nix.path;
rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev);
?
With the adjustments or at least an explanation in the commit message
why they cannot be Restored,
Reviewed-by: John Ferlan <jferlan(a)redhat.com>
John