On 05/15/2018 06:30 AM, Boris Fiuczynski wrote:
On 05/10/2018 11:57 PM, Stefan Berger wrote:
> In this patch we label the swtpm process with SELinux labels. We give it the
> same label as the QEMU process has. We label its state directory and files
> as well. We restore the old security labels once the swtpm has terminated.
>
> The file and process labels now look as follows:
>
> Directory: /var/lib/libvirt/swtpm
>
> [root@localhost swtpm]# ls -lZ
> total 4
> drwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm
>
> [root@localhost testvm]# ls -lZ
> total 8
> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall
>
> The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
>
> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log
>
> [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
> system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
>
> [root@localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
> system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 [..]
>
> Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
> ---
>  src/libvirt_private.syms        |   2 +
>  src/qemu/qemu_tpm.c             |  24 +++++-
>  src/security/security_driver.h  |   7 ++
>  src/security/security_manager.c |  36 +++++++++
>  src/security/security_manager.h |   6 ++
>  src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++
>  src/security/security_stack.c   |  40 ++++++++++
>  7 files changed, 278 insertions(+), 1 deletion(-)
>
> diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
> index 75b8932..2ce67e7 100644
> --- a/src/libvirt_private.syms
> +++ b/src/libvirt_private.syms
> @@ -1319,6 +1319,7 @@ virSecurityManagerRestoreImageLabel;
> virSecurityManagerRestoreInputLabel;
> virSecurityManagerRestoreMemoryLabel;
> virSecurityManagerRestoreSavedStateLabel;
> +virSecurityManagerRestoreTPMLabels;
> virSecurityManagerSetAllLabel;
> virSecurityManagerSetChardevLabel;
> virSecurityManagerSetChildProcessLabel;
> @@ -1333,6 +1334,7 @@ virSecurityManagerSetProcessLabel;
> virSecurityManagerSetSavedStateLabel;
> virSecurityManagerSetSocketLabel;
> virSecurityManagerSetTapFDLabel;
> +virSecurityManagerSetTPMLabels;
Shouldn't there be wrappers for
virSecurityManagerRestoreTPMLabels
virSecurityManagerSetTPMLabels
in src/qemu/qemu_security.h and possibly src/qemu/qemu_security.c?
> virSecurityManagerStackAddNested;
> virSecurityManagerTransactionAbort;
> virSecurityManagerTransactionCommit;
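Review bot: exporting virSecurityManagerSetTPMLabels here (and virSecurityManagerRestoreTPMLabels in the previous hunk) is not sufficient on its own, because code under src/qemu/ is required to call the security manager through qemuSecurity* wrappers rather than directly; the sc_prohibit_virSecurity syntax-check quoted later in this thread ("maint.mk: prefer qemuSecurity wrappers") fails on exactly the direct calls in qemu_tpm.c. Add matching wrappers in src/qemu/qemu_security.h and src/qemu/qemu_security.c in the same patch as these exports so that qemu_tpm.c never references the virSecurityManager* symbols directly.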
> diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
> index 024d24d..62f0146 100644
> --- a/src/qemu/qemu_tpm.c
> +++ b/src/qemu/qemu_tpm.c
make syntax-check error:

  0.03 prohibit_virConnectOpen_in_virsh
prohibit_virSecurity
../src/qemu/qemu_tpm.c:812:    if (virSecurityManagerSetTPMLabels(driver->securityManager,
../src/qemu/qemu_tpm.c:816:    if (virSecurityManagerSetChildProcessLabel(driver->securityManager,
../src/qemu/qemu_tpm.c:820:    if (virSecurityManagerPreFork(driver->securityManager) < 0)
../src/qemu/qemu_tpm.c:829:    virSecurityManagerPostFork(driver->securityManager);
../src/qemu/qemu_tpm.c:860:    virSecurityManagerRestoreTPMLabels(driver->securityManager, def);
../src/qemu/qemu_tpm.c:911:    virSecurityManagerRestoreTPMLabels(driver->securityManager, def);
maint.mk: prefer qemuSecurity wrappers
../cfg.mk:998: recipe for target 'sc_prohibit_virSecurity' failed
make: *** [sc_prohibit_virSecurity] Error 1
I wrapped this now in two functions:

int qemuSecurityStartTPMEmulator(virQEMUDriverPtr driver,
                                 virDomainDefPtr def,
                                 virCommandPtr cmd,
                                 uid_t uid,
                                 gid_t gid,
                                 int *exitstatus,
                                 int *cmdret);
void qemuSecurityCleanupTPMEmulator(virQEMUDriverPtr driver,
                                    virDomainDefPtr def);

I will repost a v5 later today.
Stefan
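The pairing the commit message describes (swtpm running as svirt_t with the same MCS category pair as the QEMU process, and its state and log files labelled svirt_image_t with that same pair) is what keeps one guest's vTPM state out of reach of another guest's QEMU, so it is worth checking on a host after the patch is applied. The following Python check is an added example, not part of the patch or of libvirt; it parses `ps auxZ` and `ls -lZ` lines of the shape quoted above (constructed samples are embedded so it runs offline) and reports any process or file whose label breaks the pairing.

```python
import re

# Constructed sample lines, shaped like the ps auxZ and ls -lZ output quoted in
# the thread; embedded so the check can run without a live host.
PS_LINES = [
    "system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon",
    "system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64",
]
LS_LINES = [
    "drwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm",
    "-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall",
    "-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log",
]

def parse_label(label):
    """Split user:role:type:level into (type, sensitivity, frozenset of MCS categories)."""
    _user, _role, stype, level = label.split(":", 3)
    sens, _, cats = level.partition(":")          # "s0:c254,c932" -> "s0", "c254,c932"
    return stype, sens, frozenset(cats.split(",")) if cats else frozenset()

def check_swtpm_confinement(ps_lines, ls_lines):
    """Return a list of findings; an empty list means swtpm shares QEMU's sVirt
    process label and every state/log file carries the matching svirt_image_t label."""
    findings, procs = [], {}
    for line in ps_lines:
        fields = line.split(None, 11)             # ps auxZ: LABEL USER PID ... TIME COMMAND
        label, pid, cmd = fields[0], fields[2], fields[11]
        name = "qemu" if "qemu-system" in cmd else "swtpm" if "swtpm" in cmd else None
        if name:
            procs[name] = (pid, parse_label(label))
    if "qemu" not in procs or "swtpm" not in procs:
        return ["qemu or swtpm process not found in ps output"]
    qpid, (qtype, qsens, qcats) = procs["qemu"]
    spid, (stype, ssens, scats) = procs["swtpm"]
    if qtype != "svirt_t" or not qcats:
        # Without a category pair the guest is not isolated from other guests at all.
        findings.append(f"qemu pid {qpid} is not a confined sVirt domain: {qtype} cats={sorted(qcats)}")
    if (stype, ssens, scats) != ("svirt_t", qsens, qcats):
        findings.append(f"swtpm pid {spid} label does not match qemu: {stype}:{ssens}:{','.join(sorted(scats))}")
    for line in ls_lines:
        fields = line.split(None, 9)              # ls -lZ: mode links user group label size mon day time name
        ftype, fsens, fcats = parse_label(fields[4])
        if (ftype, fsens, fcats) != ("svirt_image_t", qsens, qcats):
            findings.append(f"{fields[9]}: expected svirt_image_t:{qsens}:{','.join(sorted(qcats))}, got {fields[4]}")
    return findings

if __name__ == "__main__":
    for finding in check_swtpm_confinement(PS_LINES, LS_LINES) or ["OK: swtpm confined with QEMU's label"]:
        print(finding)
```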