For the SGX memory type, QEMU needs to open and talk to the
/dev/sgx_vepc and /dev/sgx_provision files. But we neither set nor
restore SELinux labels on these files when starting a guest.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/security/security_dac.c | 3 ---
src/security/security_manager.h | 4 ++++
src/security/security_selinux.c | 24 ++++++++++++++++++++++--
3 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 917fcf76a3..abfc07218e 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -47,9 +47,6 @@
VIR_LOG_INIT("security.security_dac");
#define SECURITY_DAC_NAME "dac"
-#define DEV_SEV "/dev/sev"
-#define DEV_SGX_VEPC "/dev/sgx_vepc"
-#define DEV_SGX_PROVISION "/dev/sgx_provision"
typedef struct _virSecurityDACData virSecurityDACData;
struct _virSecurityDACData {
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 60597ffc0a..4afdcc167b 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -23,6 +23,10 @@
#include "domain_conf.h"
#include "vircommand.h"
+#define DEV_SEV "/dev/sev"
+#define DEV_SGX_VEPC "/dev/sgx_vepc"
+#define DEV_SGX_PROVISION "/dev/sgx_provision"
+
typedef struct _virSecurityManager virSecurityManager;
typedef enum {
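Review bot: The three device-node macros are now visible to every file that includes security_manager.h, but nothing says what they are for or which drivers rely on them; a one-line comment above the group, e.g. `/* Host device nodes that the DAC and SELinux drivers (re)label for SEV and SGX guests */`, would record the contract the two drivers now share. Their names are also unprefixed (`DEV_SEV`, `DEV_SGX_VEPC`) in a header whose other identifiers carry a `virSecurity` prefix, so a matching `VIR_SECURITY_`-style prefix would read more consistently, though that is a style preference rather than a defect.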
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 93cc12407a..c4832e1bfc 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1577,10 +1577,21 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManager *mgr,
return -1;
break;
+ case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (!seclabel || !seclabel->relabel)
+ return 0;
+
+ if (virSecuritySELinuxSetFilecon(mgr, DEV_SGX_VEPC,
+ seclabel->imagelabel, true) < 0 ||
+ virSecuritySELinuxSetFilecon(mgr, DEV_SGX_PROVISION,
+ seclabel->imagelabel, true) < 0)
+ return -1;
+ break;
+
case VIR_DOMAIN_MEMORY_MODEL_NONE:
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
- case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
case VIR_DOMAIN_MEMORY_MODEL_LAST:
break;
}
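Review bot: /dev/sgx_vepc and /dev/sgx_provision are host-wide device nodes, yet the new SGX_EPC case labels both with the per-domain `seclabel->imagelabel`, so two SGX guests started concurrently with distinct MCS categories would contend for the label of the same file; whether the remember=true bookkeeping inside virSecuritySELinuxSetFilecon refuses the second domain with an "already in use" error or lets it overwrite the first guest's label cannot be seen from the hunk, and the commit message should state which it is. A short comment at the top of the case would also help the next reader, e.g. `/* QEMU opens both device nodes for an SGX guest; label them with the domain's image label so the QEMU process may access them. */`. The restore case in the second hunk (lines 61–79) mirrors this and carries the same sharing consideration. Both hunks sit inside functions whose bodies begin outside the hunk.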
@@ -1607,9 +1618,18 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManager *mgr,
ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, true);
break;
+ case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+ if (!seclabel || !seclabel->relabel)
+ return 0;
+
+ ret = virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_VEPC, true);
+ if (virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_PROVISION, true) < 0)
+ ret = -1;
+ break;
+
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
- case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
case VIR_DOMAIN_MEMORY_MODEL_NONE:
case VIR_DOMAIN_MEMORY_MODEL_LAST:
ret = 0;
--
2.38.2
On a Wednesday in 2023, Michal Privoznik wrote:
For SGX type of memory, QEMU needs to open and talk to
/dev/sgx_vepc and /dev/sgx_provision files. But we do not set nor
restore SELinux labels on these files when starting a guest.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/security/security_dac.c | 3 ---
src/security/security_manager.h | 4 ++++
src/security/security_selinux.c | 24 ++++++++++++++++++++++--
3 files changed, 26 insertions(+), 5 deletions(-)
Reviewed-by: Ján Tomko <jtomko(a)redhat.com>
Jano