Re: [PATCH v6 12/13] security: Always forget labels for TPM state directory
On Mon, Sep 02, 2024 at 04:55:30PM GMT, Peter Krempa wrote:
I wanted to first complain that it's missing the 'dac'
driver counter
part, but weirdly enough the 'dac' security driver is completely missing
the impl for:
domainSetSecurityTPMLabels and domainRestoreSecurityTPMLabels
Do we assume that the paths for the TPM emulator have always the correct
owner?
I guess so? I noticed this as well and wanted to look into addressing
this gap, but I was starting to seriously run out of steam by that
point so I decided to leave it alone for now. It doesn't seem to get
in the way in practice.
This function has pre-existing very questionable logic in handling
failure:
[...]
Obviously this is for a different patch, but since you seem to be keen
on fixing labelling for TPMs ...
It would be nice to fix this. Just like the above though, it's a
pre-existing issue so it should be okay to address it with a
follow-up series and avoid it holding up this feature further.
In the meantime, I've posted [v7] which should hopefully take care of
all your other concerns.
[v7]
https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/CX...
--
Andrea Bolognani / Red Hat / Virtualization