We are currently unable to label parent directories for some paths.
However, we will need to have per-domain directories that we would like
to have labelled, but we can't label all of them. So let's add a
boolean variable that determines whether the parent directory of such
a chardev should be labelled as well as the character device itself.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
src/conf/domain_conf.h | 1 +
src/security/security_dac.c | 13 ++++++++++++-
src/security/security_selinux.c | 13 ++++++++++++-
3 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index e1872bca002c..9d549a395e29 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1191,6 +1191,7 @@ struct _virDomainChrSourceDef {
} udp;
struct {
char *path;
+ bool autopath;
bool listen;
} nix;
int spicevmc;
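Review bot: The new `autopath` field carries no comment, yet the security drivers act on it by labelling a second filesystem object (the directory containing `path`), which the name alone does not convey. I would document it where it is declared, e.g. `/* also label the directory containing path; per the commit message, meant only for per-domain directories */`, so the next caller setting it knows it widens what gets relabelled. The enclosing struct _virDomainChrSourceDef starts outside the hunk.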
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index ea34d40fac51..28e9f0091e74 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -29,6 +29,7 @@
#endif
#include "security_dac.h"
+#include "dirname.h"
#include "virerror.h"
#include "virfile.h"
#include "viralloc.h"
@@ -744,7 +745,7 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
virSecurityLabelDefPtr seclabel;
virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
- char *in = NULL, *out = NULL;
+ char *in = NULL, *out = NULL, *dir = NULL;
int ret = -1;
uid_t user;
gid_t group;
@@ -795,6 +796,15 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
user, group) < 0)
goto done;
}
+ if (dev_source->data.nix.autopath) {
+ if (!(dir = mdir_name(dev_source->data.nix.path))) {
+ virReportOOMError();
+ goto done;
+ }
+
+ if (virSecurityDACSetOwnership(dir, user, group) < 0)
+ goto done;
+ }
ret = 0;
break;
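Review bot: The new `autopath` branch chowns the directory returned by `mdir_name()`, but nothing in this patch undoes that; the existing `in`/`out` handling in this function looks like it is paired with a restore routine, and if so that routine should mirror the new branch, otherwise the directory keeps the guest's uid/gid after the domain is gone (the SELinux hunk in `virSecuritySELinuxSetSecurityChardevLabel` has the same gap). The ownership change is applied to whatever directory the socket path lives in, so the branch is only safe when the flag is set for a directory libvirt created for this domain; I would state that precondition at the branch, `/* autopath must only be set for per-domain dirs created by libvirt: this chowns the whole parent */`, so it is not later set on a shared path. virSecurityDACSetChardevLabel starts and ends outside the hunk.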
@@ -813,6 +823,7 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
}
done:
+ VIR_FREE(dir);
VIR_FREE(in);
VIR_FREE(out);
return ret;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 7000701d0447..9f5ec05b59fb 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -33,6 +33,7 @@
#include "security_driver.h"
#include "security_selinux.h"
+#include "dirname.h"
#include "virerror.h"
#include "viralloc.h"
#include "virlog.h"
@@ -1712,7 +1713,7 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
virSecurityLabelDefPtr seclabel;
virSecurityDeviceLabelDefPtr chr_seclabel = NULL;
char *imagelabel = NULL;
- char *in = NULL, *out = NULL;
+ char *in = NULL, *out = NULL, *dir = NULL;
int ret = -1;
seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
@@ -1744,6 +1745,15 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
imagelabel) < 0)
goto done;
}
+ if (dev_source->data.nix.autopath) {
+ if (!(dir = mdir_name(dev_source->data.nix.path))) {
+ virReportOOMError();
+ goto done;
+ }
+
+ if (virSecuritySELinuxSetFilecon(dir, imagelabel) < 0)
+ goto done;
+ }
ret = 0;
break;
@@ -1769,6 +1779,7 @@ virSecuritySELinuxSetSecurityChardevLabel(virDomainDefPtr def,
}
done:
+ VIR_FREE(dir);
VIR_FREE(in);
VIR_FREE(out);
return ret;
--
2.5.0