For the case where -fw_cfg uses a file, we need to set the
seclabels on it to allow QEMU to access it. While QEMU allows
writing into the file (if specified on the command line), so far
we are enabling reading only, and thus we can use a read-only label
(in the case of SELinux).
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/security/security_dac.c | 50 +++++++++++++++++++++++++++++++++
src/security/security_selinux.c | 50 +++++++++++++++++++++++++++++++++
src/security/virt-aa-helper.c | 12 ++++++++
3 files changed, 112 insertions(+)
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 7b95a6f86d..7e65b78fbe 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1916,6 +1916,24 @@ virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr
G_GNUC_UNUSED,
}
+static int
+virSecurityDACRestoreSysinfoLabel(virSecurityManagerPtr mgr,
+ virSysinfoDefPtr def)
+{
+ size_t i;
+
+ for (i = 0; i < def->nfw_cfgs; i++) {
+ virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
+
+ if (f->file &&
+ virSecurityDACRestoreFileLabel(mgr, f->file) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+
static int
virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
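Review bot: virSecurityDACRestoreSysinfoLabel returns -1 on the first file whose restore fails, so the remaining fw_cfg files of that sysinfo block are never restored and keep the ownership that was given to QEMU. The caller added in the next hunk only records `rc = -1` and carries on, which suggests restore is meant to be best-effort. I would do the same inside the helper: declare `int ret = 0;`, replace `return -1;` with `ret = -1;`, and finish with `return ret;`. The same early return is in virSecuritySELinuxRestoreSysinfoLabel in security_selinux.c.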
@@ -1991,6 +2009,12 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
rc = -1;
}
+ for (i = 0; i < def->nsysinfo; i++) {
+ if (virSecurityDACRestoreSysinfoLabel(mgr,
+ def->sysinfo[i]) < 0)
+ rc = -1;
+ }
+
if (def->os.loader && def->os.loader->nvram &&
virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
rc = -1;
@@ -2094,6 +2118,27 @@ virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr,
}
+static int
+virSecurityDACSetSysinfoLabel(virSecurityManagerPtr mgr,
+ uid_t user,
+ gid_t group,
+ virSysinfoDefPtr def)
+{
+ size_t i;
+
+ for (i = 0; i < def->nfw_cfgs; i++) {
+ virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
+
+ if (f->file &&
+ virSecurityDACSetOwnership(mgr, NULL, f->file,
+ user, group, true) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+
static int
virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
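Review bot: virSecurityDACSetSysinfoLabel has no comment saying why the file is handed over to the QEMU user when the commit message only intends read access. DAC has no read-only label, so after the `virSecurityDACSetOwnership()` call the QEMU user owns each fw_cfg file, which is broader than what the SELinux driver grants. A short comment above the function would record that, e.g. `/* DAC cannot express read-only access; the QEMU user becomes owner of each fw_cfg file */`. The final `true` argument presumably asks for the original owner to be remembered for the restore path; that is worth confirming and stating in the same comment.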
@@ -2173,6 +2218,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
return -1;
+ for (i = 0; i < def->nsysinfo; i++) {
+ if (virSecurityDACSetSysinfoLabel(mgr, user, group, def->sysinfo[i]) < 0)
+ return -1;
+ }
+
if (def->os.loader && def->os.loader->nvram &&
virSecurityDACSetOwnership(mgr, NULL,
def->os.loader->nvram,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 7bb7c2b7b1..e6819af26c 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2720,6 +2720,24 @@ virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int
virtType)
}
+static int
+virSecuritySELinuxRestoreSysinfoLabel(virSecurityManagerPtr mgr,
+ virSysinfoDefPtr def)
+{
+ size_t i;
+
+ for (i = 0; i < def->nfw_cfgs; i++) {
+ virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
+
+ if (f->file &&
+ virSecuritySELinuxRestoreFileLabel(mgr, f->file, true) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+
static int
virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
@@ -2786,6 +2804,11 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
mgr) < 0)
rc = -1;
+ for (i = 0; i < def->nsysinfo; i++) {
+ if (virSecuritySELinuxRestoreSysinfoLabel(mgr, def->sysinfo[i]) < 0)
+ rc = -1;
+ }
+
if (def->os.loader && def->os.loader->nvram &&
virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, true) <
0)
rc = -1;
@@ -3123,6 +3146,26 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr
def,
}
+static int
+virSecuritySELinuxSetSysinfoLabel(virSecurityManagerPtr mgr,
+ virSysinfoDefPtr def,
+ virSecuritySELinuxDataPtr data)
+{
+ size_t i;
+
+ for (i = 0; i < def->nfw_cfgs; i++) {
+ virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i];
+
+ if (f->file &&
+ virSecuritySELinuxSetFilecon(mgr, f->file,
+ data->content_context, true) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+
static int
virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
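Review bot: `data->content_context` in virSecuritySELinuxSetSysinfoLabel is, as far as I can tell, the read-only content label shared by all domains rather than a per-domain one, so a fw_cfg file labelled this way is presumably readable by every confined QEMU process on the host. That matches the read-only intent in the commit message, but fw_cfg files can carry guest-specific provisioning data, so the choice deserves a comment such as `/* read-only shared content label; not isolated between domains */`. Whether a per-domain label is needed for confidentiality is a design question for the series and cannot be settled from this hunk alone.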
@@ -3194,6 +3237,13 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
mgr) < 0)
return -1;
+ for (i = 0; i < def->nsysinfo; i++) {
+ if (virSecuritySELinuxSetSysinfoLabel(mgr,
+ def->sysinfo[i],
+ data) < 0)
+ return -1;
+ }
+
/* This is different than kernel or initrd. The nvram store
* is really a disk, qemu can read and write to it. */
if (def->os.loader && def->os.loader->nvram &&
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 6e6dd1b1db..34c281100e 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1175,6 +1175,18 @@ get_files(vahControl * ctl)
}
}
+ for (i = 0; i < ctl->def->nsysinfo; i++) {
+ size_t j;
+
+ for (j = 0; j < ctl->def->sysinfo[i]->nfw_cfgs; j++) {
+ virSysinfoFWCfgDefPtr f = &ctl->def->sysinfo[i]->fw_cfgs[j];
+
+ if (f->file &&
+ vah_add_file(&buf, f->file, "r") != 0)
+ goto cleanup;
+ }
+ }
+
for (i = 0; i < ctl->def->nshmems; i++) {
virDomainShmemDef *shmem = ctl->def->shmems[i];
/* explicit server paths can be on any model to overwrites defaults.
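Review bot: The new loop in get_files() carries no comment explaining the `"r"` permission, while the shmem block right after it is commented. The SELinux driver in this commit also uses a read-only label, so a one-line comment would keep the drivers in step if write support is added later, e.g. `/* fw_cfg files are only read by QEMU; keep in sync with the other security drivers */`. get_files() starts and ends outside this hunk, so I cannot see whether `size_t j` would fit better next to the declaration of `i`.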
--
2.26.2