[libvirt] [PATCH 2/2] qemu: fix security labeling for attach/detach of char devices

Friday, 1 December 2017

Commit e93d844b90 was not enough to fix the permission denied
issue.  We need to apply security labels as well.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1465833

Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com&gt;
---
 src/qemu/qemu_hotplug.c  | 10 ++++++++
 src/qemu/qemu_security.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++
 src/qemu/qemu_security.h |  8 +++++++
 3 files changed, 78 insertions(+)

diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index cbc7af59b7..6ef28bf051 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1815,6 +1815,7 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
     bool chardevAttached = false;
     bool teardowncgroup = false;
     bool teardowndevice = false;
+    bool teardownlabel = false;
     char *tlsAlias = NULL;
     char *secAlias = NULL;
     bool need_release = false;
@@ -1835,6 +1836,10 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
         goto cleanup;
     teardowndevice = true;
 
+    if (qemuSecuritySetChardevLabel(driver, vm, chr) < 0)
+        goto cleanup;
+    teardownlabel = true;
+
     if (qemuSetupChardevCgroup(vm, chr) < 0)
         goto cleanup;
     teardowncgroup = true;
@@ -1877,6 +1882,8 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
             qemuDomainReleaseDeviceAddress(vm, &chr->info, NULL);
         if (teardowncgroup && qemuTeardownChardevCgroup(vm, chr) < 0)
             VIR_WARN("Unable to remove chr device cgroup ACL on hotplug
fail");
+        if (teardownlabel && qemuSecurityRestoreChardevLabel(driver, vm, chr)
< 0)
+            VIR_WARN("Unable to restore security label on char device");
         if (teardowndevice && qemuDomainNamespaceTeardownChardev(driver, vm, chr)
< 0)
             VIR_WARN("Unable to remove chr device from /dev");
     }
@@ -4154,6 +4161,9 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
     if (qemuTeardownChardevCgroup(vm, chr) < 0)
         VIR_WARN("Failed to remove chr device cgroup ACL");
 
+    if (qemuSecurityRestoreChardevLabel(driver, vm, chr) < 0)
+        VIR_WARN("Unable to restore security label on char device");
+
     if (qemuDomainNamespaceTeardownChardev(driver, vm, chr) < 0)
         VIR_WARN("Unable to remove chr device from /dev");
 
diff --git a/src/qemu/qemu_security.c b/src/qemu/qemu_security.c
index e7d2bbd5a3..2aced22d2d 100644
--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@@ -364,3 +364,63 @@ qemuSecurityRestoreInputLabel(virDomainObjPtr vm,
     virSecurityManagerTransactionAbort(driver->securityManager);
     return ret;
 }
+
+
+int
+qemuSecuritySetChardevLabel(virQEMUDriverPtr driver,
+                            virDomainObjPtr vm,
+                            virDomainChrDefPtr chr)
+{
+    int ret = -1;
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionStart(driver->securityManager) < 0)
+        goto cleanup;
+
+    if (virSecurityManagerSetChardevLabel(driver->securityManager,
+                                          vm->def,
+                                          chr->source,
+                                          priv->chardevStdioLogd) < 0)
+        goto cleanup;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionCommit(driver->securityManager,
+                                            vm->pid) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    virSecurityManagerTransactionAbort(driver->securityManager);
+    return ret;
+}
+
+
+int
+qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver,
+                                virDomainObjPtr vm,
+                                virDomainChrDefPtr chr)
+{
+    int ret = -1;
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionStart(driver->securityManager) < 0)
+        goto cleanup;
+
+    if (virSecurityManagerRestoreChardevLabel(driver->securityManager,
+                                              vm->def,
+                                              chr->source,
+                                              priv->chardevStdioLogd) < 0)
+        goto cleanup;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionCommit(driver->securityManager,
+                                            vm->pid) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    virSecurityManagerTransactionAbort(driver->securityManager);
+    return ret;
+}
diff --git a/src/qemu/qemu_security.h b/src/qemu/qemu_security.h
index 76d63f06ec..d54ce6fead 100644
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@@ -76,6 +76,14 @@ int qemuSecuritySetInputLabel(virDomainObjPtr vm,
 int qemuSecurityRestoreInputLabel(virDomainObjPtr vm,
                                   virDomainInputDefPtr input);
 
+int qemuSecuritySetChardevLabel(virQEMUDriverPtr driver,
+                                virDomainObjPtr vm,
+                                virDomainChrDefPtr chr);
+
+int qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver,
+                                    virDomainObjPtr vm,
+                                    virDomainChrDefPtr chr);
+
 /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
  * new APIs here. If an API can touch a /dev file add a proper wrapper instead.
  */
-- 
2.14.3


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[libvirt] [PATCH 2/2] qemu: fix security labeling for attach/detach of char devices