[libvirt] [PATCH v3 06/14] security: Add DAC and SELinux security for tpm-emulator
John Ferlan
jferlan at redhat.com
Tue May 8 20:01:17 UTC 2018
On 05/04/2018 04:21 PM, Stefan Berger wrote:
> Extend the DAC and SELinux modules with support for the
> tpm-emulator.
>
> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
> ---
> src/security/security_dac.c | 4 ++++
> src/security/security_selinux.c | 5 +++++
> 2 files changed, 9 insertions(+)
>
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index 5efbc27..351f6f4 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -1373,6 +1373,10 @@ virSecurityDACSetTPMFileLabel(virSecurityManagerPtr mgr,
> false);
> break;
> case VIR_DOMAIN_TPM_TYPE_EMULATOR:
> + ret = virSecurityDACSetChardevLabel(mgr, def,
> + &tpm->data.emulator.source,
> + false);
> + break;
> case VIR_DOMAIN_TPM_TYPE_LAST:
> break;
> }
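Review bot: The commit message does not say what is being labelled in the new VIR_DOMAIN_TPM_TYPE_EMULATOR case of virSecurityDACSetTPMFileLabel. The call covers only `tpm->data.emulator.source`, and the diffstat shows four insertions in this file, all in the Set path. Please state in the commit message that it is the emulator's chardev source that receives the DAC label, and whether undoing that label at domain teardown is handled elsewhere or intentionally skipped.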
virSecurityDACRestoreTPMFileLabel doesn't need to be changed? e.g.:
    ret = virSecurityDACRestoreChardevLabel(mgr, def,
                                            &tpm->data.emulator.source,
                                            false);
> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
> index f5ba877..17bc07a 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -1473,6 +1473,11 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
> }
> break;
> case VIR_DOMAIN_TPM_TYPE_EMULATOR:
> + tpmdev = tpm->data.emulator.source.data.nix.path;
> + rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel);
> + if (rc < 0)
> + return -1;
> + break;
> case VIR_DOMAIN_TPM_TYPE_LAST:
> break;
> }
>
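Review bot: In the VIR_DOMAIN_TPM_TYPE_EMULATOR case of virSecuritySELinuxSetTPMFileLabel, `tpm->data.emulator.source.data.nix.path` is read with no visible check that the source is a UNIX-socket chardev or that the path is set, whereas the DAC hunk passes the whole `source` to a chardev helper. Consider verifying the source type before dereferencing `data.nix`, or routing this through a chardev-level labelling call so both drivers treat the source the same way. If the emulator source is guaranteed to be a UNIX socket by the time this runs, a short comment saying so would help.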
Similarly for virSecuritySELinuxRestoreTPMFileLabelInt:
    tpmdev = tpm->data.emulator.source.data.nix.path;
    rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev);
?
With the adjustments or at least an explanation in the commit message
why they cannot be Restored,
Reviewed-by: John Ferlan <jferlan at redhat.com>
John