[libvirt] [PATCH 2/4] security: add security part for shmem device

Sun Aug 2 11:27:59 UTC 2015

On 07/30/2015 05:54 PM, Daniel P. Berrange wrote:
> On Thu, Jul 23, 2015 at 06:13:47PM +0800, Luyao Huang wrote:
>> A new api to help set/restore the shmem deivce dac/selinux label.
> s/deivce/device/

Thanks, i will fix in next version

>
>> Signed-off-by: Luyao Huang <lhuang at redhat.com>
>> ---
>>   src/libvirt_private.syms        |  2 ++
>>   src/security/security_dac.c     | 67 +++++++++++++++++++++++++++++++++++++++
>>   src/security/security_driver.h  | 11 +++++++
>>   src/security/security_manager.c | 38 ++++++++++++++++++++++
>>   src/security/security_manager.h |  8 +++++
>>   src/security/security_selinux.c | 70 +++++++++++++++++++++++++++++++++++++++++
>>   src/security/security_stack.c   | 41 ++++++++++++++++++++++++
>>   7 files changed, 237 insertions(+)
> Also need to add to the security_nop.c impl

Okay, i must missed this file at that time :)

>> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
>> index deb6980..f954aa5 100644
>> --- a/src/security/security_dac.c
>> +++ b/src/security/security_dac.c
>> @@ -39,6 +39,7 @@
>>   #include "virstoragefile.h"
>>   #include "virstring.h"
>>   #include "virutil.h"
>> +#include "virshm.h"
>>   
>>   #define VIR_FROM_THIS VIR_FROM_SECURITY
>>   
>> @@ -922,6 +923,69 @@ virSecurityDACRestoreSecurityTPMFileLabel(virSecurityManagerPtr mgr,
>>   
>>   
>>   static int
>> +virSecurityDACSetShmemLabel(virSecurityManagerPtr mgr,
>> +                            virDomainDefPtr def,
>> +                            virDomainShmemDefPtr shmem,
>> +                            char *path)
>> +{
>> +    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
>> +    virSecurityLabelDefPtr seclabel;
>> +    virSecurityDeviceLabelDefPtr shmem_seclabel = NULL;
>> +    char *tmppath;
>> +    uid_t user;
>> +    gid_t group;
>> +
>> +    if (shmem->server.enabled)
>> +        tmppath = shmem->server.chr.data.nix.path;
>> +    else
>> +        tmppath = path;
> Even when the server is enabled, QEMU still needs access to the path
> doesn't it.
...
>> +    if (shmem->server.enabled)
>> +        return virSecurityDACRestoreChardevLabel(mgr, def, NULL, &shmem->server.chr);
> We need to restore path, even when server is enabled
...
> Same comment as earlier
>
...
> +
> +    if (shmem->server.enabled)
> +        tmppath = shmem->server.chr.data.nix.path;
> +    else
> +        tmppath = path;
> And again

Hmm...these $path are the shm path, if the shmem device is server 
enabled, the used shm is created by ivshmem-server, which will depends 
on ivshmem-server's label. And qemu process will connect to the socket 
created by ivshmem-server, so change the label for shm created by 
ivshmem-sever is useless (also we don't know the shm name created by 
ivshmem-server).

However, never mind, i will do a refactor and remove the variable $path 
here to make this function easy to put in 
virSecuritySELinuxSetSecurityAllLabel and 
virSecuritySELinuxSetSecurityAllLabel, since i noticed another reply 
from you for this patch.

>
>   > +
>> +    if (!tmppath)
>> +        return 0;
>> +
>> +    if (shmem_seclabel && shmem_seclabel->label)
>> +        return virSecuritySELinuxSetFilecon(tmppath, shmem_seclabel->label);
>> +    else
>> +        return virSecuritySELinuxSetFilecon(tmppath, data->file_context);
>> +}
>> +
>> +
>> +static int
>>   virSecuritySELinuxSetSecurityAllLabel(virSecurityManagerPtr mgr,
>>                                         virDomainDefPtr def,
>>                                         const char *stdin_path)
> Regards,
> Daniel

Thanks a lot for your review and help.

Luyao