[libvirt] [PATCH v8 09/18] security: Label the external swtpm with SELinux labels
Ján Tomko
jtomko at redhat.com
Sat Jun 2 13:18:55 UTC 2018
On Thu, May 24, 2018 at 04:26:05PM -0400, Stefan Berger wrote:
>In this patch we label the swtpm process with SELinux labels. We give it the
>same label as the QEMU process has. We label its state directory and files
>as well. We restore the old security labels once the swtpm has terminated.
>
>The file and process labels now look as follows:
>
>Directory: /var/lib/libvirt/swtpm
>
>[root at localhost swtpm]# ls -lZ
>total 4
>rwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm
>
>[root at localhost testvm]# ls -lZ
>total 8
>-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall
>
>The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
>
>-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log
>
>[root at localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
>system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
>
>[root at localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
>system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 [..]
>
>Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
>Reviewed-by: John Ferlan <jferlan at redhat.com>
>---
> src/libvirt_private.syms | 2 +
> src/qemu/qemu_security.c | 69 +++++++++++++++++
> src/qemu/qemu_security.h | 11 +++
> src/qemu/qemu_tpm.c | 12 ++-
> src/security/security_driver.h | 7 ++
> src/security/security_manager.c | 36 +++++++++
> src/security/security_manager.h | 6 ++
> src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++
> src/security/security_stack.c | 40 ++++++++++
> 9 files changed, 345 insertions(+), 2 deletions(-)
>
>diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
>index 92e84155d1..6377fb7947 100644
>--- a/src/security/security_selinux.c
>+++ b/src/security/security_selinux.c
>@@ -3048,6 +3048,167 @@ virSecuritySELinuxDomainSetPathLabel(virSecurityManagerPtr mgr,
> return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel);
> }
>
>+
>+/*
>+ * _virSecuritySELinuxSetFileLabels:
>+ *
>+ * @mgr: the virSecurityManager
>+ * @path: path to a directory or a file
>+ * @seclabel: the security label
>+ *
>+ * Set the file labels on the given path; if the path is a directory
>+ * we label all files found there, including the directory itself,
>+ * otherwise we just label the file.
>+ */
>+static int
>+_virSecuritySELinuxSetFileLabels(virSecurityManagerPtr mgr,
Please drop the leading _. We do not have a separate namespace for
static functions.
>+ const char *path,
>+ virSecurityLabelDefPtr seclabel)
>+{
>+ int ret = 0;
>+ struct dirent *ent;
>+ char *filename = NULL;
>+ DIR *dir;
>+
>+ if ((ret = virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel)))
>+ return ret;
>+
>+ if (!virFileIsDir(path))
>+ return 0;
>+
>+ if (virDirOpen(&dir, path) < 0)
>+ return -1;
>+
>+ while ((ret = virDirRead(dir, &ent, path)) > 0) {
>+ if (ent->d_type != DT_REG)
>+ continue;
>+
>+ if (virAsprintf(&filename, "%s/%s", path, ent->d_name) < 0) {
>+ ret = -1;
>+ break;
>+ }
>+ ret = virSecuritySELinuxSetFilecon(mgr, filename,
>+ seclabel->imagelabel);
>+ VIR_FREE(filename);
>+ if (ret < 0)
>+ break;
>+ }
>+ if (ret < 0)
>+ virReportSystemError(errno, _("Unable to label files under %s"),
>+ path);
>+
>+ virDirClose(&dir);
>+
>+ return ret;
>+}
>+
>+
>+/*
>+ * _virSecuritySELinuxRestoreFileLabels:
>+ *
>+ * @mgr: the virSecurityManager
>+ * @path: path to a directory or a file
>+ *
>+ * Restore the file labels on the given path; if the path is a directory
>+ * we restore all file labels found there, including the label of the
>+ * directory itself, otherwise we just restore the label on the file.
>+ */
>+static int
>+_virSecuritySELinuxRestoreFileLabels(virSecurityManagerPtr mgr,
here too
>+ const char *path)
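Review bot: The error report after the loop in _virSecuritySELinuxSetFileLabels, `if (ret < 0) virReportSystemError(errno, _("Unable to label files under %s"), path);`, duplicates errors that every failure path already reports itself: virSecuritySELinuxSetFilecon, virAsprintf (OOM) and virDirRead all report before returning -1, so this second call replaces the specific message with a generic one built from an errno that may no longer belong to the operation that failed. Suggest dropping it. A second point in the same loop: the `if (ent->d_type != DT_REG) continue;` filter silently skips every entry on filesystems that return DT_UNKNOWN, so the TPM state files would stay unlabeled without any error; treat DT_UNKNOWN as a candidate and stat() the full path, or simply call virSecuritySELinuxSetFilecon on every entry that is not a directory. Finally, the walk is one level deep, so if the caller passes the VM's state directory while the state actually lives in a subdirectory (the commit message shows `--tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2`), those files are not covered; either recurse or document in the function comment that the caller must pass the leaf directory.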
Reviewed-by: Ján Tomko <jtomko at redhat.com>
Jano