[libvirt] [PATCH v8 09/18] security: Label the external swtpm with SELinux labels

Ján Tomko jtomko at redhat.com
Sat Jun 2 13:18:55 UTC 2018


On Thu, May 24, 2018 at 04:26:05PM -0400, Stefan Berger wrote:
>In this patch we label the swtpm process with SELinux labels. We give it the
>same label as the QEMU process has. We label its state directory and files
>as well. We restore the old security labels once the swtpm has terminated.
>
>The file and process labels now look as follows:
>
>Directory: /var/lib/libvirt/swtpm
>
>[root at localhost swtpm]# ls -lZ
>total 4
>rwx------. 2 tss  tss  system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm
>
>[root at localhost testvm]# ls -lZ
>total 8
>-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall
>
>The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
>
>-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log
>
>[root at localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
>system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0  0.0 28172  3892 ?        Ss   16:57   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
>
>[root at localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
>system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0  0.0 3096704 48500 ?    Sl   16:57   3:28 /bin/qemu-system-x86_64 [..]
>
>Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
>Reviewed-by: John Ferlan <jferlan at redhat.com>
>---
> src/libvirt_private.syms        |   2 +
> src/qemu/qemu_security.c        |  69 +++++++++++++++++
> src/qemu/qemu_security.h        |  11 +++
> src/qemu/qemu_tpm.c             |  12 ++-
> src/security/security_driver.h  |   7 ++
> src/security/security_manager.c |  36 +++++++++
> src/security/security_manager.h |   6 ++
> src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++
> src/security/security_stack.c   |  40 ++++++++++
> 9 files changed, 345 insertions(+), 2 deletions(-)
>
>diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
>index 92e84155d1..6377fb7947 100644
>--- a/src/security/security_selinux.c
>+++ b/src/security/security_selinux.c
>@@ -3048,6 +3048,167 @@ virSecuritySELinuxDomainSetPathLabel(virSecurityManagerPtr mgr,
>     return virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel);
> }
>
>+
>+/*
>+ * _virSecuritySELinuxSetFileLabels:
>+ *
>+ * @mgr: the virSecurityManager
>+ * @path: path to a directory or a file
>+ * @seclabel: the security label
>+ *
>+ * Set the file labels on the given path; if the path is a directory
>+ * we label all files found there, including the directory itself,
>+ * otherwise we just label the file.
>+ */
>+static int
>+_virSecuritySELinuxSetFileLabels(virSecurityManagerPtr mgr,

Please drop the leading _. We do not have a separate namespace for
static functions.

>+                                 const char *path,
>+                                 virSecurityLabelDefPtr seclabel)
>+{
>+    int ret = 0;
>+    struct dirent *ent;
>+    char *filename = NULL;
>+    DIR *dir;
>+
>+    if ((ret = virSecuritySELinuxSetFilecon(mgr, path, seclabel->imagelabel)))
>+        return ret;
>+
>+    if (!virFileIsDir(path))
>+        return 0;
>+
>+    if (virDirOpen(&dir, path) < 0)
>+        return -1;
>+
>+    while ((ret = virDirRead(dir, &ent, path)) > 0) {
>+        if (ent->d_type != DT_REG)
>+            continue;
>+
>+        if (virAsprintf(&filename, "%s/%s", path, ent->d_name) < 0) {
>+            ret = -1;
>+            break;
>+        }
>+        ret = virSecuritySELinuxSetFilecon(mgr, filename,
>+                                           seclabel->imagelabel);
>+        VIR_FREE(filename);
>+        if (ret < 0)
>+            break;
>+    }
>+    if (ret < 0)
>+        virReportSystemError(errno, _("Unable to label files under %s"),
>+                             path);
>+
>+    virDirClose(&dir);
>+
>+    return ret;
>+}
>+
>+
>+/*
>+ * _virSecuritySELinuxRestoreFileLabels:
>+ *
>+ * @mgr: the virSecurityManager
>+ * @path: path to a directory or a file
>+ *
>+ * Restore the file labels on the given path; if the path is a directory
>+ * we restore all file labels found there, including the label of the
>+ * directory itself, otherwise we just restore the label on the file.
>+ */
>+static int
>+_virSecuritySELinuxRestoreFileLabels(virSecurityManagerPtr mgr,

here too

>+                                     const char *path)
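Review bot: in _virSecuritySELinuxSetFileLabels the loop skips every entry whose d_type is not DT_REG, so on filesystems that return DT_UNKNOWN, and for any subdirectory such as the tpm1.2 state directory the quoted ps output shows under /var/lib/libvirt/swtpm/testvm, files are silently left with their old label; fall back to a stat() when d_type is DT_UNKNOWN, or document that the caller must pass the leaf state directory. Also, the single virReportSystemError(errno, _("Unable to label files under %s"), path) after the loop fires for every negative ret, including failures of virDirRead and virSecuritySELinuxSetFilecon, by which point errno is not guaranteed to describe the failure; report at the point of failure instead.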

Reviewed-by: Ján Tomko <jtomko at redhat.com>

Jano
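A check for the property the patch description establishes, namely that the swtpm process, the QEMU process and the TPM state files all carry the same sVirt type and MCS category pair; this is an added example, not part of the patch or of libvirt, and it parses lines shaped like the `ps auxZ` and `ls -lZ` output quoted above (the sample lines are constructed, and the stale file is made up to show a detection).

```python
import re

# Constructed sample lines shaped like the `ps auxZ` and `ls -lZ` output quoted in
# the patch description; the last ls line is a made-up stale file that still
# carries another guest's categories and must be flagged.
PS_LINES = [
    "system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon",
    "system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64",
]
LS_LINES = [
    "-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall",
    "-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log",
    "-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c12,c345 3648 Apr 5 16:46 stale.permall",
]
CONTEXT_RE = re.compile(r"^([^:\s]+):([^:\s]+):([^:\s]+):(s\d+)(?::(c\d+(?:,c\d+)*))?$")

def parse_context(ctx):
    """Split user:role:type:sensitivity[:categories]; categories become a frozenset."""
    m = CONTEXT_RE.match(ctx)
    if not m:
        raise ValueError("not an SELinux context: %r" % ctx)
    user, role, typ, sens, cats = m.groups()
    return {"user": user, "role": role, "type": typ, "sens": sens,
            "cats": frozenset(cats.split(",")) if cats else frozenset()}

def process_contexts(ps_lines):
    """Map argv[0] basename to its context; ps auxZ puts LABEL first, COMMAND 12th."""
    out = {}
    for fields in (line.split() for line in ps_lines):
        out[fields[11].rsplit("/", 1)[-1]] = parse_context(fields[0])
    return out

def file_contexts(ls_lines):
    """Map file name to its context; ls -lZ puts the context in the 5th column."""
    return {f[-1]: parse_context(f[4]) for f in (l.split() for l in ls_lines) if len(f) >= 10}

def check_vtpm_isolation(ps_lines, ls_lines):
    """Return findings; empty means swtpm, qemu and the TPM state share one label."""
    procs = process_contexts(ps_lines)
    qemu = next(c for name, c in procs.items() if name.startswith("qemu-system"))
    findings = []
    if not qemu["cats"]:  # no MCS pair means every guest could read every state file
        findings.append("qemu runs without MCS categories")
    swtpm = procs.get("swtpm")
    if swtpm is None or (swtpm["type"], swtpm["cats"]) != (qemu["type"], qemu["cats"]):
        findings.append("swtpm process label does not match qemu")
    for name, ctx in file_contexts(ls_lines).items():
        if ctx["type"] != "svirt_image_t" or ctx["cats"] != qemu["cats"]:
            findings.append("%s: %s:%s does not match guest" % (name, ctx["type"], ",".join(sorted(ctx["cats"]))))
    return findings
```

On a live host the same functions can be fed the real `ps auxZ` and `ls -lZ` output of the state directory and the log directory after the domain has started, and again after it has stopped to confirm the restore step put the old labels back.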