[libvirt] [PATCH v5 09/11] security: Label the external swtpm with SELinux labels
Stefan Berger
stefanb at linux.vnet.ibm.com
Tue May 22 00:47:22 UTC 2018
On 05/21/2018 06:33 PM, John Ferlan wrote:
>
> On 05/15/2018 08:26 PM, Stefan Berger wrote:
>> In this patch we label the swtpm process with SELinux labels. We give it the
>> same label as the QEMU process has. We label its state directory and files
>> as well. We restore the old security labels once the swtpm has terminated.
>>
>> The file and process labels now look as follows:
>>
>> Directory: /var/lib/libvirt/swtpm
>>
>> [root at localhost swtpm]# ls -lZ
>> total 4
>> rwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm
>>
>> [root at localhost testvm]# ls -lZ
>> total 8
>> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall
>>
>> The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
>>
>> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log
>>
>> [root at localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
>> system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
>>
>> [root at localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
>> system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64 [..]
>>
>> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
>> ---
>> src/libvirt_private.syms | 2 +
>> src/qemu/qemu_security.c | 69 +++++++++++++++++
>> src/qemu/qemu_security.h | 11 +++
>> src/qemu/qemu_tpm.c | 12 ++-
>> src/security/security_driver.h | 7 ++
>> src/security/security_manager.c | 36 +++++++++
>> src/security/security_manager.h | 6 ++
>> src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++
>> src/security/security_stack.c | 40 ++++++++++
>> 9 files changed, 345 insertions(+), 2 deletions(-)
>>
> Reviewed-by: John Ferlan <jferlan at redhat.com>
Thanks.
This patch here obviously solves the issue for SELinux. I have in the
meantime worked on an Ubuntu system with AppArmor and would follow up
with AppArmor related patches. The issue is, if AppArmor is active, the
swtpm will not start at this point. This additional patch set will fix
this then. The problem is primarily related to the call to
virSecurityManagerSetChildProcessLabel(), which does what we/I want for
the swtpm process under SELinux but is not suitable for the swtpm
process under AppArmor. There it would apply an AppArmor profile for
QEMU to the swtpm process, which is probably not what we want. With the
paths to log file, PID file etc. accepted, we can extend the libvirtd
AppArmor profile with a swtpm subprofile to switch to from the libvirt
profile during the execve().
Stefan
>
> John
>
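The patch description above shows the intended end state: the swtpm state directory, its files and its log carry `svirt_image_t` with the VM's MCS category pair, and the swtpm process runs as `svirt_t` with the same pair as QEMU. The following is an added verification script, not part of the patch or of libvirt; it parses `ls -lZ` and `ps auxZ` style output (constructed sample lines modelled on the listings in the commit message) and reports any file or process whose type or MCS categories break that pairing. Function names and the sample lines are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output, modelled on the `ls -lZ` / `ps auxZ` listings in
# the patch description. Assumed for this example, not captured from a host.
SAMPLE_FILES = [
    "drwx------. 2 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr 5 16:46 testvm",
    "-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr 5 16:46 tpm-00.permall",
    "-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr 5 16:46 vtpm.log",
]
SAMPLE_PROCS = [
    "system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0 0.0 28172 3892 ? Ss 16:57 0:00 /usr/bin/swtpm socket --daemon",
    "system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0 0.0 3096704 48500 ? Sl 16:57 3:28 /bin/qemu-system-x86_64",
]

# user:role:type:sensitivity[:categories]; categories may be "c1,c2" or ranges "c1.c5"
CONTEXT_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):(?P<level>s\d+(?::c[c\d,.]+)?)$"
)


def expand_categories(cats: str) -> frozenset:
    """Expand an MCS category string such as 'c254,c932' or 'c10.c12' into a set."""
    out = set()
    for item in cats.split(","):
        if "." in item:  # range notation cN.cM
            lo, hi = item.split(".")
            out.update(f"c{i}" for i in range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            out.add(item)
    return frozenset(out)


def parse_context(ctx: str) -> Dict[str, object]:
    """Split an SELinux context into its fields plus an expanded category set."""
    m = CONTEXT_RE.match(ctx)
    if not m:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    d: Dict[str, object] = dict(m.groupdict())
    sens, _, cats = str(d["level"]).partition(":")
    d["sensitivity"] = sens
    d["categories"] = expand_categories(cats) if cats else frozenset()
    return d


def parse_ls_line(line: str) -> Tuple[str, Dict[str, object]]:
    """`ls -lZ`: mode links owner group context size month day time name."""
    parts = line.split(None, 9)
    return parts[9], parse_context(parts[4])


def parse_ps_line(line: str) -> Tuple[str, Dict[str, object]]:
    """`ps auxZ`: label user pid %cpu %mem vsz rss tty stat start time command."""
    parts = line.split(None, 11)
    return parts[11], parse_context(parts[0])


def check_vtpm_labels(file_lines: List[str], proc_lines: List[str],
                      file_type: str = "svirt_image_t",
                      proc_type: str = "svirt_t") -> List[str]:
    """Return a list of label problems; an empty list means the sVirt pairing holds."""
    problems: List[str] = []
    cat_sets = {}  # name -> category set, used to confirm every object shares one pair
    for line in file_lines:
        name, ctx = parse_ls_line(line)
        if ctx["type"] != file_type:
            problems.append(f"file {name}: type {ctx['type']} != {file_type}")
        cat_sets[name] = ctx["categories"]
    for line in proc_lines:
        cmd, ctx = parse_ps_line(line)
        if ctx["type"] != proc_type:
            problems.append(f"process {cmd}: type {ctx['type']} != {proc_type}")
        cat_sets[cmd] = ctx["categories"]
    distinct = set(cat_sets.values())
    if len(distinct) > 1:
        problems.append("MCS categories differ across objects: "
                        + ", ".join(f"{k} -> {sorted(v)}" for k, v in cat_sets.items()))
    elif distinct and not next(iter(distinct)):
        problems.append("no MCS categories: labels are not VM-specific")
    return problems


if __name__ == "__main__":
    for p in check_vtpm_labels(SAMPLE_FILES, SAMPLE_PROCS) or ["labels consistent"]:
        print(p)
```

On a live host the same check runs by feeding it `ls -lZ /var/lib/libvirt/swtpm/<vm>` and `ps auxZ | grep -E 'swtpm|qemu'` output for one VM; a stray state file left with a different category pair (for example one not restored after the swtpm terminated) shows up as a "categories differ" problem.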