[libvirt] [PATCH v5 09/11] security: Label the external swtpm with SELinux labels

Stefan Berger stefanb at linux.vnet.ibm.com
Tue May 22 00:47:22 UTC 2018 

On 05/21/2018 06:33 PM, John Ferlan wrote:
>
> On 05/15/2018 08:26 PM, Stefan Berger wrote:
>> In this patch we label the swtpm process with SELinux labels. We give it the
>> same label as the QEMU process has. We label its state directory and files
>> as well. We restore the old security labels once the swtpm has terminated.
>>
>> The file and process labels now look as follows:
>>
>> Directory: /var/lib/libvirt/swtpm
>>
>> [root at localhost swtpm]# ls -lZ
>> total 4
>> rwx------. 2 tss  tss  system_u:object_r:svirt_image_t:s0:c254,c932 4096 Apr  5 16:46 testvm
>>
>> [root at localhost testvm]# ls -lZ
>> total 8
>> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 3648 Apr  5 16:46 tpm-00.permall
>>
>> The log in /var/log/swtpm/libvirt/qemu is labeled as follows:
>>
>> -rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c254,c932 2237 Apr  5 16:46 vtpm.log
>>
>> [root at localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep swtpm | grep ctrl | grep -v grep
>> system_u:system_r:svirt_t:s0:c254,c932 tss 25664 0.0  0.0 28172  3892 ?        Ss   16:57   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/testvm-swtpm.sock,mode=0660 --tpmstate dir=/var/lib/libvirt/swtpm/testvm/tpm1.2 --log file=/var/log/swtpm/libvirt/qemu/testvm-swtpm.log
>>
>> [root at localhost 485d0004-a48f-436a-8457-8a3b73e28567]# ps auxZ | grep qemu | grep tpm | grep -v grep
>> system_u:system_r:svirt_t:s0:c254,c932 qemu 25669 99.0  0.0 3096704 48500 ?    Sl   16:57   3:28 /bin/qemu-system-x86_64 [..]
>>
>> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
>> ---
>>   src/libvirt_private.syms        |   2 +
>>   src/qemu/qemu_security.c        |  69 +++++++++++++++++
>>   src/qemu/qemu_security.h        |  11 +++
>>   src/qemu/qemu_tpm.c             |  12 ++-
>>   src/security/security_driver.h  |   7 ++
>>   src/security/security_manager.c |  36 +++++++++
>>   src/security/security_manager.h |   6 ++
>>   src/security/security_selinux.c | 164 ++++++++++++++++++++++++++++++++++++++++
>>   src/security/security_stack.c   |  40 ++++++++++
>>   9 files changed, 345 insertions(+), 2 deletions(-)
>>
> Reviewed-by: John Ferlan <jferlan at redhat.com>

Thanks.

This patch here obviously solves the issue for SELinux. I have in the 
meantime worked on a Ubuntu system with AppArmor and would follow up 
with AppArmor related patches. The issue is, if AppArmor is active, the 
swtpm will not start at this point. This additional patch set will fix 
this then. The problem is primarily related to the call to 
virSecurityManagerSetChildProcessLabel(), which does what we/I want for 
the swtpm process under SELinux but is not suitable for the swtpm 
process under AppArmor. There it would apply an AppArmor profile for 
QEMU to the swtpm process, which is probably not what we want. With the 
paths to log file, PID file etc. accepted, we can extend the libvirtd 
AppArmor profile with a swtpm subprofile to switch to from the libvirt 
profile during the execve().

    Stefan

>
> John
>

More information about the libvir-list mailing list