[libvirt] [PATCH 0/3] security: Don't remember labels for TPM
Cole Robinson
crobinso at redhat.com
Thu Oct 10 20:16:26 UTC 2019
On 10/1/19 11:00 AM, Michal Privoznik wrote:
> As it turns out, /dev/tpm0 can't be opened more than once. This doesn't
> fit into our seclabel remembering approach, and thus we disable it for TPM
> devices.
>
> There's also another type of files which can't be opened more than once
> - /dev/vfio/N. Usually, this won't be a problem unless users try to
> attach/detach some devices from the same IOMMU group. This will require
> more treatment though because it's broken on more levels.
>
> 1) we remove /dev/vfio/N in private devtmpfs on device detach, even
> though there is another device still attached to the domain from the
> same IOMMU group,
>
> 2) we remove the IOMMU group from CGroups, i.e. we effectively deny
> access to qemu
>
> 3) we restore seclabels (regardless of seclabel remembering)
>
> Therefore, I'm only addressing TPM issue here and will continue work on
> hostdevs.
>
> Michal Prívozník (3):
> security: Try to lock only paths with remember == true
> security_dac: Allow selective remember/recall for chardevs
> security: Don't remember labels for TPM
>
> src/security/security_dac.c | 91 ++++++++++++++++++++++-----------
> src/security/security_selinux.c | 16 +++---
> 2 files changed, 71 insertions(+), 36 deletions(-)
>
Reviewed-by: Cole Robinson <crobinso at redhat.com>
but see the comment on #3; I think the EMULATOR bits can be dropped.
I verified this fixes TPM passthrough VM startup too.
- Cole