[PATCH 5/6] secdrivers: Relabel firmware config files

Michal Privoznik mprivozn at redhat.com
Wed Jun 3 17:01:37 UTC 2020


For the case where -fw_cfg uses a file, we need to set the
seclabels on it to allow QEMU the access. While QEMU allows
writing into the file (if specified on the command line), so far
we are enabling reading only and thus we can use read only label
(in case of SELinux).

Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
---
 src/security/security_dac.c     | 14 ++++++++++++++
 src/security/security_selinux.c | 13 +++++++++++++
 src/security/virt-aa-helper.c   |  6 ++++++
 3 files changed, 33 insertions(+)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 7b95a6f86d..a1340c242c 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1991,6 +1991,12 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
             rc = -1;
     }
 
+    for (i = 0; i < def->nfw_cfgs; i++) {
+        if (def->fw_cfgs[i].file &&
+            virSecurityDACRestoreFileLabel(mgr, def->fw_cfgs[i].file) < 0)
+            rc = -1;
+    }
+
     if (def->os.loader && def->os.loader->nvram &&
         virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
         rc = -1;
@@ -2173,6 +2179,14 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
     if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
         return -1;
 
+    for (i = 0; i < def->nfw_cfgs; i++) {
+        if (def->fw_cfgs[i].file &&
+            virSecurityDACSetOwnership(mgr, NULL,
+                                       def->fw_cfgs[i].file,
+                                       user, group, true) < 0)
+            return -1;
+    }
+
     if (def->os.loader && def->os.loader->nvram &&
         virSecurityDACSetOwnership(mgr, NULL,
                                    def->os.loader->nvram,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 7bb7c2b7b1..c5a8e33bd7 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2786,6 +2786,12 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr,
                                      mgr) < 0)
         rc = -1;
 
+    for (i = 0; i < def->nfw_cfgs; i++) {
+        if (def->fw_cfgs[i].file &&
+            virSecuritySELinuxRestoreFileLabel(mgr, def->fw_cfgs[i].file, true) < 0)
+            rc = -1;
+    }
+
     if (def->os.loader && def->os.loader->nvram &&
         virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, true) < 0)
         rc = -1;
@@ -3194,6 +3200,13 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr,
                                      mgr) < 0)
         return -1;
 
+    for (i = 0; i < def->nfw_cfgs; i++) {
+        if (def->fw_cfgs[i].file &&
+            virSecuritySELinuxSetFilecon(mgr, def->fw_cfgs[i].file,
+                                         data->content_context, true) < 0)
+            return -1;
+    }
+
     /* This is different than kernel or initrd. The nvram store
      * is really a disk, qemu can read and write to it. */
     if (def->os.loader && def->os.loader->nvram &&
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 6e6dd1b1db..12beef6442 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1175,6 +1175,12 @@ get_files(vahControl * ctl)
         }
     }
 
+    for (i = 0; i < ctl->def->nfw_cfgs; i++) {
+        if (ctl->def->fw_cfgs[i].file &&
+            vah_add_file(&buf, ctl->def->fw_cfgs[i].file, "r") != 0)
+            goto cleanup;
+    }
+
     for (i = 0; i < ctl->def->nshmems; i++) {
         virDomainShmemDef *shmem = ctl->def->shmems[i];
         /* explicit server paths can be on any model to overwrites defaults.
-- 
2.26.2




More information about the libvir-list mailing list