[libvirt][PATCH v15 8/9] security_dac: Set DAC label on SGX /dev nodes

Lin Yang lin.a.yang at intel.com
Wed Aug 31 07:40:40 UTC 2022


From: Michal Privoznik <mprivozn at redhat.com>

As advertised in previous commits, QEMU needs to access
/dev/sgx_vepc and /dev/sgx_provision when an SGX memory
backend is configured. If it weren't for QEMU's mount
namespaces, we wouldn't dare relabel them, because they are
system-wide files. But when namespaces are in use we can set the
label on the domain's private copies, just like we do for /dev/sev.

Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
Signed-off-by: Haibin Huang <haibin.huang at intel.com>
---
 src/security/security_dac.c | 46 ++++++++++++++++++++++---------------
 1 file changed, 28 insertions(+), 18 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index d94995c9cf..5ca63e30f4 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -48,6 +48,8 @@ VIR_LOG_INIT("security.security_dac");
 
 #define SECURITY_DAC_NAME "dac"
 #define DEV_SEV "/dev/sev"
+#define DEV_SGX_VEPC "/dev/sgx_vepc"
+#define DEV_SGX_PROVISION "/dev/sgx_provision"
 
 typedef struct _virSecurityDACData virSecurityDACData;
 struct _virSecurityDACData {
@@ -1843,24 +1845,24 @@ virSecurityDACRestoreMemoryLabel(virSecurityManager *mgr,
                                  virDomainDef *def G_GNUC_UNUSED,
                                  virDomainMemoryDef *mem)
 {
-    int ret = -1;
-
     switch (mem->model) {
     case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
-        ret = virSecurityDACRestoreFileLabel(mgr, mem->nvdimmPath);
+        return virSecurityDACRestoreFileLabel(mgr, mem->nvdimmPath);
+
+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        /* We set label on SGX /dev nodes iff running with namespaces, so we
+         * don't need to restore anything. */
         break;
 
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
-    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
-        ret = 0;
         break;
     }
 
-    return ret;
+    return 0;
 }
 
 
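Review bot: The comment on the new SGX_EPC case states the condition (`iff running with namespaces`) but not why that condition makes restoring unnecessary, and that reasoning is exactly what a later change to the set path could silently invalidate. I would spell it out, e.g. `/* SGX /dev nodes are relabelled only inside the domain's private mount namespace (see virSecurityDACSetMemoryLabel); the host-wide nodes are never touched, so there is nothing to restore here. */`. That keeps the set/restore asymmetry auditable from either function, since a reader of this one cannot otherwise see that `priv->mountNamespace` gates the chown.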
@@ -2020,35 +2022,43 @@ virSecurityDACSetMemoryLabel(virSecurityManager *mgr,
 {
     virSecurityDACData *priv = virSecurityManagerGetPrivateData(mgr);
     virSecurityLabelDef *seclabel;
-    int ret = -1;
     uid_t user;
     gid_t group;
 
+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+    if (seclabel && !seclabel->relabel)
+        return 0;
+
+    if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+        return -1;
+
     switch (mem->model) {
     case VIR_DOMAIN_MEMORY_MODEL_NVDIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM:
-        seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
-        if (seclabel && !seclabel->relabel)
-            return 0;
+        return virSecurityDACSetOwnership(mgr, NULL,
+                                          mem->nvdimmPath,
+                                          user, group, true);
 
-        if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        /* Skip chowning SGX if namespaces are disabled. */
+        if (priv->mountNamespace &&
+            (virSecurityDACSetOwnership(mgr, NULL,
+                                        DEV_SGX_VEPC,
+                                        user, group, true) < 0 ||
+             virSecurityDACSetOwnership(mgr, NULL,
+                                        DEV_SGX_PROVISION,
+                                        user, group, true) < 0))
             return -1;
-
-        ret = virSecurityDACSetOwnership(mgr, NULL,
-                                         mem->nvdimmPath,
-                                         user, group, true);
         break;
 
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
-    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
-        ret = 0;
         break;
     }
 
-    return ret;
+    return 0;
 }
 
 
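Review bot: When `priv->mountNamespace` is false the SGX_EPC branch returns 0 without granting the domain's uid/gid any access to `/dev/sgx_vepc` or `/dev/sgx_provision`, and nothing records that the skip happened; a non-root QEMU will then fail at open() with EACCES, which is far harder to trace back to this decision than a libvirt-side message would be. Consider at least `VIR_DEBUG("SGX /dev nodes not relabelled: mount namespace disabled");` before the `break`, or documenting that without namespaces the admin must grant access to these nodes manually. Chowning `/dev/sgx_provision` also hands the QEMU process provisioning-key access, a stronger grant than the EPC allocator `/dev/sgx_vepc`; the commit message says QEMU needs both, but if some SGX guests could do without it an opt-out would narrow privilege. A secondary effect of hoisting the `relabel` check and `virSecurityDACGetIds()` above the switch is that a GetIds failure now fails the DIMM/VIRTIO_MEM/NONE cases as well, which previously returned 0 unconditionally; presumably acceptable, but worth confirming. The function's signature lies above the hunk.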
-- 
2.25.1


