[PATCH v2 1/3] qemu_passt: Don't make passt transition to svirt_t/libvirt_domain on start

Daniel P. Berrangé berrange at redhat.com
Thu Feb 23 10:47:09 UTC 2023 

On Thu, Feb 23, 2023 at 11:40:00AM +0100, Jiri Denemark wrote:
> On Wed, Feb 22, 2023 at 14:21:29 +0100, Stefano Brivio wrote:
> > qemuSecurityCommandRun() causes an explicit domain transition of the
> > new process, but passt ships with its own SELinux policy, with
> > external interfaces for libvirtd, so we simply need to transition
> > from virtd_t to passt_t as passt is executed. The qemu type
> > enforcement rules have little to do with it.
> > 
> > That is, if we switch to svirt_t, passt will run in the security
> > context that's intended for QEMU, which allows a number of
> > operations not needed by passt. On the other hand, with a switch
> > to svirt_t, passt won't be able to create its own PID file.
> > 
> > Usage of those new interfaces is implemented by this change in
> > selinux-policy:
> >   https://github.com/fedora-selinux/selinux-policy/pull/1613
> > 
> > Replace qemuSecurityCommandRun() with virCommandRun(), and explicitly
> > set the label, preserving the correct MCS range for the given VM
> > instance. This is a temporary measure: eventually, we'll need a more
> > generic and elegant mechanism for helper binaries.
> > 
> > Fixes: a56f0168d576 ("qemu: hook up passt config to qemu domains")
> > Signed-off-by: Stefano Brivio <sbrivio at redhat.com>
> > ---
> >  src/qemu/qemu_passt.c | 33 +++++++++++++++++++++++++++------
> >  1 file changed, 27 insertions(+), 6 deletions(-)
> > 
> > diff --git a/src/qemu/qemu_passt.c b/src/qemu/qemu_passt.c
> > index 1217a6a087..81f48dd630 100644
> > --- a/src/qemu/qemu_passt.c
> > +++ b/src/qemu/qemu_passt.c
> > @@ -30,6 +30,11 @@
> >  #include "virlog.h"
> >  #include "virpidfile.h"
> >  
> > +#ifdef WITH_SELINUX
> > +# include <selinux/selinux.h>
> > +# include <selinux/context.h>
> > +#endif
> > +
> >  #define VIR_FROM_THIS VIR_FROM_NONE
> >  
> >  VIR_LOG_INIT("qemu.passt");
> > @@ -158,8 +163,11 @@ qemuPasstStart(virDomainObj *vm,
> >      g_autofree char *errbuf = NULL;
> >      char macaddr[VIR_MAC_STRING_BUFLEN];
> >      size_t i;
> > -    int exitstatus = 0;
> > -    int cmdret = 0;
> > +#ifdef WITH_SELINUX
> > +    virSecurityLabelDef *seclabel;
> > +    context_t s;
> > +    const char *newLabel;
> > +#endif
> >  
> >      cmd = virCommandNew(PASST);
> >  
> > @@ -271,18 +279,31 @@ qemuPasstStart(virDomainObj *vm,
> >      if (qemuExtDeviceLogCommand(driver, vm, cmd, "passt") < 0)
> >          return -1;
> >  
> > -    if (qemuSecurityCommandRun(driver, vm, cmd, -1, -1, &exitstatus, &cmdret) < 0)
> > -        goto error;
> > +#ifdef WITH_SELINUX
> > +    /* TODO: Implement a new security manager function for helper binaries,
> > +     * possibly deriving domain names from security attributes of the helper
> > +     * binary itself.
> > +     */
> > +    seclabel = virDomainDefGetSecurityLabelDef(vm->def, "selinux");
> > +    s = context_new(seclabel->label);
> > +    context_type_set(s, "passt_t");
> > +    newLabel = context_str(s);
> > +
> > +    virCommandSetSELinuxLabel(cmd, newLabel);
> > +#endif
> >  
> > -    if (cmdret < 0 || exitstatus != 0) {
> > +    if (virCommandRun(cmd, NULL)) {
> >          virReportError(VIR_ERR_INTERNAL_ERROR,
> >                         _("Could not start 'passt': %s"), NULLSTR(errbuf));
> >          goto error;
> >      }
> >  
> > +    context_free(s);
> 
> This would need to be enclosed in #ifdef too.
> 
> > +
> >      return 0;
> >  
> >   error:
> > -    qemuPasstKill(pidfile);
> > +    context_free(s);
> 
> And here as well.
> 
> > +    qemuPasstKill(pidfile, passtSocketName);
> >      return -1;
> >  }
> 
> I have to admit I'm not sure whether a proper solution via security
> manager is feasible with a reasonable short time frame, i.e., ready to
> be pushed ideally just after the release as I feel it would be too much
> of a change for the freeze (but as I said, I may be wrong, I'm not
> familiar with the details of the security manager code).
> 
> This hacky approach has its downsides apart from the easily fixed nits
> above. Due to not going through the security manager layers, this code
> would try to use SELinux even if the driver is actually disabled in
> runtime (which can happen for various reasons).
> 
> So the question is, can a proper solution be implemented fast enough or
> we need some form of this hack to have this new functionality working?
> Michal, do you have any idea about the feasibility of providing a proper
> solution to this?

This really isn't difficult to do in the security manager IMHO. It is
just a variation on the existing virSecurityManagerSetChildProcessLabel
method, which instead of using the standard QEMU svirt_t labels, queries
the label by calling getfilecon on the binary to be execd and appending
the MCS label.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list