[PATCH] security_selinux: Set and restore /dev/sgx_* labels

Michal Privoznik mprivozn at redhat.com
Wed Jan 4 10:12:12 UTC 2023


For the SGX type of memory, QEMU needs to open and talk to the
/dev/sgx_vepc and /dev/sgx_provision device files. But we neither set
nor restore SELinux labels on these files when starting a guest.

Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
---
 src/security/security_dac.c     |  3 ---
 src/security/security_manager.h |  4 ++++
 src/security/security_selinux.c | 24 ++++++++++++++++++++++--
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 917fcf76a3..abfc07218e 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -47,9 +47,6 @@
 VIR_LOG_INIT("security.security_dac");
 
 #define SECURITY_DAC_NAME "dac"
-#define DEV_SEV "/dev/sev"
-#define DEV_SGX_VEPC "/dev/sgx_vepc"
-#define DEV_SGX_PROVISION "/dev/sgx_provision"
 
 typedef struct _virSecurityDACData virSecurityDACData;
 struct _virSecurityDACData {
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 60597ffc0a..4afdcc167b 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -23,6 +23,10 @@
 #include "domain_conf.h"
 #include "vircommand.h"
 
+#define DEV_SEV "/dev/sev"
+#define DEV_SGX_VEPC "/dev/sgx_vepc"
+#define DEV_SGX_PROVISION "/dev/sgx_provision"
+
 typedef struct _virSecurityManager virSecurityManager;
 
 typedef enum {
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 93cc12407a..c4832e1bfc 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1577,10 +1577,21 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManager *mgr,
             return -1;
         break;
 
+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+        if (!seclabel || !seclabel->relabel)
+            return 0;
+
+        if (virSecuritySELinuxSetFilecon(mgr, DEV_SGX_VEPC,
+                                         seclabel->imagelabel, true) < 0 ||
+            virSecuritySELinuxSetFilecon(mgr, DEV_SGX_PROVISION,
+                                         seclabel->imagelabel, true) < 0)
+            return -1;
+        break;
+
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
-    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
         break;
     }
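Review bot: The new SGX_EPC case labels DEV_SGX_VEPC and DEV_SGX_PROVISION with the domain-specific `seclabel->imagelabel`, yet unlike `mem->nvdimmPath` these are host-wide device nodes shared by every SGX guest, and under dynamic labeling each domain's imagelabel normally carries its own MCS categories. Starting a second SGX guest while the first runs will therefore either fail the relabel (if, as I believe, the remembered-label refcounting rejects a different context on a path already in use) or relabel the nodes away from the first guest and cut off its access; the DAC driver does not show this because guests usually share one uid/gid. Consider a context shared across domains here, or at least document the limitation in the commit message, and add a comment above the case such as `/* DEV_SGX_VEPC and DEV_SGX_PROVISION are host-wide, not per-domain; the remembered label is refcounted across all SGX guests */`. The same concern applies to the restore hunk in virSecuritySELinuxRestoreMemoryLabel, and both functions begin outside their hunks.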
@@ -1607,9 +1618,18 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManager *mgr,
         ret = virSecuritySELinuxRestoreFileLabel(mgr, mem->nvdimmPath, true);
         break;
 
+    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+        seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME);
+        if (!seclabel || !seclabel->relabel)
+            return 0;
+
+        ret = virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_VEPC, true);
+        if (virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_PROVISION, true) < 0)
+            ret = -1;
+        break;
+
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
-    case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
         ret = 0;
-- 
2.38.2


