[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 3/4] security: Introduce method for labeling file descriptors of created files



The method labels the file descriptor even if dynamic labeling/relabeling
is turned off. This is needed for files created by libvirt and then
passed along to qemu as a FD.
---
 src/libvirt_private.syms        |  1 +
 src/security/security_dac.c     |  9 +++++++++
 src/security/security_driver.h  |  4 ++++
 src/security/security_manager.c | 16 ++++++++++++++++
 src/security/security_manager.h |  3 +++
 src/security/security_nop.c     |  1 +
 src/security/security_selinux.c | 21 +++++++++++++++++++++
 src/security/security_stack.c   | 19 +++++++++++++++++++
 8 files changed, 74 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 795e011..dd06f11 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1035,6 +1035,7 @@ virSecurityManagerRestoreImageLabel;
 virSecurityManagerRestoreSavedStateLabel;
 virSecurityManagerSetAllLabel;
 virSecurityManagerSetChildProcessLabel;
+virSecurityManagerSetCreatedFDLabel;
 virSecurityManagerSetDaemonSocketLabel;
 virSecurityManagerSetHostdevLabel;
 virSecurityManagerSetHugepages;
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 0d6defc..ef528f6 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1180,6 +1180,14 @@ virSecurityDACSetImageFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 }

 static int
+virSecurityDACSetCreatedFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                                virDomainDefPtr def ATTRIBUTE_UNUSED,
+                                int fd ATTRIBUTE_UNUSED)
+{
+    return 0;
+}
+
+static int
 virSecurityDACSetTapFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                             virDomainDefPtr def ATTRIBUTE_UNUSED,
                             int fd ATTRIBUTE_UNUSED)
@@ -1231,6 +1239,7 @@ virSecurityDriver virSecurityDriverDAC = {
     .domainRestoreSavedStateLabel       = virSecurityDACRestoreSavedStateLabel,

     .domainSetSecurityImageFDLabel      = virSecurityDACSetImageFDLabel,
+    .domainSetSecurityCreatedFDLabel    = virSecurityDACSetCreatedFDLabel,
     .domainSetSecurityTapFDLabel        = virSecurityDACSetTapFDLabel,

     .domainGetSecurityMountOptions      = virSecurityDACGetMountOptions,
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index cc401e1..0edcc34 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -100,6 +100,9 @@ typedef int (*virSecurityDomainSecurityVerify) (virSecurityManagerPtr mgr,
 typedef int (*virSecurityDomainSetImageFDLabel) (virSecurityManagerPtr mgr,
                                                  virDomainDefPtr def,
                                                  int fd);
+typedef int (*virSecurityDomainSetCreatedFDLabel) (virSecurityManagerPtr mgr,
+                                                   virDomainDefPtr def,
+                                                   int fd);
 typedef int (*virSecurityDomainSetTapFDLabel) (virSecurityManagerPtr mgr,
                                                virDomainDefPtr def,
                                                int fd);
@@ -146,6 +149,7 @@ struct _virSecurityDriver {
     virSecurityDomainRestoreSavedStateLabel domainRestoreSavedStateLabel;

     virSecurityDomainSetImageFDLabel domainSetSecurityImageFDLabel;
+    virSecurityDomainSetCreatedFDLabel domainSetSecurityCreatedFDLabel;
     virSecurityDomainSetTapFDLabel domainSetSecurityTapFDLabel;

     virSecurityDomainGetMountOptions domainGetSecurityMountOptions;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index f7c5c2e..2152246 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -663,6 +663,22 @@ int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
     return -1;
 }

+int virSecurityManagerSetCreatedFDLabel(virSecurityManagerPtr mgr,
+                                        virDomainDefPtr vm,
+                                        int fd)
+{
+    if (mgr->drv->domainSetSecurityCreatedFDLabel) {
+        int ret;
+        virObjectLock(mgr);
+        ret = mgr->drv->domainSetSecurityCreatedFDLabel(mgr, vm, fd);
+        virObjectUnlock(mgr);
+        return ret;
+    }
+
+    virReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+    return -1;
+}
+
 int virSecurityManagerSetTapFDLabel(virSecurityManagerPtr mgr,
                                     virDomainDefPtr vm,
                                     int fd)
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 711b354..343dffb 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -112,6 +112,9 @@ int virSecurityManagerVerify(virSecurityManagerPtr mgr,
 int virSecurityManagerSetImageFDLabel(virSecurityManagerPtr mgr,
                                       virDomainDefPtr def,
                                       int fd);
+int virSecurityManagerSetCreatedFDLabel(virSecurityManagerPtr mgr,
+                                        virDomainDefPtr def,
+                                        int fd);
 int virSecurityManagerSetTapFDLabel(virSecurityManagerPtr mgr,
                                     virDomainDefPtr vm,
                                     int fd);
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 233404c..ee0e05b 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
@@ -223,6 +223,7 @@ virSecurityDriver virSecurityDriverNop = {
     .domainRestoreSavedStateLabel       = virSecurityDomainRestoreSavedStateLabelNop,

     .domainSetSecurityImageFDLabel      = virSecurityDomainSetFDLabelNop,
+    .domainSetSecurityCreatedFDLabel    = virSecurityDomainSetFDLabelNop,
     .domainSetSecurityTapFDLabel        = virSecurityDomainSetFDLabelNop,

     .domainGetSecurityMountOptions      = virSecurityDomainGetMountOptionsNop,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 7802dda..5894259 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -2446,6 +2446,26 @@ virSecuritySELinuxGetSecurityMountOptions(virSecurityManagerPtr mgr,
     return opts;
 }

+static int
+virSecuritySELinuxSetCreatedFDLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                                    virDomainDefPtr def,
+                                    int fd)
+{
+    virSecurityLabelDefPtr secdef;
+
+    if ((secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_SELINUX_NAME))) {
+        if (!secdef->imagelabel)
+            secdef->imagelabel = virSecuritySELinuxGenImageLabel(mgr, def);
+    } else {
+        return -1;
+    }
+
+    if (secdef->imagelabel == NULL)
+        return 0;
+
+    return virSecuritySELinuxFSetFilecon(fd, secdef->imagelabel);
+}
+
 virSecurityDriver virSecurityDriverSELinux = {
     .privateDataLen                     = sizeof(virSecuritySELinuxData),
     .name                               = SECURITY_SELINUX_NAME,
@@ -2483,6 +2503,7 @@ virSecurityDriver virSecurityDriverSELinux = {
     .domainRestoreSavedStateLabel       = virSecuritySELinuxRestoreSavedStateLabel,

     .domainSetSecurityImageFDLabel      = virSecuritySELinuxSetImageFDLabel,
+    .domainSetSecurityCreatedFDLabel    = virSecuritySELinuxSetCreatedFDLabel,
     .domainSetSecurityTapFDLabel        = virSecuritySELinuxSetTapFDLabel,

     .domainGetSecurityMountOptions      = virSecuritySELinuxGetSecurityMountOptions,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 14d757d..926ffbe 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -471,6 +471,24 @@ virSecurityStackSetImageFDLabel(virSecurityManagerPtr mgr,
 }

 static int
+virSecurityStackSetCreatedFDLabel(virSecurityManagerPtr mgr,
+                                  virDomainDefPtr vm,
+                                  int fd)
+{
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityStackItemPtr item = priv->itemsHead;
+    int rc = 0;
+
+    for (; item; item = item->next) {
+        if (virSecurityManagerSetCreatedFDLabel(item->securityManager, vm, fd) < 0)
+            rc = -1;
+    }
+
+    return rc;
+}
+
+
+static int
 virSecurityStackSetTapFDLabel(virSecurityManagerPtr mgr,
                               virDomainDefPtr vm,
                               int fd)
@@ -569,6 +587,7 @@ virSecurityDriver virSecurityDriverStack = {
     .domainRestoreSavedStateLabel       = virSecurityStackRestoreSavedStateLabel,

     .domainSetSecurityImageFDLabel      = virSecurityStackSetImageFDLabel,
+    .domainSetSecurityCreatedFDLabel    = virSecurityStackSetCreatedFDLabel,
     .domainSetSecurityTapFDLabel        = virSecurityStackSetTapFDLabel,

     .domainGetSecurityMountOptions      = virSecurityStackGetMountOptions,
-- 
1.8.2.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]