[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH V1 4/6] Add SELinux labeling support for TPM

On 03/14/2013 06:34 PM, Daniel P. Berrange wrote:
On Thu, Mar 14, 2013 at 04:24:27PM -0400, Stefan Berger wrote:
On 03/14/2013 10:29 AM, Daniel P. Berrange wrote:
On Wed, Mar 13, 2013 at 12:03:52PM -0400, Stefan Berger wrote:
Signed-off-by: Stefan Berger <stefanb linux vnet ibm com>

  src/security/security_selinux.c |   90 ++++++++++++++++++++++++++++++++++++++++
  1 file changed, 90 insertions(+)
I imagine we also need to update security_apparmour.c and
DAC: this seems to only be necessary if the the owner of the device
is not root. Typically it is owned by root. I added support for it
anyway now.
AppArmour: it looks like no other character devices are being
labeled so I may not have to do this for the TPM, either (?)

Also src/conf/domain_audit.c will need to emit an audit event when the
TPM is configured to use a host device.
type=VIRT_RESOURCE msg=audit(1363292411.635:499): pid=23365 uid=0
auid=4294967295 ses=4294967295
subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm
resrc=cgroup reason=allow vm="TPM-PT"
cgroup="/sys/fs/cgroup/devices/libvirt/qemu/TPM-PT/" class=path
path=/dev/tpm0 rdev=0A:E0 acl=rw exe="/usr/sbin/libvirtd" hostname=?
addr=? terminal=? res=success'

Is this message type sufficient for a host device?
No, this is just a generic message related to cgroups setup.
We need to emit explicit audit log for each device in addition
to this, since we cannot assume cgroups is enabled.

We need to extend the virDomainAuditStart method to include
this new device type.

Ok, so now libvirt is also printing this one here:

type=VIRT_RESOURCE msg=audit(1363305463.181:1302): pid=17807 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='virt=kvm resrc=dev reason=start vm="TPM-PT" uuid=a4d7cd22-da89-3094-6212-079a48a309a1 device="/dev/tpm0" exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=pts/20 res=success'

I suppose the msg='' part is somewhat device specific. So above really only shows /dev/tpm0 and I don't think there's much else worth mentioning.

The last thing is now in which patch to put this :-) I would keep it in a separate patch after the one touching the SELinux and DAC labeling...


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]