[libvirt] [PATCH v3 06/14] security: Add DAC and SELinux security for tpm-emulator

Stefan Berger stefanb at linux.vnet.ibm.com
Wed May 9 16:24:59 UTC 2018


On 05/08/2018 04:01 PM, John Ferlan wrote:
>
> On 05/04/2018 04:21 PM, Stefan Berger wrote:
>> Extend the DAC and SELinux modules with support for the
>> tpm-emulator.
>>
>> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
>> ---
>>   src/security/security_dac.c     | 4 ++++
>>   src/security/security_selinux.c | 5 +++++
>>   2 files changed, 9 insertions(+)
>>
>> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
>> index 5efbc27..351f6f4 100644
>> --- a/src/security/security_dac.c
>> +++ b/src/security/security_dac.c
>> @@ -1373,6 +1373,10 @@ virSecurityDACSetTPMFileLabel(virSecurityManagerPtr mgr,
>>                                               false);
>>           break;
>>       case VIR_DOMAIN_TPM_TYPE_EMULATOR:
>> +        ret = virSecurityDACSetChardevLabel(mgr, def,
>> +                                            &tpm->data.emulator.source,
>> +                                            false);
>> +        break;
>>       case VIR_DOMAIN_TPM_TYPE_LAST:
>>           break;
>>       }
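Review bot: the new VIR_DOMAIN_TPM_TYPE_EMULATOR case labels the emulator's Unix socket through virSecurityDACSetChardevLabel, but virSecurityDACRestoreTPMFileLabel gets no matching case, so the set/restore pair is now asymmetric. If the socket is created and removed by the emulator process so that no restore is needed, a one-line comment in the case body (e.g. `/* socket is created and unlinked by swtpm; nothing to restore */`) would keep a later reader from treating the missing branch as an omission. The bare `false` passed as the last argument is also hard to read at the call site; a comment naming the flag it corresponds to would help.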
> virSecurityDACRestoreTPMFileLabel doesn't need to be changed? e.g.:

Hm, this is setting the DAC label for the Unix socket so that QEMU can
connect to it. swtpm creates it but then also removes it upon
termination. So basically restoring the security label is not needed.
Maybe I should add a comment in the code why it's not there. The same is
true for the SELinux label below.

>
>
>      ret = virSecurityDACRestoreChardevLabel(mgr, def,
>                                              &tpm->data.emulator.source,
>                                              false);
>
>
>> diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
>> index f5ba877..17bc07a 100644
>> --- a/src/security/security_selinux.c
>> +++ b/src/security/security_selinux.c
>> @@ -1473,6 +1473,11 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
>>           }
>>           break;
>>       case VIR_DOMAIN_TPM_TYPE_EMULATOR:
>> +        tpmdev = tpm->data.emulator.source.data.nix.path;
>> +        rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel);
>> +        if (rc < 0)
>> +            return -1;
>> +        break;
>>       case VIR_DOMAIN_TPM_TYPE_LAST:
>>           break;
>>       }
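Review bot: this hunk sets the file context directly on the socket path with virSecuritySELinuxSetFilecon using seclabel->imagelabel, whereas the DAC hunk routes the same source through its chardev helper; if there is a reason not to use the SELinux chardev labeling path for this Unix socket, the commit message should say so. As with the DAC side, virSecuritySELinuxRestoreTPMFileLabelInt gains no counterpart; if restoring is intentionally skipped because the socket is removed by the emulator on exit, that rationale belongs in a code comment next to the case, not only in the list discussion. It is also worth confirming that tpm->data.emulator.source.data.nix.path is guaranteed non-NULL at this point, since it is passed straight to virSecuritySELinuxSetFilecon without a check.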
>>
> Similarly for virSecuritySELinuxRestoreTPMFileLabelInt:
>
>          tpmdev = tpm->data.emulator.source.data.nix.path;
>          rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev);
>
> ?
>
> With the adjustments or at least an explanation in the commit message
> why they cannot be Restored,
>
> Reviewed-by: John Ferlan <jferlan at redhat.com>
>
> John
>